5

We are running Azure DevOps 2019. The users are all authenticated by their domain accounts and are using Google Chrome.

They log in to Azure DevOps Server with their Windows username and password. I would like it if users on the domain were automatically logged in. I would still like for users not on the domain to be able to log in manually.

Is it possible to configure IIS to do this?

Currently if I look in the IIS Authentication config it shows:

  • Anonymous Authentication: Enabled
  • ASP.NET Impersonation: Disabled
  • Forms Authentication: Disabled
  • Windows Authentication: Enabled

Thanks

jessehouwing
Beakster
  • That's what Windows authentication does. You should be seeing exactly what you're describing. Are you having a specific issue? – Daniel Mann Jan 18 '19 at 20:51
  • Under the current setup, when they open Chrome for the first time that day and go to our server they have to enter their username and password. As they are already logged into the domain I expect this shouldn't be required. Am I missing a setting to make this happen automatically? – Beakster Jan 21 '19 at 16:25
  • What is the DNS domain for your intranet? What is the DNS name of your Azure DevOps Server? – jessehouwing Jan 21 '19 at 18:47
  • @jessehouwing, my TFS Server is at https://tfs.companyname.org. From running ipconfig /all I see that Primary DNS suffix is companyname.ad. – Beakster Jan 22 '19 at 16:38
  • Likely the TFS server is auto-classified as 'internet' that way. Unless your IT department is also pushing out special IE configurations. – jessehouwing Jan 22 '19 at 17:52
  • Yes, it seems that Group Policy needed to be modified to put my server into the Intranet zone. Then it signs in automatically with Chrome and IE. Thanks – Beakster Jan 23 '19 at 15:28

2 Answers

3

The auto-login option in Chrome by default depends on the Windows Internet Zone setting. If Azure DevOps Server is hosted on a domain that's in the Intranet zone, Chrome should try to automatically sign in.

Internet Explorer should be configured to auto-sign-in on Intranet. You can also add TFS to the Trusted Sites, in which case the default logon settings must be updated to log on for that zone.

There are also a couple of command-line parameters you can add to chrome:

  • --auth-negotiate-delegate-whitelist="tfsserver.tld"
  • --auth-server-whitelist="tfsserver.tld"

jessehouwing
1

I’ve managed to fix the issue on one of my servers. It seems that my Azure DevOps server was seen by Windows as being on the Internet, rather than the Intranet. By changing the Group Policy I was able to get the server to be seen as Intranet. This then causes IE and Chrome to automatically log in without ever prompting any users for credentials.

I will need to get my company to push this group policy out to all users, but for my local test, in the Group Policy Editor I went to: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, then select the "Site to Zone Assignment List", click "Enable" and edit the list by clicking "Show...".

I then added "Value name" = "*.mydomain.org" and "value" = "1".

The 1 is for Intranet. I could also have listed the full server name rather than the full domain.

Beakster
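
One way to verify on a client that the policy from the second answer has arrived, as an added example that is not part of either answer: it reads the Site to Zone Assignment List entries that Group Policy writes to the `ZoneMapKey` registry key and reports whether a given host name is covered. The host name `tfs.example.org` is a placeholder, the host comparison is a simplified wildcard match rather than the full Windows zone-resolution logic, and zone assignments made manually in Internet Options are not read.

```powershell
# Added example: list Site to Zone Assignment List entries delivered by
# Group Policy and report which one, if any, covers a given server name.
param(
    # Placeholder host name; replace with your Azure DevOps Server FQDN.
    [string]$ServerName = 'tfs.example.org'
)

$zoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# The policy stores each entry as a string value: name = site pattern, data = zone number.
$policyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

$entries = foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        # Strip an optional scheme prefix ("https://") so only the host pattern is compared.
        $pattern = $name -replace '^[a-z*]+://', ''
        [pscustomobject]@{
            Source   = $key.Substring(0, 4)              # HKCU (user policy) or HKLM (machine policy)
            Pattern  = $name
            Zone     = $zoneNames[[int]$item.GetValue($name)]
            # A wildcard entry places every host under that domain in the zone.
            Wildcard = $pattern.StartsWith('*.')
            Matches  = $ServerName -like $pattern        # simplified, case-insensitive host match
        }
    }
}

if (-not $entries) {
    "No Site to Zone Assignment List policy entries found for this user or machine."
} else {
    $entries | Format-Table -AutoSize
    $hit = $entries | Where-Object Matches
    if ($hit) {
        "$ServerName is covered by: $($hit.Pattern -join ', ')"
    } else {
        "$ServerName is not covered by any policy entry."
    }
}
```

Run it as the affected user after `gpupdate /force`; a matching entry with Zone `Intranet` is the state the answer describes, and the `Wildcard` column shows where a whole domain, rather than the single server, has been placed in the zone.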