index > Team Foundation Server - Setup > Authentication problems using SSL.

Authentication problems using SSL.

I'm trying to install a Team Foundation for use over the Internet, with the assumption that clients will not be members of the Team Foundation Server's domain.  In order to reduce the Server's attack surface, my goal is to expose the Server as an IP address only, and require clients to connect to the Server using SSL, client certificates, and an arbitrary port.  For example, the Server path might look like:

   https://1.2.3.4:5/

My infrastructure consists of an offline root CA, a domain controller, and the single-deployment Team Foundation Server.  I imported the root CA certificate into the domain controller, and issued server certificates to the domain controller and Server.  I then built a standalone client, installed Team Explorer, and issued a user certificate to the client's login account.  The basic infrastructure functions correctly: HTTPS from the client's Internet Explorer to a test SSL site on the Server does work, as does login from non-SSL Team Explorer to the Server.

However, when I attempt an SSL login from Team Explorer, I keep getting authentication errors.

Can anyone provide insight into the problem?

Many thanks.  David

MintyEggNog
David,

I'm going to assign this question to someone with a little more knowledge of how this is configured.

marc [msft]

This post is provided as-is and without warranty.
Marc Kuperstein - MSFT
Hello Marc,

Many thanks for your help.  Here's some more information for you: I thoroughly tested the Certificate Services layer of my implementation, and verified that the layer works, in and of itself.  I can use Internet Explorer to access the Team Foundation Server's site (which, as we all know, is a SharePoint Services Web site) with mandatory HTTPS and client certificates, effectively eliminating my Certificate Services layer as the source of the authentication problems.

Furthermore, when I maintain the requirement for the Server site to use HTTPS, but lift the requirement to use client certificates, then I can successfully perform an initial login using Team Explorer in HTTPS mode.  HOWEVER, subsequent transactions against the Server (for example creating projects) fail with authentication errors.  This behavior suggests that, somewhere between the application tier and database tier, there is a lack of synchronization of authentication methods.

And finally, when I maintain the requirement to use client certificates, I cannot even perform a successful login using Team Explorer in HTTPS mode.

Let me know if you need more information.

Many thanks.  David
MintyEggNog
Quick question for you:
Are you configuring the TFS Server Site to "allow SSL connections only"?

Also in order for Reporting and Sharepoint (and project creation) to function properly, you'll need to make changes to the TFS registration database.  This can be accomplished through the use of the TFSReg.exe utility and a registry change.

Please see the following posting for instructions:
http://forums.microsoft.com/msdn/showpost.aspx?postid=107762&siteid=1

Note there are some other postings that also recommend use of a reverse proxy: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=101952&SiteID=1

I would be careful about putting your server directly on the internet - you may want to invest some time in using an HTTP proxy server such as ISA2004.

Thanks,



Dan Kershaw [msft]
Dan Kershaw
Were you ever able to sucessfully use the tool when client certificates were enforced? I am unable to get it working.

Jason Camp, MCSE, MCSD, MCDBA, MCAD, MCSA, CISSP, SCSA
Jason D. Camp
reply 5

You can use google to search for other answers

 

More Articles

Using Non-standard SQL Port Numbers
Upgrading from limited version
team members alert notifications (project alerts) - HOW??
Beta3 Error 32000 (tfsadminutil) on app tier
HTTP Status 401: Unauthorized - when trying to publish or view a ...
Small Business Server
Where is it?
Team System Beta 2 install error 26105
Tip of preventing the App.Tier (MSMDSRV.EXE) from using all the r...
Use Visual Studio 2005 Beta 2 to work on TFS Jun CTP
Welcome to Bokebb   New Update   Joins the collection  
 

New Articles

Problem caused by SQL 2005 Developer edi…
TFS and named instance of analysis server
TF30177: Team Project Creation Failed - …
How to setup permissions?
Cannot browse TFS website locally
Beta 3 - Can't create a project
Unable to browse to VSTFWeb - Error HTTP…
VTS Beta 3 is a ".IMG" file, n…
TFS - Application Tier Setup Error - 29105
Can't connect to TF Project with MS Proj…
TFS and Outlook Web Access
TFS Installation: Error 28905
Domain/Local accounts when installing TF…
team foundation client
Source Control stopped working - Cryptog…

Hot Articles

TFSAdminUtil in which version of TFS?
Can not reference to Microsoft.VisualStu…
Setup Issues with SQL Reporting
Unable to Create a Team Project
Work item type editor
Package Load Failure connecting to TFS R…
how to remove the tfs addin for Office p…
Installation Failure: Error 28100
Team Project creation failed. "Proj…
TFSSetup user as admin
Warehouse Cube Won't Process - B3Refresh…
What is this RTM version of Sql Server2005
TF30272: Template not found on the server
Active Directory and NT4 mix
TFS console or administrative tool

Recommend Articles

The report server cannot create the perf…
Error: "Microsoft.Pcw.currituck&quo…
Best Possible Business scenario for sour…
still stuck
permission in VSTS
Sharepoint Services and Frontpage Extens…
TFSDeleteProject.exe fails to delete pro…
Team System and Small Business Server 2003
can not read Installation guide for Beta3
Reporting Services fails after upgrading…
Source Control in Portal?
TFS in different AD domain than the user…
TFSSERVICE needs to be a member of Enter…
Visual Studio RTM above VSTS Beta3 refresh
Unable to connect to Team Foundation Ser…
index |  sitemap         Powered by xichy{at}163.com