Introduction
In my scenario, I have chosen to deploy the Standard TFS 2012 product on a SINGLE SERVER machine (by far the most popular deployment scenario, supporting shops with 500 developers or fewer). I am using a virtual server hosted on Hyper-V, configured with 2 processors and 10 GB of memory (SharePoint plus TFS requires it). As the standard deployment process is fairly self-explanatory and straightforward, I will concentrate more on the configuration steps after TFS deployment. However, here are some best practices that I can suggest. (Remember, my deployment uses Windows Server 2008 R2 on a Hyper-V virtual server with 2 processors and 10 GB of memory allocated to it. If you do not want to deploy SharePoint and Reporting, you will need at least 4 GB of memory.)
1. Start with a clean Windows Server 2008 R2 (virtual) machine.
2. Install all patches using Windows Update AND Microsoft Update.
3. Enable the Application Server and Web Server Roles.
4. Install the .Net Framework 3.5 Feature.
5. Install all patches using Windows Update AND Microsoft Update.
6. Create or prepare a local or domain account (let’s say, DOMAIN\tfsservice) dedicated to TFS, and set its password to never expire so that a scheduled password change does not silently stop the services. Keep this account out of the Domain Admins and local Administrators groups; it needs no more than the rights the installers grant it.
7. Give this login (DOMAIN\tfsservice) the Log on as a service user right via the Local Security Policy snap-in (secpol.msc).
8. Install SQL Server 2008 or 2012 (I installed 2012). Make sure that you install at least the following features, using the service account you created above (e.g. DOMAIN\tfsservice) for the services:
a. Database Engine
b. Reporting Services
c. Analysis Services
d. Full-Text Search (listed as “Full-Text and Semantic Extractions for Search” in SQL Server 2012 setup; TFS requires it)
9. Install all patches using Windows Update AND Microsoft Update.
10. Install TFS 2012 using the single-server, Standard option.
11. Configure TFS 2012 for SharePoint and Reporting using the service account you created above (e.g. DOMAIN\tfsservice). Verify that the configuration completes and the services start.
12. If a browser on the TFS server itself keeps prompting you for credentials when you open SharePoint Central Administration or TFS Web Access, you are hitting the loopback check and may need to implement the “loopback hack”. Refer to Microsoft’s KB article here: http://support.microsoft.com/kb/896861. Prefer the KB’s first method (list the host names you browse to locally in the BackConnectionHostNames registry value) over the second (DisableLoopbackCheck=1), which switches off a reflection-attack protection for every name on the server. Either way, the problem only affects browsing from the server itself; remote clients are not affected.
13. At this point, you should have a fully functional, non-SSL TFS deployment that you can test with Team Explorer in Visual Studio, TFS Web Access from a browser, the Application Tier node of the TFS Administration Console, and the SharePoint extensions and SharePoint configuration. This is the point from which we will enable SSL access.
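The scriptable parts of the steps above (roles and features, the service account, and the loopback fix from step 12), as an added example that is not part of the original post. It assumes a local account named tfsservice and the server FQDN tfs.corp.example.com; both are placeholders, as are the host names registered for the loopback check. Run it in an elevated PowerShell on Windows Server 2008 R2.

```powershell
# Added example (not from the original post): scripted equivalents of installation
# steps 3, 4, 6 and 12 on Windows Server 2008 R2. Run in an elevated PowerShell.
# Assumptions (mine, not the page's): a LOCAL service account named tfsservice and
# the server FQDN tfs.corp.example.com. Adjust both for your environment.

Import-Module ServerManager   # ships with Windows Server 2008 R2

# Steps 3 and 4: Application Server and Web Server roles plus .NET Framework 3.5.1.
Add-WindowsFeature -Name Application-Server, Web-Server, NET-Framework-Core

# Step 6: dedicated service account with a non-expiring password. The password is
# read interactively so it never lands in a script file or the command history.
$accountName = 'tfsservice'
$securePwd   = Read-Host -AsSecureString -Prompt "Password for $accountName"
$plainPwd    = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd))
net user $accountName $plainPwd /add /comment:"TFS service account" /y
wmic useraccount where "name='$accountName'" set PasswordExpires=false
# Least privilege: the account is deliberately NOT added to Administrators. SQL Server
# setup grants it "Log on as a service" when you assign it to the services (step 7);
# confirm the right afterwards in secpol.msc rather than assuming it.

# Step 12: the "loopback hack". Register the host names you will use when browsing
# from the server itself instead of setting DisableLoopbackCheck=1, which removes
# the reflection-attack protection for every name the server answers to.
$hostNames = @('tfs.corp.example.com', 'tfs')    # placeholders
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    -Name BackConnectionHostNames -Value $hostNames -Type MultiString
# The value is read when IIS starts, so restart the IIS Admin service (or reboot).
Restart-Service IISAdmin -Force
```

Steps 5 and 9 (patching through Windows Update and Microsoft Update) are left to the GUI; the point of scripting the rest is that the account and loopback settings end up identical every time the server is rebuilt.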

Figure 1. The Application Tier Holy Grail from the TFS Admin Console.
Pre-requisites
In order for us to SSL-enable our TFS deployment we will first need a few things in place.
1. We will need an SSL certificate issued either from a Windows Certificate Authority that you deploy on your domain or from a trusted commercial certificate provider. Make sure that the common name of the certificate is the Fully Qualified Domain Name (FQDN) of your TFS server, and that the same name is also present as a Subject Alternative Name, since browsers match the host name against the SAN rather than the CN.
2. We will use some ports for the various web applications on the TFS server, namely the following (you can choose any available ports; this is just an example):
a. SharePoint Default Site (or alternately named site): 6443
b. SharePoint Central Administration Site: 7443
c. Reporting Services Site: 8443
d. Team Foundation Server Web Access site: 443
3. Make sure that these ports are allowed through every firewall between your users and the server. At a minimum, create an Inbound Rule on the TFS server itself (run wf.msc) that allows TCP ports 443, 6443, 7443 and 8443. If SQL Server runs on a separate machine, also allow the SQL Server traffic through the firewalls in between; on the single-server deployment described here the database is local, so no SQL Server ports need to be opened to the network. For more information on firewall ports for SQL Server 2012, see: http://technet.microsoft.com/en-us/library/cc646023.aspx.
4. You must also prepare your SharePoint web application to accept requests for your external host name. You can view a video describing this here: http://tinyurl.com/8qa67sx. Add your FQDN (e.g. www.mytfs.com) as the host header and enable SSL on port 6443 if you are using the ports above.
5. Next, configure Reporting Services through its configuration tool to use SSL on port 8443 (again, if you are using the ports defined above). Reporting Services reads the FQDN from the certificate you pick, so make sure that you pick the right certificate: http://tinyurl.com/9dujbnc
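Pre-requisites #1 and #3 done from the command line, as an added example that is not part of the original post: a certreq request to an enterprise CA for a certificate whose CN and SAN are the server FQDN, a check that the issued certificate landed in the machine store with its private key, and one firewall rule for the four HTTPS ports. The FQDN tfs.corp.example.com, the CA configuration string ca.corp.example.com\Corp-Issuing-CA, the WebServer template name and the C:\tfs-ssl working folder are all assumptions.

```powershell
# Added example (not from the original post): request the SSL certificate from an
# enterprise (domain) CA and open the inbound ports from pre-requisites #2 and #3.
# Assumptions (mine): FQDN tfs.corp.example.com; CA config string
# "ca.corp.example.com\Corp-Issuing-CA"; a CA template named WebServer that the
# account running this may enrol in. Run elevated on the TFS server.

$fqdn   = 'tfs.corp.example.com'
$caConf = 'ca.corp.example.com\Corp-Issuing-CA'
$work   = 'C:\tfs-ssl'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# certreq .inf: CN = FQDN as the post requires, plus a SAN carrying the same name
# (browsers match the host name against the SAN). Non-exportable 2048-bit RSA key,
# key usage = digital signature + key encipherment, EKU = server authentication.
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}dns=$fqdn"
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

certreq -new    "$work\request.inf" "$work\request.req"
certreq -submit -config $caConf "$work\request.req" "$work\cert.cer"
certreq -accept "$work\cert.cer"      # joins the issued cert to its key in LocalMachine\My

# Check before going further: exactly the expected subject, with a private key,
# in the machine store. The IIS bindings later depend on this.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $fqdn in LocalMachine\My" }
"Thumbprint: $($cert.Thumbprint)  expires: $($cert.NotAfter)"

# Pre-requisite #3: one inbound rule for the four HTTPS ports. Windows Server 2008 R2
# has no New-NetFirewallRule cmdlet, so netsh is used. SQL Server is local on this
# single-server deployment, so TCP 1433 is deliberately NOT opened to the network.
netsh advfirewall firewall add rule name="TFS HTTPS (443,6443,7443,8443)" dir=in action=allow protocol=TCP localport=443,6443,7443,8443
```

If you buy the certificate from a commercial provider instead, generate the request the same way (certreq -new), send request.req to the provider, and finish with certreq -accept on the file they return; the check and the firewall rule are unchanged.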
Get er done
Configure the Alternate Access Mapping in SharePoint for the Central Administration and your Default SharePoint websites.

Figure 2. Configuring Alternate Access Mapping Collection in SharePoint.
1. Bind the sites in IIS Manager. In the IIS 7.5 management console, for each of your web sites (SharePoint default site, SharePoint Central Administration, Team Foundation Server), do the following:

Figure 3. SSL Binding for the TFS Site in IIS.
a. Click on Bindings, add a binding with https as the type, the appropriate port (as suggested in Pre-requisites #2 above) and your certificate. I would further suggest that you do not force SSL through the SSL Settings (Require SSL) in the IIS console; instead use URL Rewrite to redirect users from the http binding to the secure site. You can download URL Rewrite from the iis.net downloads page.
b. Edit the authentication settings for the site: DISABLE Anonymous Authentication and ENABLE Windows (Integrated) and Basic Authentication. Keep in mind that Basic Authentication sends the password base64-encoded, not encrypted, so it is only acceptable on the https binding; have the redirect in place before you enable it.
2. Launch the TFS Administration Console as an Administrator, select the Application Tier node and open the Change URLs dialog. Set the Notification URL to the secure URL of your TFS web access site and leave the Server URL (used for server-to-server communication) as it is.
3. Next, update the web.config in the Message Queue web folder as follows. Make sure that you back up your existing web.config first:
· Open the web.config file for Team Foundation Server in any plain-text editor, such as Notepad. By default, this file is located at %PROGRAMFILES%\Microsoft Team Foundation Server 11.0\Application Tier\Message Queue\web.config (TFS 2012 installs into the 11.0 folder).
· Remove the following endpoints from the file:
<!-- An empty relative address means the endpoint will pick up the base address of the svc file -->
<endpoint address=""
binding="customBinding"
bindingConfiguration="TfsSoapBinding"
contract="Microsoft.TeamFoundation.Framework.Server.WebServices.MessageQueueWebService" />
<!-- An empty relative address means the endpoint will pick up the base address of the svc file -->
<endpoint address=""
binding="customBinding"
bindingConfiguration="TfsSoapBinding"
contract="Microsoft.TeamFoundation.Framework.Server.WebServices.MessageQueueWebService2" />
· Navigate to the <system.serviceModel> section, and add the following protocol mappings:
<protocolMapping>
<remove scheme="http" />
<add scheme="http" binding="customBinding" bindingConfiguration="TfsSoapBinding"/>
<add scheme="https" binding="customBinding" bindingConfiguration="TfsSoapBindingHttps"/>
</protocolMapping>
· In the same <system.serviceModel> section, add the following binding to <customBinding>:
<binding name="TfsSoapBindingHttps">
<textMessageEncoding messageVersion="Soap12WSAddressing10" />
<httpsTransport authenticationScheme="IntegratedWindowsAuthentication" manualAddressing="true" />
</binding>
4. Next, from within the TFS Administration Console, go to SharePoint Extensions and add a new access mapping that points to the secure SharePoint default site you prepared in Pre-requisites #4 above. Remove the old, non-SSL access mapping.

Figure 4. Configure Extensions for SharePoint Products.
5. Next, from within the TFS Administration Console, go to SharePoint Configuration and switch the web application to the new extension and the secure URLs.

Figure 5. SharePoint Web Application Configuration.
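Steps 1 and 3 of this procedure as a script, added here as an example that is not part of the original post: https bindings tied to the certificate, the authentication settings, the http-to-https URL Rewrite rule on the TFS site, and the Message Queue web.config edit (backup, removal of the two fixed-binding endpoints, protocolMapping and https binding). The FQDN tfs.corp.example.com, the IIS site names in the table, the ports from Pre-requisites #2 and the default 11.0 install folder are assumptions; check the site names in IIS Manager before running it. Steps 2, 4 and 5 stay in the TFS Administration Console.

```powershell
# Added example (not from the original post): scripted "Get er done" steps 1 and 3.
# Assumptions (mine): FQDN tfs.corp.example.com; the IIS site names below; the ports
# from pre-requisites #2; TFS 2012 in its default "...Team Foundation Server 11.0"
# folder; the URL Rewrite module already installed. Run elevated on the TFS server.

$fqdn  = 'tfs.corp.example.com'
$sites = @{                                         # IIS site name -> HTTPS port
    'SharePoint - 80'                      = 6443
    'SharePoint Central Administration v4' = 7443
    'Team Foundation Server'               = 443
}
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "certificate for $fqdn not found in LocalMachine\My" }

Import-Module WebAdministration

foreach ($name in $sites.Keys) {
    $port = $sites[$name]
    $path = "IIS:\Sites\$name"
    # 1a. https binding on the chosen port, with the certificate bound to that port.
    if (-not (Get-WebBinding -Name $name -Protocol https -Port $port)) {
        New-WebBinding -Name $name -Protocol https -Port $port
    }
    if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!$port")) {
        New-Item "IIS:\SslBindings\0.0.0.0!$port" -Value $cert | Out-Null
    }
    # 1b. Authentication: anonymous off, Windows on. Basic is on only because the post
    # asks for it; it sends the password base64-encoded, so the https binding is a must.
    $auth = 'system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath $path -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $path -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $path -Filter "$auth/basicAuthentication"     -Name enabled -Value $true
}

# 1a, second half: redirect http:// requests on the TFS site to https:// (URL Rewrite)
# instead of switching on "Require SSL", as the post recommends.
$tfs  = 'IIS:\Sites\Team Foundation Server'
$rule = "system.webServer/rewrite/rules/rule[@name='Redirect to HTTPS']"
if (-not (Get-WebConfiguration -PSPath $tfs -Filter $rule)) {
    Add-WebConfigurationProperty -PSPath $tfs -Filter 'system.webServer/rewrite/rules' -Name '.' `
        -Value @{ name = 'Redirect to HTTPS'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $tfs -Filter "$rule/match"  -Name url -Value '(.*)'
    Add-WebConfigurationProperty -PSPath $tfs -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'off' }
    Set-WebConfigurationProperty -PSPath $tfs -Filter "$rule/action" -Name type -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $tfs -Filter "$rule/action" -Name url  -Value "https://$fqdn/{R:1}"
    Set-WebConfigurationProperty -PSPath $tfs -Filter "$rule/action" -Name redirectType -Value 'Permanent'
}

# Step 3: Message Queue web.config. Back it up, drop the two MessageQueueWebService
# endpoints that are pinned to the http binding, then add the scheme-based
# protocolMapping and the TfsSoapBindingHttps custom binding. Idempotent on re-run.
$cfgPath = "$env:ProgramFiles\Microsoft Team Foundation Server 11.0\Application Tier\Message Queue\web.config"
Copy-Item $cfgPath "$cfgPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
[xml]$cfg = Get-Content $cfgPath
$sm = $cfg.configuration.'system.serviceModel'
$pinned = "//endpoint[starts-with(@contract,'Microsoft.TeamFoundation.Framework.Server.WebServices.MessageQueueWebService')]"
foreach ($ep in @($cfg.SelectNodes($pinned))) { $ep.ParentNode.RemoveChild($ep) | Out-Null }
if (-not $sm.protocolMapping) {
    $pm = $cfg.CreateElement('protocolMapping')
    $pm.InnerXml = '<remove scheme="http" />' +
                   '<add scheme="http" binding="customBinding" bindingConfiguration="TfsSoapBinding" />' +
                   '<add scheme="https" binding="customBinding" bindingConfiguration="TfsSoapBindingHttps" />'
    $sm.AppendChild($pm) | Out-Null
}
$cb = $sm.bindings.customBinding
if (-not $cb.SelectSingleNode("binding[@name='TfsSoapBindingHttps']")) {
    $b = $cfg.CreateElement('binding'); $b.SetAttribute('name', 'TfsSoapBindingHttps')
    $b.InnerXml = '<textMessageEncoding messageVersion="Soap12WSAddressing10" />' +
                  '<httpsTransport authenticationScheme="IntegratedWindowsAuthentication" manualAddressing="true" />'
    $cb.AppendChild($b) | Out-Null
}
$cfg.Save($cfgPath)
```

The authentication settings are written with -PSPath to the site, which places them in location tags in applicationHost.config; that works even though the authentication sections are locked against delegation to web.config by default. The web.config edit removes the endpoints by contract name rather than by position, so it does not matter whether earlier hand edits changed their order.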
Post Installation Lessons Learned
1. Do NOT use your domain service account for Reporting Services; use the built-in NETWORK SERVICE account instead. Otherwise you may get errors when you try to create a Team Project complaining that the report folder could not be created.

Figure 6. Use NETWORK SERVICE for your Reporting Services, Service Account.

Figure 7. Reporting Tier configured in TFS Admin Console.
2. Configure your Build setup as necessary.

Figure 8. Build Configuration.
3. Configure your Lab Management as necessary.
4. Configure your Proxy as necessary (TIP: only deploy a TFS Proxy at a remote location if you have a fair number of users who will be accessing your TFS site from that location).
5. Back up all databases and your configuration.
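A final check of the SSL deployment, as an added example that is not part of the original post: it connects to each HTTPS port, reads the certificate the server actually presents, confirms the name, validity and chain trust, and then verifies that a plain-http request to the TFS site is redirected rather than answered. The FQDN tfs.corp.example.com, the ports from Pre-requisites #2 and the TFS site's original http port 8080 are assumptions; run it from a client that reaches the server through the same firewalls your users do.

```powershell
# Added example (not from the original post): verify the finished deployment from a
# client. Assumptions (mine): FQDN tfs.corp.example.com, the HTTPS ports from
# pre-requisites #2, and the TFS site's original http binding on port 8080.

$fqdn  = 'tfs.corp.example.com'
$ports = 443, 6443, 7443, 8443

function Get-ServerCertificate([string]$HostName, [int]$Port) {
    # Do a TLS handshake and return the leaf certificate. The validation callback
    # accepts everything so that the certificate can be inspected even if it is bad;
    # trust is evaluated separately below with Verify().
    $accept = [Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

foreach ($port in $ports) {
    $c       = Get-ServerCertificate $fqdn $port
    $name    = $c.GetNameInfo([Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $trusted = $c.Verify()                       # chain builds to a trusted root on this client
    $ok      = ($name -eq $fqdn) -and ($c.NotAfter -gt (Get-Date)) -and $trusted
    '{0}:{1,-5} name={2,-26} expires={3:d} trusted={4} -> {5}' -f `
        $fqdn, $port, $name, $c.NotAfter, $trusted, $(if ($ok) { 'OK' } else { 'CHECK' })
}

# The URL Rewrite rule: a plain-http request to the TFS site must come back as a
# 301 to https://, not as a 401 challenge (which would mean credentials are being
# negotiated over the unencrypted binding).
$req = [Net.HttpWebRequest]::Create("http://${fqdn}:8080/tfs/")
$req.AllowAutoRedirect = $false
$req.UseDefaultCredentials = $true
try   { $resp = $req.GetResponse() }
catch [Net.WebException] { $resp = $_.Exception.Response }
'http://{0}:8080/tfs/ -> {1} {2}' -f $fqdn, [int]$resp.StatusCode, $resp.Headers['Location']
$resp.Close()
```

A "CHECK" line usually means one of three things: the port is serving a different certificate from the one you bound (self-signed SharePoint or Reporting Services defaults are a common culprit), the name on the certificate is the short host name rather than the FQDN, or the client does not trust the issuing CA. A 401 instead of a 301 on the last line means the redirect rule is not in effect and Basic credentials could be sent over http.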
Good luck, and please do share your experiences here as well.