none
TF31002: Unable to connect to this Team Foundation Server

    Question

  • We are getting the following error when trying to connect to TFS from a developer machine:

    TF31002: Unable to connect to this Team Foundation Server: tfsserver.

     

    Team Foundation Server Url: http://tfsserver:8080.

     

    Possible reasons for failure include:

     

    - The Team Foundation Server name, port number or protocol is incorrect.

    - The Team Foundation Server is offline.

    - Password is expired or incorrect.

     

    For further information, contact the Team Foundation Server administrator.

    It works fine when connecting from the server.

    Jason

    Monday, October 16, 2006 2:52 PM

Answers

  • Are you setting up a new domain to host TFS?  One thing that can cause subtle problems is not having the DC properly registered in the forest. 

    One way to diagnose these sorts of issues is to use Windows to query AD.  For W2K3, the steps look something like this:

    1) Log in to the TFS application tier machine with a domain account
    2) Open Windows Explorer
    3) Right click on a folder and select Sharing and Security
    4) Select Share this folder  and then click the Permissions button
    5) Click the Add button
    6) Click the Advanced button

    The Locations button should bring up a dialog with all of the domains that are visible to the machine.  Try using the Find Now button to run AD queries for objects in different domains and make sure that the results are as you expect.


    The fact that anonymous access in IIS fixes the problem definitely does point to some sort of security configuration issue.  I would take a look at the IIS logs for clues.  A normal NTLM handshake from a client machine has three parts.  The first exchange shows the client sending an anonymous request ('-' for the user immediately following the port number 8080) looking for the serverstatus.asmx page, and the server responding with a 401.2 (the very end of an IIS log entry).  The next exchange is again with an anonymous user and the return value is a 401.1.  Finally, you should see a third request for serverstatus.asmx with the domain\username next to the port number and an HTTP 200 given in response from the server.  Since things are not working on your system, you will not see the 200, but the username that appears in that third line and the response code may give us the data we need to solve the problem.

    One other thing to try is to log in to the TFS AT machine, navigate to the TFS tools directory and type this command: tfssecurity /server:<servername> /imx all:.  Note, there is a colon ":" at the end of the command and you will have to replace <servername> with the name of your server.  This is the command line way of listing the members of the Team Foundation Valid Users group.

     

    Friday, October 20, 2006 11:58 PM

All replies

  • A few things to check-

    1. Are there any error messages in the Application Event Log on the AT?
    2. Are you running as the same user in both cases? On a related note, is your TFS service account a domain account or local account, and is the account you're running as domain or local?
    3. Are there appropriate exceptions in the Windows Firewall on the AT if it's running?
    4. From the client machine, can you navigate to http://tfsserver:8080/services/v1.0/ServerStatus.asmx?

    Hope this helps-

    Cheers,
    Adam

    Monday, October 16, 2006 5:23 PM
  • Adam,

    1. There were no errors logged in the Event Log of the client and the server.

    2. Yes, I am logging onto the client with the same account as I logged onto the server with...it's a domain admin account.

    3. I have temporarily disabled the Windows Firewall to eliminate it as potential; however, I continue to get the error whether the firewall is enabled or disabled.

    4. From the client machine, I am able to navigate to http://tfsserver:8080/services/v1.0/ServerStatus.asmx web service.

    This error occurs on every developer machine.

    Any additional ideas you have that might resolve this issue would be greatly appreciated.

    Thanks.

    Jason

    Monday, October 16, 2006 6:23 PM
  • Interesting-- a few follow up questions:

    1. Is the service account for the ATDT a domain account?
    2. Are all users in the same domain, or are there multiple domains involved?
    3. Are there any local users on the Application Tier with the same name as the domain account you're logging in as?
    4. Has connection ever worked from a machine other than the server?

    Cheers,
    Adam

    Monday, October 16, 2006 6:46 PM
  • 1. Yes, the service account (TFSSERVICE) is a domain account.

