Rob Caron

Developer-related topics and other stuff.

Accessing Team Foundation Server Remotely

Accessing Team Foundation Server Remotely

  • Comments 39

Team Foundation client applications, such as Team Explorer, access Team Foundation Server functionality through a collection of Web services hosted on Internet Information Services (IIS) 6.0. The initial RTM release of Team Foundation Server only supports Integrated Windows Authentication, which allows clients to use their Windows credentials to access this functionality.


Integrated Windows Authentication is an ideal choice for most deployment scenarios in a corporate environment, but it is not an optimal choice in Internet scenarios due to limitations resulting from proxy servers, firewalls, and trusted connections. For this reason, we originally planned to support Basic and Digest authentication as well. For more information, see Integrated Windows Authentication (IIS 6.0).


Unfortunately, we were not able to complete this implementation in time to ship with the initial RTM release of Team Foundation Server. We are continuing to work on adding this support in the near future, which should be available sometime soon after the release of Team Foundation Server. However, this means that Team Foundation Server does not immediately support some scenarios, such as accessing Team Foundation Server through a proxy that does not maintain a connection between the client and server.


This does not mean that Team Foundation Server is not accessible from across the Internet. You can use a Virtual Private Network (VPN) should your scenario require accessing Team Foundation Server from outside your local intranet. Alternatively, and subject to your own risk analysis, you may opt to expose your Team Foundation Server directly to the Internet and require the use of encrypted connections (e.g., HTTPS using SSL/TLS); however, you may be thwarted by proxies on the client side of the equation, such as those provided by Internet Service Providers (ISPs).

If your intended use of Team Foundation Server requires support for Basic or Digest authentication, we would like to hear your feedback on the importance of these authentication mechanisms in your deployment scenarios.

[Now available as a KB article:] 


  • Distributed access should be a cornerstone feature of TFS.  Very poor planning on Microsoft's part.
  • Wow, that's one of the biggest reasons I was looking to get TFS installed and have spent the better part of the day reading up on it.  Glad I didn't dive in and install it.  

    Extremely disappointed.

  • DavidKean_MS (Moderator): We'll be starting our chat about Visual Studio Team Edition for Software Developer...
  • I have a scenario where I have developers working on the same project from multiple sites. My team is entirely distributed and none of us work in the same location. Due to my developers setups, VNP isn't a viable option either.

    This is basically going to force us to adopt VSS 2005 but we will be loosing out on the work item tracking etc which is one of the most important features of TFS for us.

    Until TFS supports remote connectivity there's absolutely no point in adopting it, from our point of view anyway.
  • We are currently migrating to Team system from the Visual SourceSafe.  We have developers in offices...
  • Rob/all - I finally have a TFS environment set up that involves two different non-trusting domains, where the TFS server is in our "main" domain and the clients are in a different domain. There is no trust between them. Then I configured the Proxy server on a machine that is not a member of either domain, but is located at the remote location (over in India along with the TFS client workstations). Everything is working great - although I know this is not supported by MS:)

    The trick was getting the right combination of local versus domain accounts. The local accounts had to be configured properly to allow pass-through authentication. The local accounts included the proxy service account.

    I created a Visio diagram of how I got it to work. If you would like to see it, let me know on this blog.
  • Hi Jamie,

    We have a very similar scenario with yours'. Would you please share your visio diagram with me. my e-mail is faysalbasci(-&at&-) Thanks in advance
  • Jamie -

    I would also very much like to see your visio diagram on how you set this up.

    kevinw -AT-

    Thank you!
  • This is a huge problem, not being able to operate VSTS across the internet without a VPN. It eliminates a lot of use scenarios for us. I'm glad to hear you plan to add this in this functionality in the near future.
  • Jamie,

    could you please forward the visio diagram of the solution to this dreadfull problem - my e-mail is "dusan at finsoft dot com".

    I am following Team System forums, and there are a lot of answers to people that can't be bothered to read the documentation, but whenever a fundamental question like this is asked it stays unanswered.

    This is more of Microsoft behaviour from early nineties than what we were used to in .NET era. Really disappointing.
  • I have a similar scenario with yours. Could you please share your visio diagram with me. My email is
  • In Brian Harry’s recent Tech Ed 2006 and Stuff in the pipe for Team Foundation Server...
  • Is this still true? You can't access TFS using basic or digest authentication. I found some information that you could set up this if you moved the TFS into a workgroup. If this is all still true then when will you be able to have basic or digest authentication within a domain?
  • Alan - See:
  • Jamie could you send me a copy of your Visio as I am facing a similar problem. joshua DOT allanson AT gmail DOT com. Thanks
Page 2 of 3 (39 items) 123
Leave a Comment
  • Please add 2 and 2 and type the answer here:
  • Post