TeamCity 2020.2 Help

Configuring Authentication Settings

TeamCity can authenticate users via an internal database, or can integrate into your system and use external authentication sources such as Windows Domain, LDAP, or Git hosting providers.

Configuring Authentication

Authentication is configured on the Administration | Authentication page. Currently used authentication modules are also displayed there.

TeamCity provides several preconfigured authentication options (presets) to cover the most common use cases. The presets are combinations of authentication modules supported by TeamCity:

When you first sign in to TeamCity, the default authentication, including the Built-in and Basic HTTP authentication modules, is enabled.

To modify the existing settings, click Edit next to the description of the enabled authentication module.

To switch to a different preconfigured scheme, use the Load preset button.

Using Presets

To load a preconfigured set of modules, use the Load preset button, select a required option, and Apply your changes. The following presets are available:

Enabling Multiple Authentication Modules

TeamCity allows enabling multiple authentication modules simultaneously.

When a user attempts to sign in, modules will be tried one by one. If one of them authenticates the user, the login will be successful; if all of them fail, the user will not be able to sign in to TeamCity.

It is possible to use a combination of internal and external authentication. The recommended approach is to configure LDAP Integration for your internal employees first and then to add Built-in authentication for external users. Since TeamCity 2020.2, you can also enable authentication via OAuth services.

To add a module:

  1. Click Add Module and select a module from the drop-down menu.

  2. Use the properties available for modules by selecting checkboxes in the Add Module dialog.

  3. Click Apply and Save your changes.

User Authentication Settings

The very first time TeamCity server starts with no users (and no administrator), so the first user is prompted for the administrator account. If you are not prompted for the administrator account, refer to How To Retrieve Administrator Password for a resolution.

The TeamCity administrator can modify the authentication settings of every user on their profile page.

The TeamCity list of users and authentication modules just map external credentials to the users. This means that a single TeamCity user can authenticate using different modules, provided the entered credentials are mapped to the same TeamCity user. Authentication modules have a configuration on how to map external user data to a TeamCity user, and some allow editing the external user linking data on the TeamCity user profile.

Handling of the user mapping by the bundled authentication modules:

  • Built-in authentication stores a TeamCity-maintained password for each user.

  • Windows Domain authentication allows specifying the default domain and assumes the domain account name is equal to the TeamCity user. The domain account can be edited on the user profile page.

  • LDAP Integration allows setting LDAP property to get TeamCity username from user's LDAP entry.

  • Modules, corresponding to Git hosting providers, allow admins mapping users with their external accounts by usernames. Each user can connect own profile to an external Git hosting account in My settings & Tools | General | Authentication Settings.

Be cautious when modifying authentication settings: there can be a case when the administrator cannot sign in after changing authentication modules.
Let's imagine that the administrator had the "jsmith" TeamCity username and used the default authentication. Then, the authentication module was changed to Windows domain authentication (i.e. Windows domain authentication module was added and the default one was removed). If, for example, the Windows domain username of that administrator is "john.smith", they will not able to sign in anymore: not via the default authentication since it is disabled nor via Windows domain authentication since their Windows domain username is not equal to the TeamCity username. The solution nevertheless is quite simple: the administrator can sign in using the superuser account and change their TeamCity username or specify their Windows domain username on their own profile page.

Special User Accounts

By default, TeamCity has a Super User account with maximum permissions and a Guest User with minimal permissions. These accounts have no personal settings such as the Changes page and Profile information as they are not related to any particular person but rather intended for special use cases.

Credentials Authentication Modules

Built-in Authentication

By default, TeamCity uses the built-in authentication and maintains users and their passwords by itself.

When signing in to TeamCity for the first time, the user will be prompted to create the TeamCity username and password which will be stored in TeamCity and used for authentication. If you installed TeamCity and signed in to it, it means that built-in authentication is enabled and all user data is stored in TeamCity.

In the beginning, the user database is empty. New users are either added by the TeamCity administrator, or users register themselves if the corresponding option is enabled in the authentication module settings. All newly created users belong to the All Users group and have all roles assigned to this group. If some specific roles are needed for the newly registered users, these roles should be granted via the All Users group.

By default, the users are allowed to change their password on their profile page.

