Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » EGit / JGit » Authentication failure - No password provided - although password was entered
Authentication failure - No password provided - although password was entered [message #1773389] Wed, 27 September 2017 08:30 Go to next message
Manuel Mall is currently offline Manuel MallFriend
Messages: 19
Registered: September 2015
Junior Member
I have a problem with EGit/jGit even after installing the latest version from the nightly build repository. We are connecting to a locally hosted TFS GIT instance using https. Git Windows command line client as well as GUI front ends like SourceTree or the Github Desktop work fine. EGit does prompt for credentials but then fails with a 'No passwaord provided' authentication error. Here is a sample stacktrace:
!ENTRY org.eclipse.egit.core 4 0 2017-09-27 15:33:03.493
!MESSAGE An exception occurred during push on URI https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS: https://tfs.synergy.net.au/tfs/Synergy/
WBU/_git/STARS: null
!STACK 0
org.eclipse.jgit.api.errors.TransportException: https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS: null
at org.eclipse.jgit.api.PushCommand.call(PushCommand.java:180)
at org.eclipse.egit.core.op.PushOperation.run(PushOperation.java:215)
at org.eclipse.egit.ui.internal.push.PushJob.performJob(PushJob.java:84)
at org.eclipse.egit.ui.internal.jobs.RepositoryJob.run(RepositoryJob.java:57)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
Caused by: org.eclipse.jgit.errors.TransportException: https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS: null
at org.eclipse.jgit.transport.BasePackPushConnection.doPush(BasePackPushConnection.java:238)
at org.eclipse.jgit.transport.TransportHttp$SmartHttpPushConnection.doPush(TransportHttp.java:1119)
at org.eclipse.jgit.transport.BasePackPushConnection.push(BasePackPushConnection.java:170)
at org.eclipse.jgit.transport.PushProcess.execute(PushProcess.java:172)
at org.eclipse.jgit.transport.Transport.push(Transport.java:1310)
at org.eclipse.jgit.api.PushCommand.call(PushCommand.java:169)
... 4 more
Caused by: java.io.IOException
at org.eclipse.jgit.transport.HttpAuthMethod$Negotiate.configureRequest(HttpAuthMethod.java:560)
at org.eclipse.jgit.transport.TransportHttp.httpOpen(TransportHttp.java:861)
at org.eclipse.jgit.transport.TransportHttp$Service.openStream(TransportHttp.java:1150)
at org.eclipse.jgit.transport.TransportHttp$Service.sendRequest(TransportHttp.java:1187)
at org.eclipse.jgit.transport.TransportHttp$MultiRequestService.execute(TransportHttp.java:1415)
at org.eclipse.jgit.transport.TransportHttp$Service$HttpExecuteStream.read(TransportHttp.java:1345)
at org.eclipse.jgit.util.io.UnionInputStream.read(UnionInputStream.java:145)
at java.io.FilterInputStream.read(FilterInputStream.java:133)
at org.eclipse.jgit.util.io.TimeoutInputStream.read(TimeoutInputStream.java:112)
at org.eclipse.jgit.util.IO.readFully(IO.java:247)
at org.eclipse.jgit.transport.PacketLineIn.readLength(PacketLineIn.java:225)
at org.eclipse.jgit.transport.SideBandInputStream.needDataPacket(SideBandInputStream.java:154)
at org.eclipse.jgit.transport.SideBandInputStream.read(SideBandInputStream.java:136)
at org.eclipse.jgit.util.IO.readFully(IO.java:247)
at org.eclipse.jgit.transport.PacketLineIn.readLength(PacketLineIn.java:225)
at org.eclipse.jgit.transport.PacketLineIn.readString(PacketLineIn.java:155)
at org.eclipse.jgit.transport.BasePackPushConnection.readStringLongTimeout(BasePackPushConnection.java:437)
at org.eclipse.jgit.transport.BasePackPushConnection.readStatusReport(BasePackPushConnection.java:369)
at org.eclipse.jgit.transport.BasePackPushConnection.doPush(BasePackPushConnection.java:221)
... 9 more
Caused by: GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Attempt to obtain new I
NITIATE credentials failed! (null)))
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:454)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at org.eclipse.jgit.transport.HttpAuthMethod$Negotiate.configureRequest(HttpAuthMethod.java:554)
... 27 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:343)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:145)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882)
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317)
... 30 more
Caused by: javax.security.auth.login.LoginException: No password provided
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:919)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:258)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:158)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:335)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:330)
... 38 more


