Updated: Enabling SSL/HTTPS on Team Foundation Server 2010 RTM

Not too long ago I posted a set of instructions on how to set up SSL/HTTPS for TFS 2010 RTM (here).  But it had a few shortcomings, i.e. Report Server was not over SSL, and TFS had no idea that SharePoint was running over SSL, or even which FQDN I was using for the site.  Since then I’ve been hacking away at fixing those shortcomings, and as far as I can tell everything seems to be functioning now.  Instead of completely editing the old post, I’ll just give a new, straightforward set of instructions.

Prerequisites:

  1. Have the basic TFS install completed along with the configuration.
  2. FQDN you would like to use, for this example I will be using “mycompany.com”
  3. A certificate from a Microsoft Certificate Services Server (this cannot be a self-signed certificate because Visual Studio Team Explorer will not accept it)
    To request the certificate from Microsoft Certificate Services use the following steps:

  • Open up the IIS Manager and select the server
  • Select “Server Certificate”
  • In the Actions pane > select “Create Domain Certificate”
  • Follow the steps in the “Create Certificate” dialog.

Here is some basic information I’ll be using during this guide:

Server Name: tfs-server
FQDN: mycompany.com
Certificate Name: tfs-cert

 

Steps:

Configure Sharepoint:
  • Open up SharePoint Administrator
  • Navigate to the “Operations” tab  
  • Select “Alternate Access Mappings”
  • Click on “Edit Public URLs”
  • Select the “Default Web Site”
  • Change the “Default” from “http://tfs-server” to “https://mycompany.com”
  • Click “Save”
  • That should be it with Sharepoint Administrator.
  • One last thing is that we need to test the site.  When I did the initial configuration I was unable to navigate to the SharePoint site from the server itself but was able to from client machines.  The site would prompt me for credentials over and over but would not let me into the site.  So just open a browser from the server and try to navigate to “https://mycompany.com/sites/defaultcollection”.  If that doesn’t work then you need to follow the next step, otherwise you are complete.
  • I came across this blog post that describes the very problem.  In the end I had to disable the loopback check, but different solutions may solve your problem.
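
A narrower alternative to turning the loopback check off for the whole machine is to allow loopback authentication only for the site's own host name. The PowerShell below is an added example, not part of the original post; it assumes the guide's example FQDN `mycompany.com` and an elevated prompt on the TFS server, and it uses the `BackConnectionHostNames` value under the `MSV1_0` key.

```powershell
# Added example (not from the original post). Run elevated on the TFS server.
# Assumption: 'mycompany.com' is the guide's example FQDN; substitute your own.
$fqdn = 'mycompany.com'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = Join-Path $lsa 'MSV1_0'

# Read the current multi-string list; a missing value yields an empty list.
$existing = (Get-ItemProperty -Path $msv -Name BackConnectionHostNames `
             -ErrorAction SilentlyContinue).BackConnectionHostNames
$names = @($existing | Where-Object { $_ })

# Append the FQDN only if it is not already listed (comparison is case-insensitive).
if ($names -notcontains $fqdn) {
    $names += $fqdn
    New-ItemProperty -Path $msv -Name BackConnectionHostNames `
        -PropertyType MultiString -Value ([string[]]$names) -Force | Out-Null
    Write-Output "Added $fqdn to BackConnectionHostNames"
} else {
    Write-Output "$fqdn is already listed in BackConnectionHostNames"
}

# Report whether the machine-wide switch is still on.
$flag = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
         -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($flag -eq 1) {
    Write-Warning 'DisableLoopbackCheck = 1: the check is off for every host name.'
    # Once the FQDN entry is confirmed to work, re-enable the check:
    # Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck
}
```

A restart may be needed before the change takes effect.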
Configure Reporting Services:
  • Open up “Reporting Services Configuration Manager”
  • Select “Web Service URL”
  • In the right panel, select “tfs-cert” as the SSL Certificate and 443 as the SSL Port.
  • Select Apply
  • Select “Report Manager URL”
  • In the right panel, select “Advanced”
  • In the “Advanced Multiple Web Site Configuration” window that pops up click “Add” under the “Multiple SSL Identities for Report Manager”
  • The “Add a Report Manager SSL Binding” window will pop-up, just select “tfs-cert” and it will automatically get the URL from the certificate.
  • Click “OK” until you get back to the main Reporting Services Configuration window.
  • That should be it for the Reporting Services Configuration.
Configure IIS:
  • Open IIS Manager, you should see something similar to the image below in your left panel.
  • Select “Default Web Site” and select “Bindings” in the Action Pane.
  • Click “Add” in the “Site Bindings” pop-up.
  • Change the following values:
    Type: https
    Port: 443
    SSL Certificate: tfs-cert

  • Click “Ok” in the Add Site Binding and “Close” in “Site Bindings”
  • You will need to perform the same steps for the “Team Foundation Server” website except use port 8088 instead of 443.
  • That will be it for IIS Manager.
Configure Firewall:

You will need to ensure that your firewall is allowing 443 and 8088 in.

Configure TFS:
  • Open up “Team Foundation Server Administration Console”
  • Navigate to the "Application Tier"
  • In the right pane, select "Change URLs".
  • In the "Change URLs" pop up, change the Notification URL to “https://mycompany.com:8088/tfs”
  • Click “Ok”, we are finished configuring the Application Tier.
  • Navigate to the “Sharepoint Web Applications”
  • In the right pane, select the “http://tfs-server” application and click “Change”
  • Change the values in the “Sharepoint Web Application Settings”
    Friendly Name: mycompany.com
    Web Application URL: https://mycompany.com
    Central Administration URL: http://tfs-server:17012
    Default Location: sites
  • Navigate to “Reporting” in the left pane.
  • In the right pane select “Edit”
  • The “Reporting” window will popup.  Select the “Reports” tab.
  • Select the “Populate URLs”, this will cause the drop downs in the tab to refresh with what the Report Server has configured.
  • Change the drop downs in the URL section to the https addresses that were created earlier.
    Web Service: https://mycompany.com/reportserver
    Report Manager: https://mycompany.com/reports
  • Once you click “Ok”, be sure to click “Start Jobs” in the Reporting pane.

Congratulations!  You have finished the configuration.  Enjoy!
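
To confirm the result, the PowerShell below connects to each HTTPS port configured in this guide and reports the certificate the server presents and whether it validates for the FQDN. It is an added example, not part of the original post; the host name and ports are the guide's example values, and `Test-TlsEndpoint` is a helper name made up for this example.

```powershell
# Added example (not from the original post). Diagnostic only: the callback
# accepts any certificate so it can be inspected; no application data is sent.
# Assumption: FQDN and ports are the example values used in this guide.
$fqdn  = 'mycompany.com'
$ports = 443, 8088   # Default Web Site / Reporting Services, and TFS

function Test-TlsEndpoint {
    param([string]$HostName, [int]$Port)
    $script:tlsErrors = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Record the validation result instead of failing the handshake.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $certificate, $chain, $policyErrors)
            $script:tlsErrors = $policyErrors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Endpoint     = "${HostName}:$Port"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            PolicyErrors = $script:tlsErrors   # 'None' = trusted chain and matching name
        }
    }
    finally {
        $client.Close()
    }
}

$ports | ForEach-Object { Test-TlsEndpoint -HostName $fqdn -Port $_ } |
    Format-List Endpoint, Subject, Issuer, NotAfter, PolicyErrors
```

`RemoteCertificateNameMismatch` means the certificate does not cover the name you connected with (for example, it was issued to the server name rather than the FQDN); `RemoteCertificateChainErrors` means the machine running the check does not trust the issuing CA. Run it from a client machine as well as from the server, since trust stores can differ.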

 

Update (5/18/2010): Thanks to the comment by Jason, I have added an extra step to configure the Application Tier in the TFS Administration Console.

    18 thoughts on “Updated: Enabling SSL/HTTPS on Team Foundation Server 2010 RTM”

    1. Pingback: Enabling SSL/HTTPS on Team Foundation Server 2010 RTM « Alan's Blog

      • Rodrigo, my first guess would be if the permissions have been configured. I have another post on TFS permissions, you can try looking at configuring the application layer permissions to see if that resolves your problem.

      • I ran into the problem too. TFS couldn’t authenticate back to itself. I disabled the LSA’s loopback checking, similar to the well documented issue with SPS.

        In regedit, go to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
        Add a new DWORD called DisableLoopbackCheck and set the value to 1

        More about this can be found here: http://support.microsoft.com/kb/926642

        I’m guessing some of the TFS Web Services recall the local machine and with the loopback check in place it fails.

        For a production machine this generally isn’t recommended and I’m still looking for better solutions out there. We may have to wait until MS posts their official documentation on SSL with TFS 2010.

    2. I have SSL working with VS2010 and VS2008 just fine now, but I can’t get Team Web Access to work with SSL. From the error messages it’s trying to use HTTPS along with the server name and not the FQDN. The screen partially renders, but the list boxes are filled with this message:

      Team Foundation services are not available from server https://btdm10/tfs. Technical information (for administrator): The underlying connection was closed: An unexpected error occurred on a send.

      BTDM10 is the server name. It should be using the FQDN instead.

      I’m mostly wondering if others have the Web Access client working with SSL and if others are seeing the same issue. I’m about to go searching for references to the server name in the DB, and config files.

      • Jason, web access is working for me using this setup. To get to the web access I have to type https://mycompany.com:8088/tfs. I would first go take a look at the Team Foundation Server Administration Console and check that the Application Tier is configured to use the FQDN. I had a similar problem before where it was only using computer names and not the FQDN, but adjusting the Application Tier fixed it. Hope that helps! -Alan

    3. I have the same problem that Jason has, in one test environment. The environment with a problem is using separate IP addresses to host WSS, Reporting Services and TFS all on port 443. I had previously set up another test environment where all three were on different ports, and Team Web Access worked OK with that one, but I get the “Team Foundation services are not available….” message in this environment.

      I have tried changing both URL settings (Notification URL and Server URL) in Team Foundation Server Administration Console to the FQDN, but this does not fix the problem.

      Any ideas for a fix?
      Mary

      • This is an update. I found a work-around. Here are the steps I took (slightly condensed).

        1. Stop IIS on the application tier server
        2. Make a backup copy of C:\Program Files\Microsoft Team Foundation Server 2010\Application Tier\Web Access\Web\web.config (or wherever your web.config for Team Web Access is)
        3. Run Notepad as Administrator, open the web.config file specified above. Under , copy and un-comment the subsequent line, so it looks like this, substituting the FQDN of your server for tfs.contoso.com. Be sure to add the “/tfs”.

        <!– –>

        4. Start IIS

        This at least appears to work.

        I also tried using the internal IP address in place of tfs.contoso.com, and this also works. I added that IP address to the list of servers in the registry for loopback checking, as described here: http://support.microsoft.com/kb/896861

        I am not a TFS expert, and I have no documentation about this other than what I saw in the web.config file. There may be unforeseen consequences.

        Mary

        • Hmm, It looks like the section of the web.config that I pasted disappeared. Evidently, this UI does not like angled brackets. Here it is again, sort of. **I have replaced angled brackets with square ones.**

          [tfServers]
          [!– [add name=”http://server:8080″ /] –]
          [add name=”https://tfs.contoso.com/tfs” /]
          [/tfServers]

    4. Had the same problem as Mary, but in our case we had to make the web.config file for the https://server/tfs/web directory have the IP address, not the machine name to work correctly.

      <!-- -->

      We are using Server 2008 with TFS 2010 NOT on a domain. We are running two web sites (TFS and a test site) on this single machine. Taking the test site down makes TFS and TFS web work, but having both will cause the TFS web to not work unless you replace the machine name with the machine IP. Also, our test site is using port 443 and TFS is using 8443.

    5. This is by far the most detailed guide available anywhere on setting up TFS for SSL. I got thru all the steps except when configuring TFS. I got stuck on the third screen shot “Change the values in the “Sharepoint Web Application Settings”” – it won’t let me proceed. I keep getting this error –
      TF255329: The following site could not be accessed: http://sharepoint.SITE.com/. The server that you specified did not return the expected response. Either you have not installed the Team Foundation Server Extensions for SharePoint Products on this server, or a firewall is blocking access to the specified site or the SharePoint Central Administration.
      Any help will be appreciated.

      Vik

    6. I’ll look at these posts, but if it were a permissions issue then it won’t work without the SSL, right? But everything was working without SSL.

    7. Actually, I removed the site that was there under “Sharepoint Web Applications” as it wasn’t letting me proceed with the https….FQDN site address. But now I can’t get anything added. It won’t even let me add the site address without the “https”

    8. Hi,

      While I followed these instructions I have managed to make everything work except the web parts were broken. I followed another set of instructions by setting the portal from Team Explorer but it wouldn’t work either. Then I stumbled across the solution: apart from setting the “Sharepoint web application settings” in Team Foundation Console, you also need to change the URL in “Extensions for Sharepoint Products”. This completely fixes the problem and makes everything happy. Hope this is of help to other users.

    9. Pingback: Publish Team Foundation Server 2010, Sharepoint 2010 and Project Server 2010 over SSL/HTTPS « Tips and tricks around code-world
