Setting up Team Foundation Server 2008 on Windows Server 2008 to Require HTTPS and Secure Sockets Layer (SSL)

October 2009

Ruidong Li and Elizabeth Murray, Microsoft

Use these procedures to walk through configuring Team Foundation clients to use HTTPS and Secure Sockets Layer (SSL) connections to connect to Visual Studio Team System 2008 Team Foundation Server installed on Windows Server 2008 with Internet Information Services 7.

To support external connections to your Team Foundation Server deployments, you must configure Internet Information Services (IIS) to enable Basic authentication, Digest authentication, or both. Additionally, you can configure an Internet Server Application Programming Interface (ISAPI) filter. For more information, see this page on the Microsoft Web site: Team Foundation Server, Basic Authentication, and Digest Authentication.

For information about how to set up Team Foundation Server for Visual Studio Team System 2008 on Windows 2003 with IIS 6.0, see Walkthrough: Setting up Team Foundation Server to Require HTTPS and Secure Sockets Layer (SSL).

Throughout this walkthrough, you will accomplish the following activities:

  1. Create a certificate request for Team Foundation Server Web sites.
  2. Install and assign the certificate.
  3. Configure Team Foundation Server to require HTTPS and SSL.
  4. Install the certificate (and certificate chain) on client computers.
  5. Test the certificate.

Prerequisites

To complete this walkthrough:

  • The servers in the deployment are running Windows Server 2008 and IIS 7.0.
  • The deployment uses SQL Server 2005 or SQL Server 2008 and Windows SharePoint Services 3.0.
  • Both Windows SharePoint Services 3.0 and Certificate Services are installed and configured on the application-tier server for Team Foundation.
  • The logical components of the application and data tiers for Team Foundation must be installed and operational. This walkthrough refers to the server or servers that are running the logical components of the Team Foundation application tier as the Team Foundation application-tier server. Also, this walkthrough refers to the server or servers that are running the logical components of the Team Foundation data tier as the Team Foundation data-tier server. Depending on your deployment configuration, the application-tier and data-tier servers for Team Foundation might be the same physical server or one or more different physical servers. For more information, see the installation guide for Team Foundation, which you can download from the following page on the Microsoft Web site: Installation Guide for Team Foundation.
  • You must have a certification authority (CA) available to issue certificates. This walkthrough assumes you already have a certification authority. If you do not have a certification authority, you can install Microsoft Certificate Services and configure a certification authority. For more information, see this page on the Microsoft Web site: Certificate Services.
  • If you configure a build agent for SSL connections, the following are required:
    • Team Foundation Build and Team Explorer must be installed and operational.
    • A certificate must have been issued for the build agent.
    • Windows Support Tools must be installed on the build computer. These tools are required to associate a certificate with the IP address and port. For more information, see the following page on the Microsoft Web site: Windows Support Tools.

Required Permissions

To complete this procedure, you must be a member of the Administrators group on the application-tier and data-tier servers for Team Foundation and a member of the Team Foundation Administrators group. To configure a build agent for SSL connections, you must be a member of the Administrators group on the build computer. For more information about permissions, see this page on the Microsoft Web site: Team Foundation Server Permissions.

Assumptions

This walkthrough assumes that the following conditions are true:

  • The data-tier and application-tier servers for Team Foundation have been installed and deployed in a secure environment and configured according to security best practices.
  • The administrator who is configuring Team Foundation Server with SSL is familiar with public key infrastructures (PKIs) and certificates, including requesting, issuing, and assigning certificates. For more information about PKI and certificates, see the following page on the Microsoft Web site: Public Key Infrastructure.
  • The administrator is familiar with configuring Internet Information Services (IIS), Microsoft SQL Server, and network settings, and has a working knowledge of the network topology of the development environment.

Procedures

Creating a Certificate Request for Team Foundation Server Web Sites

On the application-tier server, you must create a certificate request for Team Foundation Server by using Internet Information Services (IIS) Manager.

To create a certificate request for Team Foundation Server Web sites

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Click ComputerName (Local Computer), and then double-click Server Certificates in the IIS section of the center pane.

  3. In Server Certificates, under Actions, click Create Certificate Request.

  4. On the Distinguished Name Properties page, in Common name, type the computer name or URL for the application-tier server.

    Important

    Make sure that the common name matches the computer name or URL of the application-tier server. If these values do not match, Team Explorer will not be able to connect to Team Foundation Server.

  5. Specify values for Organization, Organizational unit, City/locality, State/province, and Country/region, and then click Next.

  6. On the Cryptographic Service Provider Properties page, click Next.

  7. On the File Name page, specify the location where you want the certificate request file saved and the name of the file, and then click Finish.

    Note

    Make sure that you save the certificate request file to a network share or other location that can be accessed from the CA computer.

Issuing a Certificate Request and Creating a Binary Certificate File

After you have created a certificate request, you must have the CA issue a certificate based on the request. After a certificate is created, you can assign it to the appropriate Team Foundation Server Web sites by using Internet Information Services (IIS).

Note

The procedures for issuing a certificate will vary depending on the CA that you use in your deployment.

Installing and Assigning the Certificate

Before you can use SSL with Team Foundation Server, you must install the server certificate on the Team Foundation Server Web site and then configure HTTPS on all Web sites that are related to Team Foundation Server. These related Web sites include the following sites:

  • Default Web site
  • SharePoint Central Administration
  • Reporting Service

Installing the Server Certificate

Follow these steps to install the server certificate on the computer that has IIS that hosts the Team Foundation Server Web site.

To install the server certificate on the application-tier server

  1. On the application-tier server for Team Foundation, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Click ComputerName (Local Computer), and then double-click Server Certificates in the center pane.

  3. Under Actions, click Complete Certificate Request.

  4. On the Specify Certificate Authority Response page, under File name containing the certification authority’s response, browse to the directory that contains the binary certificate that you saved during the previous procedure, and click the binary certificate file.

  5. Under Friendly name, type a name for the certificate such as “Team Foundation Server” and then click OK.

Assigning the Certificate to Default Web Site

Follow these steps to assign the certificate to the Default Web site.

To set up HTTPS on the Default Web site and require SSL

  1. On the application-tier server for Team Foundation, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand ComputerName (local computer), and then expand Sites.

  3. Click Default Web Site to highlight it, and then click Binding in the Actions window.

  4. In the Site Bindings dialog box, click Add.

  5. In the Add Site Binding dialog box, under Type, click https.

  6. In Port, accept the default port, or specify a different value.

    Important

    Consider using a port number other than the default, because using a default port number can reduce the security of your deployment. Make a note of the SSL port value. SSL port values must be different for each server certificate that you install. For example, if you accept the default port value of 443 for the default Web site, you must assign a different port value for the Team Foundation Server Web site and the SharePoint Central Administration Web site.

  7. In the SSL certificate list, click the server certificate that you installed in the previous step, and then click OK.

  8. In Site Bindings, click Close.

  9. In the Default Web Site Home window, double-click SSL Settings in the center pane.

  10. Select Require SSL, and make sure that the Ignore option is selected under client certificates.

  11. In the Actions pane, click Apply.

  12. Under Connections, click the Default Web Site node to return to the Default Web Site Home window.

  13. Double-click Authentication in the center pane, and make sure that Anonymous Authentication is disabled.

  14. Enable Windows Authentication, and then enable Digest Authentication, Basic Authentication, or both, as appropriate for your deployment. Disable other choices.

    For more information about authentication methods and Team Foundation Server, see the following page on the Microsoft Web site: Team Foundation Server, Basic Authentication, and Digest Authentication.

    Note

    You must configure Digest Authentication correctly or attempts to access Team Foundation Server will fail. Do not enable Digest Authentication unless your deployment meets all the requirements for it. For more information, see the following page on the Microsoft Web site: Configure Digest Authentication (IIS 7).

  15. Repeat steps 1-14 for the SharePoint Central Administration and the Team Foundation Server Web sites.

    Important

    Specify a different port for each site.

Configure Alternate Access Mappings in SharePoint Products

The default installation settings for Alternate Access Mappings in SharePoint Products will have entries for the default site and for the Central Administration Site set as non-SSL values. You must update the existing values or add values as appropriate for your installation.

To update Alternate Access Mappings for SSL

  1. Click Start, click Administrative Tools, and then click SharePoint 3.0 Central Administration.

  2. Click Operations.

  3. Under Global Configuration, click Alternate Access Mappings.

  4. Click the internal URL for Default Web site.

  5. In the URL protocol, host and port box, change the address for the Default Web site from http to https, change the port number to the SSL port number for the Default Web site, and then click OK.

  6. In the Alternative Access Mapping Collection list, select Show All.

  7. Click the internal URL for SharePoint Central Administration.

  8. In the URL protocol, host and port box, change the address of the Web site for SharePoint Central Admin from http to https.

  9. Change the port number to the SSL port number for the Web site for SharePoint Central Administration, and then click OK.

Configuring the ISAPI Filter

To use the ISAPI filter, the ISAPI initialization file, AuthenticationFilter.ini, must exist in the same directory as the AuthenticationFilter.dll file that is part of Team Foundation Server. Team Foundation Server 2008 automatically creates both AuthenticationFilter.dll and AuthenticationFilter.ini for you. If you must update this file, complete the procedure "To update the ISAPI filter file." Otherwise, proceed to the procedure "To add the ISAPI Filter."

To update the ISAPI filter file

  1. On the application-tier server for Team Foundation, open Notepad, and then copy and paste the following text:

    [config]
    RequireSecurePort=true
    ProxyIPList=<ProxyAddress>;
    SubnetList=<SubnetMask>;
    

    For the value of ProxyAddress, specify the IP address from which external network traffic to Team Foundation Server originates, such as a router, for which you want to require HTTPS/SSL and Basic authentication, Digest authentication, or both.

    Note

    If you add the ProxyIPList key to the file, the SubnetList key and its values will be ignored. For more information, see the following page on the Microsoft Web site: Team Foundation Server, Basic Authentication, and Digest Authentication.

    For the value of SubnetMask, specify the IP address/subnet mask pair or pairs for which you do not want to enforce Digest or Basic authentication.

    Note

    You can have more than one value for either ProxyAddress or SubnetMask if you separate the values with a semicolon.

  2. Save the file as AuthenticationFilter.ini in the same directory as AuthenticationFilter.dll. Example: Drive:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Tools.

  3. Click Start, click Run, type cmd, and then click OK.

    Note

    Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and then click Run as Administrator.

  4. At the command prompt, type the following command:

    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\TFS ISAPI Filter" /v EventMessageFile /t REG_SZ /d %windir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll /f
    
  5. Press ENTER.

  6. At the command prompt, type the following command:

    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\TFS ISAPI Filter" /v TypesSupported /t REG_DWORD /d 7 /f
    
  7. Press ENTER.

To add the ISAPI Filter

  1. On the application-tier server for Team Foundation, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand ComputerName (local computer), expand Sites, and then click Team Foundation Server.

  3. Select Server Components, and then double-click ISAPI Filters.

  4. Under ISAPI Filters, click Add under Actions.

  5. In the Add ISAPI Filter window, in Filter name, type TFAuthenticationFilter.

  6. In Executable, type or browse to Drive:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Tools\AuthenticationFilter.dll, and then click OK.

To Configure a Firewall to Allow Network Traffic on the SSL Ports that Team Foundation Server Uses

You must configure your firewall to allow traffic on the SSL ports that you specified in IIS for the Default Web site and the Web sites for Team Foundation Server and SharePoint Central Administration.

Note

The procedures for configuring your firewall to allow SSL traffic will vary based on the firewall software and hardware that you use in your deployment.

To configure a firewall to allow network traffic on the SSL ports that Team Foundation Server uses

  • See the product documentation for your firewall to determine the steps that you must follow to allow network traffic on the SSL ports that you specified for the Default Web site and the Web sites for Team Foundation Server and SharePoint Central Administration.

Updating Team Projects for SQL Server Reporting Services

Follow these steps to update the team project Web sites for SQL Server Reporting Services so that reports appear correctly on the team project portals.

To update team project sites for SQL Report Server

  1. On the application-tier server for Team Foundation, open a Command Prompt window, and change directories to Drive:\%ProgramFiles%\Microsoft Visual Studio 2008 Team Foundation Server\Tools\.

  2. At the command prompt, type the following command, and replace the strings in the table that follows the command:

    TfsConfigWss ConfigureReporting /SharepointSitesUri:SharePointSite /ReportsUri:Reports /ReportServerUri:ReportServer
    
    • SharePointSite
      The new uniform resource identifier (URI) of the site collection for SharePoint Products.
    • Reports
      The new URI for SQL Server Reporting Services.
    • ReportServer
      The new URI for the ReportsService.asmx Web service.

Updating Configuration Information for Team Foundation Server

Follow these steps to update configuration information with the https URL values for the Windows SharePoint Services and Reporting Services Web sites.

To update configuration information for Team Foundation Server

  1. On the application-tier server for Team Foundation, open a Command Prompt window, and change directories to Drive:\%ProgramFiles%\Microsoft Visual Studio 2008 Team Foundation Server\Tools\.

  2. Type the following command, and replace these strings:

    TfsAdminUtil ConfigureConnections /ATUri:BaseServerURL /SharepointUri:BaseSiteURL /SharepointSitesUri:SharePointSite /SharepointAdminUri:SharePointAdministration /ReportsUri:Reports /ReportServerUri:ReportServer
    
    • BaseServerURL
      The new URI for the Web server for the application-tier server for Team Foundation.
    • BaseSiteURL
      The new URI for the Default Web site for the application-tier server.
    • SharePointSite
      The new URI for the SharePoint Products site collection.
    • SharePointAdministration
      The new URI for the SharePoint Central Administration Web site.
    • Reports
      The new URI for Reporting Services.
    • ReportServer
      The new URI for the ReportsService.asmx Web service.

    Note

    If you are using a named instance, you must specify it as part of the values for Reports and ReportServer. Do not remove or change the name of the named instance.

Example

For example, suppose you specified the following port values:

    Item                                 Port Value
    Team Foundation SSL Web site         8081
    IIS SSL Web site                     443
    SharePoint Central Administration    17013

Assuming your application-tier server was named Contoso1, you would modify the values based on the following text:

TfsAdminUtil ConfigureConnections /ATUri:https://Contoso1:8081 /SharepointUri:https://Contoso1:443 /SharepointSitesUri:https://Contoso1:443/Sites /SharepointAdminUri:https://Contoso1:17013 /ReportsUri:https://Contoso1:443/Reports /ReportServerUri:https://Contoso1:443/ReportServer

Note

The ConfigureConnections command has several additional options, such as updating the public Web address that is used in e-mail alerts. For more information, see the following page on the Microsoft Web site: ConfigureConnections Command.

Configuring Reporting Services for SSL Connections

Follow these steps to configure SQL Server 2008 Reporting Services.

To configure SQL Server 2008 Reporting Services for SSL connections

  1. On the application-tier server for Team Foundation, click Start, click All Programs, click Microsoft SQL Server 2008, click Configuration Tools, and then click Reporting Services Configuration Manager.

  2. In the Reporting Services Configuration Connection dialog box, make sure that the computer and instance names are correct, and then click Connect.

  3. In the Explorer pane, click Web Service URL.

  4. In the Report Server Web Service Site Identification section, in the SSL Certificate list, click the server certificate that you installed in IIS in the previous steps.

  5. In SSL Port, type the port number that you specified for the Default Web site, and then click Apply.

  6. In the Explorer pane, click Report Manager URL.

  7. In Report Manager Site Identification, click Advanced.

  8. In Multiple SSL Identities for Report Manager, click Add.

  9. In the Certificate list, click the certificate, and then click OK.

  10. Click OK to close the Advanced Multiple Web Site Configuration dialog box.

  11. Close Reporting Services Configuration Manager.

Note

Each computer (whether build server, proxy server, or client computer) that will connect to Team Foundation Server must trust the CA that issued the certificates for the Web sites for Team Foundation Server. To do this, browse to the Web site for the CA and install the certificate chain for the CA server.

Installing the Certificate on Build Computers

If you installed Team Foundation Build Services on one or more servers, you must install the certificate on each of those servers.

Note

To perform builds over SSL, the certificate must be installed in the trusted root store on both the build computer for the account on which the build service is running and the computer that initiates the build.

To install the certificate on a build computer

  1. Log on to the build computer by using an account that is a member of the Administrators group on that computer.

  2. In a browser, open the following Web site, where TeamFoundationAT is the name of your application-tier server, and Port is the SSL port number that you assigned to the Web site for Team Foundation Server:

    https://TeamFoundationAT:Port/services/v1.0/serverstatus.asmx
    

    A security message dialog box appears.

  3. In the Security Alert dialog box, click View Certificate.

  4. In the Certificate dialog box, click the Certification Path tab.

  5. In Certification path, click the CA.

    The CA should be the top node of the certification hierarchy, and a red X should appear next to the name. This X indicates that the certification authority is not trusted because it is not in the Trusted Root Certification Authorities store.

  6. Click View Certificate.

  7. In the Certificate dialog box, click Install Certificate.

  8. In the Certificate Import Wizard, click Next.

  9. On the Certificate Store page, click Place all certificates in the following store, and then click Browse.

  10. In Select Certificate Store, select Show physical stores.

  11. In Select the certificate store you want to use, expand Trusted Root Certification Authorities, select Local Computer, and then click OK.

  12. On the Certificate Store page, click Next.

  13. On the Completing the Certificate Import Wizard page, click Finish.

  14. If the Certificate Import Wizard dialog box appears, click OK.

  15. On the Certificate dialog box, click OK.

    The Certificate dialog box for the top node certification hierarchy closes.

  16. On the Certificate dialog box, click OK.

    The Certificate dialog box for the subservient certificate closes.

  17. On Security Alert, click No.

  18. In a browser, open the following Web site, where TeamFoundationAT is the name of your application-tier server, and Port is the SSL port number that you assigned to the Web site for Team Foundation Server:

    https://TeamFoundationAT:Port/services/v1.0/serverstatus.asmx
    

    If the ServerStatus Web Service page opens, you have installed the certificate and the certification authority correctly.

  19. Close the browser.

Configuring a Build Agent for SSL Connections

To configure a build agent for SSL connections, you must configure an HTTPS certificate for each combination of IP address and port. If all build agents share the same port on the build computer, you must configure only a single certificate. If you run more than one build agent on more than one port, you must configure a certificate for each port.

You configure a build agent to require SSL by performing the following tasks in sequence:

  1. Create and configure the build agent to require HTTPS.
  2. Stop the Visual Studio Team Foundation Build service.
  3. Modify the build service configuration to require HTTPS.
  4. Associate a certificate with the IP address and port.
  5. Configure the port and protocol for the build agent.
  6. Restart the Visual Studio Team Foundation Build service.
  7. Verify the SSL configuration.

To configure the build agent to require HTTPS

  1. Open the Manage Build Agents dialog box, and select the Require Secure Channel (HTTPS) check box.

    For more information, see the following page on the Microsoft Web site: How to: Create and Manage Build Agents.

  2. Click Edit.

    The Build Agent Properties dialog box appears.

  3. In the Agent status list, click Disabled.

To stop the Visual Studio Team Foundation Build service

  1. Log on to the build computer by using an account that is a member of the Administrators group on that computer.

  2. On the build computer, click Start, click Control Panel, click Administrative Tools, and then click Services.

  3. In the Services (Local) pane, right-click Visual Studio Team Foundation Build, and then click Properties.

    The Visual Studio Team Foundation Build Properties (Local Computer) dialog box opens.

  4. Under Service Status, click Stop.

To modify the build service configuration to require HTTPS

  1. Log on to the build computer by using an account that is a member of the Administrators group on that computer.

  2. Open Drive:\Program Files\Microsoft Visual Studio 2008\Common7\IDE\PrivateAssemblies, right-click TfsBuildservice.exe.config, and then click Open.

    The file opens in the XML editor for Visual Studio.

  3. In the <appSettings> section, change the value of the RequireSecureChannel key to "true".

    For example, change the key definition to the following string:

    <add key="RequireSecureChannel" value="true" />
    
  4. Save your changes, and close the file.

To associate an SSL certificate to an IP address and port number

  1. Log on to the build computer by using an account that is a member of the Administrators group on that computer.

  2. Open the Certificates snap-in, and find an X.509 certificate that has an intended purpose of client authentication.

    For more information, see the following page on the Microsoft Web site: How To: Retrieve the Thumbprint of a Certificate.

  3. Copy the thumbprint of the certificate into a text editor, such as Notepad.

  4. Remove all spaces between the hexadecimal characters.

    You can perform this task by using the text editor's find-and-replace feature to replace each space with a null character.

  5. On the build computer, click Start, click All Programs, click Windows Support Tools, and then click Command Prompt.

  6. Run the HttpCfg.exe tool in "set" mode on the SSL store to bind the certificate to a port number.

    The tool uses the thumbprint to identify the certificate, as the following example shows:

    httpcfg set ssl /i 0.0.0.0:9191 /h ThumbprintWithNoSpaces
    

    The /i parameter has the syntax of IPAddress:Port and instructs the tool to set the certificate to port 9191 of the build computer. The IP address 0.0.0.0 reserves all computer addresses for simplicity. If you need additional precision, specify the exact IP address on which the agent service is published. The /h parameter specifies the thumbprint of the certificate.

    If the client certificate must be negotiated, add the parameter /f 2, as the following example shows:

    httpcfg set ssl /i 0.0.0.0:9191 /h ThumbprintWithNoSpaces /f 2
    

    For more information about the syntax of the HttpCfg.exe command, see the following page on the Microsoft Web site: How To: Configure a Port with An SSL Certificate.
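The thumbprint cleanup in steps 3 through 6 can be scripted so that a malformed value never reaches HttpCfg.exe. The following PowerShell is an added example, not part of the original walkthrough: the function names and the sample thumbprint are constructed for illustration, and the store check assumes the certificate is in the local computer's Personal store.

```powershell
# Added example, not part of the original walkthrough.
# Cleans a thumbprint copied from the Certificates snap-in and composes the
# httpcfg command from step 6. The sample thumbprint below is constructed.

function ConvertTo-CleanThumbprint {
    param([string]$Raw)

    # Remove whitespace and Unicode format characters. Copying from the
    # certificate dialog can carry an invisible U+200E mark along with the
    # value, which a find-and-replace on spaces does not remove.
    $clean = ($Raw -replace '[\s\p{Cf}]', '').ToUpper()

    # A certificate thumbprint is a SHA-1 hash: 20 bytes, 40 hex digits.
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "Not a valid thumbprint ($($clean.Length) characters after cleanup)."
    }
    return $clean
}

function Get-HttpCfgCommand {
    param(
        [string]$Thumbprint,
        [int]$Port,
        [string]$IPAddress = '0.0.0.0',   # all addresses, as in the walkthrough
        [switch]$NegotiateClientCertificate
    )

    if ($Port -lt 1 -or $Port -gt 65535) {
        throw "Port $Port is outside the range 1-65535."
    }

    # Accept only a literal IP address before it is placed on a command line.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$parsed)) {
        throw "'$IPAddress' is not an IP address."
    }

    $hash = ConvertTo-CleanThumbprint $Thumbprint
    $command = "httpcfg set ssl /i ${IPAddress}:$Port /h $hash"
    if ($NegotiateClientCertificate) { $command += ' /f 2' }
    return $command
}

function Test-BindingCertificate {
    param([string]$Thumbprint)

    # Assumption: the certificate is in the local computer's Personal store.
    $path = "Cert:\LocalMachine\My\$(ConvertTo-CleanThumbprint $Thumbprint)"
    if (-not (Test-Path $path)) { return $false }

    # A usable server certificate has a private key and has not expired.
    $cert = Get-Item $path
    return ($cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date))
}

# Constructed sample: a value as it might be pasted from the dialog, with a
# leading U+200E mark and a space between each byte.
$copied = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"

Get-HttpCfgCommand -Thumbprint $copied -Port 9191
Get-HttpCfgCommand -Thumbprint $copied -Port 9191 -NegotiateClientCertificate
```

On the build computer, call Test-BindingCertificate with the real thumbprint before you run the generated command. It returns False for the constructed sample.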

To configure the build agent port and protocol

  1. At a command prompt, run wcfhttpconfig free PortNumber.

    For example, type the following command:

    wcfhttpconfig free OldPortForHttp
    

    For more information, see the following page on the Microsoft Web site: wcfhttpconfig (Team Foundation Build).

  2. At the command prompt, run wcfhttpconfig reserve UserAccount URL.

    For example, type the following command:

    wcfhttpconfig reserve Domain\Account https://+Computer:NewPortForHttps/Build/v2.0/AgentService.asmx
    
  3. Add the port to the exceptions list for Windows Firewall.

To restart the Visual Studio Team Foundation Build service

  1. Log on to the build computer by using an account that is a member of the Administrators group on that computer.

  2. On the build computer, click Start, click Control Panel, click Administrative Tools, and then click Services.

  3. In the Services (Local) pane, right-click Visual Studio Team Foundation Build, and then click Properties.

    The Visual Studio Team Foundation Build Properties (Local Computer) dialog box opens.

  4. Under Service Status, click Start.

To verify the SSL configuration

  1. Open the Manage Build Agents dialog box.

    For more information, see How to: Create and Manage Build Agents.

  2. Click Edit.

    The Build Agent Properties dialog box appears.

  3. In the Agent status list, click Enabled.

  4. Verify whether communication is occurring by using the build agent to run a build.

    For more information, see How to: Queue or Start a Build Definition.

Installing the Certificate on Team Foundation Server Proxy Computers

If you installed Team Foundation Server Proxy on one or more computers, you must install the certificate on each of those computers.

Note

In addition to the following procedure, you must configure any firewalls for the proxy computer to allow traffic on the SSL ports that you specified for Team Foundation Server. The procedures for configuring your firewall in this manner will vary based on the firewall software and hardware that you use in your deployment.

To install the certificate on computers that are running Team Foundation Server Proxy

  1. Log on to the computer that is running Team Foundation Server Proxy with an account that is a member of the Administrators group on that computer.

  2. In a browser, open the following Web site, where TeamFoundationAT is the name of your application-tier server, and Port is the SSL port number that you assigned to the Web site for Team Foundation Server:

    https://TeamFoundationAT:Port/services/v1.0/serverstatus.asmx

  3. In the Security Alert dialog box, click View Certificate.

  4. In the Certificate dialog box, click the Certification Path tab.

  5. In Certification path, click the certification authority.

    This entry should be the top node of the certification hierarchy, and a red X should appear next to the name. This X indicates that the certification authority is not trusted because it is not in the Trusted Root Certification Authorities store.

  6. Click View Certificate.

  7. In the Certificate dialog box, click Install Certificate.

  8. In the Certificate Import Wizard, click Next.

  9. On the Certificate Store page, select Place all certificates in the following store, and then click Browse.

  10. In Select Certificate Store, select Show physical stores.

  11. In Select the certificate store you want to use, expand Trusted Root Certification Authorities, select Local Computer, and then click OK.

  12. On the Certificate Store page, click Next.

  13. On the Completing the Certificate Import Wizard page, click Finish.

  14. If the Certificate Import Wizard dialog box appears, click OK.

  15. In the Certificate dialog box, click OK.

    The Certificate dialog box for the top node certification hierarchy closes.

  16. In the Certificate dialog box, click OK.

    The Certificate dialog box for the subservient certificate will close.

  17. In the Security Alert dialog box, click No.

  18. In a browser, open the following Web site, where TeamFoundationAT is the name of your application-tier server, and Port is the SSL port number that you assigned to the Web site for Team Foundation Server:

    https://TeamFoundationAT:Port/services/v1.0/serverstatus.asmx

  19. If the ServerStatus Web Service page opens, you have installed the certificate and the certification authority correctly.

  20. Close the browser.

Installing the Certificate on Client Computers

Every client computer that accesses Team Foundation Server must have the certificate installed locally. Additionally, if the client computer has previously accessed a team project in Team Foundation Server, you must clear the client cache for every user who uses the computer to connect to Team Foundation Server. Otherwise, that user will not be able to connect to Team Foundation Server.

Important

Do not follow this procedure for Team Foundation clients that are installed on the server that is running Team Foundation Server.

To install the certificate on computers that are running one or more clients of Team Foundation

  1. Log on to the client computer by using an account that is a member of the Administrators group on that computer.

  2. In a browser, open the following Web site, where TeamFoundationAT is the name of your application-tier server, and Port is the SSL port number that you assigned to the Web site for Team Foundation Server:

    https://TeamFoundationAT:Port/services/v1.0/serverstatus.asmx

  3. In the Security Alert dialog box, click View Certificate.

  4. In the Certificate dialog box, click the Certification Path tab.

  5. In Certification path, click the certification authority.

    This entry should be the top node of the certification hierarchy, and a red X should appear next to the name. This X indicates that the certification authority is not trusted because it is not in the Trusted Root Certification Authorities store.

  6. Click View Certificate.

  7. In the Certificate dialog box, click Install Certificate.

  8. In the Certificate Import Wizard, click Next.

  9. On the Certificate Store page, select Place all certificates in the following store, and then click Browse.

  10. In Select Certificate Store, select Show physical stores.

  11. In Select the certificate store you want to use, expand Trusted Root Certification Authorities, select Local Computer, and then click OK.

  12. On the Certificate Store page, click Next.

  13. On the Completing the Certificate Import Wizard page, click Finish.

  14. If the Certificate Import Wizard dialog box appears, click OK.

  15. In the Certificate dialog box, click OK.

    The Certificate dialog box for the top node certification hierarchy closes.

  16. In the Certificate dialog box, click OK.

    The Certificate dialog box for the subservient certificate closes.

  17. In the Security Alert dialog box, click No.

  18. In a browser, open the following Web site, where TeamFoundationAT is the name of your application-tier server, and Port is the SSL port number that you assigned to the Web site for Team Foundation Server:

    https://TeamFoundationAT:Port/services/v1.0/serverstatus.asmx

  19. If the ServerStatus Web Service page opens, you have installed the certificate and the certification authority correctly.

  20. Close the browser.
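The certificate installation in the two procedures above (the Team Foundation Server Proxy computer and the client computers) can also be scripted. The following PowerShell is an added example, not part of the original walkthrough. It assumes that the root CA certificate was exported to a .cer file and that its thumbprint was confirmed with the CA administrator, so the certificate is checked before it is trusted; the parameter names are hypothetical.

```powershell
# Added example (not from the original walkthrough). Run in an elevated PowerShell session.
param(
    [Parameter(Mandatory = $true)][string]$CaCertPath,          # assumed: root CA certificate exported to a .cer file
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,  # assumed: thumbprint confirmed with the CA administrator
    [Parameter(Mandatory = $true)][string]$StatusUrl            # https://TeamFoundationAT:Port/services/v1.0/serverstatus.asmx
)
$ErrorActionPreference = 'Stop'

# Load the certificate and compare thumbprints before trusting anything.
# The -replace also strips spaces and invisible characters copied from the Certificate dialog box.
$path = (Resolve-Path -LiteralPath $CaCertPath).ProviderPath
$ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
$want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($ca.Thumbprint -ne $want) {
    throw "Thumbprint mismatch: file has $($ca.Thumbprint), expected $want. Nothing was installed."
}

# Only a self-signed certificate (the top node of the certification path) belongs in this store.
if ($ca.Subject -ne $ca.Issuer) {
    throw "'$($ca.Subject)' is not self-signed; do not add it to Trusted Root Certification Authorities."
}

# Equivalent of Trusted Root Certification Authorities > Local Computer in the Certificate Import Wizard.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try { $store.Add($ca) } finally { $store.Close() }

# Repeat the final test of the procedure: the status page must load without a certificate error.
$req = [System.Net.WebRequest]::Create($StatusUrl)
$req.UseDefaultCredentials = $true
try {
    $resp = $req.GetResponse()
    "Certificate chain trusted; server returned HTTP $([int]$resp.StatusCode)."
    $resp.Close()
} catch {
    # Unwrap PowerShell's wrapper exception to reach the WebException, if there is one.
    $e = $_.Exception
    while ($e.InnerException -and $e -isnot [System.Net.WebException]) { $e = $e.InnerException }
    if ($e -is [System.Net.WebException] -and $e.Status -eq 'ProtocolError') {
        # An HTTP error such as 401 means the TLS handshake, including chain validation, succeeded.
        "Certificate chain trusted; server returned an HTTP error: $($e.Message)"
    } else {
        throw "Connection still fails (certificate or network): $($e.Message)"
    }
}
```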

Note

You might want to distribute instructions about how to clear the cache to all your users of Team Foundation Server so that they can clear their own caches.

To clear the cache on computers that are running one or more clients of Team Foundation

  1. Log on to the client computer with the credentials of the user whose cache you want to clear.

  2. On the client computer, close all open instances of Visual Studio.

  3. In a browser, open the following folder:

    For Windows XP or Windows Server 2003:

    Drive:\Documents and Settings\UserName\Local Settings\Application Data\Microsoft\Team Foundation\2.0\Cache

    For Windows Vista or Windows Server 2008:

    Drive:\Users\UserName\AppData\Local\Microsoft\Team Foundation\2.0\Cache

  4. Delete the contents of the Cache directory, which includes all subfolders.

  5. Click Start, click Run, type devenv /resetuserdata, and then click OK.

  6. Repeat these steps for every user account on the client computer.
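The cache-clearing steps above can be given to users as a script. The following PowerShell is an added example, not part of the original walkthrough; it assumes that it is run by the user whose cache is being cleared and that devenv resolves the same way it does from Start > Run.

```powershell
# Added example (not from the original walkthrough). Run as the user whose cache is being cleared.
$ErrorActionPreference = 'Stop'

# Step 2: Visual Studio must be closed. Only this logon session is checked, so another
# user's Visual Studio on a shared computer does not block the script.
$session = (Get-Process -Id $PID).SessionId
$running = Get-Process -Name devenv -ErrorAction SilentlyContinue |
    Where-Object { $_.SessionId -eq $session }
if ($running) {
    throw 'Close all open instances of Visual Studio, and then run this script again.'
}

# Step 3: LocalApplicationData resolves to "Local Settings\Application Data" on Windows XP and
# Windows Server 2003, and to "AppData\Local" on Windows Vista and Windows Server 2008,
# so one lookup covers both folders named in the procedure.
$local = [Environment]::GetFolderPath('LocalApplicationData')
$cache = Join-Path $local 'Microsoft\Team Foundation\2.0\Cache'

# Step 4: delete the contents, including all subfolders, but keep the Cache directory itself.
if (Test-Path -LiteralPath $cache) {
    $items = @(Get-ChildItem -LiteralPath $cache -Force)
    $items | Remove-Item -Recurse -Force
    "Removed $($items.Count) item(s) from $cache"
} else {
    "No cache directory at $cache; nothing to clear for this user."
}

# Step 5: reset the Visual Studio user data and wait for devenv to exit.
# Assumption: Start-Process finds devenv as Start > Run does; otherwise pass the full path to devenv.exe.
Start-Process -FilePath devenv -ArgumentList '/resetuserdata' -Wait
```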

See Also

Other Resources

Walkthrough: Setting up Team Foundation Server to Require HTTPS and Secure Sockets Layer (SSL)