Introducing Search service authentication to make communications with TFS more secure
Basic authentication is now enabled on the communication between TFS and Search service to make it more secure.
Users can take advantage of this enhanced security by upgrading to TFS 2018 Update 1.1 or TFS 2018 Update 3. Please note that customers running TFS 2018 RTM or TFS 2018 Update 1 need to upgrade to TFS 2018 Update 1.1, and customers running TFS 2018 Update 2 need to upgrade to TFS 2018 Update 3. Please refer to the documentation for the complete TFS upgrade matrix.
Upgrading to any of these releases requires you to provide a new user name and password while configuring Search (and during Search Service setup in the case of a remote Search Service).
Resources for upgrade
You can reach us on Developer Community if you need any further help.
[9/20 UPDATE]: Adding FAQs
Note that while upgrading to these new releases is optional, users are strongly encouraged to do so in order to take advantage of this enhanced security.
Who can configure these credentials?
Only TFS Admins will be able to configure security credentials for Search Service.
What are these credentials?
Admins will need to configure credentials as part of configuring Search (through the Server or Search configuration wizard), whether Elasticsearch (ES) is on the same server as TFS or on a separate server dedicated to Search. This new set of credentials enables basic authentication in the Search service, and users need to provide them while upgrading. Note that these are neither TFS service credentials nor domain account credentials.
What are the best practices for defining these credentials?
The user name must be between eight (8) and sixty-four (64) characters long and consist of alphanumeric characters.
Passwords must be between eight (8) and sixty-four (64) characters long. To make them complex, and hence difficult to guess, passwords should contain a combination of upper-case letters, digits, and special characters.
How can I further enhance the security of Search service?
Please note that the Search credentials only authenticate users and ensure that unauthenticated users cannot access the Elasticsearch endpoint. But since Elasticsearch does not support HTTPS, these credentials are sent over the network as Base64-encoded strings. If there is a possibility of someone sniffing the credentials, it is vital that you configure appropriate security settings based on your corporate security and compliance requirements. Please refer to this documentation for more details.
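As an added example (this is not code from the post or from the TFS product), the following Python script checks a user name and password against the policy stated in the best-practices answer above, and then illustrates the transport caveat in this answer: the HTTP Basic Authorization header that carries these credentials is only Base64-encoded, so anyone who can observe the plain-HTTP traffic recovers them with a single decode. The policy checks are my reading of the rules quoted above, the header format follows RFC 7617, and the sample user name, password and endpoint URL are constructed values.

```python
import base64
import string
from urllib.parse import urlparse

# Length limits quoted from the post: both fields are 8 to 64 characters.
MIN_LEN, MAX_LEN = 8, 64


def validate_username(name: str) -> list:
    """Return the policy violations for a Search user name (empty list = acceptable)."""
    problems = []
    if not MIN_LEN <= len(name) <= MAX_LEN:
        problems.append(f"user name must be {MIN_LEN}-{MAX_LEN} characters, got {len(name)}")
    # The post asks for alphanumeric characters; this reads that as ASCII letters and digits only.
    if not (name.isascii() and name.isalnum()):
        problems.append("user name must consist of alphanumeric characters only")
    return problems


def validate_password(pw: str) -> list:
    """Return the policy violations for a Search password (empty list = acceptable)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"password must be {MIN_LEN}-{MAX_LEN} characters, got {len(pw)}")
    if not any(c.isupper() for c in pw):
        problems.append("password needs at least one upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("password needs at least one digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("password needs at least one special character")
    return problems


def basic_auth_header(user: str, pw: str) -> str:
    """Build the Authorization value a client sends for HTTP Basic authentication (RFC 7617)."""
    token = base64.b64encode(f"{user}:{pw}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_header(header: str) -> tuple:
    """Recover user name and password from a Basic header.

    This is exactly what an observer of unencrypted HTTP traffic can do:
    Base64 is an encoding, not encryption, so the header is no secret on the wire.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authentication header")
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


def credentials_exposed_in_transit(endpoint_url: str) -> bool:
    """True when the Search endpoint is reached over plain HTTP, i.e. the header travels unprotected.

    Assumption: the network-level protection the post calls 'appropriate security
    settings' (for example TLS in front of Elasticsearch) is what would make this False.
    """
    return urlparse(endpoint_url).scheme.lower() != "https"


if __name__ == "__main__":
    # Constructed sample values; they are not real TFS or Elasticsearch credentials.
    user, pw = "searchsvc01", "Es-Search#2018x"
    print("user name problems :", validate_username(user))
    print("password problems  :", validate_password(pw))
    hdr = basic_auth_header(user, pw)
    print("header on the wire :", hdr)
    print("recovered by decode:", credentials_from_header(hdr))
    print("exposed over http://es-host:9200 ?", credentials_exposed_in_transit("http://es-host:9200"))
```

The round trip through `basic_auth_header` and `credentials_from_header` is the whole point of the caveat above: the credentials stop unauthenticated access to the endpoint, but they do not hide themselves from anyone positioned on the network path, so the transport between TFS and the Search service needs its own protection.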