I just setup a TeamCity server at work and switched on the Windows Domain authentication. People thought it was pretty stick but one user didn't want to enter his Windows username/password because of concerns that the TeamCity server could be doing something nefarious with that information (eg transmitting it to a 3rd party).My response was "don't be absurd". But it seems to be a real concern for him. What proof can I give him to convince him this isn't a concern?
I know that Windows Domain authentication is quite common across many web-based tools and I don't want to hit this issue again and again. Is there a best practice that is employed out there to guard against transmission of senstive data? I suppose we could firewall off the TeamCity server so it can't communicate outside our internal network.