There's another option for tfx-cli to connect to the TFS instance, and it is basic authentication. Just use the following format:

tfx login --auth-type basic --username myuser --password mypassword --service-url http://tfscollectionurl

Here is the quote from Github:

You can alternatively use basic auth by passing --auth-type basic (read Configuring Basic Auth). NTLM will come soon.

Note: Using this feature will store your login credentials on disk in plain text.

TFS 2015 doesn't support Personal Access Tokens, this feature was introduced with TFS 2017. In the mean time you'll either need to configure basic auth and use that (only enable basic auth if your TFS server is running over SSL), Or use the trick below to trick the command lien tools to authenticate by lettign an NTLM proxy (like Fiddler) handle the auth for you.

If you do not want to configure Basic Authentication on your TFS server (which many people don't want due to security concerns), then you can use a neat trick to let Fiddler handle your authentication:

Then enter:

C:\>set http_proxy=http://localhost:8888
C:\>tfx login --auth-type basic --service-url http://jessehouwing:8080/tfs/DefaultCollection

You'll be prompted for a username and a password, it doesn't really matter what you enter, fiddler will handle the authentication for you in the background:

More detailed steps outlined on my blog.

If you're battling self-signed certificates, which is also a common problem when using tfx against a on-premise TFS server, make sure you're using a recent enough version of Node and point it to an aditional cert store using environment variables:

As of Node.js 7.3.0 (and the LTS versions 6.10.0 and 4.8.0) it is now possible to add extra well-known certificates to Node.js with an environment variable. This can be useful in cloud or other deployment environments to add trusted certificates as a matter of policy (as opposed to explicit coding), or on personal machines, for example, to add the CAs for proxy servers. See the CLI documentation for more information on using NODE_EXTRA_CA_CERTS, as well as the original pull-request.

NODE_EXTRA_CA_CERTS=file#

^{Added in: v7.3.0}

When set, the well known "root" CAs (like VeriSign) will be extended with the extra certificates in file. The file should consist of one or more trusted certificates in PEM format. A message will be emitted (once) with process.emitWarning() if the file is missing or malformed, but any errors are otherwise ignored.

Note that neither the well known nor extra certificates are used when the ca options property is explicitly specified for a TLS or HTTPS client or server.