Setting up TFS with SSL/HTTPS

Another common problem that TFS admins encounter is setting up TFS with SSL/HTTPS. You can find the official guide for setting up HTTPS here: https://msdn.microsoft.com/en-us/library/aa833873.aspx. If you aren’t familiar with setting up SSL on websites in IIS, here are a few pointers that might be helpful:

· If you already have a Server Authentication Certificate for your Application Tier, you can skip ahead to the section “Installing and Assigning the Certificate.”

· Test your system *as often as possible.* It’s very easy to get into a bad state and have to undo all of your changes.

· If you are using Reporting Server 2005, set the SSL port for the default website to 443. (It may be possible to use a different website, but RS 2005 doesn’t play nice with that.)

· For the “TFS website” and “SharePoint Admin site,” make sure to use ports that aren’t used by other sites (e.g., *don’t* just use 444 & 445).

· Despite the ordering of the documentation, the *last* thing you should do before your system is ready to go is check the box “Require Secure Channel (SSL)” for the “Default Website,” “TFS Website,” and “SharePoint Admin Site.”

o Most notably, make sure you set up the alternative access mappings for SharePoint *before* you require SSL for the “SharePoint Admin Site”; otherwise, you won’t be able to get to the admin site.

· Depending on the configuration of your system, you may be able to ignore the section “Configuring the ISAPI Filter.”

· There is a problem with TFSAdminUtil ConfigureConnections in SP1. You can find more about that here: https://go.microsoft.com/fwlink/?LinkID=131656
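One way to act on the port and "test often" pointers above, as an added example that is not part of the original post or of Microsoft's guide: check a planned set of SSL ports for collisions before assigning them, then look at the certificate each port presents before you tick “Require Secure Channel (SSL).” It assumes PowerShell 2.0 or later on the application tier; the host name and port numbers are constructed placeholders, and the function names are made up for this example.

```powershell
# Added example. Site names come from the post; host name and ports are constructed placeholders.
$tfsHost = 'tfs.example.internal'
$plan    = @{ 'Default Website' = 443; 'TFS website' = 8443; 'SharePoint Admin site' = 17443 }

# Step 1 (before assigning ports): flag planned ports that collide with each other
# or with something already listening on this server.
function Test-PortPlan([hashtable]$Plan) {
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $inUse   = @($ipProps.GetActiveTcpListeners() | ForEach-Object { $_.Port })
    $shared  = @($Plan.Values | Group-Object | Where-Object { $_.Count -gt 1 } |
                 ForEach-Object { [int]$_.Name })
    foreach ($site in $Plan.Keys) {
        $port  = $Plan[$site]
        $state = 'free'
        if ($shared -contains $port)    { $state = 'shared with another planned site' }
        elseif ($inUse -contains $port) { $state = 'already listening' }
        New-Object PSObject -Property @{ Site = $site; Port = $port; State = $state }
    }
}

# Step 2 (after assigning the certificate, before requiring SSL): show what each port presents.
function Get-PresentedCertificate([string]$HostName, [int]$Port) {
    $seen = @{ Errors = 'not reached' }
    # Record validation errors rather than aborting; this inspects the certificate, it does not trust it.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $certificate, $chain, $errors) $seen.Errors = $errors; $true }
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{ Port = $Port; Subject = $cert.Subject
                                         NotAfter = $cert.NotAfter; PolicyErrors = $seen.Errors }
    } catch {
        # An unreachable port or failed handshake is reported as a row, not thrown.
        New-Object PSObject -Property @{ Port = $Port; Subject = $null
                                         NotAfter = $null; PolicyErrors = "failed: $($_.Exception.Message)" }
    } finally {
        if ($client) { $client.Close() }
    }
}

Test-PortPlan $plan | Format-Table Site, Port, State -AutoSize
$plan.Values | ForEach-Object { Get-PresentedCertificate $tfsHost $_ } |
    Format-Table Port, Subject, NotAfter, PolicyErrors -AutoSize
```

Run step 1 before any site is bound to its new port, since a port that one of these sites already uses will show as "already listening." A `PolicyErrors` value other than `None` in step 2 is what clients will trip over once SSL is required.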

 

You can find some supplemental information in the documentation on setting up SSL with client certs: https://msdn.microsoft.com/en-us/library/dd407788.aspx (The most useful part of this documentation for setting up just SSL is “Helpful Procedures for Working with Certificates.”)

 

--Aaron