1

I recently built a TFS 2018 server and set it up as git. For a few months, things have been working fine until last week when I started seeing the following error:

C:\temp\git>git clone https://tfs.mycompany.com/project/team/_git/framework
Cloning into 'framework'...
fatal: Authentication failed for 'https://tfs.mycompany.com/project/team/_git/framework/'

After nearly a week of troubleshooting, I am no closer to finding out the root cause of the problem. Everything I've tried results in the same error. All solutions I found on the net and within SO have not worked, i.e. deleting git folder, uninstalling git, reinstalling git, deleting .cache file, whatever... made no difference.

Today I discovered that I can use the git for windows client against our old TFS 2015 instance and github without any errors so this appears to be a TFS 2018 only issue. I've searched and searched for any security settings that might have changed, but cannot find anything security related that I can change that would affect it in this manor. I also checked the server cert and it appears to be valid for another year, so I don't think it's that.

I also discovered that Visual Studio 2015 can clone and sync with the TFS 2018 server - no authentication errors. Clearly it has it's own built-in git client unaffected by whatever is causing the auth issues with the git client for windows. Visual Studio 2017 throws the same error as git for windows client, so I'm guessing it uses that client under the hood, unlike vs2015.

At the moment, I'm using the most recent git for windows client and it's the only client installed (other than vs2015) - removed all other git clients, i.e. TortoiseGit. Also note, that I've deleted any windows creds for the TFS 2018 server and I'm never prompted for a username or password as Microsoft's articles would suggest. I'm not prompted for creds for the TFS 2015 server either, but credential manager has valid credentials for that server.

Does anyone have a clue as to what could be wrong here? Our server is completely useless at this time as nobody can sync changes.

Chris Gessler
  • 22,727
  • 7
  • 57
  • 83
  • @rubenvb - appears to be a client issue because Visual Studio 2015 is working, but since multiple developers are affected, it's possible something changed on the server. At this point, it's unclear if this is server related. Another note is that SSH is working as expected so that will likely be my backup plan. – Chris Gessler Oct 09 '18 at 20:28

2 Answers2

1

First, check your credential helper: it might have cached incorrect credentials:

git config credential.helper

Second, check your all configuration:

git config -l --show-origin

Look for any insteadOf directive, which could change an https URL to an SSH one.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • This would not affect multiple users, but I can check. – Chris Gessler Oct 10 '18 at 15:16
  • credential.helper=manager http.sslbackend=schannel Didn't see anything related to SSH or insteadOf. – Chris Gessler Oct 10 '18 at 16:59
  • You are using https so the credential helper matters. SSH is irrelevant here. – VonC Oct 10 '18 at 17:32
  • @ChrisGessler Try and open the credential manager (Windows) and delete your github.com entry. Then try again. (https://stackoverflow.com/a/39608906/6309) – VonC Oct 10 '18 at 19:42
  • At this point, I will try anything, but I don't think deleting my github creds will help authenticating to our local TFS server. Will let you know the outcome. – Chris Gessler Oct 10 '18 at 22:38
  • As I suspected, deleting the github creds had no effect. – Chris Gessler Oct 11 '18 at 14:16
  • @ChrisGessler Sorry, I meant the credentials associated to your TFS server, if you see an entry in the Credential Manager. – VonC Oct 11 '18 at 15:56
  • Trust me... tried that too. Also note that when I add the credentials manually, it not only doesn't work for VS 2017, but it also breaks VS 2015 with a 401 unauthorized error. Slightly different error but same result. – Chris Gessler Oct 11 '18 at 22:10
1

Changed the TFS server authentication to NTLM and GIT clone worked as expected. I believe update 3 changes it over to kerberos authentication either without asking or maybe I glossed over it. Below is the command to change it back.

C:\Program Files\Microsoft Team Foundation Server 2018\Tools>TFSConfig Authentication /provider:NTLM /siteType:ApplicationTier
Chris Gessler
  • 22,727
  • 7
  • 57
  • 83
  • True dat! I can't explain why kerberos doesn't work, sadly enough... but at least we're not dead in the water. Hopefully Microsoft will fix this bug before our security team decides to turn off NTLM. – Chris Gessler Oct 24 '18 at 03:19