Error 0x80072F19 while using Source Safe 2005 Beta 2 via SSL
Hi,
I use the Source Safe 2005 Beta 2 via SSL, source safe database has users with names Admin and Administrator with a not empty passwords. If I connect to this database from logged on user named Administrator, then I able to use this database (password not required, and I don't understand why), but if I use the same database from logged on user named, for example,Test, then I see the following error:
"Cannot contact the Visual SourceSafe Internet Web Service or cannot access the specified database. The server returned the following error code: 0x80072F19"
How to fix this issue?
Hi Sergey,
It is likely that your VSS database has enabled "Use network name for automatic user log in" (in SSAdmin, Tools/Options/General). That could explain why from the Administrator account you are able to use VSS remote without typing the password.
As for the 0x80072F19, it means ERROR_INTERNET_SEC_CERT_REV_FAILED.
It is possible that the URL for the revocation information for your certificate is unresponsive, and the connection is cancelled.
I would also check if there is a difference between the two accounts for this InternetExplorer setting: Tools/Options/Advanced/Security section/Check for server certificate registration. If the revocation url cannot be made accessible, you can try turning off that check for the user Test and see if that helps.
Alin
Hi Alin,Thank you for the answers.
>
It is likely that your VSS database has enabled "Use network name for automatic user log in" (in SSAdmin, Tools/Options/General). That could explain why from the Administrator account you are able to use VSS remote without typing the password.After unchecking this check box, when I attempt connect to the VSS DB from the client (from Visual Studio) I see the following message:"Visual SourceSafe Internet plug-in could not connect to the specified database.
To use integrated authentication, the database administrator will need to create a user matching your Windows logon name and will need to enable automatic login using network names.
If you want to use a name different from your logon name, the database administrator will need to require secure communication using SSL."But VSS WebService already has marked checkbox "Require secure channel (SSL)" in the virtual directory settings.
I think I should describe a full story:
I have computer in my company named MyCompany, and I need use Source Safe 2005 Beta 2 through the Internet. When MyCompany's DefaultWebSite has certificate named MyCompany I can use a VSS from any computer in our network using url
https://MyCompany/SourceSafe/VssService.asmx.
BUT, ideally, I need access to this VSS from the Internet.
Our company has url, for example MyCompany.com.ua. We have a router, which redirects all queries on port 443 to our internal machine MyCompany. When I’ve tried to use VSS from computer located out of our network, using url https://MyCompany.com.ua/SourceSafe/VssService.asmx I saw the security alert in IE:
"The name on the security certificate is invalid or does not match the name of the site". And error in the Visual Studio: “The SourceSafe Web Service cannot be accessed because the server name specified in the following address does not match the machine name for which the SSL certificate was issued. https://MyCompany.com.ua/SourceSafe/VssService.asmx”. That is true, because I’ve used url MyCompany.com.ua, but certificate’s name is just MyCompany. I’ve thought, that I can create certificate named MyCompany.com.ua and use it with Server Side source safe, but when I’m trying to enable SSL in the Source Safe (Server->Configure->Require Secure communication using SSL) I see the following error: “Failed to enforce SSL requirement on IIS. VSS Web Service is disabled on the machine. Configure IIS to allow SSL connections and enable the VSS Web Service from the SourceSafe Admin”. So, as I can understand – for successfully enabling this option in the Source Safe Server, the name of certificate must be equal to the computer’s name. But I still need the SourceSafe outside from our network J. I tried trick Source Safe the following way: I’ve configured this VSS SSL option while security certificate was named MyCompany, then I’ve uninstalled this certificate, requested and installed new one with a name MyCompany.com.ua and installed it.
After implementing all steps described in this story, I’ve created this thread. Could you please help me to use Source Safe via Internet in my situation?
Hi Sergey,
Thank you for describing the situation so detailed.
Your first scenario (when the SSL certificate is issued to MyCompany and you try to access the webservice as https://MyCompany.com.ua/SourceSafe/VssService.asmx) is not supported in VSS. I know VSS is more restrictive than IE here, but it may be safer this way.
Your second scenario (when SSL certificate is issued to MyCompany.com.ua) is supported. Theoretically, to enable Internet service in the above scenario, you'll have to do this:
- obtain the certificate for the server named 'MyCompany.com.ua'
- install the certificate on the machine MyCompany (using IIS Manager)
- in SSAdmin, open Server/Configure, check all 3 boxes, type in the Server edit field the name for which the certificate was issued (MyCompany.com.ua) and click Ok
- the clients (both internal and external) will need to access the database as https://MyCompany.com.ua/SourceSafe/VssService.asmx
This works fine with latest CTP drops.
However, beta2 had problems enabling the service, so you may be able to do the last step incrementally, e.g.:
- enable first the service on the machine and on the database (it seems you have already done that, using the machine name in the server's edit field)
- open again the Server/Configure the dialog, type in the server name for which the certificate was issued (MyCompany.com.ua), check the RequireSSL checkbox, then Ok the dialog.
If this does not work, you can enable the service manually for SSL:
- enable the service on the machine and database without requiring SSL
- in IIS manager, add the certificate for MyCompany.com.ua for the site
- go to IIS Manager, right click SourceSafe folder, select Properties.
- In the tab DirectorySecurity, click Edit button.
- check the 'Require Secure channel' and '128 bits encryption' checkboxes, then ok all the dialogs.
- manually edit the srcsafe.ini and change the server name to MyCompany.com.ua
- on the clients, you may need to re-add the database. In the AddVSSDatabase Wizard make sure you use the name of the server MyCompany.com.ua to match the name in the certificate.
I hope this helps,
Alin
>...
If this does not work, you can enable the service manually for SSL:
- enable the service on the machine and database without requiring SSL
- in IIS manager, add the certificate for MyCompany.com.ua for the site
- go to IIS Manager, right click SourceSafe folder, select Properties.
- In the tab DirectorySecurity, click Edit button.
- check the 'Require Secure channel' and '128 bits encryption' checkboxes, then ok all the dialogs.
- manually edit the srcsafe.ini and change the server name to MyCompany.com.ua
- on the clients, you may need to re-add the database. In the AddVSSDatabase Wizard make sure you use the name of the server MyCompany.com.ua to match the name in the certificate.I have done these steps, and saw the following message in the Visual Studio:
"Visual SourceSafe Internet plug-in could not connect to the specified database.
To use integrated authentication, the database administrator will need to create a user matching your Windows logon name and will need to enable automatic login using network names. If you want to use a name different from your Windows logon name, the database administrator will need to require secure communication using SSL."Looks like these steps did not help me.
And one more question: Can I use a server part from the July CTP and client part from the Beta 2?
Hi,
By changing the server name in srcsafe.ini I meant changing the Web_Service url.
I would also make sure that in VisualStudio you have Tools/Options/SourceControl/PluginSettings/Advanced -> "Always use SSL to connect to the server" checked out.
If none of these fix the problem, I'm out of ideas what could be wrong.
You cannot use client from Beta2 and server part from a more recent CTP because there were some changes in the remote functions arguments that made them incompatible.
Alin
>By changing the server name in srcsafe.ini I meant changing the Web_Service url.
I would also make sure that in VisualStudio you have Tools/Options/SourceControl/PluginSettings/Advanced -> "Always use SSL to connect to the server" checked out.
Unfortunately this not helped me. Anyway, thanks for your attention, Alin.
