How to connect to TF Service without a prompt for LiveID credentials


Normally when you connect to the Team Foundation Service you are presented with a web page to log in with your Microsoft Account (aka LiveID). When you log in you can choose to have it remember you and you won’t have to enter your Microsoft Account credentials again (unless you don’t log in again for a long time, and then you’ll be prompted again).

That’s great for humans, but what about an application or another web service that wants to connect? For that the code will need to use “alternate credentials," which you must enable on your account. This is the same setting used to enable basic authentication for git-tf. Then we can write some code to connect to the service with those credentials.

Longer term, we will have OAuth support available as well, but that’s not ready yet.

Enabling Alternate Credentials

You’ll need to first to turn on this feature. First, visit your account or project in a browser, click on your name in the upper right, and then click My Profile.

myprofile

On the User Profile dialog, click on the Credentials tab.

enablecreds

Now provide a password and save the changes.

password

Using Alternate Credentials in code

Before going further, you’ll need to make sure that you have Update 1 for Visual Studio 2012 or newer installed. That update includes enhancements to the TFS client object model to support alternate credentials.

The easiest way to get the latest update is either via clicking on the “toast” notification that pops up from the Windows taskbar or in VS going to Tools –> Extensions and Updates…, clicking on Updates followed by Product Updates and installing the latest update. Alternatively, you can download it here.

You can verify that you have Update 1 (or newer) installed in VS using Help –> About Microsoft Visual Studio.

vshelp

Now that we have the credentials turned on, we’ll now use them from a simple console app.

 

After creating a new console app, add a reference to Microsoft.TeamFoundation.Client.dll, which you will find under v2.0 in ReferenceAssemblies. The client object model for TFS is almost entirely built with .NET 3.5 (CLR 2.0) in order to support running the TFS web parts in SharePoint.

image

Here’s the code.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Text;
using System.Threading.Tasks;

using Microsoft.TeamFoundation.Client;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            NetworkCredential netCred = new NetworkCredential(
                "someone@yahoo.com",
                "password");
            BasicAuthCredential basicCred = new BasicAuthCredential(netCred);
            TfsClientCredentials tfsCred = new TfsClientCredentials(basicCred);
            tfsCred.AllowInteractive = false;

            TfsTeamProjectCollection tpc = new TfsTeamProjectCollection(
                new Uri("https://YourAcct.visualstudio.com/DefaultCollection"),
                tfsCred);

            tpc.Authenticate();

            Console.WriteLine(tpc.InstanceId);
        }
    }
}

I’ve added two using statements, one for System.Net to pull in NetworkCredential and one for Microsoft.TeamFoundation.Client for the TFS classes we’ll need.

The first thing we construct is a standard NetworkCredential object with the username (the email address that you use for your Microsoft Account) and the password that you created for alternate credentials. On the TfsClientCredentials object, we set AllowInteractive to false to prevent a prompt dialog being shown if the credentials are invalid.

In constructing the TfsTeamProjectCollection, we must specify the URL to the collection and the credentials. Note that all connections to accounts in TF Service require https. Currently, there is only one collection per account in TF Service, so it is always DefaultCollection.

Finally, we call Authenticate() to verify that we have supplied the correct credentials and test that it is working by printing the unique InstanceId of the collection.

Now the rest of the TFS client object model is available for use with the TF Service from applications that cannot prompt for credentials.

Enjoy!

Follow me on Twitter at https://twitter.com/tfsbuck

Comments (45)

  1. Imar Spaanjaars says:

    Thanks! This worked great!

    Imar

  2. Misha says:

    Any news on OAuth support? :)

  3. Buck Hodges says:

    Misha, it is coming soon. We have made a lot of progress on it. Still don't have a date to announce.

  4. Steve says:

    Hi, this is great and worked a treat,

    How would I go about simply popping up a live id login prompt and making use of that authentication for my tfs calls?

    Thx

    Steve

  5. Oli says:

    Really wish the 'I Sign in frequently' checkbox worked. I sign in and then literally a minute later, try and do something else and I get shown the login prompt again. Makes matters worse that I have 2 step verification on my live ID.

