Access TFS via its API using Windows Authentication

时光总嘲笑我的痴心妄想 submitted on 2019-12-12 04:39:13

Question


All,

I am using an ASP.NET MVC 4 application. I have enabled Windows Authentication.

Till now it is working fine.

Now I enhanced the application to connect to TFS via its API. For this, I need to use the windows authentication credentials.

I have tried using

    ICredentialsProvider credential = new UICredentialsProvider();
    TfsTeamProjectCollection teamProjectCollection = new TfsTeamProjectCollection(collectionUri, credential);

This works great in the development environment. But when I host the application in IIS 8.5, it is not working at all under the "Application Pool Identity" and "Network Service" accounts.

I tried with Local System and a specific user as the identity of the application pool, and it is working.

But I need this to work based on the Windows credentials (Active Directory).

Can anyone suggest a solution?


Answer 1:


You can deploy your web application on the TFS App Tier, configure its app pool to run as the same identity as the TFS web services, and enable ASP.NET impersonation. Check this case: ASP.NET MVC3 Windows Authentication Pass Through to TFS




Answer 2:


You are likely hitting a Kerberos double hop issue.

You have two options to resolve it:

  1. Host your MVC web app on the same server as TFS
  2. Configure Active Directory to allow your server's identity to delegate the logged-in user's credentials to another service.

#1 is easy but #2 will require a bunch of work for your Active Directory domain administrators.

https://support.microsoft.com/en-us/kb/810572

You will need:

  1. At least one Service Principal Name (SPN) configured for your server's account (either a dedicated domain\svc_myaccout or the domain\servername$ account for Network Service).
  2. The account you use needs to be enabled to allow delegation in AD
  3. The server that hosts your application needs to be enabled for delegation

This is not 101, and in my experience, having done this a bunch in enterprise and small business, most Domain Administrators don't know how Kerberos delegation works or how to configure it.

You will need to learn how and make explicit requests that they can action, like "run 'setspn myapp.mydomain.com domain\myserviceaccount'".
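
A read-only check of the three prerequisites listed in Answer 2, as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory module is installed; the function name `Test-DelegationPrereq` and the account and server names are placeholders.

```powershell
# Added example: reports SPNs and delegation settings for the app pool
# account and the web server's computer account. It only reads from AD.
Import-Module ActiveDirectory

function Test-DelegationPrereq {
    param(
        [Parameter(Mandatory)] [string] $AppPoolAccount,  # placeholder, e.g. 'svc_myapp'
        [Parameter(Mandatory)] [string] $WebServer        # placeholder, e.g. 'WEB01'
    )

    $props = 'ServicePrincipalName', 'TrustedForDelegation',
             'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'

    # With Network Service or ApplicationPoolIdentity the computer account
    # is the identity seen on the network, so both objects are inspected.
    $objects = @(
        Get-ADUser     -Identity $AppPoolAccount -Properties $props
        Get-ADComputer -Identity $WebServer      -Properties $props
    )

    foreach ($o in $objects) {
        $spns    = @($o.ServicePrincipalName)
        $targets = @($o.'msDS-AllowedToDelegateTo')

        # Unconstrained: may delegate to any service.
        # Constrained: only to the SPNs listed in msDS-AllowedToDelegateTo.
        if ($o.TrustedForDelegation) {
            $mode = 'Unconstrained'
        } elseif ($targets.Count -gt 0) {
            $mode = 'Constrained'
        } else {
            $mode = 'None'
        }

        [pscustomobject]@{
            Name               = $o.SamAccountName
            ObjectClass        = $o.ObjectClass
            HasSpn             = ($spns.Count -gt 0)
            SPNs               = $spns -join '; '
            DelegationMode     = $mode
            ProtocolTransition = [bool]$o.TrustedToAuthForDelegation
            AllowedTargets     = $targets -join '; '
        }
    }
}

# Example call (placeholder names):
# Test-DelegationPrereq -AppPoolAccount 'svc_myapp' -WebServer 'WEB01' | Format-List
```

A `DelegationMode` of `Constrained` with the TFS service SPN in `AllowedTargets` limits the delegated credentials to that one service, whereas `Unconstrained` lets the account forward a user's ticket to any service in the domain.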



Source: https://stackoverflow.com/questions/35894813/access-tfs-via-its-api-using-windows-authentication
