TFS 2008 - Successful setup, problem with SSL validation

  • Question

  • I have successfully set up a Team Foundation Server 2008 under a Windows 2003 Server SP2 computer, single server setup. The network firewall only allows incoming data from ports 80 (HTTP) and 443 (HTTPS), and admins are not very prone to allowing more ports, so I configured Windows SharePoint Services 3.0, Report Server and Team Foundation to use host headers with an SSL certificate with multiple SANs (Subject Alternative Names).

    I want users to connect to the TFS from the Internet using the HTTPS connection. When I open Visual Studio and select to create a new team project, the wizard opens and connects to the server via HTTPS on port 443 nicely.

    The problem shows up when I click "Finish" on the wizard. After a long delay waiting for the process template to download, I get a TF30171 explaining that it was unable to establish a trust relationship for the secure channel. In the log file I can see a "WebException: Status: TrustFailure".

    Code Snippet
    --   Internal exception --
    Type: System.Net.WebException
    Message: Se ha terminado la conexión: No se puede establecer una relación de confianza para el canal seguro SSL/TLS.
    WebException: Status: TrustFailure
    Stack trace:
       at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
       at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.GetWebResponse(WebRequest request)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.TeamFoundation.Proxy.Portal.Admin.GetLanguages()
       at Microsoft.VisualStudio.TeamFoundation.WssSiteCreator.CheckPermissions(ProjectCreationContext ctxt)
    -- Internal exception end --

    It looks like something is wrong with the SSL certificate, but I don't know what it could be. I am able to touch the web service via the URL https://externalURL.com/Services/v1.0/ServerStatus.asmx and I get no warnings from Internet Explorer 7; the CA is correctly installed under Trusted Root Authority for the whole computer.

    I was wondering if TFS supports SSL certificates that use Subject Alternative Names, as the TFS URL is not in the CN field, but it's one of the SAN items. If this is not the problem, what could be failing in my setup?

    Sunday, September 7, 2008 12:42 AM

Answers

  • The problem was that the Windows SharePoint Administration URL also has to be in the SAN field of the certificate. After adding it the problem was solved.

    With that it is also implied that TFS and WSS support SSL certificates with Subject Alternate Names.

    Sunday, September 7, 2008 9:29 PM
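
The fix in the answer above generalizes to a check: every host header that a client or another server-side component (here, TFS calling the SharePoint administration site) reaches over HTTPS must appear in the certificate's SAN list. The following is an added example, not part of the original thread; it assumes the certificate is given in the dict layout of Python's `ssl.SSLSocket.getpeercert()`, and all host names are constructed placeholders.

```python
# Added example; the certificate contents and host names are constructed.

def _matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; '*' is honoured only as the whole
    left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(cert: dict, required_hosts: list) -> list:
    """Return the required host names that no DNS SAN entry covers.

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert(). The subject
    CN is ignored on purpose: only the SAN list is checked.
    """
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in required_hosts
            if not any(_matches(n, h) for n in dns_names)]


# Constructed certificate: the administration site's name was left out.
SAMPLE_CERT = {
    "subject": ((("commonName", "server01.example.test"),),),
    "subjectAltName": (
        ("DNS", "tfs.example.test"),
        ("DNS", "sharepoint.example.test"),
        ("DNS", "reports.example.test"),
    ),
}

# Every name that a client or another server-side component calls over HTTPS.
REQUIRED_HOSTS = [
    "tfs.example.test",
    "sharepoint.example.test",
    "wssadmin.example.test",  # hypothetical SharePoint administration host
    "reports.example.test",
]

if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_CERT, REQUIRED_HOSTS):
        print("not covered by SAN:", host)
```

Running the check against the full list of internal and external names before issuing the certificate catches a missing entry that a browser test of the client-facing URL alone would not reveal.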

All replies

  • Further research and Microsoft.VisualStudio.TeamFoundation.WssSiteCreator.CheckPermissions in the stack trace show that the SSL validation problem is not with the Client <-> TFS connection, but with the TFS <-> SharePoint one.

    I tried to finish the wizard using a non-SSL, HTTP port 80 connection and the problem persists.

    Sunday, September 7, 2008 10:28 AM