Because of this, when we published guidance on how to use the new-in-TFS-SP1 ISAPI filter so you could use Basic or Digest authentication methods, we tied it specifically to the HTTPS scheme so that SSL would be protecting your password. Having it encrypted over the wire is very important.
You may notice that the vast majority of the instructions are actually tied to the work to get the TFS instance over to HTTPS. Because of this, on my to-do list for PowerShell scripts to write and post includes one to do all (or at least most) of this work for you to help make it faster and less error-prone.
Whatever the reason, it is possible (although not recommended) to use the ISAPI filter with a regular old HTTP scheme (no SSL involved at all).
How? 2 steps.
- Turn on the "other" authentication scheme (Basic or Digest), leaving the "Integrated Windows Authentication" still enabled, on the relevant web sites (among the options are Team Foundation Server (the TFS web services), typically on port 8080, "Default" (WSS and Reporting), typically on port 80, and Sharepoint Central Admin, typically on 17012)
- Follow the instructions in the walkthrough under the section "Configuring the ISAPI filter" with one modification: as you may have guessed by now, you'll want to set "RequireSecurePort=false" in the .ini file instead of true. As with step #1, you'll need to do this for each of the web sites you want to allow this other authentication mechanism.
If you do really want to enable non-NTLM without SSL (and to make it clear, this can be considered as loading both barrels and pointing the shotgun down), at least be nice enough to hopefully use Digest instead of Basic - at least then the actual password isn't being sent, but a hash of it instead. Further reading:
Also, just as a reminder, the majority of people, even those using TFS in an extranet, won't need the ISAPI filter. Please review my "mechanics" blog post for further details.