Setting up HTTPS with Secure Sockets Layer (SSL) for Team Foundation Server
You can strengthen the security of your deployment of Visual Studio Team Foundation Server by configuring the services that it uses to utilize Hypertext Transfer Protocol Secure (HTTPS) with Secure Sockets Layer (SSL). You can configure your deployment either to require this protocol, which maximizes the security of your deployment, or to support HTTPS with SSL in addition to the default protocol, HTTP. Before you choose a configuration, you should carefully review the advantages and disadvantages that this topic describes. After you identify the configuration that best meets the security needs of your organization, you can follow the steps in this topic to configure your deployment.
In this topic
Conceptual information
Advantages of Supporting HTTPS with SSL in Addition to HTTP
Advantages of Requiring HTTPS with SSL for All Connections
Disadvantages of Supporting or Requiring HTTPS with SSL
Prerequisites
Assumptions
Server configuration
Obtaining a Certificate
Requesting a Certificate
Installing and Assigning the Certificate
Configuring Your Firewall
Configuring SQL Server Reporting Services
Configuring Your Deployment to Support HTTPS with SSL in Addition to HTTP
Optional configuration
Testing Access to Your Deployment (Optional)
Configuring Your Deployment to Require HTTPS with SSL (Optional)
Build configuration
Installing the Certificate on Build Servers
Updating the Build Configuration
Configuring Client Computers
Advantages of Supporting HTTPS with SSL in Addition to HTTP
If you configure your deployment to support both protocols, users whose computers have been configured for HTTPS with SSL will connect by using that protocol, which makes your deployment more secure. In addition, users whose computers are configured for HTTP only can still connect to your deployment. Although you should not deploy this configuration over public networks, you can gain the following advantages by continuing to support HTTP connections in a controlled network environment:
You can increase the security of your deployment over time by configuring client computers for HTTPS with SSL as your schedule permits. If you take a phased approach, you do not need to upgrade all computers at the same time, and users whose computers have not yet been upgraded can still connect to the deployment.
You can more easily configure and maintain Team Foundation Server.
Calls from one Web service to another are faster over HTTP than over HTTPS with SSL. Therefore, you can continue to support HTTP connections from client computers for which the performance requirements outweigh the security risks.
Advantages of Requiring HTTPS with SSL for All Connections
If you require HTTPS with SSL for all connections, you gain the following advantages:
All web connections between the application tier, the data tier, and the client tier for Team Foundation are more secure because they require certificates.
You can control access more easily by configuring certificates to expire when a project phase is expected to end.
Disadvantages of Supporting or Requiring HTTPS with SSL
Before you configure your deployment to support or require HTTPS with SSL, you should consider the following disadvantages:
You might complicate ongoing administration tasks. For example, you might have to reconfigure your deployment to stop supporting HTTPS with SSL before you can apply service packs or other updates.
You must not only configure but also manage a certification authority (CA) and certificate trusts. You can use Certificate Services in Windows Server 2003 and Windows Server 2008, but you might not want to invest the time and resources that deploying a secure public key infrastructure (PKI) requires.
You must spend significant time setting up and testing either of these configurations, and troubleshooting your deployment will become more difficult.
If you continue to support both protocols, external connections might not be encrypted if the application tier for Team Foundation is not appropriately secured.
If you require HTTPS with SSL, your deployment's performance will be slower.
Configuring Your Deployment to Support or Require HTTPS with SSL
The procedures in this topic describe one process for requesting, issuing, and assigning the certificates that SSL connections in Team Foundation Server require. If you are using software other than what this topic describes, you might need to perform different steps. To support external connections to your deployment of Team Foundation Server, you must also enable Basic authentication, Digest authentication, or both in Internet Information Services (IIS).
By following the procedures in this topic, you will accomplish the following tasks:
Obtain certificates for your deployment of Team Foundation Server and the websites that it uses.
Install and assign the certificates.
Configure Team Foundation Server.
Configure Team Foundation Build.
Configure client computers.
Prerequisites
To perform the procedures in this topic, you must first meet the following requirements:
The logical components in the data and application tiers of Team Foundation must be installed and operational. These tiers include IIS, SQL Server, SharePoint Products, Team Foundation Build, and SQL Server Reporting Services if your deployment includes these components. The procedures in this topic refer to the server or servers that run the application-tier components as the application-tier server for Team Foundation, and to the server or servers that run the data-tier components as the data-tier server for Team Foundation. The application and data tiers might be running on the same server or on multiple servers. For more information, see Installing Team Foundation Components.
You must have a certification authority (CA) from which you can issue certificates. This topic assumes that you are using Certificate Services as your CA, but you can use any CA that you have configured for your deployment. If you do not have a certification authority, you can install Certificate Services and configure one. For more information, see one of the following sets of documentation on the Microsoft website:
For Windows Server 2003: Certificate Services
For Windows Server 2008: Active Directory Certificate Services and Public Key Management
Required Permissions
To complete these procedures, you must belong to the Team Foundation Administrators group, and you must belong to the Administrators group on the application-tier and data-tier server or servers for Team Foundation. To configure a build server, you must belong to the Administrators group on that server. If your deployment uses SharePoint Products, you must belong to the Administrators group on the server that hosts SharePoint Central Administration. You must also belong to the Farm Administrators group. For more information about permissions, see Team Foundation Server Permissions.
Assumptions
The procedures in this topic assume that the following conditions are true:
The data-tier and application-tier server or servers have been installed and deployed in a secure environment and configured according to security best practices.
You are familiar with configuring and managing PKIs and with requesting, issuing, and assigning certificates. For more information, see the following page on the Microsoft website: Public Key Infrastructure.
You have a working knowledge of the network topology of the development environment, and you are familiar with configuring network settings, IIS, and SQL Server.
Obtaining a Certificate
Before you configure your deployment to use HTTPS with SSL, you must obtain and install a server certificate for the servers in your deployment. To obtain a server certificate, you must install and configure your own certification authority, or you must use a certification authority from an external organization that you trust.
For more information about how to install a certification authority, see the following topics on the Microsoft website:
For Windows Server 2003: Certificate Services
For Windows Server 2008: Active Directory Certificate Services and Public Key Management
Requesting a Certificate
After you enroll with a certification authority, you must either request a certificate by using IIS Manager or manually install the certificate on each of the following servers in your deployment:
Each application-tier server.
Each server that is running Team Foundation Server Proxy, if any are configured for your deployment.
Each server that is running Team Foundation Build Service as either a build controller or a build agent, if any are configured for your deployment.
Each server that is running SharePoint Products, if any are configured for your deployment.
The server that is running Reporting Services, if one is configured for your deployment.
To request a certificate in IIS
Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand Web Sites or Sites, and navigate to the website for which you want to request a certificate.
For example, to request a certificate for an application-tier server, you navigate to Team Foundation Server. To request a certificate for a proxy server, you navigate to Microsoft Team Foundation Server Proxy.
Follow the appropriate instructions for your version of IIS to request or create a server certificate that meets the security needs of your organization:
If you are using IIS 7.0, prepare a server certificate for IIS 7.0, specify a name for the request, download the certificate, and save it to a secure location on your server.
For more information, see Configuring Server Certificates in IIS 7.0.
If you are using IIS 6.0, download the certificate, and save it to a secure location on your server.
For more information, see Configuring Server Certificates for SSL (IIS 6.0).
Installing and Assigning the Certificate
Before you can use SSL with Team Foundation, you must install the server certificate on the websites that Team Foundation uses, such as the websites in the following list:
Default Web Site
Team Foundation Server
Microsoft Team Foundation Server Proxy
SharePoint Central Administration
After you install the certificate, you must explicitly bind or assign it to each website, enable the authentication methods that you want to use for each website, and then configure HTTPS for each website.
Depending on your deployment configuration, you might need to install and configure the certificate on more than one computer. For example, your deployment might include Team Foundation Build and SharePoint Products on a different computer from the application-tier server. In this case, you must install and configure the server certificate on not only the server that hosts SharePoint Products but also the computers that host the build controller and build agents.
Installing the Server Certificate
By following these steps, you will install the server certificate or certificates that you want to use for your deployment of Team Foundation Server.
To install the server certificate on a website
On the server that hosts the website that you want to configure, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Perform one of the following steps:
If you are using IIS 7.0, import the server certificate from the Server Certificates pane.
For more information, see Import a Server Certificate (IIS 7).
If you are using IIS 6.0, you must import the certificate when you enable HTTPS. Continue to the next procedure.
For more information, see Install a Server Certificate (IIS 6.0) and Assign a Server Certificate to a Web Site (IIS 6.0).
Enabling Authentication Methods, Enabling HTTPS, and Specifying the Certificate for the Websites That Your Deployment Uses
By following these steps, you can set up the authentication methods that you want to use, and you can enable HTTPS in IIS for the websites that your deployment uses. These websites might be hosted on separate servers. You must perform these steps on each website that you configured in the previous procedure.
After you configure HTTPS, you can additionally secure your deployment by removing HTTP from the list of bindings for each website that you configure.
Depending on your certification hierarchy and public key infrastructure, you should also configure IIS for client certificate authentication. For more information, see Certificates (IIS 6.0), Certificate Services, and Certificates.
Your deployment of SharePoint Products might require additional configuration, such as alternate access mappings and forms authentication, to operate correctly with HTTPS, SSL, and certificates. For more information, see What Every SharePoint Administrator Needs to Know About Alternate Access Mappings, Forms Authentication in SharePoint Products and Technologies, and the configuration topic for your version of SharePoint Products:
Configure alternate access mapping (Windows SharePoint Services 3.0)
Configure alternate access mapping (Office SharePoint Server 2007)
How Do I: Configure an Alternate Access Mapping in SharePoint Server 2010? (video)
To set up HTTPS and specify the certificate
On the server that hosts the website that you want to configure, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Perform one of the following sets of steps:
For deployments that use IIS 7.0:
Expand ComputerName, expand Web Sites, right-click the website that you want to configure, and then click Edit Bindings.
In Site Bindings, click Add.
The Add Site Binding dialog box appears.
In the Type list, click https.
(Optional.) In Port, type a different port number.
Important
The default port number for SSL connections is 443, but you must assign a unique port number for each of the following sites: Default Web Site, Team Foundation Server, Microsoft Team Foundation Server Proxy (if your deployment uses it), and SharePoint Central Administration.
You should record the SSL port number for each website that you configure because you will need to specify these numbers in the administration console for Team Foundation.
In SSL Certificate, click the certificate that you imported, and then click OK.
In Site Bindings, click Close.
On the Home page for the website that you are configuring, open the Features view.
Under IIS, click Authentication.
Right-click an authentication method that you want to configure, and then click Enable, Disable, or Edit to enable, disable, or perform additional configuration on the method.
For deployments that use IIS 6.0:
Expand ComputerName (local computer), and then expand Web Sites.
Right-click the website that you want to configure, and then click Properties.
In the Properties dialog box, click the Directory Security tab.
Under Secure Communications, click Server Certificate.
On the first page of the Web Server Certificate Wizard, click Next.
On the Server Certificate page, click Assign an existing certificate, and then click Next.
On the Available Certificates page, click the certificate that you want to import, and then click Next.
You might have to scroll to show the Friendly Name column in the list.
On the SSL Port page, retain the default value, or type a different value, and then click Next.
Important
The default port number for SSL connections is 443, but you must assign a unique port number for each of the following sites: Default Web Site, Team Foundation Server, Team Foundation Server Proxy (if your deployment uses it), and SharePoint Central Administration.
You should record the SSL port number for each website that you configure because you will need to specify these numbers in the administration console for Team Foundation.
On the Certificate Summary page, review the information, and then click Next.
Click Finish.
The wizard closes.
On the Directory Security tab, under Authentication and access control, click Edit.
In the Authentication Methods dialog box, make sure that the Enable anonymous access check box is cleared.
In Authenticated access, select the check boxes for Integrated Windows authentication and either Digest authentication for Windows domain servers, Basic authentication, or both, as appropriate to your deployment. Clear any other check boxes, and then click OK.
For more information, see Team Foundation Server, Authentication, and Access.
Click OK to close the Properties dialog box.
Note
If an Inheritance Overrides dialog box appears after you click OK, click Select All, and then click OK.
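The IIS 7.0 steps above can also be scripted, which is useful when several websites on several servers need the same treatment. The following PowerShell script is an added example and is not part of the original topic or of Team Foundation Server itself. It assumes IIS 7.x with the WebAdministration module (included with IIS 7.5; on IIS 7.0 it is available as a snap-in), that the server certificate has already been imported into the Local Computer Personal store, and that the Basic and Windows authentication role services are installed. The site names are the ones listed in this topic; the port numbers and the thumbprint are placeholders you replace with your own values.

```powershell
# Added example (not from the original topic): create one HTTPS binding per website,
# each on a unique SSL port, bind the imported server certificate to it, and set the
# authentication methods described above. Assumes IIS 7.x with the WebAdministration
# module. Ports below are example values; the thumbprint is a placeholder.
Import-Module WebAdministration

# Thumbprint of the server certificate already imported into Cert:\LocalMachine\My.
$thumbprint = '<THUMBPRINT-OF-YOUR-SERVER-CERTIFICATE>'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint was not found in Cert:\LocalMachine\My" }

# Each site needs its own SSL port; only one of them can use the default, 443.
# Record these numbers: the Team Foundation administration console will ask for them.
$sites = @{
    'Default Web Site'                       = 443
    'Team Foundation Server'                 = 8443
    'Microsoft Team Foundation Server Proxy' = 8444
    'SharePoint Central Administration'      = 17443
}

foreach ($name in $sites.Keys) {
    $port = $sites[$name]
    if (-not (Get-Website -Name $name)) {
        Write-Warning "Site '$name' is not present on this server; skipping"
        continue
    }

    # Equivalent of Edit Bindings > Add > Type: https > Port.
    if (-not (Get-WebBinding -Name $name -Protocol https -Port $port)) {
        New-WebBinding -Name $name -Protocol https -Port $port -IPAddress '*'
    }

    # Equivalent of picking the certificate in the SSL Certificate list.
    $binding = Get-WebBinding -Name $name -Protocol https -Port $port
    $binding.AddSslCertificate($thumbprint, 'my')

    # Authentication: anonymous off, Integrated Windows on, Basic on (Basic is what
    # the topic requires for external connections). Adjust per site if your policy differs.
    $auth = 'system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $name `
        -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $name `
        -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $name `
        -Filter "$auth/basicAuthentication" -Name enabled -Value $true

    "{0}: HTTPS on port {1} bound to certificate {2}" -f $name, $port, $thumbprint
}
```

Run the script in an elevated PowerShell session on each server that hosts one of the websites. Basic authentication sends credentials that are protected only by the TLS channel, which is why it is enabled here only after the HTTPS binding exists; if you keep an HTTP binding as well, the procedure later in this topic for requiring SSL closes that gap.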
Configuring Your Firewall
You must configure your firewall to allow traffic through the SSL ports that you just specified in IIS. For more information, see the documentation for your firewall.
Configuring SQL Server Reporting Services
If your deployment uses reporting, you must configure SQL Server Reporting Services to support HTTPS with SSL and to use the port that you specified in IIS for Team Foundation Server. Otherwise, the report server will not function correctly for your deployment. For more information, see Configuring a Report Server for Secure Sockets Layer (SSL) Connections.
Tip
If your deployment does not use reporting, you can skip this procedure.
Configuring Your Deployment to Support HTTPS with SSL in Addition to HTTP
Follow these steps to configure your deployment with the HTTPS ports and values that you configured in IIS for the default and Team Foundation Server websites.
To reconfigure Team Foundation Server
Open the administration console for Team Foundation.
For more information, see Open the Team Foundation Administration Console.
Under Team Foundation, expand the name of the server, and then click Application Tier.
In Application Tier Summary, click Change URLs.
The Change URLs window opens.
In Notification URL, type the HTTPS URL that you configured for the Team Foundation Server website in IIS.
For example, you might have configured the website to use port 443. In this case, you type https://ServerName:443/tfs. Make sure that you use the fully qualified domain name of the server instead of localhost.
Click Test, and then click OK if the test passes.
To require HTTPS, click Use in Server URL, and then type the HTTPS URL that you configured for the Team Foundation Server website.
Make sure that you use the fully qualified domain name of the server instead of localhost.
Click Test, and then click OK if the test passes.
If your deployment uses SharePoint Products, click SharePoint Web Applications in the administration console.
In SharePoint Web Applications, in the Name list, click a web application, and then click Change.
The SharePoint Web Application Settings page opens.
In Web Application URL, change the URL to the HTTPS value for the application.
In Central Administration URL, change the URL to the HTTPS value for the Central Administration website.
(Optional.) In Friendly Name, change the value to reflect the HTTPS address of this application.
Click OK.
Repeat the previous five steps for every SharePoint web application in your deployment.
If your deployment uses Reporting Services, in the administration console, click Reporting.
In Reporting, click Edit.
If the Take Offline dialog box opens, click OK.
The Reporting window opens.
Click the Reports tab. In URLs for Report Server, type the HTTPS URLs for Web Service and Report Manager, and then click OK.
Testing Access to Your Deployment (Optional)
You can test whether your changes are functioning as you expect. This step is optional but recommended.
To test access to your deployment
On the server that hosts the application tier, open a web browser.
In the address bar, type the URL that you use to connect to your deployment through Team Web Access.
Note
You can find this URL on the Application Tier node in the administration console for Team Foundation.
Verify whether you can access your team project collections and projects from Team Web Access.
If you cannot access your deployment through Team Web Access, review the steps that you just completed, and make sure that you have made all configuration changes correctly.
Configuring Your Deployment to Require HTTPS with SSL (Optional)
You can require all connections to your deployment to use HTTPS with SSL. This additional security is optional but recommended.
To require SSL connections
On the server that hosts the website that you want to configure, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Follow the appropriate steps for your version of IIS:
For deployments that use IIS 7.0:
Expand ComputerName, expand Web Sites, and then click the website that you want to configure.
On the home page for that website, click SSL Settings.
In the SSL Settings pane, select the Require SSL check box.
(Optional) Select the Require 128-bit SSL check box.
In Client Certificates, click Ignore, Accept, or Require, depending on the security requirements of your deployment.
In Actions, click Apply.
Repeat these steps for each website for which you want to require SSL.
For deployments that use IIS 6.0:
Expand ComputerName (local computer), and then double-click Web Sites.
Right-click the website that you want to configure, and then click Properties.
In the Properties dialog box, click the Directory Security tab.
Under Secure Communications, select the Require secure channel (SSL) check box, and then click OK.
Note
If an Inheritance Overrides dialog box appears after you click OK, click Select All, and then click OK.
Repeat these steps for each website for which you want to require SSL.
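The Require SSL check box and the Require 128-bit SSL check box write the sslFlags setting of each website, so the IIS 7.0 procedure above can be scripted, and the result can be checked the same way the optional access test earlier in this topic checks it: the HTTPS URL should answer, and the old HTTP URL should be refused. The following PowerShell script is an added example, not part of the original topic or of Team Foundation Server. It assumes IIS 7.x with the WebAdministration module and PowerShell 2.0 or later; the host name, ports and the Team Web Access path are placeholders for your own values.

```powershell
# Added example (not from the original topic): require SSL on each website by setting
# the same sslFlags value the Require SSL check boxes set, then verify that HTTPS
# works and plain HTTP is refused. Assumes IIS 7.x with the WebAdministration module.
Import-Module WebAdministration

$sites = @('Default Web Site', 'Team Foundation Server', 'SharePoint Central Administration')
foreach ($name in $sites) {
    # 'Ssl' = Require SSL, 'Ssl128' = Require 128-bit SSL. Add 'SslNegotiateCert' (Accept)
    # or 'SslRequireCert' (Require) for the Client Certificates setting.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $name `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,Ssl128'
}

function Get-HttpStatus {
    param([string]$Url)
    # Returns the HTTP status code of a GET made with the current user's Windows
    # credentials. HttpWebRequest raises WebException for 4xx/5xx, so the code is
    # read from the exception's response in that case.
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.UseDefaultCredentials = $true
    $request.Timeout = 15000
    try {
        $response = $request.GetResponse()
        $code = [int]$response.StatusCode
        $response.Close()
        return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # no response at all: DNS, connection refused, or an untrusted certificate
    }
}

$server   = 'tfs.contoso.example'              # placeholder: the FQDN, never localhost
$httpsUrl = "https://${server}:8443/tfs/web/"  # the SSL port you gave the TFS website
$httpUrl  = "http://${server}:8080/tfs/web/"   # the original HTTP binding, if still present

$secure = Get-HttpStatus $httpsUrl
$plain  = Get-HttpStatus $httpUrl
"HTTPS -> $secure (expected 200)"
"HTTP  -> $plain (expected 403; IIS answers 403.4 when Require SSL is on)"
if ($secure -ne 200 -or $plain -ne 403) {
    Write-Warning 'Require SSL is not in effect everywhere; re-check the bindings and SSL Settings.'
}
```

A thrown exception from the HTTPS probe (rather than a status code) usually means the client does not trust the issuing CA yet, which is exactly the condition the build-server and client-computer procedures later in this topic address.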
Installing the Certificate on Build Servers
If you installed Team Foundation Build Service on one or more servers, you must install the certificate in the Trusted Root Certification Authorities store of each server. For more information, see Obtaining a Certificate and Installing and Assigning the Certificate earlier in this topic. Both the controller and the agent require a certificate with a private key with which to identify themselves in HTTPS connections.
Note
To perform builds over SSL, the certificate must be installed in the trusted root store on both the build controller and the build agent.
Updating the Build Configuration
To configure Team Foundation Build for SSL connections, you must configure the build service to use the HTTPS URL that you configured for the application tier and the collection that the build configuration supports. You must configure this URL for each build configuration in your deployment.
To change a build configuration to use HTTPS
On the server that hosts the build configuration that you want to configure, open the administration console for Team Foundation.
Under Team Foundation, expand the name of the server, and then click Build Configuration.
The Build Configuration pane appears.
Under the service configuration, click Stop, and then click Properties.
The Build Service Properties dialog box opens.
In Communications, make sure that the URL for the team project collection is using the correct HTTPS address and full server name.
In Local Build Service Endpoint (incoming), click Change.
The Build Service Endpoint dialog box opens.
In Endpoint Details, verify that the port number matches your configuration details.
In Protocol, click HTTPS.
In the SSL Certificates list, click the certificate that you installed and configured for use with this deployment, and then click OK.
In the Build Service Properties dialog box, click Start.
Configuring Client Computers
On every client computer from which users access Team Foundation, you must install the certificate locally and clear the client cache for any user who has accessed Team Foundation from that computer. Otherwise, users will not be able to connect to Team Foundation from that computer. For more information, see Manage Trusted Root Certificates.
Important
Do not follow this procedure for computers that are running both Team Foundation Server and one or more clients of Team Foundation.
To install the certificate on a client computer
Log on to the computer by using an account that belongs to the Administrators group on that computer.
Install the certificate into the Trusted Root Certification Authorities folder for the local computer.
For more information, see the documentation for your operating system and your certification authority.
To clear the cache on a client computer
Log on to the computer by using the credentials of the user whose cache you want to clear.
Close any open instances of Visual Studio.
In a Windows Explorer window, open the following folder:
Drive:\Users\UserName\AppData\Local\Microsoft\Team Foundation\3.0\Cache
Delete the contents of the Cache directory. Make sure that you delete all subfolders.
Click Start, click Run, type devenv /resetuserdata, and then click OK.
Repeat these steps for the account of every user who has accessed Team Foundation from that computer.
Note
You might want to distribute instructions for clearing the cache to all of your Team Foundation users so that they can clear the caches for themselves.
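Both the build-server procedure (installing the certificate in the Trusted Root Certification Authorities store) and the two client-computer procedures above can be done from one script when you have many computers to update. The following PowerShell script is an added example and is not part of the original topic or of Team Foundation Server. It uses the .NET X509Store class rather than newer PKI cmdlets so that it runs on the Windows versions this topic covers; the certificate path is a placeholder, and the script assumes it runs elevated on a computer that is not itself the Team Foundation Server, as the Important note above requires.

```powershell
# Added example (not from the original topic): trust the CA certificate on the local
# computer and clear the Team Foundation 3.0 client cache for every user profile.
# Assumes an elevated session and that the exported CA certificate is at $CaCertPath.
param(
    [string]$CaCertPath = 'C:\certs\contoso-root-ca.cer'   # placeholder path
)

# 1. Trusted Root Certification Authorities store of the local computer.
#    (Applies to build controllers and agents as well as client computers.)
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
if (-not $store.Certificates.Contains($ca)) { $store.Add($ca) }
$store.Close()
"Trusted root installed: $($ca.Subject) ($($ca.Thumbprint))"

# 2. Clear the cache. Visual Studio must be closed first, as the topic states.
if (Get-Process devenv -ErrorAction SilentlyContinue) {
    throw 'Close all instances of Visual Studio before clearing the cache.'
}
$profiles = Get-ChildItem "$env:SystemDrive\Users" | Where-Object { $_.PSIsContainer }
foreach ($profile in $profiles) {
    $cache = Join-Path $profile.FullName 'AppData\Local\Microsoft\Team Foundation\3.0\Cache'
    if (Test-Path $cache) {
        # Delete the contents, including all subfolders, but keep the Cache folder itself.
        Remove-Item (Join-Path $cache '*') -Recurse -Force
        "Cleared Team Foundation cache for user $($profile.Name)"
    }
}

# 3. 'devenv /resetuserdata' is per user and must be run by each user under their own account.
"Ask each user to run: devenv /resetuserdata, then connect with the new HTTPS URL."
```

Clearing every profile's cache is a superset of the topic's per-user step and is harmless for profiles that never used Team Foundation, since only the Cache folder's contents are removed.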
To connect client computers to the reconfigured deployment
In Visual Studio, connect to Team Foundation Server by using the new HTTPS URL.
For more information, see Connect to and Access Team Projects in Team Foundation Server.
See Also
Other Resources
Securing Team Foundation Server with HTTPS and Secure Sockets Layer (SSL)
Team Foundation Server, HTTPS, and Secure Sockets Layer (SSL)