Using Visual Studio Team Services you have to enable Alternative Credentials in order to be able to connect to TFS Git Repo. using Eclipse or any other Git Client,
My problem is i want to connect to TFS on-premises Git repo. using Eclipse but there is no way to enable Alternative Credentials, any way to enable Alternative Credentials to be able to do that ? or can i do it other way?
TFS15 now supports Personal Access Tokens and SSH access, so your question isit's not entirely off the mark. There are scenario's where connecting using NTLM or kerberos security is not possible, but as #edward-thomson pointed out, the alternate credential is still linked to a domain account and should not be handed out to 3rd parties.
Instead users will need to be added to Active Directory, or a trust relation (or Federation) needs to be in place so the user is able to join using it's own orgs AD account.
If you're using Git, you could opt to also store the repository on Visual Studio Team Services and push/pull between that and your own TFS server. That way you can give 3rd parties access using their MSA or AAD account, while keeping the main repository secured using AD accounts only. Given the fact that Git is able to transfer data and history with ease, that's not an entirely weird scenario. It fits with the whole Distributed nature of Git quite well.
Related
I am building a web application where users have to provide my web application access to their repositories in GitHub| Bit bucket| Git Lab | any other code hosting platform.
I have implemented it through OAuth2 for which I had to create client applications on all platforms separately.
Initially it was scoped only to GitHub | Bit Bucket but now I want my web application to support all other major platforms as well.
So my current implementation requires me to create client applications for all other plat platforms which is a hectic because We want to give support for On-Premise version control system as well.
Is there a secure and generic way to authorize to version control system ?
One solution is that user directly provide their Personal Access Tokens (Encrypted) to my web application so that my application can save these PAT and use them to pull the repositories in future.
But I wonder if this is a secure enough or a standard method. If not then what might be the appropriate solution to this problem.
You might need to use an Oauth2 provider like:
dexidp/dex, an identity service that uses OpenID Connect to drive authentication for other apps.
Dex acts as a portal to other identity providers through "connectors", which do support your targets
or casdoor, an Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, including some of your targets.
Oauth2 is not the only option, as illustrated by SmartGit
After some reflection I realized that I actually haven’t had authentication problems with SmartGit and Azure DevOps for quite a while, so I spent some time experimenting to figure out just how SmartGit is authenticating to my repos in Azure DevOps.
I ultimately determined that it uses Personal Access Tokens via the Git Credential Manager.
So explicit support of PATs by SmartGit probably isn’t a critical feature after all. When you install Git (on Windows at least), you have the option to install the Git Credential Manager as well.
As long as you do that you should have smooth sailing.
I want to know if it's possible to connect my github enterprise account of my organization to vs code, and if so how?
I know how to sign in with a normal github account on vs code but it doesn't work for github enterprise. I already looked up online but couldn't find any answers.
In the vs code settings there is an option called github enterprise: Uri. I put there the url of my github organization "github.organizationname.com" but I don't know what else I need to do.
Here's what worked for me on vs code 1.62.3.
Clone the GitHub Enterprise repo outside of vs code (ie, using git cli in a terminal or GitHub Desktop).
In vs code, open the folder containing the cloned repo.
And just like magic, it works. If you click on the source control tab in vs code, you can pull changes and make commits. Actually, it might not work quite yet if your cloned project doesn't have your personal access token saved. If you need to do that, you can find instructions in this answer to a different question
I have set it up in the vscode settings like so:
Then it asked for my personal access token. This is token can be created under "settings" -> "developer options"
see: https://docs.github.com/en/enterprise-server#3.4/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
It is possible to login using GitHub enterprise from VS Code without using personal access token or SSH keys. User can login by SSO if session already exist in browser else will need to sign in using their credentials. One of the ways to achieve this is to install Git Credential Manager. Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux.
Compared to Git's built-in credential helpers (Windows: wincred, macOS: osxkeychain, Linux: gnome-keyring/libsecret) which provides single-factor authentication support working on any HTTP-enabled Git repository, GCM provides multi-factor authentication support for Azure DevOps, Azure DevOps Server (formerly Team Foundation Server), GitHub, Bitbucket, and GitLab.
For installing GCM based on OS follow the given link:
https://github.com/GitCredentialManager/git-credential-manager
Once GCM is installed and you try to clone a repository you will be able to see Enterprise login page. This can be achieved by using other Git Oauth Authorized Apps such as GitHub CLI.
Another option is to access with you microsoft email and then , the Github enterprise signing option will be added in "Account" just click it and you now will have access to GithubEnterprise
Account bottom in green
more reference here is the link:
https://learn.microsoft.com/en-us/visualstudio/ide/work-with-github-accounts?view=vs-2022
Does anybody know if it is possible to prevent a user of Azure DevOps from being able to see code on the web interface and force to checkout locally in order to see it. I am looking this feature in Team Foundation Server 2015 as well.
Does anybody know if it is possible to prevent a user of Azure DevOps from being able to see code on the web interface and force to checkout locally in order to see it.
To achieve this, we could set the access level of that specify user as stakeholder.
In this case, that user do not have permissions to see code on the web interface:
To checkout it locally, we could provide a PAT, which have permission access the repo to the user, so that that user could use git command line to checkout it:
git clone <repo>(https://<PAT>#dev.azure.com/<OrganizationName>/MyTestProject/_git/TestSample) <directory>
Besides, this method should also work for Team Foundation Server 2015.
Update:
is it posible to just restrict view of code on the web for a user with
a visual studio subscription, the porblem is that an stakeholder might
be very limited...
The answer is yes. Go to the Project Settings-> Repositories-> Add a specify user and set the Read permission as Deny:
Then we could not acess the code on the web UI:
We have this VSTS online account, and we want to see a list of all mapped workspaces of all users in one place.
We know that we can go to each developer's PC and use tf.exe workspaces to get the list of workspaces on that machine.
But we need to do it without going to each developer's PC. The reason we need this is that we suspect some team members use their credentials and map a workspace on a machine outside our company's environment, without our permission.
Is there a way to see all mapped workspaces in one central place?
The easiest way is to use something like Attrice TFS Sidekicks. It should work with VSTS, even if it doesn't say it does.
However, the more permanent solution is to set up conditional access in your Azure AD. That allows you to add restrictions so that your users cannot log in from outside your network.
(I know it's an old post, but researching for my own purposes...)
Extrapolating off of how to remove TFS workspace mapping for another user
The following worked for me:
>tf.exe workspaces /collection:https://contoso.visualstudio.com/ /owner:*
When using visual studio online, we want to ensure that contractors or developer working on project could only check-in and check-out using our given laptops.
Has anyone found a way to restrict access to code from a certain machines in Visual studio Online?
Can we somehow log who checked code out and from which machine at what time?
There is currently no way to restrict access to VSO by IP address. It is something we are considering. What you can do is to enable two-factor authentication in your Azure Active Directory tenant.
There's no way to currently log who has checked out code. The closest you could get would be to periodically query for the workspaces in the account if you are using TFVC. There's no way for you to track clones of Git repos.