As part of work recently to improve how we test the Scrum for Team System template and tools across different platforms, we have discovered there are a few additional manual steps to take when you are installing the template in a distributed environment (i.e. you are using a remote WSS 3 or MOSS 2007 server to host your Team Project Portals).
First of all, when WSS is not installed locally on the TFS App Tier machine, Integrated Windows authentication is not set for the Default Web Site. This then means that Applications created under Default Web Site inherit the ‘Enable anonymous access” authentication setting. Unfortunately this affects the correct operation of the services that underpin correct operation of Scrum for Team System v2.x.
You may also see in a Team Project portal a message that states that an account IUSR_<machinename> is not authorized or licensed to connect to the TFS server (the message may be different according to the version of TFS you have installed):
To fix this issue with the IIS 6 Management tool: On the TFS Application Tier server, navigate to the IIS Manager, Default Web Site. Right click on the ‘ScrumforTeamSystem’ application and click on Properties. On the Directory Security tab, click Edit within the ‘Authentication and access control’ region. Untick ‘Enable anonymous access’ and tick ‘Integration Windows authentication’. Press OK on all dialogs.
![clip_image002[4]](http://blogs.conchango.com/blogs/stuartpreston/clip_image0024_546C41C6.jpg "clip_image002[4]")
We will be making a fix to a future version the installer to set this explicitly but we wanted to get the information out there now so people with this issue can set things up correctly.
The second issue is that when you have a remote WSS/MOSS set up, you cannot access the Report List in a Team Project created by Scrum for Team System v2.x. Instead you receive a message as follows:
![clip_image002[10]](http://blogs.conchango.com/blogs/stuartpreston/clip_image00210_thumb_34513509.jpg "clip_image002[10]")
The reason for this in most cases is that the TFS Report List web part hosted within MOSS/WSS relies on passing through the user authentication to the Reporting Services server (typically hosted on the TFS App Tier). In a dual app-tier environment where MOSS or WSS is on a separate server, this means that Kerberos delegation must be configured, as NTLM authentication does not allow you to make cross machine calls as that user once authenticated.
As a domain administrator, using the “Active Directory Users and Computers” tool on a domain controller, find the MOSS/TFS server in the AD, and in the Properties > Delegation tab, select ‘Trust this computer for delegation to any service (Kerberos only). Your own network policies may dictate a finer set of delegation settings than listed here.
![clip_image002[14]](http://blogs.conchango.com/blogs/stuartpreston/clip_image00214_thumb_1436284C.jpg "clip_image002[14]")
No restart of any services should be required by this change. Refresh the Team Project portal page in your browser.
Once this step has been completed you may encounter a message similar to the following:
![clip_image002[12]](http://blogs.conchango.com/blogs/stuartpreston/clip_image00212_462DC8D6.jpg "clip_image002[12]")
If this is the case, it is most likely that the permissions to browse the reports have not been set correctly. Please visit the Microsoft documentation on this http://msdn.microsoft.com/en-us/library/bb558971.aspx and follow the instructions “To add a member to the Browser group in Reporting Services”.
If symptoms persist, you can review the Scrum for Team System support forum at http://www.scrumforteamsystem.com/forum to see if your issue has been resolved there, or raise a new topic there.