I'm using a TFS 2017.3 version on my Windows 2012 server IIS 8.
When I'm trying an HTTP request to my TFS server (Using Source Control for Oracle which is a Red-Gate tool for Oracle DB source control) with a 3rd Party tool that uses libgit2sharp.
Using wireshark, I found out that I'm getting 3 www-authenticate headers (within this order):
www-authenticate: Bearerwww-authenticate: Basic <realm>www-authenticate: NTLM
I'm only allowing Windows Authentication on my IIS (With NTLM provider).
This is quite problematic for me because I need the order to be different. I want to use Windows Authentication but when the www-authenticate: Basic comes before www-authenticate: NTLM the NTLM authentication isn't successful (Like in this case).
It's quite weird because I've disabled Basic Authentication on IIS and still the www-authenticate: Basic is present in the HTTP response HEADERS.
When the Basic Authentication is enabled with Windows Authentication (NTLM provider) then suddenly www-authenticate: NTLM comes before www-authenticate: Basic header (Which is super weird because when Basic Authentication was disabled then it didn't behave in the same way).
Any suggestions and tips what should I do and how can I manage the www-authenticate headers order on IIS or in TFS?
Maybe someone knows how can I remove the www-authenticate: Basic header when Basic Authentication is disabled?
Is it IIS problem or something TFS doing regardless of IIS?