git "fatal: Authentication failed for 'http:...'" from Microsoft Visual Studio Team Foundation Server


I upgraded my Ubuntu to 18.10 (from 17.10). Now I can't connect to my project's Microsoft Visual Studio Team Foundation Server (Version 16.131.27701.1) from the CLI any more. (I didn't work on the repository for two weeks, so I don't know if the server side changed in the meantime as well.)

```
$ git fetch
Username for 'http://....net:8080': NUNNI
Password for 'http://NUNNI@....net:8080': 
fatal: Authentication failed for 'http://....net:8080/tfs/AE/_git/AE-VMT/'
```

(Yes, it's not HTTPS and it's via some VPN.)

Unfortunately I wasn't able to find a helpful answer to my situation.

Some research showed:

```
$ GIT_CURL_VERBOSE=2 git fetch
...
< WWW-Authenticate: Bearer
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
...
```

So it seems Negotiate (Kerberos or NTLM) or NTLM are announced for authentication via the HTTP headers.

```
curl --negotiate "http://NUNNI:<password>@....net:8080/tfs/AE/_git/AE-VMT"
```

does not work; HTML title element is:

TF400813: Resource not available for anonymous access. Client authentication required. - Microsoft Team Foundation Server

Whereas

```
curl --ntlm "http://NUNNI:<password>@....net:8080/tfs/AE/_git/AE-VMT"
```

works fine.

As far as I understood https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/understanding-http-authentication, Negotiate is preferred over NTLM.

So for me it looks as if cURL is not working for Negotiate in this situation. (As far as I understood the MS documentation, the connection should prefer Kerberos if available and fall back to NTLM if Kerberos is not available.)

Questions:

  • How can I check if Kerberos is not supported by the server-side or my local cURL?
  • Is there an option to force git to use NTLM instead of Negotiate? (I read something about HTTP/NTLM proxy in different Stack Overflow articles, but it didn't work when I tried to configure the Git repository to be an NTLM proxy - I didn't really expect that to work.)
  • Any other ideas to solve the issue or get more details on what's going on?

Thanks a lot!

There is 1 answer

Edward Thomson

If you're using a username and password, you're explicitly not using Kerberos. Using a username and password for HTTP authentication is orthogonal to Kerberos.

> How can I check if Kerberos is not supported by the server-side or my local cURL.

Run klist -5fea to see if you have a Kerberos ticket. If so, you should be able to curl --negotiate without specifying a username and password; curl will use your Kerberos ticket to authenticate. If you do not have a ticket, you will need to use NTLM and use a username and password, or use a personal access token (PAT).

> Is there an option to force git to use NTLM instead of Negotiate.

Yes, using a username and password should explicitly disable Negotiate.

> Any other ideas to solve the issue or get more details what's going on?

Set the GIT_CURL_VERBOSE=1 and GIT_TRACE=1 environment variables.
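
A diagnostic sketch for the checks discussed in this thread, added here as an example and not part of the question or the answer: it lists the schemes the server advertises, the authentication features of the local curl, and whether a valid Kerberos ticket exists, then reports which mechanism can work. The function names, the `--live` switch, the sample data and the simplified decision rule (Negotiate only counts as usable with a Kerberos ticket) are assumptions of this example; `klist -s` is assumed to come from the MIT Kerberos client.

```shell
#!/bin/sh
# Added example. SAMPLE_* values are constructed, modelled on the trace in the question.
SAMPLE_TRACE='< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Bearer
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM'
SAMPLE_CURL_V='Protocols: http https
Features: AsynchDNS GSS-API HTTPS-proxy IPv6 Kerberos Largefile NTLM NTLM_WB SPNEGO SSL'

# Read verbose curl/git output on stdin; print each advertised auth scheme on its own line.
offered_schemes() {
    grep -i '^< *WWW-Authenticate:' | sed 's/^[^:]*:[[:space:]]*//' |
        awk '{print $1}' | tr -d '\r'
}

# Read `curl -V` output on stdin; print only the authentication-related features.
curl_auth_features() {
    sed -n 's/^Features: //p' | tr ' ' '\n' |
        grep -E '^(GSS-API|SPNEGO|NTLM|Kerberos)$' || true
}

# has_word LIST WORD: true if WORD is one whole line of LIST (case-insensitive).
has_word() { printf '%s\n' "$1" | grep -qix "$2"; }

# pick_mechanism SCHEMES FEATURES HAVE_TICKET(yes|no)
# Simplified rule (assumption): Negotiate needs a Kerberos ticket and SPNEGO support;
# otherwise fall back to NTLM with username and password.
pick_mechanism() {
    if has_word "$1" Negotiate && has_word "$2" SPNEGO && [ "$3" = yes ]; then
        echo negotiate-kerberos
    elif has_word "$1" NTLM && has_word "$2" NTLM; then
        echo ntlm-password
    else
        echo none
    fi
}

# Live mode: run inside the clone. GIT_TERMINAL_PROMPT=0 stops git from prompting,
# so only the server's 401 challenge is collected and no password is typed.
if [ "${1:-}" = "--live" ]; then
    schemes=$(GIT_TERMINAL_PROMPT=0 GIT_CURL_VERBOSE=1 git fetch 2>&1 |
        offered_schemes | sort -u)
    features=$(curl -V | curl_auth_features)
    if klist -s 2>/dev/null; then ticket=yes; else ticket=no; fi
    echo "server offers:         $(echo $schemes)"
    echo "local curl supports:   $(echo $features)"
    echo "valid Kerberos ticket: $ticket"
    echo "usable mechanism:      $(pick_mechanism "$schemes" "$features" "$ticket")"
fi
```

git may be linked against a different libcurl build than the `curl` binary, so treat the feature list as a hint about git rather than proof. When testing NTLM by hand, `curl --ntlm -u NUNNI <url>` makes curl prompt for the password instead of leaving it in the URL and the shell history.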