Authentication Command

Use the Authentication command to change the network authentication protocol that a Web site for Team Foundation uses.

Important Note:

By default, both Negotiate and NTLM are enabled in Internet Information Services (IIS) 6.0. Windows SharePoint Services 2.0 supports only the Integrated Windows authentication (NTLM) protocol for network authentication. Users might not be able to access Web sites for Team Foundation if Kerberos authentication (Negotiate) is enabled.

Required Permissions

To use the Authentication command, you must be a member of the Team Foundation Administrators security group on the application-tier server for Team Foundation. If you use the /proxy option, you must be an administrator on the application-tier server for Team Foundation or the proxy server. For more information, see Team Foundation Server Permissions.


Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and click Run as Administrator. For more information, see the Microsoft Web site.

TFSAdminUtil Authentication [/provider:NTLM|Negotiate] [/proxy] [/view] [/site:WebSiteName] 





NTLM: Use with the /provider option to specify the NTLM authentication protocol.

Negotiate: Use with the /provider option to specify the Negotiate (Kerberos) authentication protocol.

WebSiteName: Use to specify the Web site whose authentication protocol you want to change.

/view: Displays the current authentication settings for Team Foundation Server.

/proxy: Runs the command for the Web site on the computer that is running Team Foundation Server Proxy.

/site: Specifies the Web site whose network authentication protocol you want to change. If you do not specify a name, Team Foundation Server is used. If you specify the proxy switch, Team Foundation Server Proxy is used.


The Authentication command is used by an administrator who wants to change the network authentication protocol for one or more Web sites on which Team Foundation relies. The administrator runs this command from the application tier to update those Web sites that require a change in their network authentication protocol. The command changes the NTAuthenticationProviders property in the IIS metabase.

Important Note:

Before you use the Authentication command to change the authentication protocol, you should run the command with the /view option to view the existing settings.


The following example displays the current value that is assigned for the network authentication protocol.

>TFSAdminUtil Authentication /view
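
An offline way to check the NTAuthenticationProviders property mentioned above, as an added example that is not part of the original documentation or of Team Foundation Server: the script resolves the effective value for each Web site in a metabase export, following inheritance from parent keys, and marks sites where Negotiate is still enabled. The sample XML is constructed and simplified; its layout (element names, the Location and ServerComment attributes) is an assumption modelled on the IIS 6.0 MetaBase.xml file.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample; layout modelled on IIS 6.0 MetaBase.xml (assumption).
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
 <MBProperty>
  <IIsWebService Location="/LM/W3SVC" NTAuthenticationProviders="Negotiate,NTLM"/>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
  <IIsWebServer Location="/LM/W3SVC/2" ServerComment="Team Foundation Server"
                NTAuthenticationProviders="NTLM"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT"/>
  <IIsWebServer Location="/LM/W3SVC/3" ServerComment="Team Foundation Server Proxy"/>
 </MBProperty>
</configuration>"""

DEFAULT = ["Negotiate", "NTLM"]  # the page states both are enabled by default in IIS 6.0


def load_nodes(xml_text):
    """Map each metabase Location (upper-cased) to its attribute dict."""
    nodes = {}
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("Location")
        if loc:
            nodes[loc.upper()] = dict(el.attrib)
    return nodes


def effective_providers(nodes, location):
    """Walk up the Location path until a key sets NTAuthenticationProviders."""
    path = location.upper()
    while path:
        value = nodes.get(path, {}).get("NTAuthenticationProviders")
        if value is not None:
            return [p.strip() for p in value.split(",") if p.strip()]
        path = path.rpartition("/")[0]  # move to the parent key
    return list(DEFAULT)


def audit(xml_text):
    """Return {site name: (providers, negotiate_enabled)} for every Web site key."""
    nodes = load_nodes(xml_text)
    report = {}
    for loc, attrs in nodes.items():
        if "ServerComment" in attrs:
            provs = effective_providers(nodes, loc)
            report[attrs["ServerComment"]] = (provs, any(p.lower() == "negotiate" for p in provs))
    return report


if __name__ == "__main__":
    for site, (provs, nego) in sorted(audit(SAMPLE_METABASE).items()):
        print(f"{site}: {','.join(provs)}{'  <- Negotiate enabled' if nego else ''}")
```
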

See Also

Other Resources

Using Team Foundation Server Command-Line Tools

Administering Team Foundation Server

Managing Team Foundation Server Services and Service Accounts