Configure TFS authentication for your private build and release agents

Last Update: 3/6/2017

TFS 2017 | TFS 2015 | Previous versions (XAML builds)

When you deploy a private agent, you choose how the agent will authenticate to your Team Foundation Server (TFS). Here we'll show you how to configure TFS to enable your agents to use different authentication methods.

Log on to your server

Log on to the machine where you are running TFS.

Configure authentication

Alternate

Configure basic authentication. See https://github.com/Microsoft/tfs-cli/blob/master/docs/configureBasicAuth.md.

Integrated

Start Internet Information Services (IIS) Manager. Select your TFS site and make sure Windows Authentication is enabled with a valid provider such as NTLM or Kerberos.

Negotiate

Start Internet Information Services (IIS) Manager. Select your TFS site and make sure Windows Authentication is enabled with the Negotiate provider and with another method such as NTLM or Kerberos.
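
The Integrated and Negotiate requirements above can also be checked from a script rather than by eye in IIS Manager. The following PowerShell is an added example, not part of the original page or of Microsoft's tooling; the function name Test-AgentWindowsAuth is hypothetical, and the XML is a constructed sample of the windowsAuthentication section in the form appcmd.exe prints it.

```powershell
# Constructed sample. On the TFS machine, capture the real section instead with:
#   $exe = "$env:windir\system32\inetsrv\appcmd.exe"
#   $sec = 'system.webServer/security/authentication/windowsAuthentication'
#   $xmlText = (& $exe list config '<your TFS site name>' "-section:$sec") -join "`n"
$xmlText = @'
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>
'@

function Test-AgentWindowsAuth {   # hypothetical helper name
    param(
        [string]$SectionXml,
        [ValidateSet('Integrated', 'Negotiate')][string]$Method
    )
    $node = ([xml]$SectionXml).SelectSingleNode('//windowsAuthentication')
    if (-not $node -or $node.GetAttribute('enabled') -ne 'true') {
        return 'FAIL: Windows Authentication is not enabled on the site'
    }
    # Provider order is preserved as configured in IIS.
    $providers = @($node.SelectNodes('providers/add') |
        ForEach-Object { $_.GetAttribute('value') })
    if ($providers.Count -eq 0) { return 'FAIL: no providers configured' }
    if ($Method -eq 'Negotiate') {
        if ($providers -notcontains 'Negotiate') {
            return "FAIL: Negotiate provider missing (found: $($providers -join ', '))"
        }
        if ($providers.Count -lt 2) {
            return 'FAIL: Negotiate is the only provider; add another such as NTLM'
        }
    }
    return "OK for ${Method}: providers = $($providers -join ', ')"
}

Test-AgentWindowsAuth -SectionXml $xmlText -Method Integrated
Test-AgentWindowsAuth -SectionXml $xmlText -Method Negotiate
```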

PAT

Personal access token (PAT) authentication is available in TFS 2015 Update 3 or newer and TFS 2017 RTM and newer. To use PAT, your server must be configured with HTTPS. See Web site settings and security.

Deploy your agent

TFS 2017

TFS 2015