How hard is it to enable TFS to start using secure connections, if its not already? Does doing so affect SQL configuration also? How can we force SSL to be required?
Im looking over this reference material
https://msdn.microsoft.com/en-us/library/aa833872%28v=vs.120%29.aspx#DisAd
Reading the above, I get the impression that MS is trying to discourage someone from using SSL for TFS over the internet?
Then I stumbled on to this blocg post
http://www.jwsecure.com/2009/01/29/using-tfs-via-the-internet/
Summary = just get a ssl cert and force ssl and port-forward a high port to 443
thoughts?
Firstly, the MSDN article you posted above shows you the detailed steps on how to set up HTTPS with SSL for TFS. To summarize main steps include:
Install a certification authority, obtain and install a server certificate for servers.
Request, install and configure websites with a certificate for Team Foundation Server using Internet Information Services (IIS) Manager.
Configure Team Foundation Server to require HTTPS and SSL.
Install the certificate on client computers.
You can also check this walkthrough: https://msdn.microsoft.com/en-us/library/aa833873.aspx
Secondly, you don't need to configure SQL Server. But if you have SQL Reporting Service, you need to configure it to support HTTPS with SSL.
Thirdly, to enable TFS to be available with external connections, you need to configure it with HTTPS with SSL. Also with it, web connections to TFS are more secure. However, these process needs more administrator's configuration & maintenance work. So you need to determine whether to use it based on your requirement.
Related
I have an OpenID Connect server (OpenIDdict) and an asp.net core webapp in containers behind a TLS termination proxy. In production, all communication between the webapp and the OIDC server can go through the 'outside', based on their public names. However, in development, I'm using self signed certificates that aren't trusted by the containers running the apps, only by my host pc. Because of that, in development, the webapp can redirect the browser to the OIDC server just fine, but when it, for instance, needs to call the token endpoint, it will fail, because the certificate isn't trusted.
A possible solution would be to have the server to server communication go through the internal container network, but I haven't been able to get that to work. Is there a way to make the asp.net core OpenID Connect middleware use a different url (and protocol) for server to server communication?
Another solution would be to install the self signed certificates in the containers, but because that's only needed in development, it seems bad practice to burden the images with that. Is that assessment correct?
I'm hoping I'm missing the most obvious solution. Any ideas?
This is what I ended up doing:
I added a custom domain to the hosts file of my pc, pointing to itself.
Using openssl, I created a rootDevCA.crt and added it to the trusted root on my pc and in all the container images.
With that root certificate, I signed a new certificate for the custom domain and supplied that (including its key) to the proxy.
As long as I keep the key file for the root certificate far away from my source code, there should be no security issues.
Currently we are running TFS2013 version. As per our organization support standards we are no longer recommended to enable SSL 2.0 & SSL 3.0 and as an alternative to SSL, need to implement the strongest proven version of TLS when encrypting a data transmission via ftp, the web, email or other technologies.
If we disable the SSL and implement the TSL will it affect the TFS builds or release in any way?
We are using OPSHub free version for migrating On-Premises TFS 2013 to cloud (VSO 2015).
During Opshub installation we got an error message "Unable to connect to remote server, check the internet connectivity or Proxy settings and try again".
We found the following link http://www.opshub.com/main/ovsomu-proxy regarding this issue and we contacted our network team to get the proxy server details (to put them in the environment variable _JAVA_OPTIONS), but they would like to know how Opshub connects to internet and all the inbound and outbound connections from Opshub, which port it uses and if the data is encrypted during installation and migration etc. Can Opshub support help us out in providing this information?
OpsHub use the standard VSTS ports of https which is encrypted with SSL. There are no inbound coms.
I would however not recommend the OpsHub tool as you will quickly run into an upsell from them. If it works for you then awesome, but if they as you for money then switch to the TFS Integration Tools that are free and supported by the TFS product team.
