How to connect to TF Service without a prompt for LiveID credentials


Normally when you connect to the Team Foundation Service you are presented with a web page to log in with your Microsoft Account (aka LiveID). When you log in you can choose to have it remember you and you won’t have to enter your Microsoft Account credentials again (unless you don’t log in again for a long time, and then you’ll be prompted again).

That’s great for humans, but what about an application or another web service that wants to connect? For that the code will need to use “alternate credentials," which you must enable on your account. This is the same setting used to enable basic authentication for git-tf. Then we can write some code to connect to the service with those credentials.

Longer term, we will have OAuth support available as well, but that’s not ready yet.

Enabling Alternate Credentials

You’ll need to first to turn on this feature. First, visit your account or project in a browser, click on your name in the upper right, and then click My Profile.

myprofile

On the User Profile dialog, click on the Credentials tab.

enablecreds

Now provide a password and save the changes.

password

Using Alternate Credentials in code

Before going further, you’ll need to make sure that you have Update 1 for Visual Studio 2012 or newer installed. That update includes enhancements to the TFS client object model to support alternate credentials.

The easiest way to get the latest update is either via clicking on the “toast” notification that pops up from the Windows taskbar or in VS going to Tools –> Extensions and Updates…, clicking on Updates followed by Product Updates and installing the latest update. Alternatively, you can download it here.

You can verify that you have Update 1 (or newer) installed in VS using Help –> About Microsoft Visual Studio.

vshelp

Now that we have the credentials turned on, we’ll now use them from a simple console app.

 

After creating a new console app, add a reference to Microsoft.TeamFoundation.Client.dll, which you will find under v2.0 in ReferenceAssemblies. The client object model for TFS is almost entirely built with .NET 3.5 (CLR 2.0) in order to support running the TFS web parts in SharePoint.

image

Here’s the code.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Text;
using System.Threading.Tasks;

using Microsoft.TeamFoundation.Client;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            NetworkCredential netCred = new NetworkCredential(
                "someone@yahoo.com",
                "password");
            BasicAuthCredential basicCred = new BasicAuthCredential(netCred);
            TfsClientCredentials tfsCred = new TfsClientCredentials(basicCred);
            tfsCred.AllowInteractive = false;

            TfsTeamProjectCollection tpc = new TfsTeamProjectCollection(
                new Uri("https://YourAcct.visualstudio.com/DefaultCollection"),
                tfsCred);

            tpc.Authenticate();

            Console.WriteLine(tpc.InstanceId);
        }
    }
}

I’ve added two using statements, one for System.Net to pull in NetworkCredential and one for Microsoft.TeamFoundation.Client for the TFS classes we’ll need.

The first thing we construct is a standard NetworkCredential object with the username (the email address that you use for your Microsoft Account) and the password that you created for alternate credentials. On the TfsClientCredentials object, we set AllowInteractive to false to prevent a prompt dialog being shown if the credentials are invalid.

In constructing the TfsTeamProjectCollection, we must specify the URL to the collection and the credentials. Note that all connections to accounts in TF Service require https. Currently, there is only one collection per account in TF Service, so it is always DefaultCollection.

Finally, we call Authenticate() to verify that we have supplied the correct credentials and test that it is working by printing the unique InstanceId of the collection.

Now the rest of the TFS client object model is available for use with the TF Service from applications that cannot prompt for credentials.

Enjoy!

Follow me on Twitter at http://twitter.com/tfsbuck

Comments (32)

  1. Imar Spaanjaars says:

    Thanks! This worked great!

    Imar

  2. Misha says:

    Any news on OAuth support? :)

  3. buckh says:

    Misha, it is coming soon. We have made a lot of progress on it. Still don't have a date to announce.

  4. Steve says:

    Hi, this is great and worked a treat,

    How would I go about simply popping up a live id login prompt and making use of that authentication for my tfs calls?

    Thx

    Steve

  5. Oli says:

    Really wish the 'I Sign in frequently' checkbox worked. I sign in and then literally a minute later, try and do something else and I get shown the login prompt again. Makes matters worse that I have 2 step verification on my live ID.

  6. buckh says:

    Oli, which client are you using?

  7. Ranvir says:

    An unhandled exception of type 'Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException' occurred in Microsoft.TeamFoundation.Client.dll though credentials are correct. Any help.

  8. buckh says:

    Ranvir, are you using the same code that I have posted? Have you ensured that the basic auth credentials are enabled and set correctly?

  9. Varun says:

    What if I dont want to store credential in the code (as you have shown) is there an alternative way.

    my code run's under a particular account and I can ensure that account has sufficient privilege to connect to VSO. I would like to leverage WindowsCredential or Credential under which code is running without having to store the password.

