|Important||This document may not represent best practices for current development, links to downloads and other resources may no longer be valid. Current recommended version can be found here.|
Team Foundation Server, Basic Authentication, and Digest Authentication
Team Foundation Server with Service Pack 1 (SP1) can support Basic and Digest authentication modes. By configuring your Team Foundation Server deployment to use HTTPS with Secure Sockets Layer (SSL) and Basic or Digest authentication, you can support external connections to your Team Foundation Server without having to use a virtual private network (VPN) connection.
This topic refers to functionality available for Team Foundation Server with SP1.
In order to support external connections to your Team Foundation Server deployments, you must configure Internet Information Services (IIS) to enable Basic and/or Digest authentication. Additionally, you must configure an Internet Server Application Programming Interface (ISAPI) filter. ISAPI filters are DLL files that can be used to modify and enhance the functionality that is provided by IIS. ISAPI filters always run on a server that is running IIS. You must configure the ISAPI filter that is part of SP1 with the IP addresses of Web proxies and/or any clients required to use Basic or Digest authentication.
Basic Authentication and Digest Authentication
Basic authentication is part of the HTTP 1.0 specification. It uses Windows user accounts. During Basic authentication, the browser prompts the user for a user name and password. User name and password information is transmitted across HTTP using Base64 encoding. By default, Basic authentication requires the Windows user account to have local logon rights at the Web server. You can use Basic authentication in both workgroup and domain deployments. Although most Web servers, proxy servers, and Web browsers support Basic authentication, it is not secure. Because it is easy to decode Base64 encoded data, Basic authentication is essentially sending the password as plain text. By monitoring communications on the network, someone could easily intercept and decipher these passwords by using publicly available tools.
Digest authentication is a challenge/response mechanism which sends a digest (also referred to as a hash) instead of a password over the network. During Digest authentication, IIS sends a challenge to the client to create a digest and then sends it to the server. The client sends a digest based on the user's password and data known both to the client and to the server as the response to the challenge. The server uses the same process as the client to create its own digest, with the user information obtained from Active Directory. If the digest created by the server matches the digest created by the client, IIS authenticates the client. You can only use Digest authentication in Active Directory domain deployments. By itself, Digest authentication is only a small improvement over Basic authentication. An attacker could record communication between the client and server and use that information to replay the transaction.
In addition to the domain and workgroup requirements that were mentioned earlier, both Basic authentication and Digest authentication are insufficient by themselves to provide network security for external clients. Therefore, you should not configure Team Foundation Server to support external clients unless you also configure these connections to require HTTPS with SSL.
ISAPI Filter Configuration
The ISAPI filter can be configured to enforce rules on any given set of IP addresses. Whereas most administrators will be primarily concerned with configuring the ISAPI filter rules for external IP addresses, you can configure rules for internal addresses also. Any IP addresses configured in the ISAPI filter rules must follow the rules that are specified in the filter. Depending on the RequireSecurePort setting, addresses that are not specified in the file might or might not be allowed to connect to Team Foundation Server.
The ISAPI filter uses an AuthenticationFilter.ini file for its configuration settings. You must configure this file with settings appropriate to your deployment. The file can use the following configuration keys and values:
IPaddress (can be more than one address, separated by semicolons).
IP address/subnet mask (can be more than one address, separated by semicolons).
Section header for the ISAPI filter file.
The keys are further defined as follows:
RequireSecurePort If you configure RequireSecurePort as True, all connections must use HTTPS/SSL and either Digest or Basic authentication unless they are one of the addresses specified in SubnetList. If you configure RequireSecurePort as False, only the connections using the addresses specified in ProxyIPList will be required to use HTTPS/SSL and either Digest or Basic authentication.
ProxyIPList IP address or addresses for which you want to enforce Digest or Basic authentication. The easiest way to conceptualize this key is to consider it as "Only require Basic or Digest authentication for these addresses." Addresses specified for this key will be required to use Digest or Basic authentication and HTTPS/SSL. This key takes precedence over SubnetList; if the ProxyIPList key is present, the SubnetList key and its values will be ignored.
SubnetList IP address/subnet mask pair or pairs for which you do not want to enforce Digest or Basic authentication. The easiest way to conceptualize this key is to consider it as "Require all addresses to use Basic or Digest authentication except for these addresses." Addresses specified for this key will not be required to use Digest or Basic authentication and HTTPS/SSL. Any address not specified for this key will be required to use Digest or Basic authentication. If the ProxyIPList key is present in the ISAPI filter, the SubnetList key and its values will be ignored.