Integrate Team Foundation Server with SharePoint Products Without Administrative Permissions

Security requirements in your organization might affect how you integrate Visual Studio Team Foundation Server and SharePoint Products. Integration between Team Foundation Server and SharePoint Products is simplest if you can configure the service account for Team Foundation (referred to as TFSService) as a farm administrator and add user and service accounts to the appropriate groups in both products. However, Team Foundation Server does not require this level of permissions to operate. You can work with a farm administrator for SharePoint Products to configure integration between the two products without any user in Team Foundation Server or any of its service accounts belonging to the Farm Administrators group. However, this approach has the following implications:

  • The farm administrator must create a Web application for Team Foundation Server to use and manage its requirements for Team Foundation Server.

  • The administrator for Team Foundation must manually add the service accounts that SharePoint Products uses to the SharePoint Web Application Services group in Team Foundation Server. When TFSService is a member of the Farm Administrators group, the service accounts for SharePoint Products are automatically populated into the appropriate groups in Team Foundation Server when the access grant is created. However, without this permission level, Team Foundation Server cannot determine the service accounts that SharePoint Products uses or add them to any groups. The accounts must be added before the access grant between the two applications can be completed.

  • The administrator for Team Foundation cannot automatically create a site collection when creating a team project collection. The farm administrator must either create the site collection on behalf of the administrator for Team Foundation or configure the application to allow others to create site collections (self-service site creation). Then the administrator for Team Foundation must use the Advanced option to specify the site collection in the Create a New Team Project Collection Wizard.

As the administrator for Team Foundation, you and the farm administrator must perform steps in a specific sequence to configure settings that are compatible with Team Foundation Server. Both you and the farm administrator must each perform the required configuration tasks for your software. If you are adding a server that is running Microsoft Office SharePoint Server 2007 or Microsoft SharePoint Server 2010, additional steps will be required. You and the farm administrator must also coordinate what service accounts to use and perform additional steps before the reports and dashboards will function correctly for associated projects in Team Foundation Server.

Note

The procedures in this topic are designed for a deployment where SharePoint Products and Team Foundation Server are managed separately and permissions for the software are restricted. If your deployment does not require this level of security restrictions between Team Foundation Server and SharePoint Products, see Add Integration with SharePoint Products to a Deployment of Team Foundation Server.

The procedures in this topic are divided between those that the farm administrator must perform and those that the administrator for Team Foundation must perform. Similarly, the permissions that are required to perform the procedures are divided between those two roles.

Note

You can manually integrate Team Foundation Server and SharePoint Products by following the steps in this procedure. As an alternative, you can use a configuration tool to automatically integrate Team Foundation Server with either Microsoft Office SharePoint Server 2007 or SharePoint Server 2010 if your deployment topology is compatible with the default settings that the tool requires. For more information, see the following page on the Microsoft website: Visual Studio Team Foundation Server 2010 Pre-configuration Tool for Office SharePoint Server 2007 and SharePoint Server 2010.

In this topic

To add a server that is running SharePoint Products to a deployment of Team Foundation Server without granting administrative permissions to the service account for Team Foundation, complete the following procedures in the sequence listed:

  1. Required Permissions

  2. Farm Administrator Creates a Web Application for Use By Team Foundation Server

  3. Farm Administrator Configures Settings for Dashboard Compatibility

  4. (Optional) Farm Administrator Enables Self-Service Site Creation on the Web Application

  5. Farm Administrator Installs and Configures Team Foundation Server Extensions for SharePoint Products

  6. Team Foundation Administrator Adds the Service Accounts That SharePoint Products Uses to the SharePoint Web Application Services Group

  7. Farm Administrator Adds the Enterprise Application Definition

  8. Farm Administrator Grants Access for Team Foundation Server

  9. Team Foundation Administrator Grants Access for the SharePoint Web Application

  10. Team Foundation Administrator Configures Existing Team Project Collections

  11. Team Foundation Administrator Configures Existing Team Projects

Required Permissions

To perform the following procedures, the farm administrator must be a member of the following groups or have the following permissions:

  • a member of the Administrators security group on the server or servers that are running SharePoint Products

  • a member of the Farm Administrators group for the farm to which the administrator is configuring a Web application and changing settings for SharePoint Products

To perform the following procedures, the administrator for Team Foundation must be a member of the following groups or have the following permissions:

  • a member of the Administrators security group on the server that is running the application tier for Team Foundation Server

  • a member of the Team Foundation Administrators group

In addition to these permissions, both the farm administrator and the administrator for Team Foundation might need to address the following requirements on a computer that is running Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7:

  • To follow a command-line procedure, you might need to open an elevated Command Prompt by clicking Start, right-clicking Command Prompt, and clicking Run as Administrator.