    2. All users are in the same domain.

    3. There are no local user accounts with same name.

    4. A connection has never been established from any machine other than the server.

    Jason

    Monday, October 16, 2006 8:02 PM
  • One other suggestion that should hopefully get you a more precise error message-

    From a Visual Studio Command Prompt, run "tf.exe dir $/ /server:http://servername:8080/" (If you don't have the full Visual Studio installed, you can find tf.exe under %programfiles%\Microsoft Visual Studio 2005\Common7\IDE\.)

    From the information so far, it sounds like the domain user you're logged into the clients as isn't a member of any Team Foundation Server group, but that doesn't explain why connection works as that user on the server. Hopefully the output from the above command will provide a bit more insight.

    Cheers,
    Adam

    Monday, October 16, 2006 8:30 PM
  • Adam,

    Here are the results of the tf command:

    Team Foundation Server http://frstfs:8080/ does not exist or is not accessible at this time.
    Technical information (for administrator):

    The underlying connection was closed: A connection that was expected to be kep
    t alive was closed by the server.

    From what I can tell the user account is a member of the Team Foundation Licensed Users group.

    Jason

    Monday, October 16, 2006 9:22 PM
  • It appears to have something to do with how directory security is defined for Team Foundation Server within IIS. If I enable both anonymous access and integrated windows authenication, I am able to connect to TFS; however, this obvisiously not a viable solution. Is there something I can do to troubleshoot Integrated Windows Authentication and TFS?

    Jason

    Tuesday, October 17, 2006 1:42 PM
  • For one of my test ATs, I have the authentication for the Team Foundation Server site set up only to use "Integrated Windows authentication."

    What is the functional level of your domain? There are some issues with mixed mode domain controllers, as well as with NT domains.

    Cheers,
    Adam

    Tuesday, October 17, 2006 5:24 PM
  • Adam,

    According to what I found under "Active Directory Domains and Trusts", the current forest functional level is set to "Windows 2000". Does it need to be raised to "Windows 2003"?

    Jason

    Tuesday, October 17, 2006 5:43 PM
  • I'm going to pass this along to another person internally who knows more about IIS as it now seems that's where the issue resides. In the meantime, you might want to check to make sure your Team Foundation Server web site properties has "Enable HTTP Keep-Alives" checked. My AT has 3,600 set for the connection timeout.

    Best of luck-

    Cheers,
    Adam

    Tuesday, October 17, 2006 5:56 PM
  • Are you setting up a new domain to host TFS?  One thing that can cause subtle problems is not having the DC properly registered in the forest. 

    One way to diagnose these sorts of issues is to use Windows to query AD.  For W2K3, the steps look something like this:

    1) Log in to the TFS application tier machine with a domain account
    2) Open Windows Explorer
    3) Right click on a folder and select Sharing and Security
    4) Select Share this folder  and then click the Permissions button
    5) Click the Add button
    6) Click the Advanced button

    The Locations button should bring up a dialog with all of the domains that are visible to the machine.  Try using the Find Now button to run AD queries for objects in different domains and make sure that the results are as you expect.


    The fact that anonymous access in IIS fixes the problem definitely does point to some sort of security configuration issue.  I would take a look at the IIS logs for clues.  A normal NTLM handshake from a client machine has three parts.  The first exchange shows the client sending an anonymous request ('-' for the user immediately following the port number 8080) looking for the serverstatus.asmx page, and the server responding with a 401.2 (the very end of an IIS log entry).  The next exchange is again with an anonymous user and the return value is a 401.1.  Finally, you should see a third request for serverstatus.asmx with the domain\username next to the port number and an HTTP 200 given in response from the server.  Since things are not working on your system, you will not see the 200, but the username that appears in that third line and the response code may give us the data we need to solve the problem.

    One other thing to try is to log in to the TFS AT machine, navigate to the TFS tools directory and type this command: tfssecurity /server:<servername> /imx all:.  Note, there is a colon ":" at the end of the command and you will have to replace <servername> with the name of your server.  This is the command line way of listing the members of the Team Foundation Valid Users group.

