

Walkthrough: Setting up Team Foundation Server to Require HTTPS and Secure Sockets Layer (SSL)

The following walkthrough describes a procedure for requiring Team Foundation clients to use HTTPS and Secure Sockets Layer (SSL) connections to connect to Team Foundation Server when Service Pack 1 (SP1) is installed on the server. To support external connections to your deployments of Team Foundation Server, you must configure Internet Information Services (IIS) to enable Basic authentication, Digest authentication, or both. Additionally, you must configure an Internet Server Application Programming Interface (ISAPI) filter.

Important

If you configure Team Foundation Server to use any customized ports, such as HTTPS and SSL, you will not be able to install any service packs for Team Foundation Server after you make those changes. Installation of service packs will fail. You must reconfigure Team Foundation Server to its default settings before you can apply service packs for Team Foundation Server.

Throughout this walkthrough, you will accomplish the following activities:

  1. Create a certificate request for Team Foundation Server Web sites.

  2. Issue the certificate request, and create the binary certificate file.

  3. Install and assign the certificate.

  4. Configure Team Foundation Server to require HTTPS and SSL.

  5. Install the certificate on client computers.

  6. Test the certificate.

Important

The procedures in this topic are specific to Team Foundation Server with SP1. If you do not have SP1 installed, you cannot configure an ISAPI filter, and some of the functionality referred to in this topic will not be available. To configure Team Foundation Server for HTTPS and SSL without installing SP1, see Walkthrough: Setting up Team Foundation Server with Secure Sockets Layer (SSL) and How to: Configure Team Foundation Server for HTTPS and SSL Only. For more information about Team Foundation Server, HTTPS, and SSL, see Team Foundation Server, HTTPS, and Secure Sockets Layer (SSL).

Prerequisites

To complete this walkthrough:

  • Both the data tier and application tier parts of Team Foundation Server must be installed. For more information, see the Team Foundation Installation Guide. You can download the latest version of the Team Foundation Installation Guide from the Microsoft Download Center (https://go.microsoft.com/fwlink/?linkid=40042).

  • You must have a certification authority (CA) available to issue certificates. This walkthrough assumes that you are using Microsoft Certificate Services as your CA. If you do not have a certification authority, you can install Microsoft Certificate Services and configure a certification authority. For more information, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=70929).

Required Permissions

You must be a member of the Administrators group on the Team Foundation application-tier and data-tier servers and a member of the Team Foundation Administrators group to complete this procedure. For more information about permissions, see Team Foundation Server Permissions.

Assumptions

This walkthrough assumes the following:

  • The Team Foundation data-tier server and the Team Foundation application-tier server have been installed and deployed in a secure environment and configured according to security best practices.

  • The administrator configuring Team Foundation Server with SSL is familiar with public key infrastructures (PKIs) and certificates, including familiarity with requesting, issuing, and assigning certificates. For more information about PKI and certificates, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=70930).

  • The administrator is familiar with configuring Internet Information Services (IIS), Microsoft SQL Server, and network settings, and has a working knowledge of the network topology of the development environment.

Installing Microsoft Certificate Services

This walkthrough uses Microsoft Certificate Services as the certification authority (CA) for issuing certificates. For convenience in this walkthrough, Certificate Services is installed on the Team Foundation application-tier server. For security, you should consider isolating your root certification authority when you deploy Certificate Services in a production deployment. Physical isolation of the CA server, in a facility available only to security administrators, can significantly reduce the risk of tampering. For more information about Certificate Services features and best practices, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=70929).

Warning

Once you have installed Certificate Services, you cannot change the name of the computer or the domain in which the computer is enlisted. If you change the computer name or domain, the certificate issued from the certification authority (CA) is invalidated.

To install Certificate Services

  1. Click Start, click Control Panel, and then select Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. In the Windows Components Wizard, click Certificate Services in the Components list.

  4. Review the text in the message box, and then click Yes.

  5. Click Next to start the installation.

  6. On the CA Type page, select Stand-alone root CA, and then click Next.

  7. On the CA Identifying Information page, in Common name for this CA, type the name of the computer.

  8. In Validity period, change the duration for the certificate to six (6) months, and then click Next.

  9. On the Certificate Database Settings page, click Next without making any changes.

    A message box appears that shows that IIS must be stopped.

  10. In the message box, click Yes.

    The Configuring Components page appears.

  11. If a message box appears with information about Active Server Pages (ASP), click Yes.

  12. Click Finish.

Creating a Certificate Request for Team Foundation Server Web Sites

On the application-tier computer, you must create a certificate request for Team Foundation Server using Internet Information Services (IIS) Manager.

To create a certificate request for Team Foundation Server Web sites

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand computername (Local Computer) and then expand Web sites.

  3. Right-click Team Foundation Server and then click Properties.

  4. In Team Foundation Server Properties, click the Directory Security tab.

  5. Under Secure Communications, click Server Certificate.

    The Web Server Certificate Wizard appears. Click Next.

  6. On the Server Certificate page, click Create a new certificate, and then click Next.

  7. On the Delayed or Immediate Request page, click Next.

  8. On the Name and Security Settings page, click Next without making any changes.

  9. On the Organization Information page, specify values for Organization and Organization unit. For example, enter the name of your company as the Organization and your team or group name for Organization unit. Click Next.

  10. On the Your Site's Common Name page, click Next without making any changes.

  11. On the Geographical Information page, specify the appropriate information in the Country/Region, State/province, and City/locality boxes, and then click Next.

  12. On the Certificate Request File Name page, under File name, specify the location where you want the certificate request file saved and the name of the file, and then click Next.

    Note

    Make sure that you save the certificate request file to a network share or other location that can be accessed from the CA computer.

  13. Review the information listed on the Request File Summary page and then click Next.

  14. Click Finish.

  15. Click OK to exit the Team Foundation Server Properties dialog box.

Issuing a Certificate Request and Creating a Binary Certificate File

After you have created a certificate request, you must have the CA, in this case Microsoft Certificate Services, issue a certificate based on the request. As soon as a certificate is created, you can assign the certificate to the appropriate Web sites using IIS.

To issue a certificate request using Microsoft Certificate Services

  1. Click Start, click Administrative Tools, and then click Certification Authority.

  2. In the Explorer pane, right-click the computer name, select All Tasks, and then click Submit new request.

  3. In the Open Request File dialog box, locate the certificate request text file that you created in the previous procedure, and then click Open.

  4. In the Explorer pane, expand the computer name, and then click Pending Requests.

  5. Note the Request ID value for the pending request.

  6. Right-click the request, select All Tasks, and then click Issue.

  7. In the Explorer window, under the computer name, select Issued Certificates and review the listed certificates to verify that a certificate was issued that matches the Request ID value for your request.

  8. In Issued Certificates, right-click the issued certificate, select All Tasks, and then click Export Binary Data.

  9. In Columns that contain binary data, select Binary Certificate. Under Export options, select Save binary data to a file, and then click OK.

  10. In Save Binary Data, save the file to a portable media device or network share that can be accessed by the Team Foundation application-tier computer.

  11. Exit Certification Authority.

Installing and Assigning the Certificate

Before you can use SSL with Team Foundation Server, you must install the server certificate on the Team Foundation Server Web site and then configure HTTPS on Team Foundation Server-related Web sites. These related Web sites include the following:

  • Default Web site

  • SharePoint Central Administration

  • Report Server

Installing the Server Certificate

Follow these steps to install the server certificate on Team Foundation Server.

To install the server certificate on the Team Foundation Server Web site

  1. On the Team Foundation application-tier server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand <computername> (local computer) and then expand Web sites.

  3. Right-click Team Foundation Server and then click Properties.

  4. In Team Foundation Server Properties, click the Directory Security tab.

  5. Under Secure Communications, click Server Certificate.

    The Web Server Certificate Wizard appears. Click Next.

  6. On the Pending Certificate Request page, select Process the pending request and install the certificate, and then click Next.

  7. On the Process a Pending Request page, click Browse.

  8. In the Open dialog box, under Files of type, select All files (*.*) from the drop-down list, and then locate the directory where you saved the binary certificate in the previous procedure. Select the binary certificate file and then click Open.

  9. On the Process a Pending Request page, click Next.

  10. On the SSL Port page, accept the default value or enter a new value, and then click Next. The default port for SSL connections is 443.

    Important

    Consider using a port number other than the default, as using a default port number can reduce the security of your deployment. Make a note of the SSL port value that you assign. Before you accept the default value, make sure that the port is not being used by another server certificate. SSL port values must be different for each server certificate you install. For example, if the default port of 443 is not already being used and you accept the default port value of 443 for the Team Foundation Server Web site, you must assign a different port value for the default Web site and the SharePoint Central Administration Web site.

  11. Review the information on the Certificate Summary page, and then click Next.

  12. Click Finish.

  13. On the Directory Security tab, under Authentication and access control, click Edit.

  14. In Authentication Methods, make sure that the Enable anonymous access box is cleared. In Authenticated access, select Integrated Windows authentication and either Basic Authentication or Digest authentication for Windows domain servers or both, depending on your deployment. Clear any other selections, and then click OK.

    Note

    After clicking Digest authentication for Windows domain servers, you might be prompted to confirm your choice. Read the text and then click Yes.

  15. Click OK to close the Team Foundation Server Properties dialog box.

    Note

    If an Inheritance Overrides dialog box appears after clicking OK, click Select All, and then click OK.

Assigning the Certificate to Default Web Site

Follow these steps to set up HTTPS on the default Web site in IIS.

To set up HTTPS on the Default Web site and require SSL

  1. On the Team Foundation application-tier server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand <computername> (local computer) and then expand Web Sites.

  3. Right-click Default Web Site and then click Properties.

  4. In Default Web Site Properties, click the Directory Security tab.

  5. Under Secure Communications, click Server Certificate.

    The Web Server Certificate Wizard appears. Click Next.

  6. On the Server Certificate page, select Assign an existing certificate, and then click Next.

  7. On the Available Certificates page, select the certificate whose Friendly Name value is Team Foundation Server. You might have to scroll to see the Friendly Name column in the list. Click Next.

  8. On the SSL Port page, accept the default value or enter a new value, and then click Next. The default port for SSL connections is 443.

    Important

    Consider using a port number other than the default, as using a default port number can reduce the security of your deployment. Make a note of the SSL port value. SSL port values must be different for each server certificate you install. For example, if you accept the default port value of 443 for the Team Foundation Server Web site, you must assign a different port value for the default Web site and the SharePoint Central Administration Web site.

  9. Review the information on the Certificate Summary page and then click Next.

  10. Click Finish. The wizard will close.

  11. On the Directory Security tab, under Secure Communications, click Edit.

  12. In Secure Communications, select Require secure channel (SSL). Make sure that Ignore client certificates is selected, and then click OK.

  13. On the Directory Security tab, under Authentication and access control, click Edit.

  14. In Authentication Methods, make sure that the Enable anonymous access box is cleared. In Authenticated access, select Integrated Windows authentication and either Digest authentication for Windows domain servers, Basic authentication, or both, as appropriate to your deployment. Clear any other selections, and then click OK. For more information about authentication methods and Team Foundation Server, see Team Foundation Server, Basic Authentication, and Digest Authentication.

    Note

    After clicking Digest authentication for Windows domain servers, you might be prompted to confirm your choice. Read the text and then click Yes.

  15. Click OK to close the Default Web Site Properties dialog box.

    Note

    If an Inheritance Overrides dialog box appears after clicking OK, click Select All, and then click OK.

To configure the Team Foundation Server Web site to require SSL

  1. On the Team Foundation application-tier server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand <computername> (local computer) and then expand Web sites.

  3. Right-click Team Foundation Server and then click Properties.

  4. In Team Foundation Server Properties, click the Directory Security tab.

  5. On the Directory Security tab, under Secure Communications, click Edit.

  6. In Secure Communications, select Require secure channel (SSL). Make sure that Ignore client certificates is selected, and then click OK.

  7. Click OK to close the Team Foundation Server Properties dialog box.

    Note

    If an Inheritance Overrides dialog box appears after clicking OK, click Select All, and then click OK.

Assigning the Certificate to SharePoint Central Administration

Follow these steps to set up HTTPS for SharePoint Central Administration.

To set up HTTPS for SharePoint Central Administration and require SSL

  1. On the Team Foundation application-tier server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand <computername> (local computer) and then expand Web Sites.

  3. Right-click SharePoint Central Administration and then click Properties.

  4. In SharePoint Central Administration Properties, click the Directory Security tab.

  5. Under Secure Communications, click Server Certificate.

    The Web Server Certificate Wizard appears. Click Next.

  6. On the Server Certificate page, select Assign an existing certificate, and then click Next.

  7. On the Available Certificates page, select the certificate whose Friendly Name value is Team Foundation Server. You might have to scroll to see the Friendly Name column in the list.

  8. Click Next.

  9. On the SSL Port page, accept the default value or enter a new value, and then click Next. The default port for SSL connections is 443.

    Important

    Consider using a port number other than the default, as using a default port number can reduce the security of your deployment. Make a note of the SSL port value. SSL port values must be different for each server certificate you install. For example, if you accept the default port value of 443 for the Team Foundation Server Web site, you must assign a different port value for the default Web site and the SharePoint Central Administration Web site.

    Note

    Make a note of this value, as you will need it in order to assign the certificate to the SQL Report Server.

  10. Review the information on the Certificate Summary page and then click Next.

  11. Click Finish.

  12. On the Directory Security tab, under Secure Communications, click Edit.

  13. In Secure Communications, select Require secure channel (SSL). Make sure that Ignore client certificates is selected, and then click OK.

  14. Click OK to close the SharePoint Central Administration Properties dialog box.

Configuring the ISAPI Filter

You must create an ISAPI initialization file in the same directory as the AuthenticationFilter.dll file that is part of Team Foundation Server SP1. You must also add the ISAPI filter to the registry.

To configure the ISAPI Filter

  1. On the Team Foundation application-tier server, click Start, click Programs, click Accessories, and click Notepad.

  2. In Notepad, create the following file. ProxyAddress is the IP address from which external network traffic to Team Foundation Server appears to originate (usually a router), and for which you want to require HTTPS/SSL and Basic authentication, Digest authentication, or both. SubnetMask is the IP address/subnet mask pair or pairs for which you do not want to enforce Digest or Basic authentication.

    Important

    If you add the ProxyIPList key to the file, the SubnetList key and its values will be ignored. For more information, see Team Foundation Server, Basic Authentication, and Digest Authentication.

    Note

    You can have more than one value for either ProxyAddress or SubnetMask. Separate ProxyAddress or SubnetMask values with a semicolon.

    [config]

    RequireSecurePort=true

    ProxyIPList=ProxyAddress;

    SubnetList=SubnetMask;

  3. Save this file as AuthenticationFilter.ini in the same directory as AuthenticationFilter.dll. This directory is drive:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\TF Setup.

  4. Open a Command Prompt window. To open a Command Prompt, click Start, click Run, type cmd, and then click OK.

  5. At the command prompt, type the following command:

    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\TFS ISAPI Filter" /v EventMessageFile /t REG_SZ /d %windir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll /f

  6. At the command prompt, type the following command:

    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\TFS ISAPI Filter" /v TypesSupported /t REG_DWORD /d 7 /f

  7. On the Team Foundation application-tier server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  8. Expand <computername> (local computer), expand Web Sites, right-click Team Foundation Server, and then click Properties.

  9. In Default Web Site Properties, click the ISAPI Filters tab.

  10. Under ISAPI Filters, click Add.

  11. In Add/Edit Filter Properties, in Filter name, type TFAuthenticationFilter, in Executable, type drive:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\TF Setup\AuthenticationFilter.dll, and then click OK.
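
Before the filter is loaded, the AuthenticationFilter.ini file can be checked for the mistakes this procedure makes easy: template placeholders left in place, a SubnetList that is silently ignored because ProxyIPList is present, or an exempt subnet that covers every address. The Python script below is an added example, not part of the original walkthrough or of Team Foundation Server; it assumes each SubnetList pair is written as address/mask, and the sample file is constructed.

```python
import configparser
import ipaddress

# Constructed sample. Writing each pair as address/mask is an assumption;
# the walkthrough only says "IP address/subnet mask pair".
SAMPLE_INI = """\
[config]
RequireSecurePort=true
SubnetList=192.168.0.0/255.255.0.0;0.0.0.0/0.0.0.0;
"""


def split_list(value):
    """Split a semicolon-separated value, dropping empty items (trailing ';')."""
    return [item.strip() for item in value.split(";") if item.strip()]


def audit_filter_ini(text):
    """Return a list of findings for the body of an AuthenticationFilter.ini."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"parse: {exc}"]
    if not parser.has_section("config"):
        return ["config: missing [config] section"]
    cfg = parser["config"]  # option names are matched case-insensitively

    if cfg.get("RequireSecurePort", "").strip().lower() != "true":
        findings.append("RequireSecurePort: not set to true")

    # Every ProxyIPList entry must be a literal IP address.
    has_proxy = "ProxyIPList" in cfg
    for item in split_list(cfg.get("ProxyIPList", "")):
        try:
            ipaddress.ip_address(item)
        except ValueError:
            findings.append(f"ProxyIPList: '{item}' is not an IP address")

    # Per the walkthrough, SubnetList has no effect once ProxyIPList is present.
    if "SubnetList" in cfg and has_proxy:
        findings.append("SubnetList: ignored because ProxyIPList is present")
    for item in split_list(cfg.get("SubnetList", "")):
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            findings.append(f"SubnetList: '{item}' is not address/mask")
            continue
        # A zero-length prefix exempts all clients from Basic/Digest enforcement.
        if net.prefixlen == 0:
            findings.append(f"SubnetList: '{item}' exempts every address")
    return findings


if __name__ == "__main__":
    for finding in audit_filter_ini(SAMPLE_INI):
        print(finding)
```
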

Configuring Your Firewall to Allow SSL Traffic

You must configure your firewall to allow for traffic on the SSL ports you specified in IIS for the default Web site, the Team Foundation Server Web site, and the SharePoint Central Administration Web site.

Note

The procedures for configuring your firewall to allow for SSL traffic will vary depending on the firewall software and hardware that you use in your deployment.

To configure a firewall to allow for network traffic on the SSL ports that are used by Team Foundation Server

  • See your firewall product documentation to determine the steps that are required to allow for network traffic on the SSL ports you specified for the default Web site, the Team Foundation Server Web site, and the SharePoint Central Administration Web site.

Editing Configuration Files for HTTPS and SSL Only

You must modify the Web.Config and TFSServerScheduler.exe.config files to require HTTPS and SSL.

To configure the Web.Config file for HTTPS and SSL only

  1. On the Team Foundation application-tier server, open a browser and open the drive:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\Web Services directory.

  2. Right-click the Web.Config file and then click Edit. If it is necessary, select an editor with which to modify the file.

  3. In the Web.Config file, search for the TFSUrlPublic element. Uncomment the element and configure the appropriate values for your deployment. For example, if your company Web site was www.contoso.com and your deployment used the standard port for HTTP proxy, you would configure the key as follows:

    <add key="TFSURLPublic" value="https://www.contoso.com:8081"/>

  4. In the Web.Config file, search for the TFSNameUrl element. Edit the value for the element by changing http to https and changing the port number to match the SSL port assigned to the Team Foundation Server Web site in IIS. For example, if your Team Foundation application-tier server was named Contoso1 and your deployment used the standard port for HTTPS for the Team Foundation Server Web site, you would configure the key as follows:

    <add key="TFSNameUrl" value="https://Contoso1:443"/>

    Important

    Make sure that you provide the correct port number for the server certificate you assigned to the Team Foundation Server Web site. SSL port values must be different for each server certificate you install, so the default port number might not be the correct number for the Team Foundation Server Web site certificate.

  5. If you have configured e-mail notification alerts, in the Web.Config file, search for the TFSUrlPublic element. Uncomment the element and configure the appropriate values for your deployment. For example, if your company Web site was www.contoso.com and your deployment used the standard port for HTTP proxy, you would configure the key as follows:

    <add key="TFSURLPublic" value="https://www.contoso.com:8081"/>

  6. Save the file and close the file editor.

To configure the TFSServerScheduler.exe.config file for HTTPS and SSL

  1. On the Team Foundation application-tier server, open a browser and open the drive:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\TFSServerScheduler directory.

  2. Right-click the TFSServerScheduler.exe.config file and then click Edit. If it is necessary, select an editor with which to edit the file.

  3. In the TFSServerScheduler.exe.config file, search for the BisDomainUrl element. Change the name of the element to TFSNameUrl, and edit its value by changing http to https and changing the port number to match the SSL port assigned to the Team Foundation Server Web site in IIS. For example, if your Team Foundation application-tier server was named Contoso1 and your deployment used the standard port for HTTPS for the Team Foundation Server Web site, you would configure the key as follows:

    <add key="TFSNameUrl" value="https://Contoso1:443"/>

  4. Save the file and close the file editor.

To update the CoverAn.exe.config file for HTTPS and SSL

  1. On the Team Foundation application-tier server, open a browser and open the drive:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\CoverAn directory.

  2. Right-click the CoverAn.exe.config file, and then click Edit. If it is necessary, select an editor with which to edit the file.

  3. In the CoverAn.exe.config file, search for the TFSNameUrl element. Edit its value by changing http to https and changing the port number to match the SSL port assigned to the Team Foundation Server Web site in IIS. For example, if your Team Foundation application-tier server was named Contoso1 and your deployment used the standard port for HTTPS for the Team Foundation Server Web site, you would configure the key as follows:

    <add key="TFSNameUrl" value="https://Contoso1:443"/>

  4. Save the file and close the file editor.

Updating the Registry Key for SQL Report Server

Follow these steps to update the registry for SQL Report Server so that reports are displayed correctly on the team project portal sites.

Warning

Incorrectly editing the registry may severely damage the system. Before you change the registry, you should back up any valued data on the computer.

To update the registry key for SQL Report Server

  1. On the Team Foundation application-tier server, click Start, click Run, type regedit, and then click OK. Registry Editor opens.

  2. In Registry Editor, expand HKEY_LOCAL_MACHINE, expand Software, expand Microsoft, expand Visual Studio, expand 8.0, expand Team Foundation, and then click ReportServer.

  3. Right-click Key and then click Modify.

  4. In the Edit String dialog box, in Value data, change the value to reflect the https address of your Team Foundation application-tier server, and then click OK. For example, if the name of your application-tier server is Contoso1, you would change the value of the data from:

    http://Contoso1

    to

    https://Contoso1

  5. Close Registry Editor.

Updating SQL Server Management Studio

Follow these steps to update SQL Server Management Studio with the https URL values for the Windows SharePoint Services and Reporting Services Web sites.

To update SQL Server Management Studio

  1. On the Team Foundation data-tier server, open SQL Server Management Studio. To open SQL Server Management Studio, click Start, click All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.

  2. On the Connect to Server dialog box, select Database Engine for the Server type. Select the appropriate server name and authentication scheme for the server. Provide a valid user name and password if you are required to by your SQL Server installation, and then click Connect.

  3. In Object Explorer, expand Databases, expand TfsIntegration, and expand Tables.

  4. In Tables, right-click tbl_service_interface, and then click Open Table.

    The dbo.tbl_service_interface table opens for editing.

  5. In the table, under name, find ReportsService. Edit the entry for url to match the new https value for Reporting Services. Make sure that you include the value that you specified for the SSL port for the Default Web site in IIS. For example, if you specified port 1443 for the Default Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:

    https://Contoso1:1443/ReportServer/ReportsService.asmx

  6. In the table, under name, find BaseReportsUrl. Edit the entry for url to match the new https value for team reports. Make sure that you include the value that you specified for the SSL port for the Default Web site in IIS. For example, if you specified port 1443 for the Default Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:

    https://Contoso1:1443/Reports

  7. In the table, under name, find WSSAdminService. Edit the entry for url to match the new https value for Windows SharePoint Services. Make sure that you include the value that you specified for the SSL port for the SharePoint Central Administration Web site in IIS. For example, if you specified port 2443 for the SharePoint Central Administration Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:

    https://Contoso1:2443/_vti_adm/admin.asmx

  8. In the table, under name, find BaseServerUrl. Edit the entry for url to match the new https value for the default Web site for the Team Foundation application-tier server. Make sure that you include the value that you specified for the SSL port for the Default Web site in IIS. For example, if you specified port 1443 for the Default Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:

    https://Contoso1:1443

  9. In the table, under name, find BaseSiteUrl. Edit the entry for url to match the new https value for the default Web site for the Team Foundation application-tier server. Make sure that you include the value that you specified for the SSL port for the Default Web site in IIS. For example, if you specified port 1443 for the Default Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:

    https://Contoso1:1443/sites

  10. In the table, under name, find DataSourceServer. Edit the entry for url to match the new https value for the default Web site for the Team Foundation application-tier server. Make sure that you include the value that you specified for the SSL port for the Default Web site in IIS. For example, if you specified port 1443 for the Default Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would modify the value as follows:

    https://Contoso1:1443/ReportServer

  11. In the table, under event type, find BuildCompletionEvent. Edit the entry for address to match the new https value for the Team Foundation Server Web site, including the value that you specified for the SSL port in IIS. For example, if you specified port 443 for the Team Foundation Server Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would edit the value as follows:

    https://Contoso1:443/WorkItemTracking/v1.0/Integration.asmx

  12. In the table, under event type, find DataChangedEvent. Edit the entry for address to match the new https value for the Team Foundation Server Web site, including the value that you specified for the SSL port in IIS. For example, if you specified port 443 for the Team Foundation Server Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would edit the value as follows:

    https://Contoso1:443/WorkItemTracking/V1.0/SyncEventsListener.asmx

  13. In the table, under event type, find ProjectCreatedEvent. Edit the entry for address to match the new https value for the Team Foundation Server Web site, including the value that you specified for the SSL port in IIS. For example, if you specified port 443 for the Team Foundation Server Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would edit the value as follows:

    https://Contoso1:443/Warehouse/v1.0/warehousecontroller.asmx

  14. In the table, under event type, find the second instance of DataChangedEvent. Edit the entry for address to match the new https value for the Team Foundation Server Web site, including the value that you specified for the SSL port in IIS. For example, if you specified port 443 for the Team Foundation Server Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would edit the value as follows:

    https://Contoso1:443/VersionControl/v1.0/Integration.asmx

  15. On the File menu, click Save All.

  16. Close SQL Server Manager.
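A consistency check for the values edited in steps 8 through 14, as an added example that is not part of the original walkthrough. It flags any entry that is still http, names the wrong host, or uses the other Web site's SSL port. The rows are constructed sample data built from the walkthrough's Contoso1, 1443 and 443 values; the function name `Test-TfsRegistrationUrl` and the row layout (including the `Site` field) are assumptions.

```powershell
# Added example (not from the walkthrough): checks URLs after the edits in steps 8-14.
# Constructed sample rows. 'Site' records which IIS Web site the entry belongs to:
# 'Default' = Default Web site, 'Tfs' = Team Foundation Server Web site.
$rows = @(
    @{ Name = 'BaseServerUrl';        Site = 'Default'; Url = 'https://Contoso1:1443' },
    @{ Name = 'BaseSiteUrl';          Site = 'Default'; Url = 'https://Contoso1:1443/sites' },
    # Constructed mistake: entry left unedited.
    @{ Name = 'DataSourceServer';     Site = 'Default'; Url = 'http://Contoso1/ReportServer' },
    @{ Name = 'BuildCompletionEvent'; Site = 'Tfs';     Url = 'https://Contoso1:443/WorkItemTracking/v1.0/Integration.asmx' },
    # Constructed mistake: Default Web site port used for a Team Foundation Server address.
    @{ Name = 'ProjectCreatedEvent';  Site = 'Tfs';     Url = 'https://Contoso1:1443/Warehouse/v1.0/warehousecontroller.asmx' }
)

function Test-TfsRegistrationUrl {
    param(
        [hashtable[]] $Rows,
        [string] $ServerName,
        [int] $DefaultSitePort,   # SSL port of the Default Web site
        [int] $TfsSitePort        # SSL port of the Team Foundation Server Web site
    )
    foreach ($row in $Rows) {
        $problems = @()
        $uri = $null
        if (-not [System.Uri]::TryCreate($row.Url, [System.UriKind]::Absolute, [ref] $uri)) {
            $problems += 'not an absolute URL'
        } else {
            if ($row.Site -eq 'Default') { $expected = $DefaultSitePort } else { $expected = $TfsSitePort }
            if ($uri.Scheme -ne 'https') { $problems += "scheme is $($uri.Scheme), expected https" }
            if ($uri.Host -ne $ServerName) { $problems += "host is $($uri.Host), expected $ServerName" }
            if ($uri.Port -ne $expected) { $problems += "port is $($uri.Port), expected $expected" }
        }
        New-Object PSObject -Property @{
            Name = $row.Name; Url = $row.Url
            Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ')
        }
    }
}

Test-TfsRegistrationUrl -Rows $rows -ServerName 'Contoso1' -DefaultSitePort 1443 -TfsSitePort 443 |
    Format-Table Name, Ok, Problems -AutoSize
```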

Configuring Reporting Services for SSL Connections

Follow these steps to configure Reporting Services to require SSL.

To configure Report Server for SSL connections

  1. On the Team Foundation application-tier server, click Start, click Programs, click Microsoft SQL Server 2005, click Configuration Tools, and then click Reporting Services Configuration.

  2. In the Report Server Installation Instance Selection dialog box, make sure that the computer and instance names are correct, and then click Connect.

  3. In the Explorer pane, click Report Server Virtual Directory.

  4. In Report Server Virtual Directory Settings, select Require Secure Socket Layer (SSL) connections. In Require For, select 1 - Connections. In Certificate Name, type the name of your Team Foundation application-tier, and then click Apply.

  5. Close Reporting Services Configuration Manager.

Installing the Certificate on Build Computers

If you installed Build Services on one or more servers, you must install the certificate on each of those servers.

Note

In order to perform builds over SSL, the certificate must be installed in the trusted root store on both the build computer for the account on which the build service is running and the computer that initiates the build.

To install the certificate on build computers

  1. Log on to the build computer by using an account that is a member of the Administrators group on that computer.

  2. Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:

    https://CertificateServer:port/services/v1.0/serverstatus.asmx

  3. A security message dialog box appears. On Security Alert, click View Certificate.

  4. On the Certificate dialog box, click the Certification Path tab.

  5. In Certification path, click the certification authority. This should be the top node of the certification hierarchy, and there should be a red X next to the name. This indicates that the certification authority is not trusted because it is not in the Trusted Root Certification Authorities store. Click View Certificate.

  6. On the Certificate dialog box, click Install Certificate.

    The Certificate Import Wizard opens. Click Next.

  7. On the Certificate Store page, select Place all certificates in the following store, and then click Browse.

  8. In Select Certificate Store, select Show physical stores. In Select the certificate store you want to use, expand Trusted Root Certification Authorities, select Local Computer, and then click OK.

  9. On the Certificate Store page, click Next.

  10. On the Completing the Certificate Import Wizard page, click Finish.

  11. A Certificate Import Wizard dialog box might appear confirming that the import was successful. If the dialog box appears, click OK.

  12. On the Certificate dialog box, click OK. The Certificate dialog box for the top node certification hierarchy will close.

  13. On the Certificate dialog box, click OK. The Certificate dialog box for the subservient certificate will close.

  14. On Security Alert, click No.

  15. Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:

    https://CertificateServer:port/services/v1.0/serverstatus.asmx

  16. The ServerStatus Web Service page should open. This confirms that you have installed the certificate and the certification authority correctly. Close the browser.

Installing the Certificate on Team Foundation Server Proxy Computers

If you installed Team Foundation Server Proxy on one or more computers, you must install the certificate on each of those computers.

To install the certificate on Team Foundation Server Proxy computers

  1. Log on to the Team Foundation Server Proxy server by using an account that is a member of the Administrators group on that computer.

  2. Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:

    https://CertificateServer:port/services/v1.0/serverstatus.asmx

  3. A security message dialog box appears. On Security Alert, click View Certificate.

  4. On the Certificate dialog box, click the Certification Path tab.

  5. In Certification path, click the certification authority. This should be the top node of the certification hierarchy, and there should be a red X next to the name. This indicates that the certification authority is not trusted because it is not in the Trusted Root Certification Authorities store. Click View Certificate.

  6. On the Certificate dialog box, click Install Certificate.

    The Certificate Import Wizard opens. Click Next.

  7. On the Certificate Store page, select Place all certificates in the following store, and then click Browse.

  8. In Select Certificate Store, select Show physical stores. In Select the certificate store you want to use, expand Trusted Root Certification Authorities, select Local Computer, and then click OK.

  9. On the Certificate Store page, click Next.

  10. On the Completing the Certificate Import Wizard page, click Finish.

  11. A Certificate Import Wizard dialog box might appear confirming that the import was successful. If this dialog box appears, click OK.

  12. On the Certificate dialog box, click OK. The Certificate dialog box for the top node certification hierarchy will close.

  13. On the Certificate dialog box, click OK. The Certificate dialog box for the subservient certificate will close.

  14. On Security Alert, click No.

  15. Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:

    https://CertificateServer:port/services/v1.0/serverstatus.asmx

  16. The ServerStatus Web Service page should open. This confirms that you have installed the certificate and the certification authority correctly. Close the browser.

Installing the Certificate on Client Computers

Every client computer that accesses Team Foundation Server must have the certificate installed locally. Additionally, if the client computer has previously accessed a Team Foundation Server team project, you must clear the client cache for every user who uses the computer to connect to Team Foundation Server before that user will be able to connect to Team Foundation Server.

Important

Do not follow this procedure for Team Foundation clients installed on the Team Foundation Server itself.

To install the certificate on Team Foundation client computers

  1. Log on to the Team Foundation client computer by using an account that is a member of the Administrators group on that computer.

  2. Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:

    https://CertificateServer:port/services/v1.0/serverstatus.asmx

  3. A security message dialog box appears. On Security Alert, click View Certificate.

  4. On the Certificate dialog box, click the Certification Path tab.

  5. In Certification path, click the certification authority. This should be the top node of the certification hierarchy, and there should be a red X next to the name. This indicates that the certification authority is not trusted because it is not in the Trusted Root Certification Authorities store. Click View Certificate.

  6. On the Certificate dialog box, click Install Certificate.

    The Certificate Import Wizard opens. Click Next.

  7. On the Certificate Store page, select Place all certificates in the following store, and then click Browse.

  8. In Select Certificate Store, select Show physical stores. In Select the certificate store you want to use, expand Trusted Root Certification Authorities, select Local Computer, and then click OK.

  9. On the Certificate Store page, click Next.

  10. On the Completing the Certificate Import Wizard page, click Finish.

  11. A Certificate Import Wizard dialog box might appear confirming that the import was successful. If the dialog box appears, click OK.

  12. On the Certificate dialog box, click OK. The Certificate dialog box for the top node certification hierarchy will close.

  13. On the Certificate dialog box, click OK. The Certificate dialog box for the subservient certificate will close.

  14. On Security Alert, click No.

  15. Open a browser and open the following Web site, where CertificateServer is the name of your certificate server, and port is the SSL port number you assigned to the certification authority:

    https://CertificateServer:port/services/v1.0/serverstatus.asmx

  16. The ServerStatus Web Service page should open. This confirms that you have installed the certificate and the certification authority correctly. Close the browser.
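A non-interactive version of the check in steps 15 and 16 of the build, proxy, and client procedures above, as an added example that is not part of the original walkthrough. It uses the default certificate validation and then reports whether the root of the chain is in the Local Computer store that step 8 selects. The function name `Test-TfsServerTrust` and the result property names are assumptions; supply your own server name and SSL port.

```powershell
# Added example (not from the walkthrough): verifies that the server certificate
# chains to a root in the Local Computer Trusted Root Certification Authorities store.
function Test-TfsServerTrust {
    param([string] $Server, [int] $Port)

    $x509   = 'System.Security.Cryptography.X509Certificates'
    $result = New-Object PSObject -Property @{
        Server = "${Server}:$Port"; Trusted = $false; Root = $null
        RootInLocalComputerStore = $false; Detail = ''
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # Default validation: the handshake fails unless the chain ends in a
        # trusted root and the certificate name matches $Server.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $result.Trusted = $true

        $cert  = New-Object "$x509.X509Certificate2" $ssl.RemoteCertificate
        $chain = New-Object "$x509.X509Chain"
        [void] $chain.Build($cert)
        # The last chain element is the top node of the certification path.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.Root = $root.Subject

        # Step 8 selects the Local Computer store, which applies to every account
        # on the computer, including the account that runs a build service.
        $store = New-Object "$x509.X509Store" 'Root', 'LocalMachine'
        $store.Open('ReadOnly')
        try {
            $match = @($store.Certificates | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
            $result.RootInLocalComputerStore = ($match.Count -gt 0)
        } finally { $store.Close() }
    } catch {
        # Connection failure, untrusted root, or certificate name mismatch.
        $result.Detail = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $result
}

# Usage (Contoso1 and 443 are the walkthrough's example values):
# Test-TfsServerTrust -Server 'Contoso1' -Port 443
```

A result with `Trusted` set to True but `RootInLocalComputerStore` set to False means the root is trusted only for the current user, so a service running under a different account would still fail validation.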

To clear the cache on Team Foundation client computers

  1. Log on to the Team Foundation client computer by using the user credentials of the user you want to update.

  2. On the Team Foundation client computer, close all open instances of Visual Studio.

  3. Open a browser and open the following folder:

    drive:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Team Foundation\1.0\Cache

  4. Delete the contents of the Cache directory. Make sure that you delete all subfolders.

  5. Click Start, click Run, type devenv /resetuserdata, and then click OK.

  6. Repeat these steps for every user account on the computer that accesses Team Foundation Server.

    Note

    You might want to consider distributing instructions on how to clear the cache to all of your Team Foundation Server users so that they can clear the cache for themselves.

See Also

Tasks

Walkthrough: Setting up Team Foundation Server with Secure Sockets Layer (SSL) and an ISAPI Filter

Concepts

Team Foundation Server, HTTPS, and Secure Sockets Layer (SSL)
Team Foundation Server, Basic Authentication, and Digest Authentication

Other Resources

Team Foundation Administration Walkthroughs
Securing Team Foundation Server with HTTPS and Secure Sockets Layer (SSL)