Command-Line Authentication for Team Explorer Everywhere
You need to authenticate yourself to Team Foundation Server before you perform any version control operations. Here’s how: you can use the –login option to specify your credentials when you use any command in the tf command-line tool; if you set the TF_AUTO_SAVE_CREDENTIALS environment variable, you can also use the –login option to save your credentials in a credentials cache; if you have installed and configured the vendor supplied Kerberos libraries and tools, you can authenticate to the server by using Kerberos over the Negotiate (SPNEGO) protocol.
In this topic
The –login Option
Saving Credentials in the Credentials Cache
Changing Your User Name and Password
Using Kerberos Ticket
The –login option
You can use the –login option to specify your credentials. Here are two formats for this option:
-login:domain\username,password
-login:username@domain,password
You will be prompted to specify your credentials if you have not stored them and you try to run a tf command without this option. If you try to run a tf command with this option but you do not specify a password, you will be prompted to specify one.
Warning
Your password could be visible to other users on the same computer if you use –login option to specify password. However, using the automatic prompt to input your password can help to protect it from being seen by others.
The following examples demonstrate how to use the –login option:
This example specifies the domain as “company”, the user name as “John”, and the password as “Se^%cret1”.
-login:company\john,Se^%cret1
Important
If you are using Unix shells, you must precede the username and password with another backslash to preserve the literal value of the character. For example, -login:company\\john,Se^%cret1.
This example specifies the same credentials as the previous example but in a different format.
-login:john@company,Se^%cret1
This example supplies an empty password by following the user and domain names with a comma.
-login:john@company,
This example supplies no password at all. In this case, the command-line client will prompt the user for the missing password.
-login:join@company
This example is surrounded by double quotes because the credentials contain characters that shell programs consider special. User names, domains, and passwords might require quoting or escaping to be passed correctly to the tf command-line tool.
“-login:john\company, Se^%cret1”
Important
If you use the –noprompt option, you will not receive any prompt from the tf command-line tool.
Saving credentials in the credentials cache
If you set the TF_AUTO_SAVE_CREDENTIALS environment variable to any value, such as “0”, and then run a tf command with the –login option, you can automatically save the credentials to the credentials cache. After you take these steps, you do not need to specify authentication information each time that you run a tf command.
Note
For more information, see Set Environment Variables (Team Explorer Everywhere).
Changing your username and password
When you change your Active Directory credentials, such as username, domain name, or password, you also need to update your credentials with the tf command-line tool so that you can continue connecting to Team Foundation Server.
If you have enabled saving credential automatically in the credentials cache, provide your new credentials by using the –login option once. tf will update the saved credentials in the cache.
If you have not enabled automatic credential saving in the cache, supply your new credentials with the –login option or at the interactive prompts each time when you are connecting to Team Foundation Server.
Using a Kerberos ticket
You can authenticate to correctly configured instances of Visual Studio Team Foundation Server by using Kerberos over the Negotiate (SPNEGO) protocol. By using authentication with a Kerberos ticket, you can more securely authenticate from supported clients to your server without providing your password. After you obtain a Kerberos ticket, you can configure the command-line client to use Kerberos.
To use Kerberos authentication in the Cross-platform Command-Line Client for Team Foundation Server, you must set the profile property useDefaultCredentials to the value true. For example, to enable Kerberos authentication for the profile ProfileName, use the following command:
tf profile -edit -boolean:useDefaultCredentials=true ProfileName
If you receive an authentication error, you must make sure that Kerberos is configured correctly on both your instance of Team Foundation Server and on your local computer.
For more information, see Authentication by using Kerberos Tickets.