Authentication by using Kerberos Ticket
You can authenticate to correctly configured instances of Visual Studio Team Foundation Server by using Kerberos over the Negotiate (SPNEGO) protocol. By using authentication with a Kerberos ticket, you can more securely authenticate from supported clients to your server without providing your password. After you obtain a Kerberos ticket, you can configure your client for Team Explorer Everywhere to use Kerberos.
In this topic
When you are prompted for authentication information in the Team Foundation Server plug-in for Eclipse, you can specify Authenticate as currently logged-in user instead of providing your Windows domain credentials. If you specify this option, you will authenticate by using your Kerberos ticket.
If Authenticate as currently logged-in user is available in the Add New Server dialog box, you must ensure that Kerberos is configured correctly on both your instance of Team Foundation Server and on your local computer.
For more information about how to connect to an instance of Team Foundation Server, see Connecting to Team Projects.
To use Kerberos authentication in the Cross-platform Command-Line Client for Team Foundation Server, you must set the profile property useDefaultCredentials to the value true. For example, to enable Kerberos authentication for the profile ProfileName, use the following command:
tf profile -edit -boolean:useDefaultCredentials=true ProfileName
If you receive an authentication error, you must make sure that Kerberos is configured correctly on both your instance of Team Foundation Server and on your local computer.
Visual Studio Team Foundation Server 2010 is configured to accept Kerberos authentication by default. You have to follow the steps in this section only if you are using Visual Studio Team System 2008 Team Foundation Server.
By default, Team Foundation Server and Internet Information Services are not configured to allow Kerberos authentication. Your network administrator might have to configure Kerberos manually.
Configure Internet Information Services to support Kerberos
Internet Information Services (IIS) must be configured to allow the Negotiate protocol for Kerberos authentication. For more information, see the following page on the Microsoft website: 215383: How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication.
Register the correct service principal name (SPN) for the server
After you configure IIS to allow the Negotiate protocol, you might have to configure the SPN for your instance of Team Foundation Server. For example, to bind your server that is running Team Foundation Server to the user Domain\UserName, use the following command:
setspn -a http/tfs.example.com Domain\UserName
For more information, see the following page on the Microsoft website: Setspn Overview: Active Directory.
The following sections describe methods to resolve common issues that you might encounter when you try to use Kerberos authentication.
Verify that Kerberos authentication is enabled on your instance of Team Foundation Server
This section applies to clients of Team Foundation Server on computers that are not running a Windows operating system. Team Explorer Everywhere clients that run on a Windows operating system use Microsoft Security Support Provider Interface (SSPI) for authentication. On other operating systems, Team Explorer Everywhere clients support Massachusetts Institute of Technology (MIT) and Heimdal implementations of Kerberos.
To test Kerberos authentication, access your instance of Team Foundation Server by using its uniform resource identifier (URI) in a browser that supports Kerberos authentication. Internet Explorer, Mozilla Firefox, and Apple Safari support authentication by using a Kerberos ticket via the Negotiate protocol. For example, you might use the following address:
When you open this page, you should not be prompted for a password, and an error should not indicate that the Directory Listing is Denied. If you are prompted for a password, Kerberos authentication is not functioning correctly.
If you are using Firefox, you must also verify that the URI of your instance of Team Foundation Server is in the list of Negotiate Trusted URIs (network.negotiate-auth.trusted-uris) in your Firefox configuration. For more information, see the following page on the MozillaZine website: About:config.
Verify that you have obtained a Kerberos Ticket-Granting Ticket (TGT)
At a command prompt, run the following command:
A valid ticket should appear for the service principal krbtgt/Domain@Domain. If you do not have a ticket for the krbtgt service principal, you cannot authenticate by using Kerberos. Consult your network administrator or your operating system documentation for information about how to obtain a Kerberos TGT.
Verify that the correct Kerberos libraries are loaded
Clients of Team Explorer Everywhere support MIT and Heimdal-based Kerberos distributions that support Kerberos 5 and General Security Services Application Program Interface (GSSAPI). The most recent version of MIT Kerberos is recommended, especially when Active Directory is used as the Key Distribution Center (KDC). If you upgrade Kerberos libraries, you may have to override the default search path by using the LD_LIBRARY_PATH environment variable (on most operating systems), the SHLIB_PATH environment variable (on HP-UX), or the LIBPATH environment variable (on AIX).
For more information, contact your system administrator or Kerberos vendor.