I've been having major problems connecting to TFS through a proxy server. I've enabled the ISAPI filter and configured the site for SSL, and that all works great - until I try to connect from behind a proxy.

The error I get in DevStudio is:
TF31001: Team Foundation cannot retrieve the list of team projects from Team Foundation Server on domain.net. The Team Foundation Server returned the following error: The remote server returned an error: (407) Proxy Authentication Required..

When I saw this error, the first thing I tried was connecting to https://domain.net/services/v1.0/serverstatus.asmx using the browser that is built into DevStudio. I am able to connect with no problems at all, so I know the connection isn't being blocked.

The next thing was to do a quick Ethereal trace to determine why I couldn't connect, and it looks like the TFS client in DevStudio isn't handling the proxy authentication correctly. Here are the HTTP proxy requests for both the working and non-working cases:

1) Web browser connection string (works fine):

CONNECT domain.net:443 HTTP/1.0\r\n
...
\r\n

Proxy responds with an error 407 and a Proxy-Authorization challenge and the browser responds with a second connect that includes proxy authentication info.

2) Connect to TFS using client in DevStudio (doesn't work):

CONNECT domain.net:443 HTTP/1.1\r\n
...
\r\n

Proxy responds with error 407 and a Proxy Authorization challenge and then the TFS client just gives up and returns the error I listed before.

I really need to get this working as soon as possible. Is there any way I can force the TFS client in DevStudio to do proxy authentication correctly?

As a data point, if you switch back to HTTP (or also allow HTTP), does the through-the-proxy connection work for HTTP?

I did try to connect with just HTTP and had the same problem. The network trace looks identical in both cases (except for the port) because the failed negotiation is with the proxy.

One interesting data point is that if I leave DevStudio open for a while (I suspect it is an hour or more), then some other component authenticates the proxy and the TFS client starts working perfectly. Unfortunately the DevStudio web browser doesn't have that effect or it would be a great work-around.

Here is a trace of a failed connection as a reference:

CONNECT tfs.domain.net:443 HTTP/1.1
Host: proxy
Connection: Keep-Alive

HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 PROXYISAW2K3
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="proxy.domain.com"
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 731

<HTML><HEAD><TITLE>Error Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<BODY>
<TABLE><TR><TD id=L_dt_1><B>Network Access Message: The page cannot be displayed<B></TR></TABLE>
<TABLE><TR><TD height=15></TD></TR></TABLE>
<TABLE>
<TR><TD id=L_dt_2>Technical Information (for Support personnel)
<UL>
<LI id=L_dt_3>Error Code: 407 Proxy Authentication Required. The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. (12209)
<LI id=L_dt_4>IP Address: XXX.XXX.XXX.XXX
<LI id=L_dt_5>Date: 10/6/2006 12:48:14 PM
<LI id=L_dt_6>Server: proxy.domain.com
<LI id=L_dt_7>Source: proxy
</UL></TD></TR></TABLE></BODY></HTML>

For reference purposes, here is a trace of the connection to https://tfs.domain.net:443/services/v1.0/ServerStatus.asmx using the web browser in DevStudio:

CONNECT tfs.domain.net:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: tfs.domain.net
Pragma: no-cache

HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 PROXYISAW2K3
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="proxy.domain.com"
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 731

<HTML><HEAD><TITLE>Error Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<BODY>
<TABLE><TR><TD id=L_dt_1><B>Network Access Message: The page cannot be displayed<B></TR></TABLE>
<TABLE><TR><TD height=15></TD></TR></TABLE>
<TABLE>
<TR><TD id=L_dt_2>Technical Information (for Support personnel)
<UL>
<LI id=L_dt_3>Error Code: 407 Proxy Authentication Required. The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. (12209)
<LI id=L_dt_4>IP Address: XXX.XXX.XXX.XXX
<LI id=L_dt_5>Date: 10/6/2006 12:52:20 PM
<LI id=L_dt_6>Server: proxy.domain.com
<LI id=L_dt_7>Source: proxy
</UL></TD></TR></TABLE></BODY></HTML>

CONNECT tfs.domain.net:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
Pragma: no-cache
Host: tfs.domain.net

HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
Via: 1.1 PROXYISAW2K3
Proxy-Authenticate: Negotiate TlRMTVNTUAACAAAAEAAQADgAAAAFgomicjmnselgjw0AAAAAAAAAALIAsgBIAAAABQLODgAAAA9BAE0ARQBSAEkAQwBBAFMAAgAQAEEATQBFAFIASQBDAEEAUwABAB4AQQBVAFMASQBTAEEAVwAyAEsAMwBQAFMAMwAwADEABAAaAGEAbQBlAHIALgBkAGUAbABsAC4AYwBvAG0AAwBCAGEAdQBzAGkAcwBhAHcAMgBrADMAcABzADMAMAAxAC4AYQB1AHMALgBhAG0AZQByAC4AZABlAGwAbAAuAGMAbwBtAAUAEABkAGUAbABsAC4AYwBvAG0AAAAAAA==
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0

CONNECT tfs.domain.net:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: tfs.domain.net
Pragma: no-cache
Proxy-Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIYAAAAYABgAngAAABAAEABIAAAAGAAYAFgAAAAWABYAcAAAAAAAAAC2AAAABYKIogUBKAoAAAAPQQBNAEUAUgBJAEMAQQBTAEQAYQB2AGUAXwBNAGEAdABoAGUAbgB5AFcAWABQAC0AOQBMAEYAQwBZADUAMQBWG5/C3uVrQwAAAAAAAAAAAAAAAAAAAADGP/OEeh2um/ll7N/nz9dxEaTVx9mJ0q4=

HTTP/1.1 200 Connection established
Via: 1.1 PROXYISAW2K3
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

The bug is still there, but I think I may have finally figured out what is causing the proxy authentication to start working after DevStudio has been opened for a while.

The component that is authenticating with the proxy is the DevStudio Start Page! I have that turned off because I like DevStudio to open with an empty environment, but there is an option that appears to refresh the data after 60 minutes anyway.

If I open the start page and let it load, then the TFS client works fine. If I don't open the start page then the proxy authentication fails with an error 407.

Yes, this is a known bug in the VS core - it doesn't support auth with your credentials from start page URL's.

Excellent work figuring it out!

And to be more specific, when trying the URL's directly, you're better off using an actual instance of IE rather than the browser built-in to VS for these reasons.

I'm glad it's working, but I'm not sure how the bug you mentioned is related to the problem here. In this case, the TFS client will only work once the start page has loaded - which makes it seem like this problem is actually with the TFS client, not with the start page.

Also, thanks for responding to my post. I appreciate the help on this stuff.

Interesting - what do you have for the proxy settings in IE? (tools -> options -> connections -> lan settings). We've had some problems with "automatically detect" in the past.

How does IE hitting these pages (in either HTTP or HTTPS mode) look? If IE instantly works but VS requires the start page to make the first hit before things get working, we may be reading the proxy values incorrectly.

On my system, the settings 'Automatically detect settings' and 'Use automatic configuration script' are NOT checked. I also have the proxy address set to 'proxy', the port is 80, and the 'Bypass proxy server for local addresses' is also enabled.

IE loads the pages just fine and the trace looks identical to the trace from within DevStudio because it is just using the IE web browser control. Both traces are attached so you can see the differences - but I noticed that the TFS client does include the proxy name in the 'Host' tag.

Good observation about the Host header.

Can you try going into IE, turning off the "Bypass proxy server for local addresses", closing IE, then restarting VS to see if it makes a difference?