Integrating TFS with a SharePoint web app configured with SSL offloading

We had an interesting issue recently. It was a TFS 2013 server integrated with a SharePoint web application that had its SSL offloaded to its NLB. You can find more about this here.
In this setup the communication between the NLB and the SharePoint machines happened on a non-SSL connection. But the NLB strictly accepted only secure SSL connections.

The issue was that our customer wasn’t able to create new projects. It was failing with an exception similar to below

Event Description: TF30162: Task "SharePointPortal" from Group "Portal" failed
Exception Type: Microsoft.TeamFoundation.Client.PcwException
Exception Message: An error occurred in the New Team Project Wizard while attempting to create a folder on the following SharePoint Web application: sharepoint.tfs.com.
Exception Details: The Project Creation Wizard encountered a problem while uploading documents to the following server running SharePoint Products: sharepoint.tfs.com. The reason for the failure cannot be determined at this time. Because the operation failed, the wizard was not able to finish creating the team project.

Stack Trace:
at Microsoft.VisualStudio.TeamFoundation.PCW.WssSiteCreator.Execute(ProjectCreationContext context, XmlNode taskXml)
at Microsoft.VisualStudio.TeamFoundation.PCW.ProjectCreationEngine.TaskExecutor.PerformTask(IProjectComponentCreator componentCreator, ProjectCreationContext context, XmlNode taskXml)
at Microsoft.VisualStudio.TeamFoundation.PCW.ProjectCreationEngine.RunTask(Object taskObj)
-- Inner Exception --
Exception Message: Exception of type 'Microsoft.SharePoint.SoapServer.SoapServerException' was thrown. (type SoapException)SoapException Details: <detail><errorstring xmlns="https://schemas.microsoft.com/sharepoint/soap/">Cannot access a closed Stream.</errorstring></detail>
Exception Stack Trace:
at Microsoft.TeamFoundation.Client.Channels.TfsHttpClientBase.HandleReply(TfsClientOperation operation, TfsMessage message, Object[]& outputs)
at Microsoft.TeamFoundation.Client.Channels.TfsHttpClientBase.Invoke(TfsClientOperation operation, Object[] parameters, TimeSpan timeout, Object[]& outputs)
at Microsoft.TeamFoundation.Client.SharePoint.Lists.UpdateListItems(String listName, XmlNode updates)
at Microsoft.TeamFoundation.Client.SharePoint.WssUtilities.CreateFolder(DocumentLibraryInfo docLibInfo, String folderUrl)
at Microsoft.VisualStudio.TeamFoundation.PCW.WssSiteCreator.CreateFolder(WssCreationContextWrapper contextWrapper, DocumentLibraryInfo docLibInfo, String folder)
at icrosoft.VisualStudio.TeamFoundation.PCW.WssSiteCreator.HandleFolderCreation(WssCreationContextWrapper contextWrapper, XmlNode taskNode)
at Microsoft.VisualStudio.TeamFoundation.PCW.WssSiteCreator.Execute(ProjectCreationContext context, XmlNode taskXml)

TFS was integrated with SharePoint and the project creation was failing only when a SharePoint site is created along with the project.
We went ahead and checked the SharePoint logs to check on the “Cannot access a closed Stream”

SOAP exception:
System.ObjectDisposedException: Cannot access a closed Stream.
at System.IO.MemoryStream.Write(Byte[] buffer, Int32 offset, Int32 count)
at System.IO.StreamWriter.Flush(Boolean flushStream, Boolean flushEncoder)
at System.IO.StreamWriter.Dispose(Boolean disposing)
at System.IO.StreamWriter.Close()
at System.Xml.XmlTextWriter.Close()
at Microsoft.SharePoint.SoapServer.ListDataImpl.ConstructCaml(String strListName, String strXmlData, Boolean useHarmonicaKnowledge, Boolean useVersionHistory)
at Microsoft.SharePoint.SoapServer.ListDataImpl.UpdateListItems(String strListName, String strXmlData)
at Microsoft.SharePoint.SoapServer.ListDataValidatorImpl.UpdateListItems(String strListName, String strXmlData)
at Microsoft.SharePoint.SoapServer.Lists.UpdateListItems(String listName, SoapXmlElement updates)

Also from the ULS logs

• We see that site was created
• Features are being activated on the site
• The error happened when the first document was being uploaded to the team site
• After the error the site was cleaned up too

Creating a project and then linking it with SharePoint as described by this blog succeeded too.

This made us check the SSL on the SharePoint NLB. We didn’t face the same error if the offloading was turned off i.e. if both the SharePoint WFE and NLB used only non-secure connections.
This wasn’t a solution (as security is important), so we went ahead and checked the traffic on the three components – TFS server, SharePoint WFEs and the NLB using network monitoring tool.
We didn’t see any explicit connection closures on the netmon traces.
To our surprise all the functionality within SharePoint worked fine with the NLB URL.

After a lot of troubleshooting we found out  that root cause was in the way the web-application was configured(thanks a ton to Vishal Bhajaj from the SP team at MSFT).
More precisely, the issue was due to alternate access mappings on the web application.
We changed it to the following

• Default external URL – https://NLB
• Internal URL – https://NLB so that the connections can be made on this between NLB and SP WFEs.

The reason being TFS internally uses the default external URL of the SharePoint web app for making its connections (you would have seen only this mapping shown on the TFS Extensions).
This helped us fix the error with the connections made between TFS and SharePoint and in-turn the project creation error.

Content created by Venkata Narasimhan
Content reviewed by Romit Gulati