Timeout on TFS Warehouse building job

Have you ever experienced the following exception?

“Microsoft.TeamFoundation.Warehouse.WarehouseException: TF221122: An error occurred running job Work Item Tracking Warehouse Sync for team project collection or Team Foundation server <TFS_COLLECTION>. —> Microsoft.TeamFoundation.WorkItemTracking.Server.SqlCommandTimeOutException: Timeout expired”.

I’ve done these days and it was incredible hard to find out a solution: it looked like the job was stopped because every time I run this query, the result didn’t change.

SELECT COUNT(*)FROM[Tfs_Warehouse].[dbo].[DimWorkItem]

Going deeper into the issue, I’ve discovered that everyday the warehouse building job was failing because of a SQL timeout. I’ve tried to rebuild the warehouse, stop job and run it manually, disable all the job and run only that one but nothing helped.

Finally, I’ve found the solution, manually creating two indexes on the TFS collection database (please, don’t ask me why they weren’t already in TFS database):


ON [dbo].[WorkItemsWere]([PartitionId],[ID],[Rev])

INCLUDE ([Revised Date],[Changed Date],[AreaID],[State],[Authorized Date])



ON [dbo].[WorkItemsLatest]([PartitionId],[ID],[Rev])

INCLUDE ([Revised Date],[Changed Date],[AreaID],[State],[Authorized Date])


After running it, the warehouse started immediately to be populated again! Nice!


KB2750149 causes problems on HTTPS connections behind TMG proxy/firewall

I’ve been experiencing a lot of troubles authenticating to Team Foundation Server of my company for five months, and today I’ve finally got the cause of them and the solution.
Our TFS is installed on a Windows Server 2012 and published over HTTPS and we can get it through a TMG 2010 proxy/firewall.

Some months ago we migrated our old TFS 2010 to the new version and at the same time, some clients from Windows 7 to Windows 8: it was when we started having those problems!
If we tried to connect to it using Visual Studio 2012 we received the strange error: “TF30063: You are not authorized to access [project]”.
What’s this?!? I was using the TFS admin credentials!

I fought against it for a long time trying a lot of solution from the web but none of them solved the issue:

  • Someone suggests to clear the IE cache.
  • Someone suggests to modify settings on IIS
  • Someone suggests to install TMG client
  • Someone suggests to clear credentials saved in Credential Manager
  • Someone suggests to add TFS website to Intranet zone on IE
  • I’ve installed and uninstalled several times Team Explorer 2012 and 2010

None of them fixed the problem. Anyway last week I got the right way and today I’ve finally solved it: the issue is related to the KB2750149. This update has some known issue with the Failover Cluster Server fixed by the KB2803748…and now we’ve found another one!

After having uninstalled this update and restarted my pc I was able to connect to TFS again. Unfortunately this is a very important update solving several issues about .NET framework 4.5, so be very careful before uninstalling it!

Publish Team Foundation Server 2010, Sharepoint 2010 and Project Server 2010 over SSL/HTTPS

Some days ago I was asked to publish our Team Foundation Server 2010 on the web over a secure communication protocol (SSL/HTTPS). I read the Alan’s blog and the Rudi Groenewald’s blog about the same argument but none of them fits my situation at all.

The environment we have is more complex than those they describe. The general architecture is the following:

  • a TFS server (I’ll simply call it TFS) that hosts the following services/tier: Team Foundation application tier and Reporting Services application tier instance,
  • a Sharepoint server (I’ll simply call it TFSSP) that hosts the following services/application: a Sharepoint 2010 farm with a Project Server 2010 instance;
  • a SQL Server 2008 R2 server (I’ll simply call it TFSDT) that hosts all databases for Sharepoint, TFS and Project Server.
    At the end of the procedure, we want to have the following sites published:


  1. Have the FQDN you want to use: for this guide I will use “mydomain.net
  2. Have the needed rules configured on the firewall/DNS of your network, in order to allow connections to servers: we asked our system administrator to allow connection to TFS through port 443 and 8088 and to TFSSP through 443.

Procedure overview:

  1. Create a certificate from a Microsoft Certificate Services Server (I installed one because we hadn’t had it);
  2. Configuring IIS servers on TFS and TFSSP;
  3. Configuring Sharepoint Web Application;
  4. Configuring Reporting Services server;
  5. Configuring Team Foundation Server instance.

1. Installing Microsoft Certificate Services Server and create a certificate

I installed a certification authority server on TFS because we hadn’t had one in our network.