  • To follow a procedure that requires Internet Explorer, you might need to start it as an administrator by clicking Start, clicking All Programs, right-clicking Internet Explorer, and then clicking Run as administrator.

  • To access SharePoint Central Administration, Report Manager, reports, or Web sites for SQL Server Reporting Services, you might need to add these sites to the list of trusted sites in Internet Explorer.

For more information, see the following topic on the Microsoft Web site: User Account Control.

Create a Web Application for Use with Team Foundation Server

Integration between SharePoint Products and Team Foundation Server requires a Web application that is configured with the settings that Team Foundation Server requires. The farm administrator must manually create this Web application and site collection for use by Team Foundation Server.

To create a Web application and site collection

  1. Create a SharePoint Web application that uses port 80, uses NTLM for authentication, and has a unique name that also indicates the port number.

  2. Create a site collection on that Web application that has a unique name.

    For more information about how to create a SharePoint Web application and a site collection for use with Team Foundation Server, see Create SharePoint Web Applications and Sites for Use with Team Foundation Server.

Configure Office SharePoint Server Dashboards for Compatibility with Team Foundation Server

If you want to use a server that is running Windows SharePoint Services 3.0 to support the deployment of Team Foundation Server, you should skip this section.

To use an existing deployment of Microsoft Office SharePoint Server 2007 with the deployment of Team Foundation Server, the farm administrator must configure SharePoint Products with the settings that Team Foundation Server requires. Otherwise, team project portals might not have all the functionality that you expect or might not function correctly.

You can configure Microsoft Office SharePoint Server 2007 for use with Team Foundation Server if you follow these procedures carefully. The configuration process is complex and requires careful planning and coordination between both administrators. You must determine the accounts to use as service accounts, administrative accounts, and group accounts. The requirements for accounts are discussed in detail, both in the abstract and in an example, in Interactions Between SharePoint Products and Team Foundation Server. Both administrators should review the information carefully and understand the requirements before the farm administrator begins the configuration.

To configure Microsoft Office SharePoint Server so that reports and dashboards will display correctly in Team Foundation Server

  • In SharePoint Central Administration, enable the services and configure the settings that Team Foundation Server requires.

    For more information about how to configure Microsoft Office SharePoint Server 2007 to support reports and dashboards, see Configure Settings for Dashboard Compatibility.

    Note

    On servers that are running SharePoint Products on Windows Server 2008 or Windows Server 2008 R2, you must also enable the Desktop Experience feature before Microsoft Office applications will interoperate correctly with Team Foundation Server. For more information, see Desktop Experience Overview.

(Optional) Enable Users to Create Sites on the Web Application

After the farm administrator has created and configured a Web application, the farm administrator can enable self-service site creation on each Web application that will support Team Foundation Server. This configuration will enable users who have the appropriate permissions on the Web application to create a site collection before they create a team project collection. Because the service account for Team Foundation is not a member of the Farm Administrators group, users cannot automatically create a site collection when they create a team project collection. The site collection must be created before the project collection is created, and users must then use the Advanced option to specify the site collection in the Create a New Team Project Collection Wizard.

You do not have to enable self-service site creation. However, this approach allows more flexibility in the deployment. Farm administrators can delegate the creation of site collections to the administrators for Team Foundation. Without this division of responsibility, the farm administrator must create a site collection every time an administrator for Team Foundation wants to create a team project collection that is integrated with SharePoint Products.

To enable self-service site creation, the farm administrator must also grant the Root Visitors permission to either the domain account of the administrator for Team Foundation or to the Active Directory group that contains all administrators for Team Foundation. The farm administrator must also create a root site for the site collection before enabling self-service site creation.

To enable self-service site creation

  1. Open SharePoint Central Administration, and then click Application Management.

    The Application Management page appears.

