TeamCity 3.0 Help

Authentication Settings

Out-of-the-box TeamCity Enterprise edition supports three Authentication Scheme:

Active authentication scheme is configured in the auth-type section of the main-config.xml file located in the <TeamCity data directory> /config directory, for example:

<auth-type> <!-- Active login module class, see below --> <login-module class="jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule" /> <!-- Welcome message displayed to users on login form --> <login-description>Welcome to TeamCity, your team building environment!</login-description> <!-- Whether anonymous "view-only" logins are allowed (true|false) --> <guest-login allowed="true" /> <!-- Allow users to self-register (only for modules which support this feature, e.g. DefaultLoginModule) (true|false) --> <free-registration allowed="false" /> </auth-type>

Authentication type is defined by the login module, welcome message and the possibility to use anonymous login. Built-in login modules are:

  • jetbrains.buildServer.serverSide.impl.auth.DefaultLoginModule for Default Authentication

  • jetbrains.buildServer.serverSide.impl.auth.NTDomainLoginModule for Windows Domain Authentication

  • jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule for LDAP Authentication

Default Authentication

Configuration of /config/main-config.xml:

<auth-type> <login-module class="jetbrains.buildServer.serverSide.impl.auth.DefaultLoginModule" /> <!-- Welcome message displayed to users on login form --> <login-description>Welcome to TeamCity, your team building environment!</login-description> <!-- Whether anonymous "view-only" logins are allowed (true|false) --> <guest-login allowed="true" /> <!-- Allow users to self-register (only for modules which support this feature, e.g. DefaultLoginModule) (true|false) --> <free-registration allowed="true" /> </auth-type>

Users database is maintained by TeamCity. New users are added by TeamCity administrator (in administration area User Accounts) or user are self-registered if <free-registration allowed="true" /> tag is specified.

Windows Domain Authentication

Configuration of /config/main-config.xml:

<auth-type> <login-module class="jetbrains.buildServer.serverSide.impl.auth.NTDomainLoginModule" /> <!-- Welcome message displayed to users on login form --> <login-description>Welcome to TeamCity, your team building environment!</login-description> <!-- Whether anonymous "view-only" logins are allowed (true|false) --> <guest-login allowed="true" /> </auth-type>

Prior to TeamCity 3.1, Windows Domain Authentication was supported only if TeamCity server was installed under Windows 2000, Windows XP or Windows Server 2003. See NTAuthUnix for the features introduced in 3.1.

Prior to TeamCity 3.1, all Windows domain users that can log on to the machine running TeamCity server can also log in into TeamCity using the same credentials.

To log in to TeamCity users should provide their user name in the form DOMAIN\user.name and their domain password. TeamCity 3.1 also supports logging in using <username>@<domain> syntax. It is also possible to log in using only a username if the domain is added to the /config/ntlm-config.properties file.

Windows Domain Authentication on Unix-like Computers (TeamCity 3.1 Only)

Support for Windows Domain Authentication on Unix-like computers is available in TeamCity 3.1. For this to work, check the <TeamCity data directory> /config/ntlm-config.properties file and make sure the following line is commented out.

# ntlm.compatibilityMode=true

Please refer to the http://jcifs.samba.org/src/docs/api/ page for information about other supported properties.

If you want to use the NT domain authentication available in TeamCity version prior to 3.1, ensure the line ntlm.compatibilityMod=true is present and not commented in the ntlm-config.properties file.

LDAP Authentication

Configuration of <TeamCity data directory> /config/main-config.xml:

<auth-type> <login-module class="jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule" /> <!-- Welcome message displayed to users on login form --> <login-description>Welcome to TeamCity, your team building environment!</login-description> <!-- Whether anonymous "view-only" logins are supported --> <guest-login allowed="true" /> </auth-type>

Authentication is performed by direct login into LDAP with credentials entered into the login form.

Environment for initial context is initialized with java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory and then all properties from <TeamCity data directory>/config/ldap-config.properties file are loaded. Refer to the http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html page for more information about property names and values.

Use the LDAP explorer to browse LDAP directory and verify the settings (i.e.http://www.jxplorer.org/).

You can also specify multiple servers using the following pattern:

java.naming.provider.url="ldap://ldap.mycompany.com:389 ldap://ldap2.mycompany.com:389 ldap://ldap3.mycompany.com:389"

Active Directory

The following template enables authentication against active directory:

Add the following code to the <TeamCity data directory>/config/ldap-config.properties file.

java.naming.referral=follow java.naming.provider.url=ldap://main.labs.intellij.net:389/CN=users,DC=Labs,DC=IntelliJ,DC=Net java.naming.security.authentication=simple

Non-AD LDAP server issues

By default login format is restricted to DOMAIN\sAMAccountName (i.e. "LABS\alexey.gopachenko"). But since version 2.1 you can override this restriction by adding property loginFilter, value is java.util.RegEx expression to match against. (I.e. loginFilter=.+ will accept any non-empty login).

OpenLDAP users can benefit from formatDN property. If formatDN is defined then it is used as user DN with $login$ substring replaced with anyting what user enters into login field, i.e

formatDN=uid=$login$,ou=people,dc=company,dc=com

Last modified: 20 April 2023
Accessing Server from Scripts Including Third-Party Reports in the Build Results