Home » Eclipse Projects » EGit / JGit » Authentication failure trying to access a TFS git repo
|Authentication failure trying to access a TFS git repo [message #1765071]
||Tue, 06 June 2017 11:37
|| Dennis Wagelaar
Registered: September 2012
When trying to fetch from a TFS git repo (HTTPS), I get the following error:|
org.eclipse.jgit.api.errors.TransportException: https://tfs.corilus.be/tfs/Corilus/_git/CareConnect: cannot open git-upload-pack
Caused by: org.eclipse.jgit.errors.TransportException: https://tfs.corilus.be/tfs/Corilus/_git/CareConnect: cannot open git-upload-pack
... 10 more
Caused by: java.io.IOException: Authentication failure
... 15 more
One of my colleagues has the same problem, another one has no issues. I have not been able to detect any differences in setup.
From the line number in the stack trace, it appears as if EGit/JGit wants to use NTLM authentication, even though Basic authentication is supported by our TFS (we're using personal access tokens in TFS for basic authentication). In any case, no combination of authentication credentials (NTLM account, personal access token, bogus values, ...) works, or gives a different error message for that matter.
Does anyone have any idea what may trigger this error, or why it only happens for 2 out of 3 people?
|Re: Authentication failure trying to access a TFS git repo [message #1765122 is a reply to message #1765071]
||Tue, 06 June 2017 20:44
| Thomas Wolf
Registered: August 2016
JGit and TFS apparently don't play well together :-(|
Dennis Wagelaar wrote on Tue, 06 June 2017 11:37
From the line number in the stack trace, it appears as if EGit/JGit wants to use NTLM authentication
I read the stack trace a bit differently. JGit will try GSS/SPNEGO, Digest, and Basic authentication in that order, and finally tries with a NONE policy. It doesn't do NTLM (unless the JDK's HttpUrlConnection would try that on its own when JGit doesn't explicitly set its authentication headers?) . The exception you see is raised when none of the authentication methods succeed. Your server advertises Bearer, Basic, Negotiate, and NTLM. (Negotiate would be GSS/SPNEGO).
The only reason I see why Basic authentication might fail is perhaps that JGit always encodes the username:password as UTF-8. What does TFS expect? RFC 7617 specifies an optional charset parameter; if not sent, the encoding is unspecified. TFS doesn't send one, and JGit would ignore it anyway.
So if JGit encodes as UTF-8 but the TFS server expects something else like Cp1252 and the username or password contain non-ASCII characters, Basic authentication might fail.
The other issue is why GSS/SPNEGO, which should be tried first, doesn't succeed. Compare https://bugs.eclipse.org/bugs/show_bug.cgi?id=501167 . This could be a Kerberos configuration problem, or it might perhaps be a problem with JGit's way of trying to do SPNEGO authentication.
|Re: Authentication failure trying to access a TFS git repo [message #1765397 is a reply to message #1765285]
||Fri, 09 June 2017 08:16
| Thomas Wolf
Registered: August 2016
Dennis Wagelaar wrote on Thu, 08 June 2017 07:29|
Yes, that suprised me as well: it just "stops". I've retried the git fetch, but that just generates the same log, and it stops again.
Very strange. Here's what I see in these logs:
It's not the _final_ NONE request but the _initial_ NONE request triggered by the first call to HttpUrlConnection.getResponseCode() that triggers all the JDK-internal authentication machinery by calling getInputStream(), which then calls getInputStream0().
Looking at the working log:
That then gets back the 401, and HttpUrlConnection tries to transparently do the authentication stuff.
It finds the Negotiate header. Kerberos or SPNEGO don't seem to be configured in your setup; somehow that fails right away: the JDK cannot even instantiate its Negotiator due to an InvocationTargetException. If you set the system property "sun.security.krb5.debug" to "true", you should get a stack trace on stderr showing where that comes from. But probably it just means that Kerberos is not configured at all.
Next the JDK tries NTLM. In both the working and the non-working log, it cannot authenticate. In the non-working case, it just stops after first 401 gotten after the initial NTLM attempt. So it's not Basic auth that fails: neither the JDK nor JGit ever get there!
In the working case, NTLM authentication proceeds, but ultimately fails and gets a 401 again. HttpUrlConnection then retries and strangely enough gets a null NTLM authentication scheme, which then of course results in another 401. Only then it re-tries NTLM, but ultimately fails again and gets another 401. It then gets another null NTLM scheme and this time tries Basic and succeeds.
Now there's a couple of strange things in the log of the working case, too:
* Why does the JDK re-try NTLM the first time it gets a null scheme, but tries Basic the second time?
* Why does it get a null scheme at all?
* Why does NTLM not succeed? https://bugs.openjdk.java.net/browse/JDK-8033773 ?
And of course it's utterly unclear to me why in the non-working log there's nothing anymore after having received the initial NTLM 401 with the server's NTLMSSP_CHALLENGE header.
But in any case all this appears to happen in the JDK, before even JGit's own retry mechanisms could kick in.
I also see in the code that if this initial NONE request raises an IOException (even if it's an authorization failure), JGit's own retry mechanism will never kick in. That appears to happen in the non-working case, right in the middle of an NTLM authorization attempt.
Current Time: Fri Mar 23 14:42:00 GMT 2018
Powered by FUDForum
. Page generated in 0.02432 seconds