metro-visual-studio-2005-128-link
 

Always prompted for credentials in TFS 2010?

Subscribe Subscribe

 

VisualStudioALMLogo

Sometimes when you setup TFS you find that your users, or just some of them, are being prompted for credentials. While manageable this is annoying and is not really related to TFS. This is an Active Directory thing and yes, there is a workaround…

 

 


The best way to fix this is to have your Active Directory administrator add your OWN domain to the list detected as internal and thus intranet. By default using just the server NETBIOS name will work anyway, but in this world of domain names http://tfs.company.com looks a lot better and is easier to remember than http://tfs. Its a brain thing… and it is a Kerberos thing, but don’t worry about that.

So, first, why is this happening?

SNAGHTML154bd5c
Figure: User Authentication on the Internet / Intranet

Its the default and it should be this way!

If you accidentally change this to allow authentication in all zones you may be exposing your username and password beyond the bounds of your internal network. This is not good.

So, if you want to fix this send this email to your Active Directory administrator or support desk:

Dear Admin,

Can you please make it so that all things that I access thorough the network as “*.mydomain.com” are classed as “intranet” so that I can authenticate correctly without having to enter my username and password every time. Can you also make sure that everyone i work with has the same setting applied automatically.

image
o_Error-iconFigure: Bad example, I should not have to do this locally

Hint: you can do this by adding “*.mydomain.com” to the list of websites that are automatically in Internet Explorers “Intranet” list

image
o_Tick-iconFigure: Good example, now i can authenticate

  • Please can you change the domain policy to add this automatically to Internet Explorer

Thanks,

Frustrated local user

But, sometimes you get a less than prompt response. How can I solve this in the mean time, knowing that my Support team is working hard of fixing it permanently?

[screencast url=”http://www.screencast.com/t/PAx7VWfa3jn” width=”640″ height=”360″]
Screencast: Administering TFS 2010 – Always prompted for credentials?

But I just want the simple steps!

  1. Open IE
  2. Click “Tools | Internet Option…image
    Figure: Internet Options is well hidden
  3. Go to “Security” tab.image
    Figure: These settings apply to all internet access, not just IE
  4. Select “Local Intranet | Sites | Advancedimage
    Figure: All useful options are hidden away
  5. Confirm that “*.mydomain.com” is in the list and add it if it is not.
  6. Close all instances of Internet Explorer

Now when you open IE and go to any address that contains your company domain it will automatically pass through your Active Directory identity.

Always prompted for credentials in TFS 2010? was last modified: November 22nd, 2011 by Martin Hinshelwood

-Every company deserves working software that successfully and consistently meets their customers needs on a regular cadence. We can help you get working software with continuous feedback so that your lean-agile teams can deliver continuous value with Visual Studio ALM, Team Foundation Server & Scrum. We have experts on hand to help improve your process and deliver more value at higher quality.

  • Anonymous

    Thanks Martin for sharing another informative tidbit of information with great screenshots. I haven’t had this problem with TFS (yet), but I have several other apps including Outlook that complain when I VPN or connect to various oddly named domains within my corporate intranet. It looks like these steps will apply to fix integrated authentication for Outlook SharePoint integration and general browsing. (WOHOO!)

    Enjoy! -Zephan

    • http://blog.hinshelwood.com Martin Hinshelwood

      It is easier to use @google-814b1816ded375a040b56645112244a8:disqus ‘s approach for multiple domains but if you do that and you still don’t get passthrough of credentials then the above post will help you. Most people don’t switch domains.

  • Brad Buhrkuhl

    You can also use windows’ built in Credential Manager to store TFS passwords.  The Credential Manager works great for machines that are not on the same domain as the TFS Server (or other server you need to store credentials for).

    • http://blog.hinshelwood.com Martin Hinshelwood

      That is a fantastic addendum that I use as well. However if you are in mydomain.com and are connecting to servers in mydomain.com and IE is not passing credentials then you have to do the above.

  • Pingback: SSRS vs SCVMM – The Kerberos token dispute | Process, Practices and Tools()