There are two types of authentication modules in TeamCity:
Credentials Authentication Module authenticates users with a login/password pair specified on the login page.
HTTP Authentication Module authenticates users with some information from a certain HTTP request.
You can enable several credentials authentication modules and several HTTP authentication modules simultaneously.
On an attempt to sign in via the login form, TeamCity asks all the available credentials authentication modules in the order they are specified in the settings; the first one who can authenticate the user authenticates them. For any HTTP request, if there is no authenticated user yet, TeamCity asks all enabled HTTP authentication modules in the order they are specified; the first one who can authenticate the user, authenticates them (if no HTTP authentication module can authenticate the user for the specified HTTP request, TeamCity redirects the user to the login page).
TeamCity supports the following credentials authentication modules:
Built-in (cross-platform): Users and their passwords are maintained by TeamCity. New users are added by the TeamCity administrator (in the Administration area) or they can register themselves if the user registration at the first login is allowed by the administrator.
Microsoft Windows domain (cross-platform): All NT domain users that can log on to the machine running the TeamCity server, can also log in to TeamCity using the same credentials. i.e. to log in to TeamCity users should provide domain and username (DOMAIN\username) and their domain password.
Token-based Authentication (cross-platform): Authentication via the personal access tokens that are maintained by TeamCity. This enables both an ability to authenticate with login/access-token instead of login/password when using the login form and token-based HTTP authentication.
The following HTTP authentication modules are supported:
Basic HTTP (cross-platform): Allows accessing certain web server pages and perform actions from various scripts.
NTLM HTTP (only for Windows servers): Allows logging in using NTLM HTTP protocol. Depending on the client's web browser and operating system can provide an ability to log in without typing the user's credentials manually.
GitHub.com and GitHub Enterprise: Allow authenticating using an existing GitHub user account. Allow limiting access to members of a GitHub organization.
GitLab.com and GitLab CE/EE: Allow authenticating using an existing GitLab.com account. Allow limiting access to members of a GitLab group.
Bitbucket Cloud: Allows authenticating using an existing Bitbucket Cloud account.
Refer to Configuring Authentication Settings for specific authentication modules' configuration. See also Accessing Server by HTTP page for details about accessing a server from your scripts using Token-Based Authentication or basic HTTP authentication.