There are two types of authentication modules in TeamCity:
Credentials Authentication Modules authenticate users with a login/password pair specified on the login page.
HTTP Authentication Modules authenticate users with information from a certain HTTP request.
You can enable several credentials authentication modules and several HTTP authentication modules simultaneously.
On an attempt to sign in via the login form, TeamCity asks all the available credentials authentication modules in the order they are specified in the settings; the first one who can authenticate the user authenticates them. For any HTTP request, if there is no authenticated user yet, TeamCity asks all enabled HTTP authentication modules in the order they are specified; the first one who can authenticate the user, authenticates them (if no HTTP authentication module can authenticate the user for the specified HTTP request, TeamCity redirects the user to the login page).
Supported credentials authentication modules:
Built-in (cross-platform): Users and their passwords are maintained by TeamCity. New users are added by the TeamCity administrator (in the Administration area) or they can register themselves if the user registration at the first login is allowed by the administrator.
Microsoft Windows domain (cross-platform): All NT domain users that can sign in to the machine running the TeamCity server, can also sign in to TeamCity using the same credentials. That is, to sign in to TeamCity users should provide the DOMAIN\username pair and their domain password.
LDAP server (cross-platform): Authentication is performed by directly logging into LDAP with credentials entered into the login form.
Token-based Authentication (cross-platform): Authentication via the personal access tokens that are maintained by TeamCity. This enables both an ability to authenticate with login/access-token instead of login/password when using the login form and token-based HTTP authentication.
Supported HTTP authentication modules:
Basic HTTP (cross-platform): Allows accessing certain web server pages and perform actions from various scripts.
NTLM HTTP (only for Windows servers): Allows logging in using NTLM HTTP protocol. Depending on the client's web browser and operating system can provide an ability to log in without typing the user's credentials manually.
GitHub.com and GitHub Enterprise: Allow authenticating using an existing GitHub user account. Allow limiting access to members of a GitHub organization.
GitLab.com and GitLab CE/EE: Allow authenticating using an existing GitLab.com account. Allow limiting access to members of a GitLab group.
Bitbucket Cloud: Allows authenticating with an existing Bitbucket Cloud account.
JetBrains Space: Allows authenticating with an existing JetBrains Space account.
Azure DevOps: Allows authenticating with an existing Azure AD account via OAuth 2.0.
Refer to Configuring Authentication Settings for specific authentication modules' configuration. See also Accessing Server by HTTP page for details about accessing a server from your scripts using Token-Based Authentication or basic HTTP authentication.