NTAuthenticationProviders is not set to NTLM only
The information in this article applies to:
Visual Studio 2005 Team Foundation Server
Visual Studio Team System 2008 Team Foundation Server
Windows SharePoint Services 2.0
Team Foundation Server Complete Health Check
Team Foundation Server Framework Health Check
SharePoint Products Health Check
The Best Practices Analyzer tool for Team Foundation Server queries the metabase for Internet Information Services (IIS) to determine the value that is assigned to the NTAuthenticationProviders property.
An error appears when Kerberos authentication (Negotiate) is enabled. The recommended setting for SharePoint Web sites is Integrated Windows authentication (NTLM) protocol for network authentication.
To resolve this issue, you must reset the NTAuthenticationProviders property to enable NTLM only. You can use the TFSConfig Authentication command to change the NTAuthenticationProviders metabase property for a Web site that Team Foundation Server uses. If you cannot access other SharePoint sites, you might want to use the second procedure in this topic to correct the protocol for all SharePoint sites.
This topic describes how to modify the metabase. Before you modify the metabase, verify that you have a backup copy in case a problem occurs. If necessary, back up the metabase. For more information, see the "Backing Up and Restoring the Metabase" Help topic in the Internet Information Services Microsoft Management Console (MMC).
To perform the first procedure, you must be a member of the Administrators security group on the application-tier server for Team Foundation. To perform the second procedure, you must be a member of the Administrators security group on the server that hosts Windows SharePoint Services 2.0.
To change the value of the NTAuthenticationProviders metabase property to NTLM for Web sites on which Team Foundation Server relies
Log on to the application-tier server.
Click Start, click Run, type cmd, and then press ENTER.
Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and click Run as administrator. For more information, see the Microsoft Web site.
Locate the directory that contains the TFSConfig utility.
By default, this utility is located in Drive:\Program Files\Microsoft Team Foundation Server 2010\Tools.
At the command prompt, type the following command, and then press ENTER:
TFSConfig Authentication /provider NTLM /site:SiteURL
To verify whether the setting has changed, type the following command, and then press ENTER:
TFSConfig Authentication /view
To reset the NTAuthenticationProviders property in the IIS metabase
Open the Start menu, click Run, type cmd, and then press ENTER.
Locate the directory that contains the adsutil.vbs file.
The default location of this directory is Drive:\Inetpub\Adminscripts.
Use the following command to retrieve the current values for the NTAuthenticationProviders property:
Do not copy the command line and paste it at the command prompt. This operation can cause problems with the property setting. To avoid problems, type the whole command (including the spaces) at a command prompt.
cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders
In this command, WebSite is a placeholder for the ID number of the Web site. The ID number of the default Web site is 1.
This command fails if the NTAuthenticationProviders property is not defined. When you install IIS 6.0, this property is not defined, and IIS 6.0 enables both Negotiate and NTLM by default.
If Kerberos authentication (Negotiate) and Integrated Windows authentication (NTLM) are both enabled, this command will return the following string:
NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
If only NTLM is enabled, this command will return the following string:
NTAuthenticationProviders : (STRING) "NTLM"
If the command in step 3 returns a string that contains Negotiate, use the following command to disable Kerberos authentication:
cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"
Repeat step 3 to verify that Negotiate has been removed.