Authentication Settings

Out-of-the-box TeamCity Enterprise edition supports three Authentication Scheme:

Default-Authentication
Windows-Domain-Authentication
- NTAuthUnix
LDAP Integration (separate page)

Switching Authentication Scheme

To switch from one authentication scheme to another you need to edit <TeamCity data directory> /config/main-config.xml file on the server machine. Change the value of class attribute of <login-module> tag inside <auth-type> tag. Please restart the server after editing the file.

Please note that each authentication type maintains own list for users. This means that on switching from one authentication to another you start with no users (and no administrator) and will be prompted for administrator account on first TeamCity start after the authentication change . This also means that all the existing users will need to create their accounts and re-enter their settings anew.

if you are not prompted for administrator account on switching to a new scheme, this means this there are users in the scheme already. If there is no administrator account in this scheme, you can use http://<your_TeamCity_server>/setupAdmin.html URL to setup administrator account. If there is an administrator account in the current authentication scheme, the page is not available. Otherwise you need to remember the administrator account credentials. See also Changing user password with default authentication scheme. Related feature requests in our tracker: TW-1964, TW-4524, TW-1681.

Supported values for class attribute are:

jetbrains.buildServer.serverSide.impl.auth.DefaultLoginModule for Default Authentication
jetbrains.buildServer.serverSide.impl.auth.NTDomainLoginModule for Windows Domain Authentication
jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule for LDAP Authentication Also, TeamCity plugins can provide Custom Authentication Module.

Example of the relevant main-config.xml file section:

<auth-type>
    <!-- Active login module class, see below -->
    <login-module class="jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule" />
    <!-- Welcome message displayed to users on login form -->
    <login-description>Welcome to TeamCity, your team building environment!</login-description>
    <!-- Whether anonymous "view-only" logins are allowed (true|false) -->
    <guest-login allowed="true" />
    <!-- Allow users to self-register (only for modules which support this feature, e.g. DefaultLoginModule) (true|false) -->
    <free-registration allowed="false" />
</auth-type>

Default Authentication

Configuration of <TeamCity data directory> /config/main-config.xml:

<auth-type>
    <login-module class="jetbrains.buildServer.serverSide.impl.auth.DefaultLoginModule" />
    <!-- Welcome message displayed to users on login form -->
    <login-description>Welcome to TeamCity, your team building environment!</login-description>
    <!-- Whether anonymous "view-only" logins are allowed (true|false) -->
    <guest-login allowed="true" />
    <!-- Allow users to self-register (only for modules which support this feature, e.g. DefaultLoginModule) (true|false) -->
    <free-registration allowed="true" />
</auth-type>

Users database is maintained by TeamCity. New users are added by TeamCity administrator (in administration area Users and Groups) or user are self-registered if <free-registration allowed="true" /> tag is specified.

Windows Domain Authentication

Configuration of <TeamCity data directory> /config/main-config.xml:

<auth-type>
    <login-module class="jetbrains.buildServer.serverSide.impl.auth.NTDomainLoginModule" />
    <!-- Welcome message displayed to users on login form -->
    <login-description>Welcome to TeamCity, your team building environment!</login-description>
    <!-- Whether anonymous "view-only" logins are allowed (true|false) -->
    <guest-login allowed="true" />
</auth-type>

Windows Domain Authentication is supported if TeamCity server is installed under Windows 2000, Windows XP or Windows Server 2003, as well as NTAuthUnix.

Prior to TeamCity 3.1, all Windows domain users that can log on to the machine running TeamCity server can also log in to TeamCity using the same credentials.

To log in to TeamCity users should provide their user name in the form DOMAIN\user.name and their domain password. Since TeamCity 3.1 <username>@<domain> login name syntax is supported. It is also possible to log in using only a username if the domain is specified in ntlm.defaultDomain property of <TeamCity data directory> /config/ntlm-config.properties file.

Windows Domain Authentication on Unix-like Computers

TeamCity supports Windows Domain Authentication on Unix-like computers. For this to work, check the <TeamCity data directory> /config/ntlm-config.properties file and make sure the following line is commented out.

# ntlm.compatibilityMode=true

Please refer to the "Available Properties" section on http://jcifs.samba.org/src/docs/api/ page for information about other supported properties.

LDAP Authentication

Please refer to the LDAP Integration.

Just in case. pre-4.1 part that is superseeded by LDAP Integration.

Configuration of <TeamCity data directory> /config/main-config.xml:

<auth-type>
    <login-module class="jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule" />
    <!-- Welcome message displayed to users on login form -->
    <login-description>Welcome to TeamCity, your team building environment!</login-description>
    <!-- Whether anonymous "view-only" logins are supported -->
    <guest-login allowed="true" />
</auth-type>

Authentication is performed by direct login into LDAP with credentials entered into the login form.

LDAP authentication is configured by ldap-config.properties file residing in <TeamCity data directory> /config. See below for example settings.

Some implementation-specific LDAP authentication technical bits: Environment for initial context is initialized with java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory and then all properties from <TeamCity data directory> /config/ldap-config.properties file are loaded. Refer to the http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html page for more information about property names and values.

You can use the LDAP explorer to browse LDAP directory and verify the settings (i.e.http://www.jxplorer.org/).

You can also specify multiple servers using the following pattern:

java.naming.provider.url="ldap://ldap.mycompany.com:389 ldap://ldap2.mycompany.com:389 ldap://ldap3.mycompany.com:389"

By default login format is restricted to DOMAIN\sAMAccountName (i.e. "LABS\john.smith"). You can override this restriction by adding property loginFilter, value is java.util.RegEx expression to match against. (That is, loginFilter=.+ will accept any non-empty login).

Please note that in certain configurations (e.g. with java.naming.security.authentication=simple) login information will be sent to the LDAP server in the not encrypted form. For securing the connection you can refer to corresponding Sun documentation. Another option is to configure communications via ldaps protocol.

Related external link: How To Set Up Secure LDAP Authentication with TeamCity by Alexander Groß.

Active Directory

The following template enables authentication against active directory:

Add the following code to the <TeamCity data directory>/config/ldap-config.properties file (assuming the domain name is "Labs.IntellJ.Net" and domain controller is "main.labs.intellij.net").

java.naming.referral=follow
java.naming.provider.url=ldap://main.labs.intellij.net:389/CN=users,DC=Labs,DC=IntelliJ,DC=Net
java.naming.security.authentication=simple

Non-AD LDAP server issues

OpenLDAP users can benefit from formatDN property. If formatDN is defined then it is used as user DN with $login$ substring replaced with anything what user enters into login field, that is:

formatDN=uid=$login$,ou=people,dc=company,dc=com

Last modified: 20 April 2023