ISAPI filter without SSL, or, why cleartext passwords are evil
Ever wonder why telnet and ftp are generally considered evil by security conscious admins? That's right, because they send passwords in cleartext. The same holds true of Basic authentication as well.
Because of this, when we published guidance on how to use the new-in-TFS-SP1 ISAPI filter so you could use Basic or Digest authentication methods, we tied it specifically to the HTTPS scheme so that SSL would be protecting your password. Having it encrypted over the wire is very important.
- https://blogs.msdn.com/vstsue/pages/Walkthrough_3A00_-Setting-up-Team-Foundation-Server-to-Require-HTTPS-and-Secure-Sockets-Layer-_2800_SSL_2900_.aspx
- https://blogs.msdn.com/vstsue/pages/Walkthrough_3A00_-Setting-up-Team-Foundation-Server-with-Secure-Sockets-Layer-_2800_SSL_2900_-and-an-ISAPI-Filter.aspx
You may notice that the vast majority of the instructions are actually tied to the work to get the TFS instance over to HTTPS. Because of this, on my to-do list for PowerShell scripts to write and post includes one to do all (or at least most) of this work for you to help make it faster and less error-prone.
However, there are situations where you already have a encryption-over-the-wire solution in place for all the hosts connecting to your TFS instance, perhaps via IPsec or IPv6.
Whatever the reason, it is possible (although not recommended) to use the ISAPI filter with a regular old HTTP scheme (no SSL involved at all).
How? 2 steps.
- Turn on the "other" authentication scheme (Basic or Digest), leaving the "Integrated Windows Authentication" still enabled, on the relevant web sites (among the options are Team Foundation Server (the TFS web services), typically on port 8080, "Default" (WSS and Reporting), typically on port 80, and Sharepoint Central Admin, typically on 17012)
- Follow the instructions in the walkthrough under the section "Configuring the ISAPI filter" with one modification: as you may have guessed by now, you'll want to set "RequireSecurePort=false" in the .ini file instead of true. As with step #1, you'll need to do this for each of the web sites you want to allow this other authentication mechanism.
If you do really want to enable non-NTLM without SSL (and to make it clear, this can be considered as loading both barrels and pointing the shotgun down), at least be nice enough to hopefully use Digest instead of Basic - at least then the actual password isn't being sent, but a hash of it instead. Further reading:
- https://www.w3.org/Protocols/HTTP/digest_specification.html
- https://www.w3.org/Protocols/rfc2069/rfc2069
Also, just as a reminder, the majority of people, even those using TFS in an extranet, won't need the ISAPI filter. Please review my "mechanics" blog post for further details.