Yes, OVSMU requires to connect to the OpsHub website during installation for Verification Code generation process. (Thereafter, it does not connect to our website)
Once, the utility has been installed, it occupies two ports 8989 and 9090 as long as the tool is running. For communication with end points, it uses the default TFS and VSTS ports.
We want to migrate our custom steps from XAML build to new build task in TFS2015 on-premise. I installed NodeJS and tfx-cli but when tfx-cli want to connect to TFS I need to provide pat (personal access token) but I cannot find where I can get it. All samples is for VSO but not for on-premise TFS2015. Is it possible to get PAT from on-premise TFS2015?
TFS 2015 doesn't support Personal Access Tokens, this feature was introduced with TFS 2017. In the mean time you'll either need to configure basic auth and use that (only enable basic auth if your TFS server is running over SSL), Or use the trick below to trick the command lien tools to authenticate by lettign an NTLM proxy (like Fiddler) handle the auth for you.
If you do not want to configure Basic Authentication on your TFS server (which many people don't want due to security concerns), then you can use a neat trick to let Fiddler handle your authentication:
Then enter:
C:\>set http_proxy=http://localhost:8888
C:\>tfx login --auth-type basic --service-url http://jessehouwing:8080/tfs/DefaultCollection
You'll be prompted for a username and a password, it doesn't really matter what you enter, fiddler will handle the authentication for you in the background:
More detailed steps outlined on my blog.
If you're battling self-signed certificates, which is also a common problem when using tfx against a on-premise TFS server, make sure you're using a recent enough version of Node and point it to an aditional cert store using environment variables:
As of Node.js 7.3.0 (and the LTS versions 6.10.0 and 4.8.0) it is now possible to add extra well-known certificates to Node.js with an environment variable. This can be useful in cloud or other deployment environments to add trusted certificates as a matter of policy (as opposed to explicit coding), or on personal machines, for example, to add the CAs for proxy servers.
See the CLI documentation for more information on using NODE_EXTRA_CA_CERTS, as well as the original pull-request.
NODE_EXTRA_CA_CERTS=file#
Added in: v7.3.0
When set, the well known "root" CAs (like VeriSign) will be extended with the extra certificates in file. The file should consist of one or more trusted certificates in PEM format. A message will be emitted (once) with process.emitWarning() if the file is missing or malformed, but any errors are otherwise ignored.
Note that neither the well known nor extra certificates are used when the ca options property is explicitly specified for a TLS or HTTPS client or server.
There's another option for tfx-cli to connect to the TFS instance, and it is basic authentication. Just use the following format:
tfx login --auth-type basic --username myuser --password mypassword --service-url http://tfscollectionurl
Here is the quote from Github:
You can alternatively use basic auth by passing --auth-type basic
(read Configuring Basic Auth). NTLM will come soon.
Note: Using this feature will store your login credentials on disk in
plain text.
when I go to application tier, configure installed features ,start wizard,
it will ask whether I would like to have sharepoint on this machine or not, I go for it and the error displays is:
TF400081: Cannot connect to the Internet. An Internet connection is needed to be able to install SharePoint.
We are using a proxy on the network to access the internet, when I look in the log it says:
Exception Message: The remote server returned an error: (407) Proxy Authentication Required. (type WebException)Status: ProtocolError
Response Status Code: ProxyAuthenticationRequired
how can I run the standard configuration wizard do that it gets authenticated by the proxy?
This is because it's trying to download all the prerequisites for sharepoint. It may just be easier to do an offline install by manually installing the prereqs yourself.
http://blogs.technet.com/b/patrick_heyde/archive/2010/03/02/install-sharepoint-2010-without-internet-access.aspx
There is two ways:
1. switch off require authentication for your server on proxy
install your own intermediate proxy (Proxomitron.info for example) on you work computer and make TFS server to connect to you proxy instead of corporate.
And configure an intermediate proxy to bypass all connection without authentication.