TFS Impersonation

TFS Impersonation, as its name suggests, impersonates the user to TFS using functionality that is built into TFS itself. The benefit of this approach is that the user only has access to the functionality, projects and data in TFS that have been granted to them in TFS. TFS Impersonation is the recommended approach for a StandAlone SenseAdapt Server where you wish to restrict user access to the ACLs that have been set up in TFS.


In order for this to happen, the following needs to take place:

  • Ensure .NET Framework 4.5.2 is installed on the server
  • The app pool that SenseAdapt runs under must be set to .NET Framework 4.
  • The app pool that SenseAdapt runs under needs to have its identity set to an account that has access to TFS. It is recommended that a dedicated account be set up for this purpose.
  • The application pool must have Load User Profile set to true and have 32-bit applications enabled.

[Screenshot: ApplicationPoolSettingsImpersonation.png]


  • The account that the SenseAdapt app pool runs under must have the "Make requests on behalf of others" permission set in TFS (see further below for details).
  • In IIS, Authentication for the website needs to be set to "Windows Authentication" only; all other authentication methods must be disabled.


[Screenshot: SenseAdaptAuthStandAlone.PNG]

  • Inside the web.config, authentication needs to be set to Windows: <authentication mode="Windows" /> inside the <system.web> tag.
  • Inside the web.config, validateIntegratedModeConfiguration needs to be set to false: <validation validateIntegratedModeConfiguration="false" /> inside the <system.webServer> tag.
  • Inside the web.config, identity impersonation needs to be set to false: <identity impersonate="false" /> inside the <system.web> tag.
  • Inside the visualisation.config, useTFSImpersonation needs to be set to true: <add key="useTFSImpersonation" value="true" />
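The checks a practitioner would run after completing the steps above, as an added PowerShell example that is not part of the SenseAdapt documentation. It assumes the app pool and the IIS site are both named "SenseAdapt" and that visualisation.config sits in the site's physical path; adjust those to match your installation.

```powershell
# Added example, not SenseAdapt's own code: report every TFS Impersonation
# prerequisite from the list above that is not met on this server.
# Assumptions: app pool and site are both called "SenseAdapt"; visualisation.config
# lives in the site's physical path.
Import-Module WebAdministration

$appPool  = 'SenseAdapt'
$site     = 'SenseAdapt'
$physical = (Get-Item "IIS:\Sites\$site").physicalPath
$problems = @()

# .NET Framework 4.5.2 or later (Release value 379893 corresponds to 4.5.2)
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
if (-not $release -or $release -lt 379893) { $problems += '.NET Framework 4.5.2 is not installed' }

# Application pool: .NET 4, 32-bit enabled, Load User Profile, dedicated identity
$pool = Get-Item "IIS:\AppPools\$appPool"
if ($pool.managedRuntimeVersion -ne 'v4.0')             { $problems += "App pool runtime is $($pool.managedRuntimeVersion), expected v4.0" }
if (-not $pool.enable32BitAppOnWin64)                   { $problems += 'App pool: Enable 32-Bit Applications is false' }
if (-not $pool.processModel.loadUserProfile)            { $problems += 'App pool: Load User Profile is false' }
if ($pool.processModel.identityType -ne 'SpecificUser') { $problems += "App pool identity is $($pool.processModel.identityType), expected a dedicated TFS account" }

# IIS authentication: Windows Authentication enabled, every other scheme disabled
$auth = '/system.webServer/security/authentication'
foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication', 'windowsAuthentication') {
    $enabled = [bool](Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter "$auth/$scheme" -Name enabled).Value
    $wanted  = ($scheme -eq 'windowsAuthentication')
    if ($enabled -ne $wanted) { $problems += "${scheme}: enabled=$enabled, expected $wanted" }
}

# web.config values from the list above
[xml]$web = Get-Content (Join-Path $physical 'web.config')
if ($web.configuration.'system.web'.authentication.mode -ne 'Windows') { $problems += 'web.config: authentication mode is not Windows' }
if ($web.configuration.'system.web'.identity.impersonate -ne 'false')  { $problems += 'web.config: identity impersonate is not set to false' }
if ($web.configuration.'system.webServer'.validation.validateIntegratedModeConfiguration -ne 'false') {
    $problems += 'web.config: validateIntegratedModeConfiguration is not set to false'
}

# visualisation.config: the useTFSImpersonation flag (parent element not assumed, hence the // search)
[xml]$vis = Get-Content (Join-Path $physical 'visualisation.config')
$flag = $vis.SelectSingleNode("//add[@key='useTFSImpersonation']")
if (-not $flag -or $flag.value -ne 'true') { $problems += 'visualisation.config: useTFSImpersonation is not true' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { 'All TFS Impersonation prerequisites on this server are met.' }
```

The "Make requests on behalf of others" permission lives in TFS rather than on the web server, so it is not covered by this script and still has to be confirmed in the TFS control panel as described below.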


Setting a TFS user up to make requests on behalf of users

In TFS you will need to assign the permission "Make requests on behalf of others". This can be done from within the control panel in TFS for the designated user (the user used for the app pool identity mentioned above). This setting must be set to "Allow". The user should have elevated rights comparable to a service account.


[Screenshot: Allow.PNG]


If you get the error shown below, it is usually an indicator that TFS Impersonation was not set up, or that it was applied to the wrong account. Ensure that the "Make requests on behalf of others" permission is applied to the correct account in TFS, and that this is also the account the SenseAdapt application pool is running under.

[Screenshot: TFS30063.PNG]