Any suggestions what might be going wrong?
Re: Authentication failure - No password provided - although password was entered [message #1773463 is a reply to message #1773389] Thu, 28 September 2017 07:41 Go to previous messageGo to next message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 78
Registered: August 2016
Member
...
Caused by: java.io.IOException
at org.eclipse.jgit.transport.HttpAuthMethod$Negotiate.configureRequest(HttpAuthMethod.java:560)
...
Caused by: javax.security.auth.login.LoginException: No password provided
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:919)
...

Do you use Kerberos at all? Is Kerberos configured on the server and on the client?

The stack trace shows that this is during the POST request. (A push is two requests, first a GET to determine server capabilities, then a POST to actually send data.)

Please show full network request traces including headers of all requests involved in that push attempt: of the GET and of the following POST.
Re: Authentication failure - No password provided - although password was entered [message #1776214 is a reply to message #1773463] Tue, 14 November 2017 03:12 Go to previous messageGo to next message
Manuel Mall is currently offline Manuel MallFriend
Messages: 19
Registered: September 2015
Junior Member
Hi Thomas,

my apologies for the late response. I didn't get a notification that you posted a response and neglected to check the forum directly.

Quote:
Do you use Kerberos at all? Is Kerberos configured on the server and on the client?


To be honest, I don't have a clue about this. All I know it works from the Windows Git client, from Windows Git UI clients, and Visual Studio but not through Eclipse / EGit.

Quote:
Please show full network request traces including headers of all requests involved in that push attempt: of the GET and of the following POST.


Happy to do that if advised how to obtain these. Are there any Eclipse/Java command line switches that enable EGit to log this or shall I use -Djavax.net.debug=all which can be extremely verbose?
Re: Authentication failure - No password provided - although password was entered [message #1776218 is a reply to message #1776214] Tue, 14 November 2017 05:23 Go to previous messageGo to next message
Manuel Mall is currently offline Manuel MallFriend
Messages: 19
Registered: September 2015
Junior Member
So I did some digging in the logged output and saw this:
GET /tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack HTTP/1.1
Accept-Encoding: gzip
Pragma: no-cache
User-Agent: JGit/4.9.0-SNAPSHOT
Accept: application/x-git-receive-pack-advertisement, */*
Cache-Control: no-cache
Host: tfs.synergy.net.au
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAABAAAAB7IIogQABAAwAAAACAAIACgAAAAGAbEdAAAAD1NXUzMyOTUzQ09SUA==


POST /tfs/Synergy/WBU/_git/STARS/git-receive-pack HTTP/1.1
Accept-Encoding: gzip
Pragma: no-cache
User-Agent: JGit/4.9.0-SNAPSHOT
Content-Type: application/x-git-receive-pack-request
Accept: application/x-git-receive-pack-result
Cache-Control: no-cache
Host: tfs.synergy.net.au
Connection: keep-alive
Content-Length: 9091


So in the GET request JGit sends an NTLM authorization header but not in the POST request.

Could that be the issue?
Re: Authentication failure - No password provided - although password was entered [message #1776220 is a reply to message #1776218] Tue, 14 November 2017 05:44 Go to previous messageGo to next message
Manuel Mall is currently offline Manuel MallFriend
Messages: 19
Registered: September 2015
Junior Member
Just noticed that the above is not the full exchange, there were 2 'unsuccessful' GET requests before - this is the full sequence I believe before JGit throws the orignally reported exception:

GET /tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack HTTP/1.1
Accept-Encoding: gzip
Pragma: no-cache
User-Agent: JGit/4.9.0-SNAPSHOT
Accept: application/x-git-receive-pack-advertisement, */*
Cache-Control: no-cache
Host: tfs.synergy.net.au
Connection: keep-alive

