Build, WIT, and SCC failure after configuring TFS 2008 for SSL


 

Today my certificate expired on one of my SSL TF servers. I decided to become my own certificate authority so I went through the process of installing the certificate authority, creating a request from IIS on the TF server, etc. I put the cert on all the web sites, set up SSRS and WSS alternate access mappings, ran the command line tools, etc. on the server…. installed the cert & CA cert on my client, cleaned the cache and then tried to connect – only reports and documents worked. WIT, Build, and SCC were all RED-Xed. Looking in the event log on the AT I found this error below. I searched around the web a lot on it, found a bunch of stuff but nothing that was specific to me. I finally figured out that I had not installed the certificate for my newly created certification authority into the “Trusted Root Certification Authorities” store on the TFS AT. Once I did that, issue resolved.

Hope this helps.

–Trev

 

Log Name:      Application
Source:        TFS Build
Date:          5/26/2010 4:48:31 PM
Event ID:      3028
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      <MY TF SERVER>
Description:
TF53010: The following error has occurred in a Team Foundation component or extension:
Date (UTC): 5/26/2010 8:48:31 PM
Machine: <MY TF SERVER>
Application Domain: /LM/W3SVC/441732147/ROOT/Build-6-129193805111113110
Assembly: Microsoft.TeamFoundation.Common, Version=9.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727
Process Details:
  Process Name: w3wp
  Process Id: 4112
  Thread Id: 908
  Account name: <TFS SERVICE ACCOUNT>

Detailed Message: TF53002: Unable to obtain registration data for application VersionControl.
Web Request Details
    Url: https://<MY TF SERVER>:8081/Build/v2.0/BuildService.asmx [method: POST]
    User Agent: Team Foundation (devenv.exe, 9.0.30729.1)
    Headers: Content-Length=411&Content-Type=application%2fsoap%2bxml%3b+charset%3dutf-8&Accept-Encoding=gzip&Accept-Language=en-US&Expect=100-continue&Host=<MY TF SERVER>%3a8081&User-Agent=Team+Foundation+(devenv.exe%2c+9.0.30729.1)&X-TFS-Version=1.0.0.0&X-TFS-Session=a02a2033-5d33-473b-9776-f3ead413859d&TF-Instance=a02a2033-5d33-473b-9776-f3ead413859d
    Path: /Build/v2.0/BuildService.asmx
    Local Request: True
    Host Address: fe80::310e:3ac1:fdec:fed5%11
    User: <MY DOMAIN\ME>[authentication type: NTLM]

Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)

Exception Stack Trace:    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationServiceProxyWsdl.GetRegistrationEntries(String toolId)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationProxy.GetRegistrationEntries(String toolId)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshMemoryCache()
   at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshCachesIfNeeded(Boolean direct)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationService.GetRegistrationEntries(String toolId)
   at Microsoft.TeamFoundation.Server.TeamFoundationApplication.GetRegistrationEntry(String toolName)
   at Microsoft.TeamFoundation.Server.TeamFoundationApplication.GetDatabaseConnectionString(String toolName, String dbName)

Inner Exception Details:

Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)

Exception Stack Trace:    at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.TlsStream.CallProcessAuthentication(Object state)
   at System.Threading.ExecutionContext.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="TFS Build" />
    <EventID Qualifiers="0">3028</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-05-26T20:48:31.000Z" />
    <EventRecordID>52122</EventRecordID>
    <Channel>Application</Channel>
    <Computer><MY TF SERVER></Computer>
    <Security />
  </System>
  <EventData>
    <Data>TF53010: The following error has occurred in a Team Foundation component or extension:
Date (UTC): 5/26/2010 8:48:31 PM
Machine: <MY TF SERVER>
Application Domain: /LM/W3SVC/441732147/ROOT/Build-6-129193805111113110
Assembly: Microsoft.TeamFoundation.Common, Version=9.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727
Process Details:
  Process Name: w3wp
  Process Id: 4112
  Thread Id: 908
  Account name: <TFS SERVICE ACCOUNT>

Detailed Message: TF53002: Unable to obtain registration data for application VersionControl.
Web Request Details
    Url: https://<MY TF SERVER>:8081/Build/v2.0/BuildService.asmx [method: POST]
    User Agent: Team Foundation (devenv.exe, 9.0.30729.1)
    Headers: Content-Length=411&amp;Content-Type=application%2fsoap%2bxml%3b+charset%3dutf-8&amp;Accept-Encoding=gzip&amp;Accept-Language=en-US&amp;Expect=100-continue&amp;Host=<MY TF SERVER>%3a8081&amp;User-Agent=Team+Foundation+(devenv.exe%2c+9.0.30729.1)&amp;X-TFS-Version=1.0.0.0&amp;X-TFS-Session=a02a2033-5d33-473b-9776-f3ead413859d&amp;TF-Instance=a02a2033-5d33-473b-9776-f3ead413859d
    Path: /Build/v2.0/BuildService.asmx
    Local Request: True
    Host Address: fe80::310e:3ac1:fdec:fed5%11
    User: <MY DOMAIN\ME>[authentication type: NTLM]

Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)

Exception Stack Trace:    at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationServiceProxyWsdl.GetRegistrationEntries(String toolId)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationProxy.GetRegistrationEntries(String toolId)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshMemoryCache()
   at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshCachesIfNeeded(Boolean direct)
   at Microsoft.TeamFoundation.Proxy.BisRegistrationService.GetRegistrationEntries(String toolId)
   at Microsoft.TeamFoundation.Server.TeamFoundationApplication.GetRegistrationEntry(String toolName)
   at Microsoft.TeamFoundation.Server.TeamFoundationApplication.GetDatabaseConnectionString(String toolName, String dbName)

Inner Exception Details:

Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)

Exception Stack Trace:    at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.TlsStream.CallProcessAuthentication(Object state)
   at System.Threading.ExecutionContext.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)

</Data>
  </EventData>
</Event>

Comments (1)

  1. A reader asks: "Trevor, I am in the same situation that I want a free SSL certificate. I managed to install the certificate, but when I navigate to Web Access I get a certificate error. I read on your blog that you have to install the certificate for my newly created certification authority into the “Trusted Root Certification Authorities” Where can I find or create the certificate for my newly created certification authority."

    My Certification Authority is installed on a WS08R2 machine named "TREVISOR-01" (it's a Hypervisor machine… bet you guessed that <g>). I can export the root certification authority certificate from that machine by doing this:

    1. Log into the machine as an admin

    2. Open an elevated command prompt

    3. Execute these commands to export the root certification authority certificate to your desktop in a .cer file (changing the file name as appropriate, of course):

    CD %userprofile%desktop

    certutil  -ca.cert TREVISOR-01.cer

    If you're going to be using this cert a lot, you may want to put it in a share somewhere too (securing the share as appropriate) so other users can access it.

Skip to main content