How to: Change the NTAuthenticationProviders Metabase Property
Windows SharePoint Services 2.0 supports only the NTLM protocol for network authentication. If Kerberos authentication is enabled, users might not be able to access Web sites for Visual Studio Team System Team Foundation Server. To resolve this issue, you must change the value of the NTAuthenticationProviders metabase property to NTLM.
The TFSAdminUtil Authentication command changes the NTAuthenticationProviders metabase property only for the Web sites for Team Foundation Server. If you cannot access other SharePoint sites, you might want to use the second procedure in this topic to correct the protocol for all SharePoint sites.
This topic describes how to modify the metabase in Internet Information Services (IIS). Before you modify the metabase, verify that you have a backup copy in case a problem occurs. If necessary, back up the metabase. For more information, see the "Backing Up and Restoring the Metabase" Help topic in the Internet Information Services Microsoft Management Console (MMC).
To perform the first procedure, you must be a member of the Administrators security group on the application-tier server for Team Foundation. To perform the second procedure, you must be a member of the Administrators security group on the server that hosts Windows SharePoint Services 2.0.
To change the value of the NTAuthenticationProviders metabase property to NTLM for Web sites on which Team Foundation Server relies
1. Log on to the application-tier server.
2. Click Start, click Run, type cmd, and then press ENTER.
   Note: Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and click Run as administrator. For more information, see the Microsoft Web site.
3. Locate the directory that contains the TFSAdminUtil utility.
   By default, this utility is located in Drive:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Tools.
4. At the command prompt, type the following command, and then press ENTER:
   TFSAdminUtil Authentication /provider NTLM
5. To verify whether the setting has changed, type the following command, and then press ENTER:
   TFSAdminUtil Authentication /view
To reset the NTAuthenticationProviders property in the IIS metabase for SharePoint sites
1. Open the Start menu, click Run, type cmd, and then press ENTER.
2. Locate the directory that contains the adsutil.vbs file.
   By default, this directory is located at Drive:\Inetpub\Adminscripts.
3. Type the following command to retrieve the current values of the NTAuthenticationProviders property:
   Note: Do not copy the command and paste it at the command prompt. This operation can cause problems with the property setting. To avoid problems, type the whole command (including the spaces) at a command prompt.
   cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders
   In this command, WebSite is a placeholder for the ID number of the Web site. The ID number of the default Web site is 1.
   Note: This command fails if the NTAuthenticationProviders property is not defined. When you install IIS 6.0, this property is not defined, and IIS 6.0 enables both Negotiate and NTLM by default.
   If Kerberos authentication (Negotiate) and Integrated Windows authentication (NTLM) are both enabled, this command will return the following string:
   NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
   If only NTLM is enabled, this command will return the following string:
   NTAuthenticationProviders : (STRING) "NTLM"
4. If the command in step 3 returns a string that contains Negotiate, use the following command to disable Kerberos authentication:
   cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"
5. Repeat step 3 to verify that Negotiate has been removed.
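The following batch file is an added example, not part of the original topic. It runs the read-only "get" command from the second procedure against several Web sites and reports which ones still have Negotiate enabled or have no NTAuthenticationProviders value defined. The site IDs in SITE_IDS and the use of %SystemDrive% for the Inetpub location are assumptions; type the file in as a .cmd file and adjust both for your server.

```batch
@echo off
rem Added example (not from the original topic): read-only audit of the
rem NTAuthenticationProviders property for several Web sites.
rem ASSUMPTION: SITE_IDS are placeholder Web site IDs; replace with your own.
rem ASSUMPTION: IIS is installed on %SystemDrive%, so adsutil.vbs is in the
rem default Inetpub\Adminscripts directory named in the procedure.
setlocal
set "SITE_IDS=1 2 3"
set "OUT=%TEMP%\ntauth_%RANDOM%.txt"
set "NEEDS_CHANGE=0"

pushd "%SystemDrive%\Inetpub\Adminscripts" || (
    echo Cannot open the Adminscripts directory.
    exit /b 2
)

for %%I in (%SITE_IDS%) do (
    rem Same get command as the procedure; output and errors go to a scratch file.
    cscript //nologo adsutil.vbs get w3svc/%%I/root/NTAuthenticationProviders > "%OUT%" 2>&1

    rem A successful lookup prints the "Name : (TYPE) value" line shown above.
    findstr /c:"NTAuthenticationProviders :" "%OUT%" > nul
    if errorlevel 1 (
        rem The get command fails when the property is not defined, and an
        rem undefined property means IIS 6.0 enables Negotiate and NTLM.
        echo Site %%I: property not defined or lookup failed - review
        set "NEEDS_CHANGE=1"
    ) else (
        findstr /c:"NTAuthenticationProviders :" "%OUT%" | findstr /i "Negotiate" > nul
        if errorlevel 1 (
            echo Site %%I: NTLM only
        ) else (
            echo Site %%I: Negotiate enabled - set the property to "NTLM"
            set "NEEDS_CHANGE=1"
        )
    )
)

del "%OUT%" 2> nul
popd
rem Exit code 1 tells a calling script that at least one site needs attention.
exit /b %NEEDS_CHANGE%
```

The script changes nothing in the metabase; sites it flags are corrected with the set command from the procedure and then checked again.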