My team and I have been attempting to publish our TFS HTTP endpoint through a reverse proxy. TFS is authenticating using NTLM authentication; basic authentication is not encouraged: https://learn.microsoft.com/en-us/vsts/integrate/get-started/auth/tfs-basic-auth. Since NTLM is stateful, going through a reverse proxy has challenges. Ignoring the long history of this issue, here is the current situation:
We're running TFS 2017 using NTLM authentication to the backend domain; TFS is hosted on Windows Server 2016. The reverse proxy server is in a DMZ network, separated from the TFS server by a firewall, but there is a firewall rule opening port TCP 8080 to the TFS server from the reverse proxy server, and the reverse proxy server is a member of the same backend domain as TFS. On the reverse proxy server, we're using IIS 7 with the URL Rewrite plugin as the reverse proxy technology on Windows Server 2008 R2.
The TFS endpoint, altered here for the sake of discussion, is: http://backendserver.example.com:8080/tfs/. The reverse proxy site, again altered here, is http://reverseproxy.example.com:8081/. The rewrite rule filters on the regular expression `tfs/(.*)` and the rewrite URL is `http://backendserver.example.com:8080/{R.0}`. All the other settings are largely unchanged.
So when we access the TFS endpoint directly (from the reverse proxy server) it works fine; the firewall is open, so the regular URL (listed above) works fine. However, when we try the reverse proxy endpoint (http://reverseproxy.example.com:8081/tfs/), we continually get reprompted for authentication with 401 errors. When we try this same reverse proxy URL but as a redirect (URL Rewrite -> Edit Inbound Rule -> Action -> Action Type -> Redirect) it properly redirects the homepage to TFS, authentication succeeds, and all other pages in TFS, when requested, properly load without additional authentication challenges.
Does anyone have any idea why these 401 errors are occurring? My account isn't being locked out after multiple failed attempts, so I have reason to believe that these failures are not coming from the backend domain itself. Thanks everyone.
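The question hinges on NTLM being connection-oriented: the NEGOTIATE (Type 1) / CHALLENGE (Type 2) / AUTHENTICATE (Type 3) exchange must complete on the one TCP connection that issued the challenge, and a proxy that answers the final step on a different backend connection produces exactly the endless 401 loop described above. The following is an added diagnostic example, not code from the original post or from IIS/ARR: it decodes the NTLM message type from `Authorization` / `WWW-Authenticate` header values (the `NTLMSSP\0` signature followed by a little-endian message-type field) and walks an ordered list of exchanges to flag a handshake whose AUTHENTICATE arrives on a different connection than its CHALLENGE. The exchange records, their connection ids (`c1`, `p1`, `p2`) and the tokens are all constructed for the example; in practice they would come from a capture of the proxy-to-backend leg.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3


def ntlm_message_type(header_value):
    """Return the NTLM message type (1, 2 or 3) carried in an Authorization or
    WWW-Authenticate header value, or None when the value is not an NTLM token
    (a bare 'NTLM' challenge, a Basic header, undecodable base64, ...)."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].upper() not in ("NTLM", "NEGOTIATE"):
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    # Message type is the 32-bit little-endian field right after the signature.
    return struct.unpack_from("<I", raw, 8)[0]


def audit_ntlm_handshake(exchanges):
    """Walk (conn_id, authorization, status, www_authenticate) tuples in order
    and return a list of finding strings. An NTLM handshake has to finish on
    the connection that issued the CHALLENGE; if the AUTHENTICATE shows up on
    another connection, the server has no state for it and answers 401 again."""
    findings = []
    challenge_conn = None  # connection on which the last CHALLENGE was issued
    for conn_id, authorization, status, www_auth in exchanges:
        req_type = ntlm_message_type(authorization) if authorization else None
        resp_type = ntlm_message_type(www_auth) if www_auth else None
        if req_type == NEGOTIATE:
            if status == 401 and resp_type == CHALLENGE:
                challenge_conn = conn_id
            else:
                findings.append(
                    f"conn {conn_id}: NEGOTIATE not answered with a CHALLENGE (status {status})")
        elif req_type == AUTHENTICATE:
            if challenge_conn is None:
                findings.append(f"conn {conn_id}: AUTHENTICATE without a preceding CHALLENGE")
            elif conn_id != challenge_conn:
                findings.append(
                    f"conn {conn_id}: AUTHENTICATE sent on a different connection than the "
                    f"CHALLENGE (conn {challenge_conn}); handshake state was lost")
            elif status == 401:
                findings.append(f"conn {conn_id}: AUTHENTICATE rejected with 401 by the server")
            challenge_conn = None  # handshake is over either way
    return findings


def make_token(msg_type):
    """Constructed NTLM token holding only the signature and message type;
    real tokens carry flags, domain, workstation and challenge fields too."""
    body = NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 8
    return "NTLM " + base64.b64encode(body).decode()


# Constructed: direct access, the whole handshake stays on connection c1.
DIRECT_EXCHANGE = [
    ("c1", None, 401, "NTLM"),
    ("c1", make_token(NEGOTIATE), 401, make_token(CHALLENGE)),
    ("c1", make_token(AUTHENTICATE), 200, None),
]

# Constructed: proxied access, the proxy forwards the AUTHENTICATE on a fresh
# backend connection p2, so the backend restarts the challenge with 401.
PROXIED_EXCHANGE = [
    ("p1", None, 401, "NTLM"),
    ("p1", make_token(NEGOTIATE), 401, make_token(CHALLENGE)),
    ("p2", make_token(AUTHENTICATE), 401, "NTLM"),
]

if __name__ == "__main__":
    for name, exchange in (("direct", DIRECT_EXCHANGE), ("proxied", PROXIED_EXCHANGE)):
        print(name, audit_ntlm_handshake(exchange) or "handshake completed on one connection")
```

Run against the constructed data, the direct exchange yields no findings and the proxied one reports the AUTHENTICATE landing on `p2` after the CHALLENGE was issued on `p1`; the same check over a real capture between the proxy and the TFS server separates a proxy that is not keeping the handshake on one backend connection from a backend that is genuinely rejecting the credentials (which would show as a 401 on the same connection).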