NTAuthenticationProviders is not set to NTLM only

The information in this article applies to:

  • Visual Studio 2005 Team Foundation Server

  • Visual Studio Team System 2008 Team Foundation Server

  • Windows SharePoint Services 2.0

  • Application-tier server

  • Health check

The Best Practices Analyzer tool for Team Foundation Server queries the metabase for Internet Information Services (IIS) to determine the value that is assigned to the NTAuthenticationProviders property. 

Note

This rule is checked and applies only when Windows SharePoint Services 2.0 is deployed.

An error appears when Kerberos authentication (Negotiate) is enabled. Windows SharePoint Services 2.0 supports only the Integrated Windows authentication (NTLM) protocol for network authentication.

To resolve this issue, you must reset the NTAuthenticationProviders property to enable NTLM only. The TFSAdminUtil Authentication command changes the NTAuthenticationProviders metabase property only for the Web sites for Team Foundation Server. If you cannot access other SharePoint sites, you might want to use the second procedure in this topic to correct the protocol for all SharePoint sites.

Important Note:

This topic describes how to modify the metabase. Before you modify the metabase, verify that you have a backup copy in case a problem occurs. If necessary, back up the metabase. For more information, see the "Backing Up and Restoring the Metabase" Help topic in the Internet Information Services Microsoft Management Console (MMC).

Required Permissions

To perform the first procedure, you must be a member of the Administrators security group on the application-tier server for Team Foundation. To perform the second procedure, you must be a member of the Administrators security group on the server that hosts Windows SharePoint Services 2.0.

To change the value of the NTAuthenticationProviders metabase property to NTLM for Web sites on which Team Foundation Server relies

  1. Log on to the application-tier server.

  2. Click Start, click Run, type cmd, and then press ENTER.

    Note

    Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and click Run as administrator. For more information, see the Microsoft Web site.

  3. Locate the directory that contains the TFSAdminUtil utility.

    By default, this utility is located in Drive:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Tools.

  4. At the command prompt, type the following command, and then press ENTER:

    TFSAdminUtil Authentication /provider NTLM

  5. To verify whether the setting has changed, type the following command, and then press ENTER:

    TFSAdminUtil Authentication /view

To reset the NTAuthenticationProviders property in the IIS metabase

  1. Open the Start menu, click Run, type cmd, and then press ENTER.

  2. Locate the directory that contains the adsutil.vbs file.

    The default location of this directory is Drive:\Inetpub\Adminscripts.

  3. Use the following command to retrieve the current values for the NTAuthenticationProviders property:

    Warning

    Do not copy the command line and paste it at the command prompt. This operation can cause problems with the property setting. To avoid problems, type the whole command (including the spaces) at a command prompt.

    cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders

    In this command, WebSite is a placeholder for the ID number of the Web site. The ID number of the default Web site is 1.

    Note

    This command fails if the NTAuthenticationProviders property is not defined. When you install IIS 6.0, this property is not defined, and IIS 6.0 enables both Negotiate and NTLM by default.

    If Kerberos authentication (Negotiate) and Integrated Windows authentication (NTLM) are both enabled, this command will return the following string:

    NTAuthenticationProviders      : (STRING) "Negotiate,NTLM"

    If only NTLM is enabled, this command will return the following string:

    NTAuthenticationProviders      : (STRING) "NTLM"

  4. If the command in step 3 returns a string that contains Negotiate, use the following command to disable Kerberos authentication:

    cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"

  5. Repeat step 3 to verify that Negotiate has been removed.
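The check in steps 3 through 5 can be scripted. The following PowerShell function is an added example, not part of the original article or of any Microsoft tool: it classifies the output of the adsutil.vbs get command. The function name Get-NtAuthProviderState and its result labels are hypothetical, and the sample strings are constructed from the output format shown in step 3.

```powershell
# Added example. Classifies the lines printed by:
#   cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders
# The function name and result labels are hypothetical.
function Get-NtAuthProviderState {
    param([string[]]$AdsutilOutput)

    # Value line format from step 3:
    #   NTAuthenticationProviders      : (STRING) "Negotiate,NTLM"
    $pattern = '^\s*NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"'

    foreach ($line in $AdsutilOutput) {
        if ($line -match $pattern) {
            # Split the quoted value into provider names, dropping empty entries.
            $providers = @($Matches[1].Split(',') |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ })

            # Step 4 applies whenever the string contains Negotiate.
            if ($providers -contains 'Negotiate') { return 'NegotiateEnabled' }
            if ($providers.Count -eq 1 -and $providers[0] -eq 'NTLM') { return 'NtlmOnly' }
            return 'Unexpected'
        }
    }

    # No value line was printed: the get command failed, which the note in
    # step 3 attributes to the property not being defined. IIS 6.0 then
    # enables both Negotiate and NTLM by default.
    return 'NotDefined'
}

# Constructed sample outputs in the format shown in step 3.
$both = 'NTAuthenticationProviders      : (STRING) "Negotiate,NTLM"'
$ntlm = 'NTAuthenticationProviders      : (STRING) "NTLM"'
$none = @()   # constructed: output with no value line

Get-NtAuthProviderState $both
Get-NtAuthProviderState $ntlm
Get-NtAuthProviderState $none

# Live, read-only use from the Adminscripts directory for Web site ID 1:
#   Get-NtAuthProviderState (cscript //nologo adsutil.vbs get w3svc/1/root/NTAuthenticationProviders)
```

The function only reads and classifies output. It does not change the metabase, so the set command in step 4 is still typed by hand as the warning in step 3 requires.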

See Also

Other Resources

Issues That Relate to SharePoint Products and Technologies