  6. Buck Hodges says:

    Oli, which client are you using?

  7. Ranvir says:

    An unhandled exception of type 'Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException' occurred in Microsoft.TeamFoundation.Client.dll though credentials are correct. Any help.

  8. Buck Hodges says:

    Ranvir, are you using the same code that I have posted? Have you ensured that the basic auth credentials are enabled and set correctly?

  9. Varun says:

    What if I dont want to store credential in the code (as you have shown) is there an alternative way.

    my code run's under a particular account and I can ensure that account has sufficient privilege to connect to VSO. I would like to leverage WindowsCredential or Credential under which code is running without having to store the password.

  10. Joe says:

    What if the Credentials Tab is not in the my profile page?

  11. Billy Sachse says:

    Hey Buck,

    Thank you very much for the code.  I have been trying to resolve this for quite awhile, now.  I have done everything as instructed, including setting the alternate authentication credentials and stepping through the code.  I'm using Version 12.0.30501.00 Update 2.  I'm still receiving this error: TF30063: You are not authorized to access <xyz>.visualstudio.comDefaultCollection.

    One other note: when I go back into the user profile/credentials tab, it doesn't show that they have been enabled (only a link to enable it).  However, I did receive email confirmation that it was set up.

    I would be happy to provide you any additional specifics, if you could help me figure out what I'm missing.

    Any help you can offer would be greatly appreciated.

  12. Buck Hodges says:

    Joe, try forcing a refresh of the page or clearing the cache. I can't imagine why the Credentials section would be missing.

  13. Buck Hodges says:

    Billy, the problem is on our end. We made a change today that introduced the bug you are hitting, and we are working on it now.

  14. Billy Sachse says:

    Thank you for the reply.  I look forward to hearing from you on the resolution.  I inadvertently posted our sub-domain in my initial post (paste / send too quick).  Could you possibly obfuscate that for me?  Thank you again!  

  15. Buck Hodges says:

    Hopefully, we'll get it fixed today. I've replaced the account name with <xyz>.

  16. Buck Hodges says:

    We now have fixed it so you can set alternate credentials.

  17. Anonymous says:

    Excellent!  Thank you very much for the prompt resolution.  I just verified and it did work as expected.

  18. Shahin says:

    I receive the following error:

    TF14045: The identity Shahin is not a recognized identity.

  19. jzon says:

    How can I make it work using a different programming language? like for example java.

    Because you have a class NetworkCredential, BasicAuthCredential and TfsClientCredentials that other languages don't have.

  20. Buck Hodges says:

    jzon, we have Java SDK that is available as part of Team Explorer Everywhere. You can get TEE 2013 at http://www.microsoft.com/…/details.aspx

  21. I am getting below error:

    An unhandled exception of type 'Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException' occurred in Microsoft.TeamFoundation.Client.dll

    Additional information: TF30063: You are not authorized to access hemanthbidare.visualstudio.com/DefaultCollection.

    I am using VS2013

  22. Buck Hodges says:

    The problem is likely to be incorrect user name and password. Make certain that they match the settings in your profile.

  23. Andy Cottrell says:

    Someone else posted this but I also don't see the credentials or connections tabs when I go to my profile.  I have refreshed the page and nothing.  What do I have to do in order to add the Credentials tab to the My Profile popup?

  24. Buck Hodges says:

    Andy, are you using Visual Studio Online or TFS? In TFS, you won't see Credentials in the profile.

  25. Rajasekhar says:

    I am using the above code and getting below error

    An unhandled exception of type 'Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException' occurred in Microsoft.TeamFoundation.Client.dll

    Additional information: TF30063: You are not authorized to access hemanthbidare.visualstudio.com/DefaultCollection.

    I am using VS2013

  26. SHxr says:

    This was clean and easy to read. It looks like its exactly what I want, but I am running visual studio 2010, so I can’t use the other credential classes you mention.