Token-Based Authentication

This module allows users to authenticate via access tokens that they can create and invalidate themselves.

This authentication module is enabled by default.

Windows Domain Authentication

Allows user sign in using a Windows domain name and password. TeamCity checks these credentials: the server should be aware of the domain(s) users use to sign in. The supported syntax for the username is DOMAIN\user.name or <username>@<domain>.

In addition to signing in using the login form, you can enable NTLM HTTP Authentication single sign-on.
If you select the "Microsoft Windows Domain" preset, in addition to the login via a Windows domain, the Basic HTTP and NTLM authentication modules are enabled by default.

Specifying Default Domain

To allow users to enter the system using the login form without specifying the domain as a part of the username, do the following:

  1. Go to Administration | Authentication.

  2. Click Edit next to the Microsoft Windows domain authentication description.

  3. Set the name in the Default domain field.

  4. Click Done and Save your changes.

Registering New Users on Login

The default settings allow users to register from the login page. TeamCity usernames for the new users will be the same as their Windows domain accounts.
All newly created users belong to the All Users group and have all roles assigned to this group. If some specific roles are needed for the newly registered users, these roles should be granted via the All Users group.

To disable new user registration on login:

  1. Go to Administration | Authentication.

  2. Click Edit next to the Microsoft Windows domain authentication description. Clear the Allow user registration from the login page box.

  3. Click Edit next to the NTLM HTTP authentication description. Clean the Allow user registration from the login page box.

Linux-Specific Configuration

If your TeamCity server runs under Linux, JCIFS library is used for the Windows domain login. This only supports Windows domain servers with SMB (SMBv1) enabled. SMB2 is not supported.
The library is configured using the properties specified in the <TeamCity Data Directory>/config/ntlm-config.properties file. Changes to the file take effect immediately without the server restart.

JCIFS library settings which cannot be changed in runtime or settings to affect HTTP NTLM settings can only be set via a properties' file passed via -Djcifs.properties JVM option.

If the default settings do not work for your environment, refer to JCIFS for all available configuration properties.
If the library does not find the domain controller to authenticate against, consider adding the jcifs.netbios.wins property to the ntlm-config.properties file with the address of your WINS server. For other domain services locating properties, see JCIFS.

LDAP Authentication

Please refer to the dedicated page.

HTTP / SSO Authentication Modules

Basic HTTP Authentication

Please refer to Accessing Server by HTTP for details about the basic HTTP authentication.

NTLM HTTP Authentication

Please refer to the dedicated page.

Bitbucket Cloud

Since version 2020.2, users can sign in to TeamCity with a Bitbucket Cloud account.

Before enabling this module, you need to configure a Bitbucket Cloud connection in the Root project's settings and a dedicated application in Bitbucket.

To sign in, click the Bitbucket icon above the login form and, after the redirect, approve the TeamCity application. If a user with your Bitbucket email is registered and this email is verified both in TeamCity and in Bitbucket, this Bitbucket account will be mapped with the respective TeamCity user and you will be signed in. Otherwise, TeamCity will create a new user profile, unless this option is disabled*. It is also possible to map existing TeamCity users with Bitbucket Cloud profiles.

SettingDescription

* Allow creating new users on the first login

Enabled by default.
If disabled, TeamCity will not create a new user when the provided external email is unrecognized. This is helpful if you use a publicly available TeamCity server and want to limit access to it.

Restrict authentication

A comma-separated list of workspaces' IDs.

This list limits a set of users who can register or authenticate in TeamCity with their Bitbucket Cloud account. Together with the enabled Allow creating new users on the first login option, this leaves an ability to automatically register unknown users but restricts it to those who work on your projects.

Leave empty to allow all Bitbucket Cloud users to access the TeamCity server.

GitHub.com

Since version 2020.2, users can sign in to TeamCity with a GitHub.com account.

Before enabling this module, you need to configure a GitHub.com connection in the Root project's settings and a dedicated application in GitHub.

To sign in, click the GitHub icon above the login form and, after the redirect, approve the TeamCity application. If a user with your GitHub email is registered and this email is verified both in TeamCity and in GitHub, this GitHub account will be mapped with the respective TeamCity user and you will be signed in. Otherwise, TeamCity will create a new user profile, unless this option is disabled*. It is also possible to map existing TeamCity users with GitHub.com profiles.

