Authentication Settings
Last modified: 20 April 2023Out-of-the-box TeamCity Enterprise edition supports three Authentication Scheme:
note
TeamCity Professional edition only supports TeamCity Default Authentication and does not support changing the authentication scheme.
Switching Authentication Scheme
To switch from one authentication scheme to another you need to edit <TeamCity data directory> /config/main-config.xml file on the server machine. Change the value of class attribute of <login-module> tag inside <auth-type> tag. Please restart the server after editing the file.
Please note that each authentication type maintains own list for users. This means that on switching from one authentication to another you start with no users (and no administrator) and will be prompted for administrator account on first TeamCity start after the authentication change . This also means that all the existing users will need to create their accounts and re-enter their settings anew.
if you are not prompted for administrator account on switching to a new scheme, this means this there are users in the scheme already. If there is no administrator account in this scheme, you can use http://<your_TeamCity_server>/setupAdmin.html URL to setup administrator account. If there is an administrator account in the current authentication scheme, the page is not available. Otherwise you need to remember the administrator account credentials. See also Changing user password with default authentication scheme. Related feature requests in our tracker: TW-1964, TW-4524, TW-1681.
Supported values for class attribute are:
jetbrains.buildServer.serverSide.impl.auth.DefaultLoginModulefor Default Authenticationjetbrains.buildServer.serverSide.impl.auth.NTDomainLoginModulefor Windows Domain Authenticationjetbrains.buildServer.serverSide.impl.auth.LDAPLoginModulefor LDAP Authentication Also, TeamCity plugins can provide Custom Authentication Module.
Example of the relevant main-config.xml file section:
<auth-type>
<!-- Active login module class, see below -->
<login-module class="jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule" />
<!-- Welcome message displayed to users on login form -->
<login-description>Welcome to TeamCity, your team building environment!</login-description>
<!-- Whether anonymous "view-only" logins are allowed (true|false) -->
<guest-login allowed="true" />
<!-- Allow users to self-register (only for modules which support this feature, e.g. DefaultLoginModule) (true|false) -->
<free-registration allowed="false" />
</auth-type>Default Authentication
Configuration of <TeamCity data directory> /config/main-config.xml:
<auth-type>
<login-module class="jetbrains.buildServer.serverSide.impl.auth.DefaultLoginModule" />
<!-- Welcome message displayed to users on login form -->
<login-description>Welcome to TeamCity, your team building environment!</login-description>
<!-- Whether anonymous "view-only" logins are allowed (true|false) -->
<guest-login allowed="true" />
<!-- Allow users to self-register (only for modules which support this feature, e.g. DefaultLoginModule) (true|false) -->
<free-registration allowed="true" />
</auth-type>Users database is maintained by TeamCity. New users are added by TeamCity administrator (in administration area Users and Groups) or user are self-registered if <free-registration allowed="true" /> tag is specified.
Windows Domain Authentication
Configuration of <TeamCity data directory> /config/main-config.xml:
<auth-type>
<login-module class="jetbrains.buildServer.serverSide.impl.auth.NTDomainLoginModule" />
<!-- Welcome message displayed to users on login form -->
<login-description>Welcome to TeamCity, your team building environment!</login-description>
<!-- Whether anonymous "view-only" logins are allowed (true|false) -->
<guest-login allowed="true" />
</auth-type>Windows Domain Authentication is supported if TeamCity server is installed under Windows 2000, Windows XP or Windows Server 2003, as well as NTAuthUnix.
Prior to TeamCity 3.1, all Windows domain users that can log on to the machine running TeamCity server can also log in to TeamCity using the same credentials.
To log in to TeamCity users should provide their user name in the form DOMAIN\user.name and their domain password. Since TeamCity 3.1 <username>@<domain> login name syntax is supported. It is also possible to log in using only a username if the domain is specified in ntlm.defaultDomain property of <TeamCity data directory> /config/ntlm-config.properties file.
Windows Domain Authentication on Unix-like Computers
TeamCity supports Windows Domain Authentication on Unix-like computers. For this to work, check the <TeamCity data directory> /config/ntlm-config.properties file and make sure the following line is commented out.
# ntlm.compatibilityMode=truePlease refer to the "Available Properties" section on http://jcifs.samba.org/src/docs/api/ page for information about other supported properties.
note
If you want to use the NT domain authentication available in TeamCity version prior to 3.1, ensure the line ntlm.compatibilityMode=true is present and not commented in the
ntlm-config.propertiesfile.
LDAP Authentication
Please refer to the LDAP Integration.
Just in case. pre-4.1 part that is superseeded by LDAP Integration.
Configuration of <TeamCity data directory> /config/main-config.xml:
<auth-type>
<login-module class="jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule" />
<!-- Welcome message displayed to users on login form -->
<login-description>Welcome to TeamCity, your team building environment!</login-description>
<!-- Whether anonymous "view-only" logins are supported -->
<guest-login allowed="true" />
</auth-type>Authentication is performed by direct login into LDAP with credentials entered into the login form.
LDAP authentication is configured by ldap-config.properties file residing in <TeamCity data directory> /config. See below for example settings.
Some implementation-specific LDAP authentication technical bits: Environment for initial context is initialized with java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory and then all properties from <TeamCity data directory> /config/ldap-config.properties file are loaded. Refer to the http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html page for more information about property names and values.
You can use the LDAP explorer to browse LDAP directory and verify the settings (i.e.http://www.jxplorer.org/).
You can also specify multiple servers using the following pattern:
java.naming.provider.url="ldap://ldap.mycompany.com:389 ldap://ldap2.mycompany.com:389 ldap://ldap3.mycompany.com:389"By default login format is restricted to DOMAIN\sAMAccountName (i.e. "LABS\john.smith"). You can override this restriction by adding property loginFilter, value is java.util.RegEx expression to match against. (That is, loginFilter=.+ will accept any non-empty login).
Please note that in certain configurations (e.g. with java.naming.security.authentication=simple) login information will be sent to the LDAP server in the not encrypted form. For securing the connection you can refer to corresponding Sun documentation. Another option is to configure communications via ldaps protocol.
Related external link: How To Set Up Secure LDAP Authentication with TeamCity by Alexander Groß.
Active Directory
The following template enables authentication against active directory:
Add the following code to the <TeamCity data directory>/config/ldap-config.properties file (assuming the domain name is "Labs.IntellJ.Net" and domain controller is "main.labs.intellij.net").
java.naming.referral=follow
java.naming.provider.url=ldap://main.labs.intellij.net:389/CN=users,DC=Labs,DC=IntelliJ,DC=Net
java.naming.security.authentication=simpleNon-AD LDAP server issues
OpenLDAP users can benefit from formatDN property. If formatDN is defined then it is used as user DN with $login$ substring replaced with anything what user enters into login field, that is:
formatDN=uid=$login$,ou=people,dc=company,dc=comThanks for your feedback!