  1. Log on to TFS as an administrator.
  2. Click Start, point to Administrative Tools, and then click Server Manager.
  3. In the Roles Summary section, click Add roles.
  4. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
  5. On the Select Role Services page, select the Certification Authority check box, and then click Next.
  6. On the Specify Setup Type page, click Enterprise, and then click Next.
  7. On the Specify CA Type page, click Root CA, and then click Next.
  8. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers: I accepted the default values by clicking Next twice.
  9. In the Common name for this CA box, type the common name of the CA, TFS, and then click Next.
  10. On the Set the Certificate Validity Period page, feel free to adjust the validity period or leave the default and then click Next.
  11. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
  12. After verifying the information on the Confirm Installation Options page, click Install.
  13. Review the information on the confirmation screen to verify that the installation was successful After then, I create the certificate for the TFS web server:
  14. Open up the IIS Manager (on TFS) and select the server;
  15. Select “Server Certificates
  16. In the Actions pane, select “Create Domain Certificate
  17. Follow the steps in the “Create Certificate” dialog to create a request. I use the following values:
    • Common name: tfs.mydomain.net
    • Organization: mydomain
    • Organizational unit: mydomain
    • City/locality: Rome
    • State/province: Rome
    • Country region: IT
    • Online Certification Authority: domain-tfs-CA\tfs
    • Friendly name: tfs.mydomain.net
  18. Click OK if an error window is prompted and go to Certification Authority services, under the folder Pending Requests;
  19. Select the pending request for the certificate, right click and select All Tasks->Issue;
  20. Under the folder Issued Certificates, select the issued certificate, right click and select All Tasks->Export Binary data and save it on a local folder;
  21. In the Server Certificates on IIS, select “Complete Certificate Request” to import the certificate file;
  22. Then select the certificate you’ve just imported, right click and select Export to export both the certificate and primary key in order to import them to IIS on TFSSP;

Finally I exported the root certificate from the authority because I will need to install it on clients in order to be able to connect with Visual Studio.

  1. On TFS server, log on as administrator
  2. Run command prompt and type:  certutil -ca.cert C:\\tfs-ca.cer
  3. The tfs-ca.cer certificate must be installed on clients in order to connect with Visual Studio

2. Configuring IIS servers on TFS and TFSSP

On TFS we need to set the SSL bindings:

  1. Open IIS Manager;
  2. Select “Default Web Site” and select “Bindings” in the Action Pane;
  3. Click “Add” in the “Site Bindings” pop-up.
  4. Change the following values:
    • Type: hhtps
    • Port: 443
    • SSL Certificate: tfs-cert
  5. Click “Ok” in the Add Site Binding and “Close” in “Site Bindings
  6. Perform the same steps for the “Team Foundation Server” website except use port 8088 instead of 443.

On TFSSP we need to import the certificate from TFS and set the SSL bindings:

  1. Open IIS Manager;
  2. Select “Server Certificates
  3. In the Actions pane, select “Import”, browse to the previously exported certificate and type the password;
  4. Select the sharepoint web application (for example, “Sharepoint – 80”) and select “Bindings” in the Action Pane;
  5. Click “Add” in the “Site Bindings” pop-up.
  6. Change the following values:
    • Type: hhtps
    • Port: 443
    • SSL Certificate: tfs-cert
  7. Click “Ok” in the Add Site Binding and “Close” in “Site Bindings
    Moreover, on the TFSSP server, install the certificate into the Trusted Root Certificate Authority.

3. Configuring Sharepoint Web Application

To configure Sharepoint web application:

  1. Open up SharePoint Central Administration;
  2. Click on Configure alternate access mapping under System Settings;
  3. Click on Edit Public URLs;
  4. Select the Sharepoint – 80 web application;
  5. Set https://tfssp.mydomain.net as Default;
  6. Click Save;
  7. Return to SharePoint Central Administration;
  8. Click on Security and then on Manage Trust;
  9. In the ribbon interface, go to Trust Relationships Tab and click on New button;
  10. In the Root Certificate to trust relationship section, click on Browse;
  11. Select the certificate that you have exported;
  12. Set a name for the certificate, like “TFS certificate” and click on OK;
    Great! Now you should be able to navigate both to https://tfs.mydomain.net:8088/tfs/web and https://tfssp.mydomain.net/.With the following two steps, you will configure Reporting Services and change the links showed on the Team Foundation Web Access home page and the links sent by Team Foundation alert service.

4. Configuring Reporting Services server

To configure Reporting Services to allow https traffic:

  1. On TFS, open up Reporting Services Configuration Manager
  2. Select Web Service URL
  3. In the right panel, select “tfs-cert” as the SSL Certificate and 443 as the SSL Port.
  4. Select Apply
  5. Select Report Manager URL
  6. In the right panel, select Advanced
  7. In the Advanced Multiple Web Site Configuration window that pops up click Add under the Multiple SSL Identities for Report Manager
  8. The Add a Report Manager SSL Binding window will pop-up, just select “tfs-cert” and it will automatically get the URL from the certificate.
  9. Click OK until you get back to the main Reporting Services Configuration window.