SettingDescription

* Allow creating new users on the first login

Enabled by default.
If disabled, TeamCity will not create a new user when the provided external email is unrecognized. This is helpful if you use a publicly available TeamCity server and want to limit access to it.

Restrict authentication

A comma-separated list of organizations' IDs.

This list limits a set of users who can register or authenticate in TeamCity with their GitHub account. Together with the enabled Allow creating new users on the first login option, this leaves an ability to automatically register unknown users but restricts it to those who work on your projects.

Leave empty to allow all GitHub users to access the TeamCity server.

GitHub Enterprise

Since version 2020.2, users can sign in to TeamCity with a GitHub Enterprise account.

Before enabling this module, you need to configure a GitHub Enterprise connection in the Root project's settings and a dedicated application in GitHub.

To sign in, click the GitHub icon above the login form and, after the redirect, approve the TeamCity application. If a user with your GitHub email is registered and this email is verified both in TeamCity and in GitHub, this GitHub account will be mapped with the respective TeamCity user and you will be signed in. Otherwise, TeamCity will create a new user profile, unless this option is disabled*. It is also possible to map existing TeamCity users with GitHub Enterprise profiles.

SettingDescription

* Allow creating new users on the first login

Enabled by default.
If disabled, TeamCity will not create a new user when the provided external email is unrecognized. This is helpful if you use a publicly available TeamCity server and want to limit access to it.

Restrict authentication

A comma-separated list of organizations' IDs.

This list limits a set of users who can register or authenticate in TeamCity with their GitHub account. Together with the enabled Allow creating new users on the first login option, this leaves an ability to automatically register unknown users but restricts it to those who work on your projects.

Leave empty to allow all GitHub users to access the TeamCity server.

GitLab.com

Since version 2020.2, users can sign in to TeamCity with a GitLab.com account.

Before enabling this module, you need to configure a GitLab.com connection in the Root project's settings and a dedicated application in GitLab.

To sign in, click the GitLab icon above the login form and, after the redirect, approve the TeamCity application. If a user with your GitLab email is registered and this email is verified both in TeamCity and in GitLab, this GitLab account will be mapped with the respective TeamCity user and you will be signed in. Otherwise, TeamCity will create a new user profile, unless this option is disabled*. It is also possible to map existing TeamCity users with GitLab.com profiles.

SettingDescription

* Allow creating new users on the first login

Enabled by default.
If disabled, TeamCity will not create a new user when the provided external email is unrecognized. This is helpful if you use a publicly available TeamCity server and want to limit access to it.

Restrict authentication

A comma-separated list of groups' IDs.

This list limits a set of users who can register or authenticate in TeamCity with their GitLab account. Together with the enabled Allow creating new users on the first login option, this leaves an ability to automatically register unknown users but restricts it to those who work on your projects.

Leave empty to allow all GitLab users to access the TeamCity server.

GitLab CE/EE

Since version 2020.2, users can sign in to TeamCity with a GitLab CE/EE account.

Before enabling this module, you need to configure a GitLab CE/EE connection in the Root project's settings and a dedicated application in GitLab.

To sign in, click the GitLab icon above the login form and, after the redirect, approve the TeamCity application. If a user with your GitLab email is registered and this email is verified both in TeamCity and in GitLab, this GitLab account will be mapped with the respective TeamCity user and you will be signed in. Otherwise, TeamCity will create a new user profile, unless this option is disabled*. It is also possible to map existing TeamCity users with GitLab CE/EE profiles.

SettingDescription

* Allow creating new users on the first login

Enabled by default.
If disabled, TeamCity will not create a new user when the provided external email is unrecognized. This is helpful if you use a publicly available TeamCity server and want to limit access to it.

Restrict authentication

A comma-separated list of groups' IDs.

This list limits a set of users who can register or authenticate in TeamCity with their GitLab account. Together with the enabled Allow creating new users on the first login option, this leaves an ability to automatically register unknown users but restricts it to those who work on your projects.

Leave empty to allow all GitLab users to access the TeamCity server.

Last modified: 28 February 2021