  2. Under Application Security, click Self-service site management.

  3. On the Self-Service Site Management page, click the Web application that you created for use with Team Foundation Server.

  4. In Enable Self-Service Site Creation, click On, and then click OK.

  5. In a browser, browse to the Web application that you created for Team Foundation Server (http://WebApplicationName:PortNumber/default.aspx).

  6. On the Home page, click Site actions, and then click Site Settings.

  7. On the Site Settings page, under Users and Permissions, click People and groups.

  8. On the People and Groups page, click New.

  9. On the Add Users page, under Users/Groups, type either the domain account of the administrator for Team Foundation or the Active Directory group that contains all administrators for Team Foundation.

  10. Under Give Permission, under Add users to a SharePoint group, click Root Visitors, and then click OK.

Install Extensions

After the farm administrator has configured self-service site creation, the farm administrator must install the Team Foundation Server Extensions for SharePoint Products on the server that is running SharePoint Products. If more than one server will support Team Foundation Server, the farm administrator must install the extensions on each server that is running SharePoint Products.

Note

If the server that hosts the Web application is part of a Web farm, you must install the extensions on each server in that farm. As you install the extensions on each server, an error message appears at the end of each installation until you install the extensions on every server in the farm. This behavior is expected, and it will stop when you install the extensions on the final server in the farm.

To install Team Foundation Server Extensions for SharePoint Products

  • For more information, see the installation guide for Team Foundation. To download the most recent version of this guide, see this page on the Microsoft Web site: Installation Guide for Team Foundation.

Configure the Enterprise Application Definition

If you want to use a server that is running Windows SharePoint Services 3.0 to support the deployment of Team Foundation Server, you should skip this section.

If you want to use a server that is running Microsoft Office SharePoint Server 2007, the farm administrator must configure the enterprise application definition that the farm administrator created for Team Foundation Server. The farm administrator must configure this definition for reports and dashboards to appear correctly in the team project portals that the administrator for Team Foundation or the project administrator will create to support the projects that already exist in Team Foundation Server.

To configure the enterprise application definition

  1. On the server where you have installed the Team Foundation Server Extensions for SharePoint Products, open the administration console for Team Foundation.

    For more information, see Open the Team Foundation Administration Console.

  2. Click Extensions for SharePoint Products, and then click the SharePoint Web application for which you want to configure the enterprise application definition.

  3. Click Modify access, type the name of the definition, and then click OK.

Grant Access for Team Foundation Server

The farm administrator must configure the SharePoint Web application to grant the access that Team Foundation Server requires for successful integration. The access grants between Team Foundation Server and SharePoint Products are paired. The process will not be complete and integration will not be successful until both administrators perform their configuration tasks. The farm administrator grants the necessary access for the Web application and the administrator for Team Foundation grants the necessary access for the Web application in Team Foundation Server.The administrator for Team Foundation must also add the service accounts that SharePoint Products uses to the SharePoint Web Application Services group in Team Foundation Server. Therefore, the farm administrator must communicate that account information to the administrator for Team Foundation.

To configure access between a SharePoint Web application and Team Foundation Server

  1. Configure access for the SharePoint Web application.

    For more information, see Add a SharePoint Web Application to Your Deployment. In that topic, follow the steps in the section "To grant access between a SharePoint Web application and Team Foundation Server."

  2. Provide the name and the domain of the account that is configured as the service account for the Web application to the administrator for Team Foundation, and notify that person when the configuration is complete.

Add the Service Accounts That SharePoint Products Uses to the SharePoint Web Application Services Group

Before you can complete the access grant between a SharePoint Web application and Team Foundation Server, you must add the service account for the Web application to the SharePoint Web Application Services group in Team Foundation Server.

Note

This step is required if the service account for Team Foundation Server is not a member of the Farm Administrators group. 

To add service accounts for a SharePoint Web application to the SharePoint Web Application Services group

  1. On the server where you have installed the application tier for Team Foundation Server, open the administration console for Team Foundation.

    For more information, see Open the Team Foundation Administration Console.

  2. Expand the tree, and click SharePoint Web Applications.

  3. In the SharePoint Web Applications pane, under Service Accounts for SharePoint Web Applications, click Add Members.

    The Select Users, Computers, or Groups dialog box opens.

