Recently a customer was having a problem with being prompt for user name and password every time they tried to access TFS. After doing a little investigation, I found that the IIS default setting were changed. To the defense of the customer, I would have made the same guess for the authentication setting for the TFS top level website.
To get TFS back to not prompting for user name and password. We changed the authentication settings back to the Team Foundation Server default settings. Below are the default site settings.
In IIS click on Team Foundation Server node | Authentication
For the Team Foundation Server the Anonymous Authentication should be set to Enabled and the Windows Authentication set to Disabled.
At the tfs site node, the Anonymous Authentication should be set to Disable and the Windows Authentication set to Enabled.
There is a number of ways to secure TFS. The above is the default setting that would help on getting you back when making adjustments your TFS.
Security in itself is a fine art. It’s a balance between not blocking your teams from doing their work, too not have the intellectual properties show up on your competitors site. What is the correct balance? To give a consultant reply to this question. Well it depends.
Below are some of my favorite links that might shed some light on the TFS security model.