Developer Support Team Foundation Server

Tips, tricks, thoughts and experiences from the Microsoft Team Foundation Server global support team.

Build, WIT, and SCC failure after configuring TFS 2008 for SSL


Today my certificate expired on one of my SSL TF servers. I decided to become my own certificate authority, so I went through the process of installing the certificate authority, creating a request from IIS on the TF server, etc. I put the cert on all the web sites, set up SSRS and WSS alternate access mappings, ran the command line tools, etc. on the server, installed the cert and CA cert on my client, cleaned the cache and then tried to connect. Only reports and documents worked. WIT, Build, and SCC were all RED-Xed. Looking in the event log on the AT, I found the error below. I searched around the web a lot on it and found a bunch of stuff, but nothing that was specific to me. I finally figured out that I had not installed the certificate for my newly created certification authority into the “Trusted Root Certification Authorities” store on the TFS AT. Once I did that, the issue was resolved.

Hope this helps.

--Trev

 

Log Name:      Application
Source:        TFS Build
Date:          5/26/2010 4:48:31 PM
Event ID:      3028
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      <MY TF SERVER>
Description:
TF53010: The following error has occurred in a Team Foundation component or extension:
Date (UTC): 5/26/2010 8:48:31 PM
Machine: <MY TF SERVER>
Application Domain: /LM/W3SVC/441732147/ROOT/Build-6-129193805111113110
Assembly: Microsoft.TeamFoundation.Common, Version=9.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727
Process Details:
  Process Name: w3wp
  Process Id: 4112
  Thread Id: 908
  Account name: <TFS SERVICE ACCOUNT>

Detailed Message: TF53002: Unable to obtain registration data for application VersionControl.
Web Request Details
    Url: https://<MY TF SERVER>:8081/Build/v2.0/BuildService.asmx [method: POST]
    User Agent: Team Foundation (devenv.exe, 9.0.30729.1)
    Headers: Content-Length=411&Content-Type=application%2fsoap%2bxml%3b+charset%3dutf-8&Accept-Encoding=gzip&Accept-Language=en-US&Expect=100-continue&Host=<MY TF SERVER>%3a8081&User-Agent=Team+Foundation+(devenv.exe%2c+9.0.30729.1)&X-TFS-Version=1.0.0.0&X-TFS-Session=a02a2033-5d33-473b-9776-f3ead413859d&TF-Instance=a02a2033-5d33-473b-9776-f3ead413859d
    Path: /Build/v2.0/BuildService.asmx
    Local Request: True
    Host Address: fe80::310e:3ac1:fdec:fed5%11
    User: <MY DOMAIN\ME>[authentication type: NTLM]

Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)

Exception Stack Trace:    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationServiceProxyWsdl.GetRegistrationEntries(String toolId)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationProxy.GetRegistrationEntries(String toolId)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshMemoryCache()
   at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshCachesIfNeeded(Boolean direct)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationService.GetRegistrationEntries(String toolId)
   at Microsoft.TeamFoundation.Server.TeamFoundationApplication.GetRegistrationEntry(String toolName)
   at Microsoft.TeamFoundation.Server.TeamFoundationApplication.GetDatabaseConnectionString(String toolName, String dbName)

Inner Exception Details:

Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)

Exception Stack Trace:    at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.TlsStream.CallProcessAuthentication(Object state)
   at System.Threading.ExecutionContext.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)


  • A reader asks: "Trevor, I am in the same situation that I want a free SSL certificate. I managed to install the certificate, but when I navigate to Web Access I get a certificate error. I read on your blog that you have to install the certificate for my newly created certification authority into the “Trusted Root Certification Authorities”. Where can I find or create the certificate for my newly created certification authority?"

    My Certification Authority is installed on a WS08R2 machine named "TREVISOR-01" (it's a Hypervisor machine... bet you guessed that <g>). I can export the root certification authority certificate from that machine by doing this:

    1. Log into the machine as an admin

    2. Open an elevated command prompt

    3. Execute these commands to export the root certification authority certificate to your desktop in a .cer file (changing the file name as appropriate, of course):

        CD %userprofile%\desktop
        certutil -ca.cert TREVISOR-01.cer

    If you're going to be using this cert a lot, you may want to put it in a share somewhere too (securing the share as appropriate) so other users can access it.
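
The fix described in the post (trusting the new CA's root on the application tier itself), as an added example that is not part of the original post or the reply above: it checks the exported root before adding it to the machine-wide Trusted Root store, then rebuilds the chain for the site certificate. The function name, parameters and file paths are hypothetical, and it assumes the site's SSL certificate has been exported to a .cer file.

```powershell
# Added example. Install-TfsRootCa and all parameter values are hypothetical.
function Install-TfsRootCa {
    param(
        [string]$CaCertPath,          # root CA .cer, e.g. exported with certutil -ca.cert
        [string]$ExpectedThumbprint,  # confirmed out of band with the CA's administrator
        [string]$ServerCertPath       # the TFS web site's SSL certificate exported as .cer
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    $ca = New-Object "$ns.X509Certificate2" -ArgumentList $CaCertPath

    # A root CA certificate is self-signed, so subject and issuer are identical.
    if ($ca.Subject -ne $ca.Issuer) {
        throw "Not a self-signed root certificate: $($ca.Subject)"
    }
    # Never add a trust anchor whose fingerprint has not been checked independently.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($ca.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch, refusing to trust: $($ca.Thumbprint)"
    }

    # LocalMachine\Root, not CurrentUser\Root: the failing request in the event log
    # is made by w3wp under the TFS service account, not by an interactive user.
    $store = New-Object "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($ca) } finally { $store.Close() }

    # Rebuild the chain for the site certificate and report why it fails, if it does.
    $server = New-Object "$ns.X509Certificate2" -ArgumentList $ServerCertPath
    $chain = New-Object "$ns.X509Chain"
    $trusted = $chain.Build($server)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    New-Object PSObject -Property @{
        RootSubject    = $ca.Subject
        RootThumbprint = $ca.Thumbprint
        ServerSubject  = $server.Subject
        ChainTrusted   = $trusted
        ChainProblems  = ($problems -join ', ')
    }
}

# Run from an elevated PowerShell prompt on the application tier (placeholder values):
# Install-TfsRootCa -CaCertPath "$env:USERPROFILE\Desktop\TREVISOR-01.cer" `
#     -ExpectedThumbprint '<THUMBPRINT FROM CA ADMIN>' -ServerCertPath 'C:\temp\tfs-site.cer'
```

ChainTrusted covers the trust path only; the name in the site certificate must still match the host name used in the TFS URLs.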
