SSL authentication errors when using with On-Prem TFS #118

Open
@andyfisher100

This tool has the same issue as the cross platform build agent when it comes to authenticating correctly to an on-prem TFS server using SSL.

As we know, you can only authenticate to on-prem TFS using basic authentication, but as a result you MUST enable SSL so that all traffic is encrypted. Obviously, to enable SSL you need to get a certificate for the TFS App-Tier in IIS, and these can be either from a vendor such as Symantec or you could create one using something like Microsoft Active Directory Certificate Services (which is what we did).

We set everything up and can access the TFS via all common web browsers without any issues, as long as the root and intermediate certificates have been installed correctly, for example in the trusted roots folder in Windows cert manager.

However, when you try to authenticate using "--auth-type basic", the application will not accept the certificate handshake because it can't read from the certificate store, so there is no reason as to why the certificate should be accepted, as it could theoretically be from anywhere. However, we don't have any way to tell the application that the root or intermediate certificates should be trusted.

This has been raised multiple times on the xplat agent GitHub page, and on this issue Bryan Macfarlane suggested making use of an NPM package called "ssl-root-cas".

As a result of these SSL issues, we can't use either the xplat agent or the TFS CLI.
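The trust problem described in the issue above, as an added example that is not part of the original post and is not code from tfx-cli or the xplat agent: a Node.js HTTPS client given a private root and intermediate from a PEM bundle while certificate verification stays enabled. The function names are hypothetical, and the sample bundle is constructed from Node's own bundled roots so the block runs offline.

```javascript
// Added example: trust a private CA chain in a Node.js HTTPS client
// without disabling certificate verification.
const tls = require('tls');
const https = require('https');
const { X509Certificate } = require('crypto');

// Split a PEM bundle (root + intermediates, LF or CRLF) into single certificates.
function splitPemBundle(bundle) {
  return bundle.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
}

// Build TLS options that trust the private CAs *in addition to* the public roots.
// Setting `ca` replaces Node's default trust store, so the bundled roots are re-added.
function buildTlsOptions(bundle) {
  const extra = splitPemBundle(bundle);
  if (extra.length === 0) throw new Error('no certificates found in bundle');
  for (const pem of extra) {
    const cert = new X509Certificate(pem);        // throws on malformed PEM
    if (!cert.ca) throw new Error(`not a CA certificate: ${cert.subject}`);
  }
  const ca = [...tls.rootCertificates, ...extra];
  tls.createSecureContext({ ca });                // fail early if any entry is rejected
  return { ca, rejectUnauthorized: true };        // verification stays on
}

// Constructed sample input: two of Node's bundled roots stand in for an
// internal AD CS root and intermediate exported as one PEM file.
function sampleBundle() {
  return tls.rootCertificates
    .filter((pem) => new X509Certificate(pem).ca)
    .slice(0, 2)
    .join('\r\n') + '\r\n';
}

const agent = new https.Agent(buildTlsOptions(sampleBundle()));
console.log('trusted CA entries:', agent.options.ca.length);
// Pass `agent` to https.request(...) / https.get(...) for the TFS host.
```

In real use the bundle would be read with `fs.readFileSync` from the exported PEM file. Node.js also honours the `NODE_EXTRA_CA_CERTS` environment variable, which adds a PEM file to the default roots at process start without code changes.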