    Is there some other way to authenticate properly into the tfs server? I keep getting Authentication errors:
    TF30063: You are not authorized to access the server.
    TF30064: You are not authorized to access the server.

    1. Buck Hodges says:

      I’m not sure what the possibilities are with 2010, but you can use the TFS 2015 client OM. Here’s a link that explains the NuGet packages: https://blogs.msdn.microsoft.com/buckh/2015/08/10/nuget-packages-for-tfs-and-visual-studio-online-net-client-object-model/

      1. SHxr says:

        I just tried implementing this in a winform in VS 2013, and it throws me the same error I commented about yesterday:
        TF30063: You are not authorized to access the server.

        Why is this still not working?

        By the way – I really appreciate your prompt responses and expansive knowledge on the subject!

        1. SHxr says:

          Is it even possible to do this –
          Create a standalone WinForm that accesses the tfs online code base and returns the latest files into my local windows folder.

          I’ve been looking at this for over a week now, and nothing seems to work.

          1. Buck Hodges says:

            I’d expect you’d be able to use the example from https://blogs.msdn.microsoft.com/buckh/2012/03/10/team-foundation-version-control-client-api-example-for-tfs-2010-and-newer/ and add in the basic auth from this post and get that working. Then add more stuff. Fiddler may be useful for seeing what’s happening. It’s easy to make subtle mistakes with auth, unfortunately.

          2. SHxr says:

            Ok, got everything working. Thanks again for all your help, these links really helped me!

  27. Buck Hodges says:

    SHxr, I’m glad to hear it. Sorry it took so long to get it working.

  28. Deepika Rao says:

    Hi Buck,
    I do not have “Alternate credentials” enabled for my account. Isn’t there another way to connect?
    What about “Personal Token” / “OAuth”??

    1. Buck Hodges says:

      Deepika, you could use PATs as a direct replacement. You should be able to put whatever you want for the user name, and the password in the code above should be the PAT.

      1. Deepika Rao says:

        Hi Buck,
        Is this code and library reference applicable in VS2013 . I am trying the same code with Personal Access Token as suggested. I am still getting the “TF30063: You are not authorized to access…” at tpc.Authenticate().

        1. Deepika Rao says:

          I was able to connect using the PAT…Error got resolved when I gave username as string.Empty ..

          1. Buck Hodges says:

            Deepika, glad to hear that you got it working. I wasn’t expecting that the user name had to be blank

    2. Deepika Rao says:

      Hi Buck,
      Our requirement changed. Now, we want the windows application to prompt for the liveid credentials.
      That is, whenever our app tries to connect to TF Service, it should initiate phone authentication (by default).
      Is it possible to do from windows application? Please share sample code snippet.

      1. Buck Hodges says:

        In that case then set AllowInteractive to true (that’s also the default).

        1. Deepika Rao says:

          Tried that as well…But did not work…I am still getting the error “TF30063: You are not authorized to access ….”

          1. Buck Hodges says:

            Are you still setting the password and all? I wrote the post because if you follow the usual examples you get the web UI pop up prompting for credentials since it is the default. You have to do something different to avoid the prompt.

          2. Deepika Rao says:

            No, I am not setting the password and all. and based on usual code I am connecting to TFS as below expecting a web UI pop-up

            Tpc = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri(“https://myvso.visualstudio.com/DefaultCollection”));
            WorkItemStore store = (WorkItemStore)Tpc.GetService(typeof(WorkItemStore));

            But I am getting the error message instead.

          3. Buck Hodges says:

            Try calling Authenticate() on the TeamProjectCollection.

  29. Deepika Rao says:

    It is observed that, if I try to connect to the VSO during windows form initialization, the exception occurs. But if the connection is being established after the form is up (for example during a button click action), then I am getting the popup for live-id login.

    Any knowledge why it happens that way. Does the windows form initialization purposefully suppress such prompts / pop-up?

    1. Buck Hodges says:

      I don’t understand the question. Are you calling Authenticate() from multiple threads at the same time?