NTLM HTTP Authentication

TeamCity NTLM HTTP authentication feature employs Integrated Windows Authentication and allows transparent/SSO login to TeamCity web UI when using browsers/clients supporting NTLM, Kerberos or Negotiate HTTP authentications. Generally, it allows to login into TeamCity server using NT domain account normally without the need for user to enter credentials manually.

The protocols supported include NTLMv1, NTLMv2, Kerberos and Negotiate.

Requirements

1. Authenticating user should be logged in to the workstation with the domain account that is to be used for the authentication.

2. User's web browser should support NTLM HTTP authentication.

Enabling NTLM HTTP Authentication

NTLM HTTP authentication currently works only with "Windows Domain" authentication scheme, so please first Configuring Authentication Settings you use this scheme on your server. Also please make sure you do NOT use Configuring Authentication Settings.

With this settings, users will see a link on login screen which, when clicked will force browser to send domain authentication data.

You can force the server to announce NTLM HTTP authentication by setting the following Configuring TeamCity Server Startup Properties:

teamcity.http.auth.forceProtocols=ntlm

This will make the server to request domain authentication for any request to the TeamCity web UI. If the user's browser is run in domain environment, the current user will be logged in automatically. If not, browser will popup a dialog asking for domain credentials.

Without this property NTLM HTTP authentication will work only if client explicitly initiates it (e.g. clicks on "Login using NT domain account" link on the login page), and in usual case unauthenticated user will be simply redirected to the TeamCity login page.

Since version 7.1.1 TeamCity server forces NTLM HTTP authentication only for Windows users by default. If you want to enable it for all users, set the following Configuring TeamCity Server Startup Properties:

teamcity.ntlm.ignore.user.agent=true

NTLM login URL

There is one more way to force NTLM authentication for certain connection (there is no necessity to set property teamcity.http.auth.forceProtocols for this case). Just send request to <Your TeamCity server URL>/ntlmLogin.html and TeamCity will initiate NTLM authentication.

Client configuring

According to your environment, you may need to configure your client to make NTLM authentication work.

Internet Explorer

1. Open "Tools" -> "Internet Options".

2. On the "Advanced" tab make sure the option "Security -> Enable Integrated Windows Authentication" is checked.

3. On the "Security" tab select "Local Intranet" -> "Sites" -> "Advanced" and add your TeamCity server URL to the list.

Google Chrome

On Windows Chrome normally uses IE's behaviour, see more information here.

Mozilla Firefox

1. Type about:config in the browser's address bar.

2. Add your TeamCity server URL to network.automatic-ntlm-auth.trusted-uris property.

Troubleshooting

Helpful links:

• http://waffle.codeplex.com/wikipage?title=Frequently%20Asked%20Questions

• http://waffle.codeplex.com/discussions/254748

• http://waffle.codeplex.com/wikipage?title=Troubleshooting%20Negotiate&referringTitle=Documentation