How to connect Team Explorer 2008 Client to a TFS 2010 Server that requires client certificates
One question that has come up recently is how do you connect a 2008 Team Explorer client to a TFS 2010 server that requires client certificates. While such a connection is possible, we do not have any tools to facilitate you in setting up this type of connection. (We have tools to facilitate this process for connecting Team Explorer 2008 to TFS 2008 and Team Explorer 2010 to TFS 2010.) As a result, you will need modify the registry by hand.
Before modifying the registry you first need to install the Team Explorer 2008 forward compatibility update. You can get this here: https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cf13ea45-d17b-4edc-8e6c-6c5b208ec54d
Information about what this patch contains can be found here: https://blogs.msdn.com/teams_wit_tools/archive/2009/10/19/compatibility-matrix-for-2010-beta-2-team-foundation-server-to-team-explorer-2008-and-2005.aspx
NOTE: If you are not using client certificates, then you are done.
If you are using client certificates, then you will need the following information
1) The FQDN of the TFS server you want to connect to, including the team project collection. So, if your tfs server name was https://www.contoso.com:8081/tfs and you had the project collection DefaultCollection, then the FQDN you would use would be https://www.contoso.com:8081/tfs/DefaultCollection. In the commands below, we refer to this value as [fqdn.servername] .
2) The thumbprint for the client certificate you want to use. To see your list of available client certificates follow these steps
a. Open the MMC by running mmc.exe (either from the command prompt or the run dialog).
b. Add the certificate snap in
i. Go to File->Add/Remove Snap-in
ii. Choose Certificates from the Available snap-ins pane
iii. Click Add>
iv. Choose My User account and click Finish in the pop up
v. Click OK in the “Add or Remove Snap-ins window”
c. Expand the Certificates – Current User on the left pane.
d. Expand Personal in the left pane.
e. Click on Certificates in the left pane.
f. Double click on the desired certificate in the right pane (NOTE: Smart card certificates typically have “smart card” as one of the values in their intended purposes.)
g. Go to the Details tab.
h. Click on the Thumbprint value (in the top pane towards the bottom)
i. Copy the value in the bottom pane. (it should look something like “1a 25 99 60 e9 8d 60 1a ab 40 2d 23 72 a6 e2 b7 99 1f 25 6b”)
j. Paste this value into notepad.exe.
k. Remove the spaces (so it now looks like "1a259960e98d601aab402d2372a6e2b7991f256b”)
l. Copy the new non-spaces value.
We’ll refer to this “no-space” thumbprint as [thumbprint] in the commands below.
3) Run the following two commands (where [fqdn.servername] and [thumbprint] are replaced appropriately).
reg add hkcu\SOFTWARE\Microsoft\VisualStudio\9.0\TeamFoundation\Servers /v [fqdn.servername] /t REG_SZ /d [fqdn.servername]
reg add hkcu\SOFTWARE\Microsoft\VisualStudio\9.0\TeamFoundation\Servers\ [fqdn.servername] \ClientCertificates /v thumbprint /t REG_SZ /d [thumbprint]
So, if you used the values above it would like
reg add hkcu\SOFTWARE\Microsoft\VisualStudio\9.0\TeamFoundation\Servers /v https://www.contoso.com:8081/tfs/DefaultCollection /t REG_SZ /d https://www.contoso.com:8081/tfs/DefaultCollection
reg add hkcu\SOFTWARE\Microsoft\VisualStudio\9.0\TeamFoundation\Servers\**https://www.contoso.com:8081/tfs/DefaultCollection**\\ClientCertificates /v thumbprint /t REG_SZ /d 1a259960e98d601aab402d2372a6e2b7991f256b
If you run into any problems configuring this, please don’t hesitate to ask for help
--Aaron
Comments
- Anonymous
July 29, 2010
Hi Aaron I am trying to connect from both a VS2008 and a VS2010 instance to a TFS 2010 server but from outside the domain over https using a client cert on the dev machine. I went through the steps needed to create and install the cert but when I attempt to connect from outside the domain it wont. When I ran tfsconfig.exe on the dev machine, it does not pick up the cert at all. Does the client cert need to be exportable? Is that why teh ViewCertificate button is greyed out in the dialog? The cert is currently sitting in the Trusted Root authority on my dev machine. For VS 2008 I used tweakui and the same problem where the option to select client cert was greyed out. Same issue with VS 2010. What could I be missing if its not the exportable key that is the issue? Thanks Rachna