NOTE: This issue was resolved in Version 1.1 of Teamprise which now has full NTLM support (NTLMv2 and NTLMv1). If you are experiencing NTLM authentication issues then you should upgrade to the latest version (available here).

Windows Integrated Authentication or NTLM, as it is commonly known, is currently the only authentication mechanism supported by Microsoft for connection to the Team Foundation Server.

Teamprise v1.0 only allows authentication with the Microsoft Team Foundation Server using version 1 of the NTLM protocol (NTLMv1). NTLMv1 is significantly less secure than NTLMv2; however it is still more secure than basic http authentication over a non-encrypted channel such as HTTP.

NTLM version 2 is required for passwords greater than 14 bytes. There is no workaround than to reduce the length of the password in this case.

A Team Foundation Server may be configured to only accept NTLMv2 authentication in certain circumstances, to access the server using Teamprise Version 1.0 you must allow NTLMv1 authentication. We realize that this will cause some users problems and we are working to address the issue. For more information, consult the Microsoft Knowledge Base (http://support.microsoft.com/kb/823659). The key in question is “Network security: LAN Manager authentication level”

Possible settings include the following:

Determining LAN Manager Authentication Level Policy

Resultant Set of Policy Snap-In

Your server may be configured to reject NTLMv1 authentication information via a registry setting, local or domain policy.

If you have appropriate permissions, you can check what the setting is on your TFS server by using the "Resultant Set of Policy" MMC snap-in as follows:

• Login to the TFS server and select Start, Run… Type “mmc”, and press OK
• In MMC go to File, Add/Remove Snap-in…
• Click the Add… button
• Locate the “Resultant Set of Policy” snap-in and select Add. Press OK to confirm.
• Right-click the snap-in in the MMC console. Select Generate RSoP Data… to fire up the RSoP Data Collection Wizard.
• In the wizard, press Next.
• Ensure “Logging mode” is selected and press Next
• Ensure “This computer” is selected and press Next
• Select “Do not display user policy settings in the results (display computer settings only)” and press Next
• Press Next to confirm (this may take some time to complete)
• Press Finish
• In the snap-in, browse to the Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options tree. The key in question is the "Network security: LAN Manager authentication level" setting.

If this is shown as "Not Defined" then this may be because you do not have permission to access some of the locations (such as a domain policy) where it is being set. In this case you must get someone with the appropriate permissions to examine the policy information in the individual areas manually.

Checking the policy settings manually

Initially, you should check the local policy on the server (using Administrative Tools, Local Security Policies).

However, it is possible that the setting may be being picked up from the domain controller. The procedure for checking this is documented in the Microsoft KB article 823659 but is included below for convenience.

Look on the domain controller Note You may have to repeat the following procedure on all the domain controllers.

1. Click Start, point to Programs, and then click Administrative Tools.
2. Under Local Security Settings, expand Local Policies.
3. Click Security Options.
4. Double-click Network Security: LAN manager authentication level, and then click an appropriate value in the list.

If the Effective Setting and the Local Setting are the same, the policy has been changed at this level. If the settings are different, you must check the domain controller's policy to find out whether the Network Security: LAN manager authentication level setting is defined there. If it is not defined there, look at the domain controller's policies.

Look at the domain controller's policies

1. Click Start, point to Programs, and then click Administrative Tools.
2. In the Domain Controller Security policy, expand Security Settings, and then expand Local Policies.
3. Click Security Options.
4. Double-click Network Security: LAN manager authentication level, and then click an appropriate value in the list.

Finally, it is possible that this setting has been configured in the registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel either on your local machine or on the domain controller.