5. Configuring Team Foundation Server instance

  1. On TFS, open up Team Foundation Server Administration Console
  2. Navigate to the Application Tier
  3. In the right pane, select Change URLs
  4. In the Change URLs pop up, change the Notification URL to “https://tfs.mydomain.net:8088/tfs"
  5. Click Ok, we are finished configuring the Application Tier.
  6. Navigate to the Sharepoint Web Applications
  7. In the right pane, select the “http://tfssp” application and click Change
  8. Change the Web Application URL value in the Sharepoint Web Application Settings to “https://tfssp.mydomain.net”
  9. Navigate to Reporting in the left pane.
  10. In the right pane select Edit
  11. The Reporting window will popup.  Select the Reports tab.
  12. Select the Populate URLs, this will cause the drop downs in the tab to refresh with what the Report Server has configured.
  13. Change the drop downs in the URL section to the https addresses that were created earlier
  14. Once you click Ok, be sure to click Start Jobs in the Reporting pane.


That’s all!

“Red-X” on Work Items folder in Team Explorer 2010

This morning I was working with TFS and Team Explorer 2010, when I get a very strange type of error: a red-X on the Work Items folder in Team Explorer, whereas in Team Web Access I get an access denied error over the Work Items queries…

I already got Red-X errors over Documents and Reports folders but it  was never on the Work Items folder: I learnt it’s a rare occurrence when compared to the much more prevalent Red-X on Documents and/or Reports!

Moreover I had no error information to help me start troubleshooting the problem: the work item tracking web service was working and the event logs were not throwing anything helpful. What I did was to run the witexport command: when I ran this command, it gave me an error (“TF201072: A user or group could not be found.”). Again not very helpful!

After investigating I notice it was only a problem with my client: nor colleague had a similar issue, neither I had a similar issue from another machine. This drove me to the solution: clearing the Visual Studio Cache!

The Visual Studio cache, on Windows 7 and Windows Server 2008, is under C:\Users\<user>\AppData\Local\Microsoft\Team Foundation\<version>

After removing all files under this directory all works fine, again.

Process template customization: prevent any user to change work item state unless the creator

Some day ago I was asked to implement this rule on TFS 2010: “When a work item is in Resolved state, only the creator can close it”.

Before explanation, just two more notes and remarks:

  • I need to implement this rule only for users who use Team System Web Access, not Team Explorer;
  • Only the creator (that is a single specific user) can change the work item state, not a group of users!

TFS 2010 has many features and rules to implement validation on work item states but, unfortunately, none of them fit to resolve my issue. The only solution I found is to create a custom control in order to validate the work item: not just the best solution, but it seems it works.

Let me explain the steps:

  • Create class library project to implement a work item custom control;
  • Extend the FieldControl class and implement the InvalidateDatasource method, where you will implement your validation logic; for example my code is:
WorkItem CurrentWorkItem=this.DataSource as WorkItem;
String currentUser=CurrentWorkItem.Store.TeamProjectCollection.AuthorizedIdentity.DisplayName;
String createdBy = ((Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItem)this.WorkItemDatasource).CreatedBy;
if (!String.IsNullOrEmpty(currentUser) && !currentUser.Equals(createdBy)&& isResolvedOrClosed())            
  throw new Exception("You are not allowed to update this work item. Only the owner of the activity"+
                     +" can perform this action.");

private bool isResolvedOrClosed()
 String actualState = ((Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItem)this.WorkItemDatasource).State;
 return actualState.Equals("Closed") || actualState.Equals("Resolved");
  • Create wicc file like this one:
<?xml version="1.0"?>
 <CustomControl xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  • Build the project and copy dll and wicc file into TFS Server under  C:\\Program Files\Microsoft Team Foundation Server 2010\Application Tier\Web Access\Web\App_Data\CustomControls;

While working through this investigation process I’ve found the following resources very useful, and my thanks go to their authors:

Customizing Work Items

Create custom work item control for TFS Web Access 2010 (TWA)

How to use Custom Controls in Work Item Form

Custom Controls in Work Item Types

Changing Datetime control format in Team Foundation Server 2010

I was working on a new work item template (WIT) for Team Foundation Server 2010 and I encountered a requirement for a datetime field where the user could select a the date and the time a specific activity was done. The DateTimeControl for TFS work items displays only a date picker by default, which for this particular use case was not quite accurate enough.

Searching over the web I’ve found a good post of Nick Hoggard in order to do this.

Simply, you have to set the Format and CustomFormat attribute of the control in the work item definition. That’s all!