I'm proud to note that Teamprise 1.1 was released this morning, which adds support for NTLM2 authentication, fixes several small bugs and is released for Mac OS X as a Universal Binary.
NTLM2 is a challenge-response authentication system that is frequently used by IIS (and thus, Team Foundation Server) installs for additional security above HTTP Basic authentication.[1] We released Teamprise 1.0 without support for NTLM2 authentication (we supported the older LM style) because Microsoft has not openly published the specification for NTLM2, and we believed that most TFS installations would not need it – those worried about security would opt for SSL and encrypt the entire transport, not just the authentication.[2]
Unfortunately, enabling NTLM2 in Team Foundation Server - and disabling other authentication methods - seems like a win with no drawbacks, and most administrators went ahead with it. We quickly realized that Teamprise needed support for NTLM2.
Fortunately, the Samba team[3] has documented much of the work they've done in reverse engineering of NTLMSSP[4] for CIFS, and the Apache HTTPClient team has implemented LM authentication over HTTP. Between these two, we got a good head start, and the powerful protocol analyzer Ethereal helped us with the trial and error to figure out the rest, and we are very pleased to support NTLM2 in Teamprise 1.1.
Further additions to Teamprise 1.1 include Universal Binary support for Mac OS X – another feature I'm very pleased with. As the Mac guy, I was a bit embarrassed to release Teamprise 1.0 with PPC-only support, even though we delivered Intel Mac binaries to beta testers. Fortunately, all went well, and we're releasing Teamprise 1.1 as a Universal Binary. I believe this brings the Mac version onto a level playing field with Windows and Linux.
Teamprise 1.1 is not a critical update for those that are happily using Teamprise 1.0, but if you've been waiting on evaluating Teamprise until NTLM2 support was available, or if you're using Teamprise 1.0 on an Intel Mac, Teamprise 1.1 is a nice little release we think you'll be very happy with.
[1] Note that HTTP Digest is at least equally secure – and presumably more so, since the NTLM2 specification is closed and has not been formally peer reviewed.
[2] If you are that worried about security, it is still recommended that you use SSL – using NTLM2 alone leaves precious data flying across the wire in cleartext.
[4] The terminology gets a bit hairy here, especially with the commonality in names. LM, NTLM and NTLM2 are all crypto-based authentication protocols, while NTLMSSP is the definition of the message protocol that delivers them. I.e., you receive an NTLM challenge in an NTLMSSP message, you then send your NTLM response in an NTLMSSP message.