WSS & SSL

Hot Topic

Projects wont debug and I get no error message
Change the postioning of the image.
How to display the time on a separate form
true newbie - basic questions
Removing User option under "Assigned To"
Running TFS on Virtual Server
array & class
Item of 'Prerequisited' choose to install
Getting started with C++ Express - Please help!
SQLConnection anomalies

VS Team System

Link to TFS SP 1 Beta Download?
Panel Troubles
Unit Tests and Integration Tests - Different Projects?
Project Organization
call event
how to code movenext, moveprevious...etc when we populate datagrid?
Selecting the three largest variables from a group of ten
re- teddy bear
DHTML controls
Unpublished changes in Project

WSS & SSL

I am fighting with the TFS setup for the fourth day in a row. I am making progress, but now I hit a brick wall.

In IIS I added a SSL binding to the Default Web Site that hosts the WSS stuff by setting SecureBindings to ":443:www.tfs.fnu.mycompany.com"

That worked and I can now access the WSS stuff via the https protocoll on port 443.

I then updated the TFS registration info with tfsreg, in particular for the WSS stuff I changed the ServiceInterface for BaseServerUrl and BaseSiteUrl to the new https DNS name.

I can browse projects just fine, all over port 443 and SSL. But project creation doesn't work. I narrowed it down to the following problem. Team Explorer seems to call the /_vti_adm/admin.asmx on the WSS administration site to create the new WSS site for a new project. It passes in the URL for that new project. Since I changed the TFS registration, it of course passes in a URL that starts with https. But, apparently, WSS can't handle that and replies that it can't find a virtual server that matches this. This seems to be a problem of WSS SP2 in general, that the whole admin part cannot deal with https URLs.

For example, http://localhost:17012/vsgeneralsettings.aspx VirtualServer=https://www.tfs.fnu.mycompany.com also doesn't work on the server, while the same with http for the WSS reference works. I also found some posts in newsgroups where people suggest as a workaround that one uses the IP address of the server when calling the admin.asmx web services. I could of course put the IP address in the TFS registration so that the client uses that for site creation (i.e. uses the IP address to construct the URL of the site it wants to create), but of course in the end I don't want the client to use the proper DNS name.

So, my dilemma seems to be: WSS has a bug that prevents creation of new sites via the admin.asmx when the address of the new site starts with https. But that is what the Team Explorer client attempts to do, if I register the https address with tfsreg. What can I do



Answer this question

WSS & SSL

  • dayjur

    Thanks for pointing me to the sharepoint community. I justed posted a entry into the microsoft.public.sharepoint.windowsservices newsgroup (by davidacoder, "WSS2, SSL and host headers"). It would be great if you could try to get someone from the WSS team to look into this and maybe try to work out together with them what is going on!

    Best,

    David

  • RHolt

    Bill, I just marked your answer as not helpful. I am not sure about the customs here. I do appretiate your help here a lot of course and find the answer helpful in that sense. But it didn't solve my problem, so I hope that is the right way to indicate that.

    Best, David

  • oman

    I have had the same problem with not being able to create new projects after setting up TFS for access over SSL. I have not set up the sharepoint administration site to run over ssl and also I have set up different dns names for the Sharepoint site (Default Web Site) and the Team Foundation Site.

    Default web site: tfsweb01.mycompany.com
    Team foundation site: tfs01.mycompany.com
    Sharepoint adminsitration: no name set up

    This morning after reading you post and adding a host header to the WSS site everything started working! So running:

    cscript.exe adsutil.exe set /w3svc/1/SecureBindings ":443:tfsweb01.mycompany.com"

    solved our problem for now. I have not tested this fully yet but I will post here if we run into any additional problems with this setup.

    This has been set up in a test environment and I have not documented all the steps required to reproduce this for us. All the SSL and name configuration steps were taken from the following sites:
    http://ognjenbajic.com/blog/doc/vsts/enabling%20team%20foundation%20system%20ssl.htm
    http://geekswithblogs.net/etiennetremblay/archive/2006/07/28/86542.aspx

    In the coming weeks we will be performing a clean install on a new server and hopefully I will be able to recreate this configuration and document the steps required to set it up more fully.

  • mahima

    Hi David,

    Have you had any luck with support from the sharepoint side I'd like to resolve this thread if the problem lies in the sharepoint domain.

    Thanks.



  • Kenneth Lai

    This is the message I just posted to the sharepoint newsgroups, just to have it here as well:

    Dear all,

    I am trying to get a quite tricky Team Foundation Server installation going.
    I am stuck with a WSS problem and hope to find some help here.

    I managed to narrow the problem down so that it is not related to the Team
    Foundation Server anymore.

