How to: Configure Team Foundation Server for HTTPS and SSL Only

You can configure Team Foundation Server to use only HTTPS and Secure Sockets Layer (SSL) and to disallow HTTP connections. To do this, you must first configure Team Foundation Server to allow HTTPS and SSL, and then you must perform the additional steps to require HTTPS and SSL.

You must complete the procedures found in Walkthrough: Setting up Team Foundation Server with Secure Sockets Layer (SSL) before continuing with the procedures in the following section.

Important

If you configure Team Foundation Server to use any customized ports, such as HTTPS and SSL, you will not be able to install any service packs for Team Foundation Server after you make those changes. Installation of service packs will fail. You must reconfigure Team Foundation Server to its default settings before you can apply service packs for Team Foundation Server.

Required Permissions

You must be a member of the Administrators group on the Team Foundation application-tier and data-tier servers and a member of the Team Foundation Administrators group to complete this procedure. For more information about permissions, see Team Foundation Server Permissions.

To configure the Team Foundation Server Web site to require SSL

  1. On the Team Foundation application-tier server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand <computername> (local computer) and then expand Web sites.

  3. Right-click Team Foundation Server and then click Properties.

  4. In Team Foundation Server Properties, click the Directory Security tab.

  5. On the Directory Security tab, under Secure Communications, click Edit.

  6. In Secure Communications, select Require secure channel (SSL). Make sure that Ignore client certificates is selected, and then click OK.

  7. Click OK to close the Team Foundation Server Properties dialog box.

    Note

    If an Inheritance Overrides dialog box appears after clicking OK, click Select All, and then click OK.

To edit the Web.Config file for HTTPS and SSL only

  1. On the Team Foundation application-tier server, open a browser and open the drive:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\Web Services directory.

  2. Right-click the Web.Config file and then click Edit. If it is necessary, select an editor with which to edit the file.

  3. In the Web.Config file, search for the TFSNameUrl element. Edit the value for the element by changing http to https and changing the port number to match the SSL port assigned to the Team Foundation Server Web site in IIS.

    For example, if your Team Foundation application-tier server was named Contoso1 and your deployment used the standard port for HTTPS for the Team Foundation Server Web site, you would configure the key as follows:

    <add key="TFSNameUrl" value="https://Contoso1:443"/>

    Important

    Make sure that you provide the correct port number for the server certificate you assigned to the Team Foundation Server Web site. SSL port values must be different for each server certificate you install, so the default port number might not be the correct number for the Team Foundation Server Web site certificate.

  4. If you have configured e-mail notification alerts, in the Web.Config file, search for the TFSUrlPublic element. Uncomment the element and configure the appropriate values for your deployment.

    For example, if your company Web site was www.contoso.com and your deployment used the standard port for HTTP proxy, you would configure the key as follows:

    <add key="TFSURLPublic" value="https://www.contoso.com:8081"/>

  5. Save the file and close the file editor.

To update the TFSServerScheduler.exe.config file for HTTPS and SSL

  1. On the Team Foundation application-tier server, open a browser and open the drive:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\TFSServerScheduler directory.

  2. Right-click the TFSServerScheduler.exe.config file and then click Edit. If it is necessary, select an editor with which to edit the file.

  3. In the TFSServerScheduler.exe.config file, search for the BisDomainUrl element. Change the name of the element to TFSNameUrl, and edit its value by changing http to https and changing the port number to match the SSL port assigned to the Team Foundation Server Web site in IIS.

    For example, if your Team Foundation application-tier server was named Contoso1 and your deployment used the standard port for HTTPS for the Team Foundation Server Web site, you would configure the key as follows:

    <add key="TFSNameUrl" value="https://Contoso1:443"/>

    Note

    If you have installed Service Pack 1 (SP1) for Team Foundation Server, there will be no element named BisDomainUrl. The element requiring modification is named TFSNameUrl in SP1.

  4. Save the file and close the file editor.

To update the CoverAn.exe.config file for HTTPS and SSL

  1. On the Team Foundation application-tier server, open a browser and open the drive:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\CoverAn directory.

  2. Right-click the CoverAn.exe.config file, and then click Edit. If it is necessary, select an editor with which to edit the file.

  3. In the CoverAn.exe.config file, search for the TFSNameUrl element. Edit its value by changing http to https and changing the port number to match the SSL port assigned to the Team Foundation Server Web site in IIS.

    For example, if your Team Foundation application-tier server was named Contoso1 and your deployment used the standard port for HTTPS for the Team Foundation Server Web site, you would configure the key as follows:

    <add key="TFSNameUrl" value="https://Contoso1:443"/>

  4. Save the file and close the file editor.
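
The three configuration-file procedures above (Web.Config, TFSServerScheduler.exe.config, and CoverAn.exe.config) can be checked in one pass after editing. The following is an added example, not part of the original page or of Team Foundation Server; the function name Test-TfsUrlSetting, its parameters, the assumption that the keys sit in an appSettings section, and all sample XML (including the http://Contoso1:8080 value) are illustrative.

```powershell
# Added example. Key names are from the procedures; all sample XML is constructed.
function Test-TfsUrlSetting {
    param(
        [Parameter(Mandatory = $true)][string]$Name,       # label for the file
        [Parameter(Mandatory = $true)][string]$ConfigXml,  # file content as text
        [int]$SslPort = 443                                # SSL port assigned in IIS
    )
    $watched = 'TFSNameUrl', 'TFSUrlPublic', 'BisDomainUrl'  # matched case-insensitively
    try { $doc = [xml]$ConfigXml }
    catch {
        # For example, an attribute value that is missing a quote.
        return [pscustomobject]@{ File = $Name; Key = '(file)'; Value = ''; Problem = 'not well-formed XML' }
    }
    # Assumption: the keys are in an appSettings section with no default XML namespace.
    foreach ($node in $doc.SelectNodes('//appSettings/add')) {
        $key = $node.GetAttribute('key')
        if ($watched -notcontains $key) { continue }
        $value = $node.GetAttribute('value')
        $uri = $null; $problem = $null
        if ($key -eq 'BisDomainUrl') { $problem = 'element not renamed to TFSNameUrl' }
        elseif (-not [Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)) { $problem = 'not an absolute URL' }
        elseif ($uri.Scheme -ne 'https') { $problem = 'scheme is not https' }
        elseif ($key -eq 'TFSNameUrl' -and $uri.Port -ne $SslPort) { $problem = "port is not $SslPort" }
        if ($problem) { [pscustomobject]@{ File = $Name; Key = $key; Value = $value; Problem = $problem } }
    }
}

# Constructed samples: one correct file, one unedited file, one with a quoting error.
$webConfig = @'
<configuration><appSettings>
  <add key="TFSNameUrl" value="https://Contoso1:443"/>
</appSettings></configuration>
'@
$scheduler = @'
<configuration><appSettings>
  <add key="BisDomainUrl" value="http://Contoso1:8080"/>
</appSettings></configuration>
'@
$coverAn = @'
<configuration><appSettings>
  <add key="TFSNameUrl" value=https://Contoso1:443"/>
</appSettings></configuration>
'@

# Real use: pass each file's text, e.g. -ConfigXml (Get-Content <path to file> -Raw)
Test-TfsUrlSetting -Name 'Web.Config' -ConfigXml $webConfig
Test-TfsUrlSetting -Name 'TFSServerScheduler.exe.config' -ConfigXml $scheduler
Test-TfsUrlSetting -Name 'CoverAn.exe.config' -ConfigXml $coverAn
```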

To update SQL Server Management Studio

  1. On the Team Foundation data-tier server, open SQL Server Management Studio. To open SQL Server Management Studio, click Start, click All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.

  2. On the Connect to Server dialog box, select Database Engine for the Server type. Select the appropriate server name and authentication scheme for the server. Provide a valid user name and password if you are required to by your SQL Server, and then click Connect.

  3. In Object Explorer, expand Databases, expand TfsIntegration, and expand Tables.

  4. In Tables, right-click tbl_subscription, and then click Open Table.

    The dbo.tbl_subscription table opens for editing.

  5. In the table, under event type, find BuildCompletionEvent. Edit the entry for address to match the new https value for the Team Foundation Server Web site, including the value that you specified for the SSL port in IIS.

    For example, if you specified port 443 for the Team Foundation Server Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would edit the value as follows:

    https://Contoso1:443/WorkItemTracking/v1.0/Integration.asmx

  6. In the table, under event type, find DataChangedEvent. Edit the entry for address to match the new https value for the Team Foundation Server Web site, including the value that you specified for the SSL port in IIS.

    For example, if you specified port 443 for the Team Foundation Server Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would edit the value as follows:

    https://Contoso1:443/WorkItemTracking/V1.0/SyncEventsListener.asmx

  7. In the table, under event type, find ProjectCreatedEvent. Edit the entry for address to match the new https value for the Team Foundation Server Web site, including the value that you specified for the SSL port in IIS.

    For example, if you specified port 443 for the Team Foundation Server Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would edit the value as follows:

    https://Contoso1:443/Warehouse/v1.0/warehousecontroller.asmx

  8. In the table, under event type, find the second instance of DataChangedEvent. Edit the entry for address to match the new https value for the Team Foundation Server Web site, including the value that you specified for the SSL port in IIS.

    For example, if you specified port 443 for the Team Foundation Server Web site SSL port value in IIS, and your application-tier server was named Contoso1, you would edit the value as follows:

    https://Contoso1:443/VersionControl/v1.0/Integration.asmx

  9. On the File menu, click Save All.

  10. Close SQL Server Management Studio.

To configure Report Server for SSL connections

  1. On the Team Foundation application-tier server, click Start, click Programs, click Microsoft SQL Server 2005, click Configuration Tools, and then click Reporting Services Configuration.

  2. In the Report Server Installation Instance Selection dialog box, make sure that the machine and instance names are correct, and then click Connect.

  3. In the Explorer pane, click Report Server Virtual Directory.

  4. In Report Server Virtual Directory Settings, select Require Secure Socket Layer (SSL) connections. In Require For, select 1 - Connections. In Certificate Name, type the name of your Team Foundation application-tier, and then click Apply.

  5. Close Reporting Services Configuration Manager.

Next Steps

  • After configuring Team Foundation Server to require HTTPS and SSL, you must configure any build servers or Team Foundation Server Proxy servers in your deployment. You must install a certificate and configure the certification authority as a Trusted Root Certificate Authority on each build server and proxy server. For more information, see Walkthrough: Setting up Team Foundation Server with Secure Sockets Layer (SSL).

  • In addition to configuring build and proxy servers, you must configure any client computers that connect to Team Foundation Server. You must install a certificate and configure the certification authority as a Trusted Root Certificate Authority on each client computer, as well as manually clear the client cache. For more information, see Walkthrough: Setting up Team Foundation Server with Secure Sockets Layer (SSL).

    Important

    Do not clear the cache for Team Foundation clients installed on the Team Foundation Server itself.

  • After you have finished configuring all computers, consider creating a test project on the Team Foundation Server and connecting to that test project from a client computer to make sure that you have configured all components correctly.

See Also

Tasks

Walkthrough: Setting up Team Foundation Server with Secure Sockets Layer (SSL)

Concepts

Team Foundation Server Security Architecture
Team Foundation Server Permissions
Team Foundation Server Default Groups, Permissions, and Roles

Other Resources

Troubleshooting Team Foundation Server