Team Foundation Server Administration Tool

Patch Uploaded: #14458

vuanhduy18 — Fri, 10 May 2013 06:30:11 GMT

vuanhduy18 has uploaded a patch.

Description:
dsdsd

New Post: Does this tool support SharePoint 2013?

mskold — Sun, 14 Apr 2013 09:11:15 GMT

Hi Leo
Please note that SP2013 still supports Classic authentication, but you can only configure it through PowerShell, not from the UI.
For more info abou sp2013 authentication, please refer to http://technet.microsoft.com/en-us/library/jj219571.aspx

New Post: Does this tool support SharePoint 2013?

mskold — Sun, 14 Apr 2013 09:11:15 GMT

New Post: Does this tool support SharePoint 2013?

mskold — Sun, 14 Apr 2013 09:11:15 GMT

New Post: Does this tool support SharePoint 2013?

lgrin7654321 — Sat, 13 Apr 2013 21:55:11 GMT

Hi gholliday,

One thing to keep in mind is that it seems that SharePoint 2013 supports ONLY claims-based authentication now. The way to Tool is now, it doesn create a permissions entry in SharePoint for classic-mode (Windows domain) authentication, but that entry doesn't grant the rights to SharePoint that it says (so if you use the Tool to give someone Full Control of a SharePoint portal, there is a classic-mode entry in SharePoint permissions that says "Full Control," but the user will get denied when they try anything on the portal.)

So I think that for SharePoint 2013, you not only have to support claims-based authentication, but you have to make sure the Tool never tries to grant classic-mode authentication as it does now. This is only for SharePoint 2013 -- TFS 2012 seems to support both modes, as you noted.

What I don't get is, if SharePoint doesn't allow classic-mode authentication anymore, why does it still let the tool create those entries in SharePoint permissions? Probably a bug that Microsoft needs to fix.

Leo

New Post: Does this tool support SharePoint 2013?

lgrin7654321 — Sat, 13 Apr 2013 21:55:11 GMT

New Post: Does this tool support SharePoint 2013?

lgrin7654321 — Sat, 13 Apr 2013 21:55:11 GMT

Commented Issue: Tool 2.2 doesn't work with SharePoint 2013 Claims-based authentication [33950]

gholliday — Tue, 09 Apr 2013 23:48:10 GMT

We're having trouble using the TFS Administration Tool 2.2 with SharePoint 2013. The tool creates an entry in the SharePoint website's PERMISSIONS list, but that entry doesn't seem to grant the requisite rights.

Turns out that SharePoint 2013 only supports Claims-based authentication (the "i:0#.w|" prefix at the beginning of the permission username in SharePoint 2013 denotes this mode of authentication). So only by granting rights directly in SharePoint (and verifying that you have the "i:0#.w|" prefix) can you get the new rights to work.

The TFS Administration Tool, on the other hand, grants rights using Classic mode Authentication (windows domain\user), which has been deprecated in SharePoint 2013. So until the Tool is updated to administer SharePoint rights using claims-based authentication, it won't work for SharePoint 2013 (and furthermore, you'll have duplicate entries for users in SharePoint permissions, one entry being for Claims-based authentication, and another for Classic mode authentication).

Here are some links that help explain this:

http://sharepointengineer.blogspot.com/2012/10/i0w-claims-or-classic-authentication.html#!/2012/10/i0w-claims-or-classic-authentication.html
(explains the meaning of the "i:0#.w|" prefix.)

http://technet.microsoft.com/en-us/library/jj906556.aspx
Key line: “The most common reason for failed authorization when you are using Security Assertion Markup Language (SAML) claims-based authentication is that the permissions were assigned to a user's Windows-based account (domain\user) instead of the user's SAML identity claim.”

http://extreme-sharepoint.com/2013/03/07/claims-based-authentication/
Key text: The latest version of SharePoint – SP 2013 – supports only Claims based Authentication. From Central Admin, when you create a web application, you can only specify authentication types and methods for claims-based authentication ( See below screenshot). [Note: Windows Classic mode authentication is deprecated in SharePoint 2013 and can be configured through Windows PowerShell only if needed. However, it is not recommended practice. ]
Comments: ** Comment from web user: gholliday **

More details in this discussion thread: https://tfsadmin.codeplex.com/discussions/434002

New Post: Does this tool support SharePoint 2013?

gholliday — Tue, 09 Apr 2013 23:46:38 GMT

Thanks for the detailed issue report.

I've had confirmation that TFS2012 and SharePoint 2013 in claims-based authentication mode is a supported configuration (* see below), so we'll make sure support for claims-based identities gets added to the TFSAdmin tool in a future release.

