Accessing Team System via the Internet


If you want to provide remote access to Team System over the internet, you may be in for a surprise:

Microsoft only officially supports remote access to Team System through VPN!

That's kind of a bummer. Rob Caron elaborates:
Team Foundation client applications, such as Team Explorer, access Team Foundation Server functionality through a collection of Web services hosted on Internet Information Services (IIS) 6.0. The initial RTM release of Team Foundation Server only supports Integrated Windows Authentication, which allows clients to use their Windows credentials to access this functionality.
 
Integrated Windows Authentication [previously known as NTLM] is an ideal choice for most deployment scenarios in a corporate environment, but it is not an optimal choice in Internet scenarios due to limitations resulting from proxy servers, firewalls, and trusted connections. For this reason, we originally planned to support Basic and Digest authentication as well.

Unfortunately, we were not able to complete this implementation in time to ship with the initial RTM release of Team Foundation Server. We are continuing to work on adding this support in the near future, which should be available sometime soon after the release of Team Foundation Server. However, this means that Team Foundation Server does not immediately support some scenarios, such as accessing Team Foundation Server through a proxy that does not maintain a connection between the client and server.

Team Foundation Server is driven by a collection of web services, which you can see plainly if you browse IIS on the web tier:

This is all standard IIS 6 stuff, which means you can expose these web services over HTTPS (SSL). Right-click the website and select Properties, then visit the Directory Security tab. It's right there under the Secure communications group:



But there's a catch: NTLM/IWA authenticates the connection rather than each individual request, using a multi-step handshake, so a proxy that doesn't keep a single connection open between client and server breaks it. Even though users may be able to reach these web services over HTTPS, they may not be able to authenticate. It all depends on what kind of proxies they're passing through on the way to your site.
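
As an added illustration (this is not code from the post, and not part of Team System), here is a small Python probe that takes the raw 401 challenge an IIS site returns and reports whether any of the offered schemes will work for a client behind a proxy that does not hold the connection open, the failure mode just described. It also flags Basic offered without TLS, and a server that closes the connection after the challenge. The two sample responses are constructed; the realm name is a placeholder.

```python
"""Classify the authentication schemes an IIS 6 site offers in its 401
challenge and flag the ones that will not survive a proxy that does not keep
one TCP connection open between client and server.  Added example, not TFS
code; the sample responses below are constructed, not captured."""
import re
from typing import Dict, List, Tuple

# NTLM, and Negotiate (Kerberos or NTLM via SPNEGO), authenticate the TCP
# connection with a multi-leg handshake.  A proxy that opens a fresh upstream
# connection per request loses the handshake state, so the client never gets
# past the 401.  Basic and Digest put the credential (or a hash of it) on
# every request, so they survive any proxy.
CONNECTION_ORIENTED = {"ntlm", "negotiate"}
PER_REQUEST = {"basic", "digest"}


def parse_raw_response(raw: bytes) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into (status code, [(name, value)]).
    Names are lowercased; duplicates are kept because IIS sends one
    WWW-Authenticate header per scheme."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def challenge_schemes(headers: List[Tuple[str, str]]) -> List[str]:
    """Scheme names (lowercased, in order) from every WWW-Authenticate header.
    Handles one scheme per header ('Negotiate' / 'NTLM') and a comma-separated
    list ('Basic realm="x", Digest realm="x", qop="auth"'): a piece whose first
    token has no '=' names a scheme; one whose first token has '=' is a
    parameter of the preceding scheme.  (A comma inside a quoted realm would
    fool this; good enough for what IIS emits.)"""
    schemes = []
    for name, value in headers:
        if name != "www-authenticate":
            continue
        for piece in re.split(r",\s*", value):
            tokens = piece.split(None, 1)
            if tokens and "=" not in tokens[0]:
                schemes.append(tokens[0].lower())
    return schemes


def assess(status: int, headers: List[Tuple[str, str]],
           over_tls: bool) -> Dict[str, object]:
    """Summarise whether a client behind a non-persistent proxy can log in."""
    schemes = challenge_schemes(headers)
    result = {
        "status": status,
        "schemes": schemes,
        "proxy_safe": [s for s in schemes if s in PER_REQUEST],
        "connection_oriented": [s for s in schemes if s in CONNECTION_ORIENTED],
        "warnings": [],
    }
    if status != 401:
        result["warnings"].append("no 401 challenge: nothing to assess")
        return result
    if not result["proxy_safe"]:
        result["warnings"].append(
            "only connection-oriented schemes offered: clients behind a proxy "
            "that does not hold the connection open cannot authenticate")
    if "basic" in schemes and not over_tls:
        result["warnings"].append(
            "Basic offered without TLS: credentials cross the wire "
            "base64-encoded, not encrypted")
    closes = any(n == "connection" and v.lower() == "close" for n, v in headers)
    if result["connection_oriented"] and closes:
        result["warnings"].append(
            "server closes the connection after the challenge: the "
            "NTLM/Negotiate handshake cannot complete")
    return result


def assess_raw(raw: bytes, over_tls: bool) -> Dict[str, object]:
    status, headers = parse_raw_response(raw)
    return assess(status, headers, over_tls)


# Constructed sample: what an RTM-era TFS web tier with only Integrated
# Windows Authentication enabled answers an unauthenticated request.
RTM_IWA_ONLY = (b"HTTP/1.1 401 Unauthorized\r\n"
                b"Server: Microsoft-IIS/6.0\r\n"
                b"WWW-Authenticate: Negotiate\r\n"
                b"WWW-Authenticate: NTLM\r\n"
                b"Content-Length: 0\r\n\r\n")

# Constructed sample: the same site with Basic added (realm is a placeholder).
IWA_PLUS_BASIC = (b"HTTP/1.1 401 Unauthorized\r\n"
                  b"Server: Microsoft-IIS/6.0\r\n"
                  b'WWW-Authenticate: Basic realm="tfs.example.com"\r\n'
                  b"WWW-Authenticate: Negotiate\r\n"
                  b"WWW-Authenticate: NTLM\r\n"
                  b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for raw, tls in ((RTM_IWA_ONLY, True), (IWA_PLUS_BASIC, True), (IWA_PLUS_BASIC, False)):
        print(assess_raw(raw, tls)["schemes"], assess_raw(raw, tls)["warnings"])
```

Against a live server you would feed `assess_raw` the bytes of the first response to an unauthenticated `GET` (for example captured with a raw socket or a packet capture) and pass `over_tls` according to the scheme you connected with; an IWA-only site shows up as having no proxy-safe scheme at all, which is exactly the RTM situation the post describes.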

There's a walkthrough on setting up SSL for Team Foundation Server on the Configuration and Management of Team Foundation Server Quickstart page, but clicking on that link results in, err.. well, nothing. Yet. I'm sure eventually there will be an article of the high quality we typically expect from MSDN in place of that placeholder text.

In the meantime, I found Ognjen Bajic's Word-to-HTML transcribed walkthrough, Enabling Team Foundation Server SSL. I think it's a bit more complex than it needs to be, but it's definitely a good starting point for those of us interested in exposing VSTS through the internet without VPN.

posted on Tuesday, April 18, 2006 12:35 PM by jatwood

Comments

# VSTS Links - 04/19/2006

Manish Agarwal talks about configuring desktop builds for building specific solutions in Team Build....
Wednesday, April 19, 2006 6:13 AM by Team System News

# re: Accessing Team System via the Internet

I experimented with the access-over-the-internet scenario too and was disappointed in the end. The doc Ognjen posted on his site helped, but it is not enough. I tried it with RTM, not beta 3, which makes a difference at some points, but the main problem I focused on was the change of the server name from the NetBIOS name (e.g. tfsserver) to a FQDN accessible from the internet (e.g. tfsserver.mydomain.com).
The web services worked, but the reporting site and SharePoint did not completely. SharePoint in particular had problems with the change. I had a scenario up and running with SSL over the internet for existing projects, but then the create-new-project wizard did not run anymore (SharePoint...).

My lessons learned:
The authentication issue can be resolved by putting the TFS server into the Trusted Sites zone on the clients and changing the NTLM setting to automatic (not prompt) for this zone.

The addressing problem could be resolved by replacing the NetBIOS server name with the FQDN in the configuration (using TFSreg.exe) and in the registry (reporting server).
But it does not work with the project creation wizard.

For the authentication issue, I tried using client certificates and mapping them to user accounts, but I did not manage to get this working...

Finally, I gave up at this point, wiped the machine, set it up for intranet access only and created a VPN for my development partners.... I am currently evaluating the Teamplain add-on and trying to get all of the SharePoint and reporting functions up and running over the internet with SSL.

To work around the integrated authentication issue, I put the server into a workgroup and did not add it to the AD forest. This enables users from external forests/domains to log on if there are local accounts on the machine with the same account name and password as they use on their machines. A dirty thing, but it works at the moment.

And finally, I cannot understand at all why Microsoft did not have "access over the internet using SSL and FQDN" in scope from the beginning; maybe because they only use the product within their corp net....

Hopefully, there will be a solution at a later time...

For further questions you can drop me an email at info@inventit-ag.de

cheers,
Thomas
Wednesday, April 19, 2006 12:57 PM by Thomas

# re: Accessing Team System via the Internet

The article leaves some questions. It doesn't support basic auth at all? Even with SSL I still need to use Integrated Auth?
Saturday, April 22, 2006 5:40 PM by AlmCoder

# re: Accessing Team System via the Internet

> for further questions you can drop me an email at info@inventit-ag.de

Thanks for the info, Thomas!

> It doesn't support basic auth at all?

That's right. Team System does NOT support basic auth. That's the root of the issue..
Tuesday, April 25, 2006 12:15 PM by Jeff Atwood

# re: Accessing Team System via the Internet

Note that as of Service Pack 1, Team System *does* support basic auth. Yay!
Monday, January 22, 2007 3:51 PM by Jeff Atwood