Enabling SSL in TFS 2012 Express
Published: 11/3/2012 11:47:12 AM
Enabling SSL in TFS 2012 is basically the same as enabling SSL in IIS. TFS uses IIS to provide access to your team project collections, so you bind a certificate to TFS through the IIS Manager. This guide assumes that the certificate has already been created and installed on the server (in the local machine's personal certificate store), and that it was issued to the server name your clients will use in the URL.
Configuring IIS
- First we need to make sure that the HTTPS protocol is configured and bound to a port. Open the IIS manager and right-click on the "Sites" > "Team Foundation Server" node. Select "Edit Bindings..." in the context menu.
- In the "Site Bindings" form, select "Add..." to add a new binding. Select "https" as type, "All unassigned" as IP address, enter a suitable port number (443 is the default HTTPS port) and select your certificate in the "SSL certificate" dropdown.
Warning: If you use port 443 and another web site on the server also uses 443 for SSL (remember that 443 is the default SSL port, so chances are it is already taken) you will run into problems: two sites cannot share the same IP address and port for HTTPS unless they are told apart by host name (SNI, which IIS only supports from version 8 onward). To avoid this, make sure the SSL port you select here is not used elsewhere on the server, or give TFS a dedicated IP address.
- Once the https binding is in place you can try to navigate to your TFS using the https protocol (for example: https://yourservername/tfs/). If the browser warns about the certificate, either the name in the URL does not match the name the certificate was issued to or the issuer is not trusted; fix that now rather than teaching clients to click through warnings.
- At this point SSL is optional (clients can still choose to connect using regular HTTP), so anything a client fetches over HTTP still travels in the clear. If you want to force clients to use SSL, double-click the "SSL Settings" icon in the features view of the "Team Foundation Server" web site and check the "Require SSL" checkbox. Clients that attempt to connect using HTTP will then receive an HTTP 403 error.
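The same IIS steps done from an elevated PowerShell session, as an added example that is not part of the original post. It uses the WebAdministration module (IIS 7.5 or later), assumes the site is named "Team Foundation Server" (the TFS default), that the certificate is already in LocalMachine\My, and picks 8443 as the dedicated SSL port and 8080 as the existing HTTP port (the TFS default); adjust those values for your server. Besides adding the binding and requiring SSL it checks for the port clash described in the warning and verifies the result from the server itself.

```powershell
# Added example, not from the original post: "Configuring IIS" as a script.
# Assumed values: site name, certificate store, ports. Run elevated.
Import-Module WebAdministration

$SiteName = "Team Foundation Server"
$HostName = [System.Net.Dns]::GetHostEntry("").HostName   # name the certificate was issued to
$Port     = 8443                                            # dedicated SSL port (assumption)
$HttpPort = 8080                                            # existing HTTP port (TFS default)

# 1. Pick a valid certificate with a private key whose subject CN is the server name.
#    A name mismatch here is exactly what produces the validation errors later on.
$cn   = [regex]::Escape($HostName)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Subject -match "CN=$cn(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName with a private key in LocalMachine\My" }

# 2. Refuse a port that another site already binds for HTTPS (the warning above).
$inUse = Get-Website | Where-Object { $_.Name -ne $SiteName } | ForEach-Object {
    $site = $_
    $site.bindings.Collection |
        Where-Object { $_.protocol -eq "https" -and $_.bindingInformation -like "*:${Port}:*" } |
        ForEach-Object { $site.Name }
}
if ($inUse) { throw "Port $Port is already bound for HTTPS by: $($inUse -join ', ')" }

# 3. Add the https binding and attach the certificate to 0.0.0.0:<port> ("All unassigned").
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress "*"
}
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null

# 4. Require SSL: IIS then answers plain HTTP with 403 instead of serving the request.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "system.webServer/security/access" -Name "sslFlags" -Value "Ssl"

# 5. Verify. Returns the HTTP status, or -1 when the TLS handshake itself fails
#    (untrusted issuer, name mismatch), which is the case you must not ignore.
function Test-TfsUrl([string]$Url) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true
    $req.AllowAutoRedirect     = $false
    try {
        $resp = $req.GetResponse(); $code = [int]$resp.StatusCode; $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        else { Write-Warning "$Url : $($_.Exception.Message)"; $code = -1 }
    }
    return $code
}
foreach ($url in "http://${HostName}:$HttpPort/tfs/", "https://${HostName}:$Port/tfs/") {
    "{0} -> {1}" -f $url, (Test-TfsUrl $url)   # expect 403 for http, 200 or 302 for https
}
```

If the https check prints a warning instead of a status code, the certificate chain is not trusted by the server itself; clients will see the same failure, so fix the certificate rather than the client settings.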
Your clients should now be able to use https to connect to TFS. However, certain links within TFS still assume that the http protocol is valid. The most common place is the build reports, which redirect you to the http version of TFS whenever you want to see build details. To fix this, open the Team Foundation Server Express Administration Console and update the server URLs as described below.
Configuring TFS
- Open the TFS Administration Console and navigate to the "Application Tier" node. To the right you will see a summary of the settings. Locate the "Notification URL" and "Web Access URL" and verify that they are using the http protocol.
- Click the "Change URLs" link to the right. This opens a dialog where you can change the "Notification URL" and "Server URL". Update the URLs so that they use the https protocol with the correct SSL port and the same server name that the certificate was issued to. Click "OK".
- The build details should now open with the https protocol (you might need to restart your TFS client and/or services for the changes to take effect). However, the build controller itself might have problems reaching the project collections, making builds queue up.
- To fix the build controller, start by stopping it: select the "Build Configuration" node and stop the Build Service. Once it is stopped, click the "Properties" link to open the configuration.
- In the "Communications" section, update the "Provide Build Services for Project Collection:" value so that it uses https and the correct SSL port.
Note: I got an error when I used "localhost" in the address because my SSL certificate was issued to my real server name. If you get errors indicating that the certificate couldn't be validated, make sure the server name used in the URL is the same as the name in the certificate; do not work around it by disabling certificate validation.
- When I was configuring TFS I was still unable to build anything at this point; builds just kept piling up in the queue. The fix was not obvious at first, but after some searching on the internet I finally found a blog post that provided the solution. It turns out that I had to open "C:\Program Files\Microsoft Team Foundation Server 11.0\Application Tier\Message Queue\web.config" and modify the following section by adding an 's' to the httpTransport element, i.e. renaming it to httpsTransport so the binding uses the HTTPS transport (the other attributes stay as they are). Note that the transport is configured for Basic authentication, which is one more reason this binding should only ever run over HTTPS. The section should end up looking like this:

```xml
<customBinding>
  <binding name="TfsSoapBinding">
    <textMessageEncoding messageVersion="Soap12WSAddressing10" />
    <httpsTransport authenticationScheme="Basic" manualAddressing="true" />
  </binding>
</customBinding>
```
- After you restart the IIS web site ("Team Foundation Server") the builds should begin to work again.
- If you have enabled SSL on your SQL Server you can also modify the connection string to use encryption as well. This is done by opening "C:\Program Files\Microsoft Team Foundation Server 11.0\Application Tier\Web Services\web.config" and updating the "applicationDatabase" key in the appSettings element. Encryption is enabled by appending "Encrypt=True;" to the connection string. With Encrypt=True the client validates the SQL Server's certificate, so that certificate must chain to a root the TFS server trusts and carry the name used in Data Source; do not paper over a validation error with TrustServerCertificate=True, which accepts any certificate and removes the protection against a man-in-the-middle.

```xml
<appSettings>
  <add key="applicationDatabase"
       value="Data Source=.;Initial Catalog=Tfs_Configuration;Integrated Security=True;Encrypt=True;" />
</appSettings>
```
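Both web.config edits above (the httpTransport-to-httpsTransport rename in the message queue config and the Encrypt=True change to the SQL connection string) applied from an elevated PowerShell session instead of by hand, as an added example that is not part of the original post. It backs up each file, edits the XML through the DOM so the rest of the file is untouched, keeps TrustServerCertificate off, and restarts the site. The paths are the TFS 2012 defaults quoted in the post; the SQL part assumes, as the post does, that SQL Server already has a certificate configured.

```powershell
# Added example, not from the original post: apply the two web.config edits from PowerShell.
# Assumed paths: TFS 2012 defaults. Run elevated (the files live under Program Files).
$TfsRoot   = "C:\Program Files\Microsoft Team Foundation Server 11.0\Application Tier"
$MqConfig  = Join-Path $TfsRoot "Message Queue\web.config"
$WebConfig = Join-Path $TfsRoot "Web Services\web.config"

function Import-ConfigDocument([string]$Path) {
    Copy-Item $Path "${Path}.$(Get-Date -Format 'yyyyMMddHHmmss').bak"   # backup before touching it
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true      # keep the file's layout so a later diff stays readable
    $doc.Load($Path)
    return $doc
}

# Edit 1: the binding element must change from httpTransport to httpsTransport. The DOM
# cannot rename an element, so create the new one and copy the attributes across.
function Set-HttpsTransport([System.Xml.XmlDocument]$Doc) {
    $old = $Doc.SelectSingleNode("//customBinding/binding[@name='TfsSoapBinding']/httpTransport")
    if ($null -eq $old) { return $false }    # already httpsTransport, nothing to do
    $new = $Doc.CreateElement("httpsTransport")
    foreach ($attr in $old.Attributes) { $new.SetAttribute($attr.Name, $attr.Value) }
    [void]$old.ParentNode.ReplaceChild($new, $old)
    return $true
}

# Edit 2: Encrypt=True makes the client validate the SQL Server certificate. Keep
# TrustServerCertificate=False: True would accept any certificate, which defeats the
# point of encrypting the link.
function Set-SqlEncryption([System.Xml.XmlDocument]$Doc) {
    $node = $Doc.SelectSingleNode("//appSettings/add[@key='applicationDatabase']")
    if ($null -eq $node) { throw "applicationDatabase setting not found" }
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $node.GetAttribute("value")
    $builder.Encrypt                = $true
    $builder.TrustServerCertificate = $false
    $node.SetAttribute("value", $builder.ConnectionString)
    return $builder.ConnectionString
}

$mq = Import-ConfigDocument $MqConfig
if (Set-HttpsTransport $mq) { $mq.Save($MqConfig); "Switched TfsSoapBinding to httpsTransport" }
else                        { "TfsSoapBinding already uses httpsTransport" }

$ws = Import-ConfigDocument $WebConfig
"applicationDatabase is now: $(Set-SqlEncryption $ws)"
$ws.Save($WebConfig)

# Restart the site so both the message queue and the web services reload their config.
Import-Module WebAdministration
Restart-WebItem "IIS:\Sites\Team Foundation Server"
```

The connection string is rebuilt through SqlConnectionStringBuilder rather than by string concatenation, so an Encrypt value that is already present is replaced instead of duplicated, and a typo in the existing string fails loudly when the file is loaded rather than at the next TFS start.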