The TFS docs for sharepoint say that “NTLM is the recommended authentication”, but don't explicitly rule-out claims-based authentication.
http://msdn.microsoft.com/en-us/library/vstudio/dd578615.aspx
http://msdn.microsoft.com/en-us/library/vstudio/hh667648.aspx

The TFS / Project Server Integration docs explicitly call it out as not supported, but it’s not clear whether that applies ONLY when integrating with TFS/Project Server
http://msdn.microsoft.com/en-us/library/vstudio/hh674251.aspx

New Post: Does this tool support SharePoint 2013?

gholliday — Tue, 09 Apr 2013 23:46:38 GMT

The TFS docs for sharepoint say that “NTLM is the recommended authentication”, but don't explicitly rule-out claims-based authentication.
http://msdn.microsoft.com/en-us/library/vstudio/dd578615.aspx
http://msdn.microsoft.com/en-us/library/vstudio/hh667648.aspx

New Post: Does this tool support SharePoint 2013?

gholliday — Tue, 09 Apr 2013 23:46:38 GMT

The TFS docs for sharepoint say that “NTLM is the recommended authentication”, but don't explicitly rule-out claims-based authentication.
http://msdn.microsoft.com/en-us/library/vstudio/dd578615.aspx
http://msdn.microsoft.com/en-us/library/vstudio/hh667648.aspx

Created Issue: Tool 2.2 doesn't work with SharePoint 2013 Claims-based authentication [33950]

lgrin7654321 — Tue, 09 Apr 2013 00:20:33 GMT

New Post: Does this tool support SharePoint 2013?

lgrin7654321 — Tue, 09 Apr 2013 00:15:12 GMT

Hi tjanders,

We were also having this issue, so I did some research.

Turns out that SharePoint 2013 only supports Claims-based authentication (the "i:0#.w|" prefix denotes this mode of authentication). So only by granting rights directly in SharePoint (and verifying that you have the "i:0#.w|" prefix) can you get the new rights to work.

The TFS Administration Tool, on the other hand, grants rights using Classic mode Authentication (windows domain\user), which has been deprecated in SharePoint 2013. So until the Tool is updated to administer SharePoint rights using claims-based authentication, it won't work for SharePoint 2013 (and furthermore, you'll have duplicate entries for users in SharePoint permissions, one entry being for Claims-based authentication, and another for Classic mode authentication).

Here are some links that help explain this:

http://sharepointengineer.blogspot.com/2012/10/i0w-claims-or-classic-authentication.html#!/2012/10/i0w-claims-or-classic-authentication.html
(explains the meaning of the "i:0#.w|" prefix.)

http://technet.microsoft.com/en-us/library/jj906556.aspx
Key line: “The most common reason for failed authorization when you are using Security Assertion Markup Language (SAML) claims-based authentication is that the permissions were assigned to a user's Windows-based account (domain\user) instead of the user's SAML identity claim.”

http://extreme-sharepoint.com/2013/03/07/claims-based-authentication/
Key text: The latest version of SharePoint – SP 2013 – supports only Claims based Authentication. From Central Admin, when you create a web application, you can only specify authentication types and methods for claims-based authentication ( See below screenshot). [Note: Windows Classic mode authentication is deprecated in SharePoint 2013 and can be configured through Windows PowerShell only if needed. However, it is not recommended practice. ]

Hope this helps.

Leo

New Post: Does this tool support SharePoint 2013?

lgrin7654321 — Tue, 09 Apr 2013 00:15:12 GMT

New Post: Does this tool support SharePoint 2013?

lgrin7654321 — Tue, 09 Apr 2013 00:15:12 GMT

Created Issue: Null reference in v2.2 in cloud service [33889]

msawczyn — Sun, 17 Mar 2013 19:08:04 GMT

Attaching to Team Foundation __Service__ (not Server), and then double clicking the project gave me the following:

```
3/17/2013 3:00:35 PM: Exception occurred
Type: System.NullReferenceException
Message: Object reference not set to an instance of an object.
InnerException: -
Source: TFSAdministrationTool.Proxy
Target: TFSAdministrationTool.Proxy.Common.WssVersion GetVersion()
Stacktrace: at TFSAdministrationTool.Proxy.SharePointProxy.GetVersion() in d:\Code\tfsadmin\Main\src\TFSAdministrationTool.Proxy\SharePointProxy.cs:line 238