  10. Joe says:

    What if the Credentials Tab is not in the my profile page?

  11. Billy Sachse says:

    Hey Buck,

    Thank you very much for the code.  I have been trying to resolve this for quite awhile, now.  I have done everything as instructed, including setting the alternate authentication credentials and stepping through the code.  I'm using Version 12.0.30501.00 Update 2.  I'm still receiving this error: TF30063: You are not authorized to access <xyz>.visualstudio.comDefaultCollection.

    One other note: when I go back into the user profile/credentials tab, it doesn't show that they have been enabled (only a link to enable it).  However, I did receive email confirmation that it was set up.

    I would be happy to provide you any additional specifics, if you could help me figure out what I'm missing.

    Any help you can offer would be greatly appreciated.

  12. buckh says:

    Joe, try forcing a refresh of the page or clearing the cache. I can't imagine why the Credentials section would be missing.

  13. buckh says:

    Billy, the problem is on our end. We made a change today that introduced the bug you are hitting, and we are working on it now.

  14. Billy Sachse says:

    Thank you for the reply.  I look forward to hearing from you on the resolution.  I inadvertently posted our sub-domain in my initial post (paste / send too quick).  Could you possibly obfuscate that for me?  Thank you again!  

  15. buckh says:

    Hopefully, we'll get it fixed today. I've replaced the account name with <xyz>.

  16. buckh says:

    We now have fixed it so you can set alternate credentials.

  17. Anonymous says:

    Excellent!  Thank you very much for the prompt resolution.  I just verified and it did work as expected.

  18. Shahin says:

    I receive the following error:

    TF14045: The identity Shahin is not a recognized identity.

  19. jzon says:

    How can I make it work using a different programming language? like for example java.

    Because you have a class NetworkCredential, BasicAuthCredential and TfsClientCredentials that other languages don't have.

  20. buckh says:

    jzon, we have Java SDK that is available as part of Team Explorer Everywhere. You can get TEE 2013 at http://www.microsoft.com/…/details.aspx

  21. hemanthbidare says:

    I am getting below error:

    An unhandled exception of type 'Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException' occurred in Microsoft.TeamFoundation.Client.dll

    Additional information: TF30063: You are not authorized to access hemanthbidare.visualstudio.com/DefaultCollection.

    I am using VS2013

  22. buckh says:

    The problem is likely to be incorrect user name and password. Make certain that they match the settings in your profile.

  23. Andy Cottrell says:

    Someone else posted this but I also don't see the credentials or connections tabs when I go to my profile.  I have refreshed the page and nothing.  What do I have to do in order to add the Credentials tab to the My Profile popup?

  24. buckh says:

    Andy, are you using Visual Studio Online or TFS? In TFS, you won't see Credentials in the profile.

  25. Rajasekhar says:

    I am using the above code and getting below error

    An unhandled exception of type 'Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException' occurred in Microsoft.TeamFoundation.Client.dll

    Additional information: TF30063: You are not authorized to access hemanthbidare.visualstudio.com/DefaultCollection.

    I am using VS2013

  26. SHxr says:

    This was clean and easy to read. It looks like its exactly what I want, but I am running visual studio 2010, so I can’t use the other credential classes you mention.

    Is there some other way to authenticate properly into the tfs server? I keep getting Authentication errors:
    TF30063: You are not authorized to access the server.
    TF30064: You are not authorized to access the server.

    1. Buck Hodges says:

      I’m not sure what the possibilities are with 2010, but you can use the TFS 2015 client OM. Here’s a link that explains the NuGet packages: https://blogs.msdn.microsoft.com/buckh/2015/08/10/nuget-packages-for-tfs-and-visual-studio-online-net-client-object-model/

      1. SHxr says:

        I just tried implementing this in a winform in VS 2013, and it throws me the same error I commented about yesterday:
        TF30063: You are not authorized to access the server.

        Why is this still not working?

        By the way – I really appreciate your prompt responses and expansive knowledge on the subject!

        1. SHxr says:

          Is it even possible to do this –
          Create a standalone WinForm that accesses the tfs online code base and returns the latest files into my local windows folder.

          I’ve been looking at this for over a week now, and nothing seems to work.

          1. Buck Hodges says:

            I’d expect you’d be able to use the example from https://blogs.msdn.microsoft.com/buckh/2012/03/10/team-foundation-version-control-client-api-example-for-tfs-2010-and-newer/ and add in the basic auth from this post and get that working. Then add more stuff. Fiddler may be useful for seeing what’s happening. It’s easy to make subtle mistakes with auth, unfortunately.

          2. SHxr says:

            Ok, got everything working. Thanks again for all your help, these links really helped me!

  27. Buck Hodges says:

    SHxr, I’m glad to hear it. Sorry it took so long to get it working.