Important: This document may not represent best practices for current development. Links to downloads and other resources may no longer be valid. Current recommended version can be found here.
Domain and Workgroup Requirements
This section covers the authentication approaches that Team Foundation Server supports.
There are two critical underlying principles for Team Foundation Server authentication models: authentication and authorization. Authentication refers to how the operating system determines who someone is. It is important to determine that users are who they say they are. Authorization refers to how the operating system determines what that user is allowed to do. Authentication and authorization are frequently confused, but the difference is important for this discussion.
Generally, Team Foundation Server uses the authentication integrated into Windows. This means that as soon as a user logs on to the operating system with a user name and password, that user is considered authenticated by Team Foundation Server. In other words, there is no separate logon step to connect to Team Foundation Server.
Authorization, however, is handled directly by Team Foundation Server instead of by the operating system. Although a user can access Team Foundation Server without an additional logon step, that user must have already been explicitly granted all the necessary permissions before he or she can read or write Team Foundation Server data. In other words, the user must already be an authorized user.
The following sections describe the various authentication models supported by Team Foundation Server.
In This Section
Describes the requirements for deploying Team Foundation Server by using workgroups.
Describes the requirements for deploying Team Foundation Server by using Active Directory.