```

Nothing further appeared in the UI after that, even after refreshing. Full output is below.

```
3/17/2013 2:59:38 PM: TFS Administration Tool (2.2.0.0) has started
3/17/2013 2:59:47 PM: Button clicked: Server Explorer CONNECT
3/17/2013 3:00:06 PM: Connecting to Team Project Collection: xxx.visualstudio.com\DefaultCollection
3/17/2013 3:00:10 PM: Successfully connected to Team Project Collection: xxx.visualstudio.com\DefaultCollection (Tfs2010)
3/17/2013 3:00:35 PM: Exception occurred
Type: System.NullReferenceException
Message: Object reference not set to an instance of an object.
InnerException: -
Source: TFSAdministrationTool.Proxy
Target: TFSAdministrationTool.Proxy.Common.WssVersion GetVersion()
Stacktrace: at TFSAdministrationTool.Proxy.SharePointProxy.GetVersion() in d:\Code\tfsadmin\Main\src\TFSAdministrationTool.Proxy\SharePointProxy.cs:line 238
3/17/2013 3:00:35 PM: Selecting Team Project: xxxxx
3/17/2013 3:00:35 PM: Getting list of users for Team Foundation Server: xxx.visualstudio.com\DefaultCollection, Team Project: xxxxx
3/17/2013 3:00:39 PM: UserGroup.Url: https://xxx.visualstudio.com/defaultcollection//xxxxx/_vti_bin/DummyUsergroup.asmx
3/17/2013 3:00:39 PM: SharePoint site status: Unavailable
3/17/2013 3:00:39 PM: SharePoint version: Unknown
3/17/2013 3:00:39 PM: PortalType: WebSite
3/17/2013 3:00:39 PM: ReportingService.Url: https://xxx.visualstudio.com/defaultcollection//DummyReportServiceUrl.asmx
3/17/2013 3:00:39 PM: Reporting Services site status: Unavailable
3/17/2013 3:00:39 PM: ReportWebServiceUrl: https://xxx.visualstudio.com/defaultcollection/
3/17/2013 3:00:39 PM: Initializing roles
3/17/2013 3:00:39 PM: Initializing roles mapping
3/17/2013 3:01:07 PM: Button clicked: Users list REFRESH
3/17/2013 3:01:07 PM: Selecting Team Project: xxxxx
3/17/2013 3:01:07 PM: Getting list of users for Team Foundation Server: xxx.visualstudio.com\DefaultCollection, Team Project: xxxxx
3/17/2013 3:01:11 PM: UserGroup.Url: https://xxx.visualstudio.com/defaultcollection//xxxxx/_vti_bin/DummyUsergroup.asmx
3/17/2013 3:01:11 PM: SharePoint site status: Unavailable
3/17/2013 3:01:11 PM: SharePoint version: Unknown
3/17/2013 3:01:11 PM: PortalType: WebSite
3/17/2013 3:01:11 PM: ReportingService.Url: https://xxx.visualstudio.com/defaultcollection//DummyReportServiceUrl.asmx
3/17/2013 3:01:11 PM: Reporting Services site status: Unavailable
3/17/2013 3:01:11 PM: ReportWebServiceUrl: https://xxx.visualstudio.com/defaultcollection/
3/17/2013 3:01:11 PM: Initializing roles
3/17/2013 3:01:11 PM: Initializing roles mapping

```

New Post: Does this tool support SharePoint 2013?

tjanders — Thu, 21 Feb 2013 18:03:16 GMT

We are currently running TFS 2012 with SharePoint 2013 database version 15.0.4420.1017. When using the TFS Admin Tool version 2.2 to grant SharePoint permissions, the permissions do not work properly after they are committed. The users are added to the SharePoint portal site with the permissions specified in the TFS Admin Tool, but the user permissions are not respected by SharePoint. In other words, the users are listed in SharePoint Site Permissions with "Full Control", but running "Check Permissions" for that user results in "None". The users added by the TFS Admin Tool have the account format <Domain>\<UserName>.

Granting the permissions directly from the Site Permissions page in SharePoint allows the permissions to work, but creates a second user of the same name with a different account. The users created by SharePoint have the account format i:0#.w|<Domain>\<UserName>.

What is the "i:0#.w|" prefix added by SharePoint, and is this a bug in the TFS Admin Tool for not adding the same thing, or some quirk about SharePoint I don't fully understand?

New Post: Does this tool support SharePoint 2013?

tjanders — Thu, 21 Feb 2013 18:03:16 GMT

New Post: Does this tool support SharePoint 2013?

tjanders — Thu, 21 Feb 2013 18:03:16 GMT

Commented Issue: Get a list of effective permissions for a given user [21558]

jimpeak — Wed, 20 Feb 2013 01:00:08 GMT

<p>Currently there is no way to get a list of permissions for a given user across a TFS instance. Many auditors are looking for this informaiton and there is no good story around it right now or for TFS 2010 at this point.</p>
Comments: ** Comment from web user: jimpeak **

The Attrice Permissions Sidekick may do what you need- it's freeware.
..List of sidekicks: [http://www.attrice.info/cm/tfs/](http://www.attrice.info/cm/tfs/)
..Permissions screen: [http://www.attrice.info/images/permission_sk_screen.png](http://www.attrice.info/images/permission_sk_screen.png)

Also, here's some code to show permissions- posted in 2006, but perhaps still of help.
..Post title is "Code snippet: What are my effective permissions {globally, to an item}?, in James Manning's blog on MSDN.
..[http://blogs.msdn.com/b/jmanning/archive/2006/01/09/510800.aspx](http://blogs.msdn.com/b/jmanning/archive/2006/01/09/510800.aspx)