JetBrains / teamcity-azure-active-directory

TeamCity plugin which supports authentication via Microsoft Azure Active Directory
Apache License 2.0

Question #13

Closed chlsmith closed 8 years ago

chlsmith commented 8 years ago

Dumb user question here. Does this actually connect the AD user accounts to user accounts within the TeamCity built-in authentication db, or does it just provide a second layer of security?

I have it configured and it appears to be working. However, after I sign in with my AD account, I just go to a regular TeamCity login window. I've enabled the matching email address option and created a user in TeamCity with the same email address as the AD account.

What am I missing here?

ghost commented 8 years ago

This auth scheme works as follows

chlsmith commented 8 years ago

Here are my logs. You will see the evidence of me adding and removing the user chsmith2 for my testing.

Right now that account doesn't exist in TC but does in Azure AD. That's the one that should auto-create.

teamcity-server.log.txt

ghost commented 8 years ago

Please also enable the debug-auth logging preset on the server, try to log in, and share the logs. You can send all the logs to evgeniy dot koskin at jetbrains dot com.

chlsmith commented 8 years ago

Emailing you the logs after changing the preset to debug-auth.

ghost commented 8 years ago

@chlsmith I do not see any kind of Azure AD activity in the logs. Please make sure you've enabled the Azure AAD auth scheme and put it first on the list of enabled auth modules. Also, please describe what kind of errors you see on the TeamCity login page.

chlsmith commented 8 years ago

I see no errors whatsoever. I just get taken straight from my Azure AD login page to the regular TeamCity page. Does this look right?

[image attachment]

ghost commented 8 years ago

@chlsmith so it works as expected)

chlsmith commented 8 years ago

No, it doesn't work as I'd expect it. When I try to log in with a user account that I have defined in Azure AD, it doesn't allow me into TeamCity. It simply takes me to a TeamCity logon prompt. Is that the expected behavior? Because that provides me very little.

ghost commented 8 years ago

Ok, so let's start from the very beginning. Please check that the plugin was loaded: go to Administration > Plugin List page for that. After that, please enable the Azure AAD auth scheme / module. After that, log out the current user and go to the TeamCity server login page. After that, try to log in via Azure AAD and authenticate in the Azure auth UI. After that, you should be redirected directly to the "My Settings and Tools" page in the TeamCity UI for the given user. If it does not work like that, please capture TeamCity server logs with the debug-all preset enabled and send them to me via email.

ghost commented 8 years ago

Please make sure you've specified a valid SIGN-ON URL and REPLY URL when registering the TeamCity server as an AAD application. Also, please make sure there are no proxy-related issues in your case.

chlsmith commented 8 years ago

I've verified everything and it's still the same. This is all on a single, default-built system, all running locally. This isn't my production system, but just a PoC one that I want to set up before I do this for real in our prod environment.

ghost commented 8 years ago

So how do you reference the TeamCity server in the Azure AAD configuration? What reply URL do you use? The reason I'm asking is that I see no requests from Azure to TeamCity with login info in the logs you've provided.

chlsmith commented 8 years ago

holy crap....I think I just figured something out.....

chlsmith commented 8 years ago

Got it! Holy crap! All of that because I was using the wrong URL in my configuration. I had a major brain fart and was using my prod URL instead of my test machine.

Sorry for all the runaround.

ghost commented 8 years ago

That is ok) Feel free to share your future feedback

chlsmith commented 8 years ago

One more question......

My current environment uses all TC accounts only. If I was to enable the Azure AD plugin and enable it, as long as the emails match between the AD and the TC accounts, the logons will use the same current account. Correct?

Would you suggest doing this and then enabling new users at first logon, then enabling access through Azure AD, and then having new users only configured with Azure AD accounts?

I would end up with two accounts....old ones that are "both" local and in Azure, and then new ones that are only in Azure. right?

chlsmith commented 8 years ago

I guess that's three questions....all related. :P

ghost commented 8 years ago

If I was to enable the Azure AD plugin and enable it, as long as the emails match between the AD and the TC accounts, the logons will use the same current account. Correct?

Correct

I would end up with two accounts....old ones that are "both" local and in Azure, and then new ones that are only in Azure. right?

Nope, there will be a single TeamCity account for any Azure account in your system.