2

I upgraded my Ubuntu to 18.10 (from 17.10). Now I can't connect to my project's Microsoft Visual Studio Team Foundation Server (Version 16.131.27701.1) from the CLI any more. (I didn't worked on the repository for two weeks. So I don't know if the server side changed in the meantime as well.)

$ git fetch
Username for 'http://....net:8080': NUNNI
Password for 'http://NUNNI@....net:8080': 
fatal: Authentication failed for 'http://....net:8080/tfs/AE/_git/AE-VMT/'

(Yes, it's not HTTPS and it's via some VPN.)

Unfortunately I wasn't able to find a helpful answer to my situation.

Some research showed:

$ GIT_CURL_VERBOSE=2 git fetch
...
< WWW-Authenticate: Bearer
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
...

So it seems, Negotiate (Kerberos or NTLM) or NTLM are are announced for authentication via the HTTP headers.

curl --negotiate "http://NUNNI:<password>@....net:8080/tfs/AE/_git/AE-VMT"

does not work; HTML title element is:

TF400813: Resource not available for anonymous access. Client authentication required. - Microsoft Team Foundation Server

Whereas

curl --ntlm "http://NUNNI:<password>@....net:8080/tfs/AE/_git/AE-VMT"

works fine.

As far as I understood https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/understanding-http-authentication, Negotiate is preferred over NTLM.

So for me it looks as if cURL is not working for Negotiate in this situation. (As far as I understood the MS documentation, the connection should prefer Kerberos if available and fall back to NTLM if Kerberos is not available.)

Questions:

  • How can I check if Kerberos is not supported by the server-side or my local cURL.
  • Is there an option to force git to use NTLM instead of Negotiate. (I read something about HTTP/NTLM proxy in different stackoverflow articles but it didn't work when I tried to configure the Git repository to be an NTLM proxy - I didn't really expected that to work.)
  • Any other ideas to solve the issue or get more details what's going on?

Thanks a lot!

Thomas
  • 21
  • 1

1 Answers1

0

If you're using a username and password, you're explicitly not using Kerberos. Using a username and password for HTTP authentication is orthogonal to Kerberos.

How can I check if Kerberos is not supported by the server-side or my local cURL.

Run klist -5fea to see if you have a Kerberos ticket. If so, you should be able to curl --negotiate without specifying a username and password; curl will use your Kerberos ticket to authenticate. If you do not have a ticket, you will need to use NTLM and use a username and password, or use a personal access token (PAT).

Is there an option to force git to use NTLM instead of Negotiate.

Yes, using a username and password should explicitly disable Negotiate.

Any other ideas to solve the issue or get more details what's going on?

Set the GIT_CURL_VERBOSE=1 and GIT_TRACE=1 environment variables.

Edward Thomson
  • 74,857
  • 14
  • 158
  • 187
  • Thanks for your answer. It helped me partially.Additionally I found out, that I missed the announced BASIC authentication in the HTTP headers. And cURL only works wenn I add --ntlm as option. Without that it tries to use BASIC that returns an authentication error. No I try to convince my customer to fix that. :-( – Thomas Jan 15 '19 at 12:46
  • Yeah, I've seen reports of this. I think that Basic is only supported for personal access tokens, and NTLM is only supported for domain users. I'm...not actually sure how to resolve that problem. – Edward Thomson Jan 15 '19 at 12:55