     

    Friday, October 20, 2006 11:58 PM
  • If you're like me it takes a while to realize this post is about TFS 2005 and not about TFS 2010.  If you are reading this and are trying to connect to TFS 2010 from SQL Server's BIDS 2008, then you need to check this web site:

    1) Install Team Explorer 2008 (Make sure you have the TFS version of Visual Studio Installed)
    2) Update TFS 2008 to Service Pack 1
    3) Install Service Pack 1 for Visual Studio (BIDS 2008) NOTE  if you can't install forward compatibility REINSTALL SP1 for VS 2008   http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=10986
    4) Install the Forward Compatibility Pack for Vs2008 (BIDS) It is also important to make sure your tfs administrator has installed the TFS forward Compatibility pack on the server for BIDS 2008 -
    If you still cannot connect use the following registry hack.

    Here is some additional information to clear up the registry confusion.

    http://www.jmedved.com/2009/11/visual-studio-2008-and-team-foundation-server-2010/

    Once you install everything, you can try adding Team Foundation Server 2010 as destination, but you will be greeted with error “TF31002: Unable to connect to this Team Foundation Server …”. Reason behind this is that old Team Explorer 2008 does not know anything about collections.

    Solution would be to add it as full path (e.g “http://server:8080/tfs/collection”). I could not do it because every time I entered full path, I also got error “TF30335: The server name cannot contain characters ‘/’ or ‘:’ …”. Since official way would not work it was time to come up with alternative.

    In order to add TFS 2010 server, you will need to exit Visual Studio 2008 and go into Registry editor. Find key “HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\9.0\TeamFoundation\Servers” and at this location just add string value. Name of this value will be what Team Explorer 2008 will use for display. It’s value is full address of your server. It should be something like “http://server:8080/tfs/collection”.

    This value - it would the the missing value under the Default string under Servers.  My first attempt produces "Value cannot be Null.  Parameter Name: Name"

    http://coderjournal.com/2010/02/connecting-visual-studio-2008-to-team-foundation-server-2010/

    “HKEY_CURRENT_USER/Software/Microsoft/VisualStudio/9.0/TeamFoundation/Servers”

    Add a new String Value in there and make the name of it the name that you want to call your server connection. Make the Value “http://127.0.0.1:8080/tfs/DefaultCollection“. Replace the 127.0.0.1 with the ipaddress or name of your server. Replace the tfs with the server’s instance(default is tfs). Replace the DefaultCollection with whatever your collection is named (default is DefaultCollection).

    Make sure to close VS2008 first so it picks up the changes when you load it after editing the registry… Now open VS2008 -> View -> Team Explorer. Click on the + in the new pane and TFS asks you to login.

    -----------------------------------------------------------------------------------------

    It took a while to realize the above meant name the String Value itself to be <servername> and the value of <servername> would be: http://<servername>:8080/tfs/defaultcollection At this point you get two errors: TF35001 and TF253022.  [If Servers is not a key under TeamFoundation, just add it] These are due to the TFS admin ignoring what you said above - which was to install the forward compatibility pack.  Get that fixed then while you wait, ignore these and note the next screen now shows your TFS Server. Then do the View from the toolbar - and "plus" your TFS as above.  Once your TFS admin has installed the forward compat pack, this will become a lot easier.  I also ran a repair against Team Explorer 2008 to be sure all was well in that arena.  At that point Red Gate's SQL Prompt gave me a message about TextMgrP.dll being unregistered.  I also downloaded Team Explorer 2010 because I did not wish to install VS2010. (It's a BIDS 2008 thing.)  Essentially, you can just install the TFS references by adding these String Values to your registry.  Once they are are there, they show up magically in your TFS link in BIDS.


    R, J

    • Edited by Crakdkorn Tuesday, November 08, 2011 3:18 PM needed testing.
    Tuesday, November 08, 2011 1:19 PM