  4. In Enter the object names to select, type the accounts that you want to add, and then click OK.

Grant Access for the Web Application

The administrator for Team Foundation must add the Web application to Team Foundation Server and add the service account that SharePoint Products uses to the SharePoint Web Application Services group. This task is the second part of the configuration process, after which the access grants will be configured on both sides.

To configure access between Team Foundation Server and a SharePoint Web application

Configure Existing Team Project Collections

After the administrator for Team Foundation has added a SharePoint Web application to the deployment of Team Foundation Server, that administrator can add that Web application as a resource for any team project collections in that deployment. By adding the Web application to a collection, that administrator enables project administrators to automatically create and populate a SharePoint site as the team project portal for a new or existing project in that collection.

Note

You cannot create a site collection as part of creating a team project collection unless the service account for Team Foundation is a member of the Farm Administrators group. For more information, see Create a Team Project Collection.

To add a SharePoint Web application and a default root location in which project administrators create team project portals

Configure Existing Team Projects

After a SharePoint Web application has been added to a team project collection, either the administrator for Team Foundation or a project administrator can configure any of the projects in that collection with a team project portal on that SharePoint Web application. To configure a portal, the administrator must first create a SharePoint site for the team project on the Web application and then add that site to the project. The administrator must then manually configure the features for the site so that the reports and dashboards for the project will function correctly.

To create a SharePoint site for use with Team Foundation Server

  1. Open Internet Explorer.

  2. In the address bar, type the address of the top-level site on the SharePoint Web application where you want to create the site.

  3. Click Site Actions, and then click Create.

    The Create Page page appears.

  4. Under Web Pages, click Sites and Workspaces.

    The New SharePoint Site page appears.

  5. In Title and Description, type a title and a description for the site.

  6. In Web Site Address, type a URL for this site.

    The URL name will automatically be prefaced with the address of the Web application.

  7. In Permissions, specify the user permissions that are appropriate for your new site, and then click Create.

  8. On the Template Selection page, specify the template that is appropriate to the process that you want to follow.

    For example, click Agile Dashboard if you are creating a Web site for a project that uses Agile techniques.

  9. Click OK.

    Note

    The site will immediately open after you create it, but some of its features will not appear correctly. This behavior is expected and will remain this way until you finish adding the site as a portal for a team project.

To add the SharePoint site as a portal to an existing team project

  1. In Team Explorer, right-click the name of the project, point to Team Project Settings, and then click Portal Settings.

  2. On the Project Portal tab, select the Enable project portal check box.

  3. Click Use this SharePoint site, and then click Configure URL.

  4. In the Web application list, click a SharePoint Web application.

  5. In Relative site path, type the relative path of the SharePoint site that you created for this team project.

    As you type the path, it appears at the end of the value in URL.

  6. In URL, click the link.

    A browser window opens.

  7. Verify that the Web site that appears is the site that you want to use, close the window, and then click OK.

  8. If you want this SharePoint site to show data for this project, select the Reports and dashboards refer to data for this team project check box.

    Important

    If you select this check box and another team project is already using that site, you will cause serious consequences for that team project. By selecting this check box, you will redirect all automated reports and data on this portal to reflect the data for this team project instead of the other team project. You must ensure that no other team projects use this SharePoint site, or you must verify with the owner of the other team project that you should make this change. To redirect the reports and data, you must also be a member of the Project Administrator group in both projects.

  9. Click OK, right-click the team project, and then click Show Project Portal.

    The team project portal opens in a new browser window.

  10. Click Site Actions, and then click Site Settings.

  11. Under Site Administration, click Site features.

  12. In the list of site features, find each feature that you want to activate for this portal, and then click Activate.

See Also

Tasks

Add Integration with SharePoint Products to a Deployment of Team Foundation Server

Modify or Remove Access Between a SharePoint Web Application and Team Foundation Server

Concepts

Interactions Between SharePoint Products and Team Foundation Server

Roles in SharePoint Products

Extensions for SharePoint Products

Configure Settings for Dashboard Compatibility

The Team Foundation Administration Console

Team Foundation Server Architecture

Service Accounts and Dependencies in Team Foundation Server

Team Foundation Server Permissions

Other Resources

Configuring Resources to Support Team Projects