    Here are the steps to reproduce:

    1. Install Windows Server 2003 R2
    2. Install IIS with Asp.Net (no Frontpage of course)
    3. Install .Net 2.0
    4. Install Sharepoint SP2 in typical mode

    So far so good, everyhting works fine as expected

    5. Use SelfSSL to create a wildcard certficate for the Default Web site. The
    name used is *.mycompany.com
    6. Remove the Binding to port 443 from the Default Web Site in IIS Manager
    7. Create another IIS site that listens on port 8080 and points to some
    other directory. This one is obviously not WSS extended
    8. Import the newly created SSL certificate into this site within IIS
    manager
    9. Remove the Binding to port 443 from the new iis site
    10. Configure the default and the new iis site to listen on port 443, but
    assign different host headers. This is supported with Windows Server 2003
    SP1 for wild card certificates. So, issue the following two commands
    "cscript.exe adsutil.vbs set /w3svc/1/SecureBindings
    ":443:www.mycompany.com" and "cscript.exe adsutil.vbs set
    /w3svc/7837823/SecureBindings ":443:www2.mycompany.com"
    11. Open sharepoint central administration, click on "Configure virtual
    server settings", pick the default web site and then click on "Virtual
    server general settings". This should navigate you to something like
    "http://localhost:16573/vsgeneralsettings.aspx VirtualServer=http://COMPUTERNAME"
    12. Now replace the VirtualServer parameter in that URL with the DNS name
    you used for the host header binding of the Default web site, i.e.
    http://localhost:16573/vsgeneralsettings.aspx VirtualServer=https://www.mycompany.com

    And that doesn't work, I get an error "The server instance specified was not
    found. Please specify the server's address and port."

    Now, you might ask why on earth I need that ;) Here is the problem: Visual
    Studio Team Explorer connects to the sharepoint admin site during project
    creation to create a new site for the new TFS project. It essentially issues
    (via the web service in the wss admin site) the command "create new site at
    this address". And the "this address" part of that command uses whatever
    address I have configured as the public address for the WSS server I use for
    my TFS server. I can only configure one DNS name for the WSS server in TFS,
    so I have to use the address that the clients are supposed to use. And that
    is the DNS name used in the host header binding for site 1. But this
    configuration can only work when the WSS admin site can operate successfully
    when I pass in that URL for the operations. I am not clear I express myself
    very clearly, so please follow up with questions!

    Any help would be greatly appreciated!

    Best,
    David


  • Nico Kerschbaumer

    No, this is still not resolved. I am just replying to a further question in the sharepoint newsgroups, but I'd like to keep this here open until resolved. Is that ok If we find a solution to this, it would be an incredibly neat TFS setup!

    Best,

    David

  • Bagles1

    I have not gotten any helpful reply to my question in the sharepoint newsgroup. Could you please try to find someone from the sharepoint team to look into this It would possibly be simpler if he/she would answer here in the TFS forum.

    Thanks,
    David

  • jiangtao.liu

    I am not really sure how the not helpful flag gets interpreted, but the fact that a post remains in the unanswered state is generally enough to keep it on the radar.

    Yes, what you describe is all outside of TFS. You are dealing with SharePoint configuration at this point. The SharePoint experts hang out here:

    http://msdn.microsoft.com/sharepoint/community/

    The SharePoint ISAPI filter sinks all traffic on port 80 in this configuration. I would guess that you need to map out the sites you are adding to the Default Site using the SharePoint managed paths feature to get traffic to flow as you expect: http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stsk01.mspx mfr=true.

  • _Quimbly_

    Alright, I narrowed the problem futher down.

    Here are my steps:

    I did a clean install of single server deployment of TFS according to the instructions.

    For each of the three IIS sites I set the SSL port, a different one for each.

    I then switched on SSL for each of the three sites in IIS manager.

    I configured WSS to use SSL with the "stsadm -o setadminport -port 17014 -ssl" option, just to make sure.

    Central Sharepoint admin works fine at that point.

    I then set the WSS site to use a host header, like this:

    cscript.exe adsutil.exe set /w3svc/1/SecureBindings ":443:www.tfs.mycompany.com"

    Now, if I access the WSS admin via https://localhost:17014 and then click Configure Virtual Server Settings -> Default Web Site -> Virtual Server General Settings, I get an error saying "The server instance specified was not found. Please specify the server's address and port." If I access the WSS admin via https://www.tfs.mycompany.com:17014, that is with the domain name I used for the host header of the WSS site, the same thing works. Which I find terribly strange, and which looks like a bug to me already. The admin site should work regardless of how I access it, right !

    If I then set the host header for the team foundation web services site like this

    cscript.exe adsutil.exe set /w3svc/3/SecureBindings ":443:webservices.tfs.mycompany.com"

    the WSS admin gives me the same error I got when I previously accessed it via the localhost route, even in the case when I access it with via the www.tfs.mycompany.com name.

    So, I get the impression that the WSS admin site breaks if there are two IIS sites (one of them a WSS site) that use the same port but different host headers. All of this seems to be completly pre-TFS issues, right

    I know there is also this host header mode for WSS, but I don't understand it... Maybe someone can help out And if you could get someone from the WSS team to confirm whether my reasoning here is right, that would be great too!

  • Nicolas Iacovides

    You might take a look at Ogjen's blog post on configuring TFS for SSL:

    http://ognjenbajic.com/blog/doc/vsts/enabling%20team%20foundation%20system%20ssl.htm

    Moving the SharePoint admin site to SSL might be the thing that is missing.
  • WSS & SSL
Answer this question