Team Foundation Server, Authentication, and Access
You can configure your deployment to help secure the connections between your users and your deployment of Visual Studio Team Foundation Server. Team Foundation Server (TFS) can support Basic authentication, Digest authentication, and certificates. Therefore, you can configure your deployment of TFS to use Hypertext Transfer Protocol Secure (HTTPS) with Secure Sockets Layer (SSL) and either Basic or Digest authentication. If you adopt this strategy, your users can connect more securely to your deployment without having to use virtual private network (VPN) connections.
To support more secure external connections to your deployment of Team Foundation Server, you must configure Internet Information Services (IIS) to enable Basic authentication, Digest authentication, or both. You should also configure any external connections to require certificates.
Basic authentication is part of the HTTP 1.0 specification and uses Windows user accounts. During Basic authentication, the browser prompts the user for a user name and password and then transmits that information across HTTP using Base64 encoding. By default, Basic authentication requires the Windows user account to have local logon rights at the web server. You can use Basic authentication in both workgroup and domain deployments. Most web servers, proxy servers, and web browsers support Basic authentication, but it is not secure. Because data that is encoded with Base64 is easy to decode, Basic authentication is essentially sending the password as plaintext. By monitoring communications on the network, a malicious user can easily intercept and decipher these passwords by using publicly available tools. To improve security, you should consider using HTTPS with SSL.
Digest authentication is a challenge/response mechanism that sends a digest (also referred to as a hash) instead of a password over the network. During Digest authentication, IIS sends a challenge to the client to create a digest and then send that digest to the server. As a response to the challenge, the client sends a digest that is based on the user's password together with data that is known both to the client and to the server. The server uses the same process as the client to create its own digest, with the user information obtained from Active Directory. IIS authenticates the client only if the digest that the server creates matches the digest that the client creates. You can use Digest authentication only in Active Directory deployments. By itself, Digest authentication is only a small improvement over Basic authentication. A malicious user could record communication between the client and the server and then use that information to replay the transaction. Digest authentication also has dependencies on the HTTP 1.1 protocol, which not all web browsers support. Moreover, attempts to access Team Foundation Server will fail if you do not configure Digest authentication correctly. Do not choose Digest authentication unless your deployment meets all the requirements for that mode. For more information, see the following page on the Microsoft website (Configure Digest Authentication (IIS 7.0)).
By default, Team Foundation Server uses the Windows Challenge/Response (NTLM) authentication protocol. NTLM credentials are based on data obtained during the interactive logon process, and include a one-way hash of the password.
Team Foundation Server also supports Microsoft Negotiate as an authentication protocol. In the Negotiate protocol, Kerberos is selected unless it cannot be used by one of the systems involved in the authentication process. For those systems not configured for Kerberos, NTLM is used. Negotiate is the more secure option for most deployments, but can require additional configuration tasks.
In addition to the domain and workgroup requirements that were mentioned earlier in this topic, both Basic and Digest authentication are insufficient by themselves to provide network security for external clients. Therefore, you should not configure Team Foundation Server to support external clients unless you also configure these connections to require HTTPS with SSL.