index > Team Foundation Server - Setup > Configuring SP1 ISAPI filter

Configuring SP1 ISAPI filter

Has anyone successfully configured the ISAPI filter that comes with SP1?
I enabled SSL on my single-tier TFS server, set Basic authentication on the TFS site in IIS, added AuthenticationFilter.dll as ISAPI filter and then tried to reach the server over the internet.
On the client a message pops up saying the client certificate is not installed, misconfigured or expired. In fact, it is installed, valid and not misconfigured as far as I can tell.
On the server, there is an entry in the event log:

TFS ISAPI Filter Loading

Secure Port Required

Filter not active: neither proxy IP list nor subnet mask configured

Where should I configure this proxy IP list or subnet mask? It's not on the Directory security tab in IIS I think, because changing anything there does not help.

thys

On the client you have to install the ssl certificate. Then you should be ready to go :)

/Morten Jokumsen, guidmaster

Morten Jokumsen MVP

Thanks for replying, but this will not help. According to the Event log on the server, the ISAPI filter is not configured.
My question is how do I configure the ISAPI filter?

thys

You need to create an AuthenticationFilter.ini file in the same dir as the AuthenticationFilter.dll (make sure the security tab has IIS able to read the .ini file contents).

There will be more complete docs on this posted in the next day or two, but a quick explanation follows. In both cases, "RequireSecurePort" means "requires HTTPS" (technically, it means we ask IIS whether it's a secure port or not, but for most cases this will mean HTTPS is required).

There are 2 possible configurations routes

1) You have a set of proxy (sometimes called reverse proxy in this case) machines that bring in "external" (generally internet-sourced) traffic. In this case you want to configure ProxyIPList to include the IP addresses of these proxy machine(s). Any requests coming in from the machines in the ProxyIPList will be deemed "external" and get the additional Basic or Digest authentication challenge.

For example, if I had 2 of these proxy machines at 10.197.175.32 and 10.197.175.33, I would have .ini file contents of:

[config]

James Manning - MSFT

Thanks James!

This is probably just what I was looking for. I'll give it a try asap and let you know the result.

Thys

thys

Thys,

You probably know this already, but for anyone else reading this thread in the future, the User Education team have published some more docs on the ISAPI filter:-

http://blogs.msdn.com/vstsue/archive/2006/10/04/You-ask_2C00_-we-provide.aspx

Cheers,

http://www.woodwardweb.com

Martin Woodward

reply 6