Setting up TFS with SSL/HTTPs

Another common problem that TFS admins often encounter is setting up TFS with SSL/HTTPs. You can find the official guide for setting up https here: If you aren’t familiar with setting up SSL on websites in IIS. Here are a few pointers which might be helpful:

·         If you already have a Server Authentication Certificate for your Application Tier, you can skip ahead to the section “Installing and Assigning the Certificate.”

·         Test your system *as often as possible.* It’s very easy to get into a bad state and have to undo all of your changes.

·         If you are using Reporting Server 2005. Set the SSL port for the default website to 443. (It may be possible to use a different website, but RS 2005 doesn’t play nice with that.)

·         For the “TFS website” and “SharePoint Admin site” make sure to use ports that aren’t used by other sites (e.g.,  *don’t* just use 444 & 445).

·         Despite the ordering of the documentation, the *last* thing you should do before your system is ready to go is check the box “Require Secure Channel (SSL)” for the “Default Website,” “TFS Website,” and  “SharePoint Admin Site.”

o   Most notably make sure you set up the alternative access mappings for SharePoint *before* you require SSL for the “SharePoint Admin Site,” otherwise, you won’t be able to get to the admin site.

·         Depending on the configuration of your system, you may be able to ignore the section “Configuring the ISAPI” Filter.

·         There is a problem with TFSAdminUtil ConfigureConnections in SP1. You can find more about that here:



You can find some supplemental information in the documentation on setting up SSL with client certs: (The most useful part of this documentation for setting up just SSL is “Helpful Procedures for Working with Certificates.”)




Skip to main content