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-TFS-ProcessId: f968ad58-674d-4bdd-9b09-96cd9ba9a64c
ActivityId: 1a6594fa-3e1e-471c-9e6c-d8a73a5d3f3b
X-TFS-Session: 1a6594fa-3e1e-471c-9e6c-d8a73a5d3f3b
X-VSS-E2EID: 1a6594fa-3e1e-471c-9e6c-d8a73a5d3f3b
X-FRAME-OPTIONS: SAMEORIGIN
X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required
WWW-Authenticate: Basic realm="https://tfs.synergy.net.au/tfs"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Lfs-Authenticate: NTLM
X-Content-Type-Options: nosniff
Date: Tue, 14 Nov 2017 05:11:47 GMT
Content-Length: 20150
Set-Cookie: BIGipServerPool_TFS=2315326474.36895.0000; path=/; Httponly; Secure

GET /tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack HTTP/1.1
Accept-Encoding: gzip
Pragma: no-cache
User-Agent: JGit/4.9.0-SNAPSHOT
Accept: application/x-git-receive-pack-advertisement, */*
Cache-Control: no-cache
Host: tfs.synergy.net.au
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAABAAAAB7IIogQABAAwAAAACAAIACgAAAAGAbEdAAAAD1NXUzMyOTUzQ09SUA==

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAFgomiwj8TYTy5OuQAAAAAAAAAAIYAhgBAAAAABgOAJQAAAA9DAE8AUgBQAAIACABDAE8AUgBQAAEAFABQAEQAQwBQAFYAVABGAFMAMAAyAAQAEABjAG8AcgBwAC4AaQBuAHQAAwAmAFAARABDAFAAVgBUAEYAUwAwADIALgBjAG8AcgBwAC4AaQBuAHQABQAQAGMAbwByAHAALgBpAG4AdAAHAAgA8YpOEgdd0wEAAAAA
Date: Tue, 14 Nov 2017 05:11:47 GMT
Content-Length: 341
Set-Cookie: BIGipServerPool_TFS=2315326474.36895.0000; path=/; Httponly; Secure

GET /tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack HTTP/1.1
Accept-Encoding: gzip
Pragma: no-cache
User-Agent: JGit/4.9.0-SNAPSHOT
Accept: application/x-git-receive-pack-advertisement, */*
Cache-Control: no-cache
Host: tfs.synergy.net.au
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHwAAAAOAQ4BlAAAAAgACABYAAAADAAMAGAAAAAQABAAbAAAAAAAAACiAQAABYKIogYBsR0AAAAPUAuyHb67U4ha8If7osR/JEMATwBSAFAAZQBtAG0AYQBsAGwAUwBXAFMAMwAyADkANQAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAG2/kNSKrNrxPDqPeb/jAUcBAQAAAAAAAPGKThIHXdMBWJe2yqqcxKkAAAAAAgAIAEMATwBSAFAAAQAUAFAARABDAFAAVgBUAEYAUwAwADIABAAQAGMAbwByAHAALgBpAG4AdAADACYAUABEAEMAUABWAFQARgBTADAAMgAuAGMAbwByAHAALgBpAG4AdAAFABAAYwBvAHIAcAAuAGkAbgB0AAcACADxik4SB13TAQYABAACAAAACAAwADAAAAAAAAAAAQAAAAAgAAAmSlWfngrx/hRLCjU/P9bR1LGxKb0kGIxDXYA99fRMsQoAEAAAAAAAAAAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAA==

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-git-receive-pack-advertisement
Server: Microsoft-IIS/8.5
X-TFS-ProcessId: f968ad58-674d-4bdd-9b09-96cd9ba9a64c
ActivityId: 1a659424-3e1e-471c-9e6c-d8a73a5d3f3b
X-TFS-Session: 1a659424-3e1e-471c-9e6c-d8a73a5d3f3b
X-VSS-E2EID: 1a659424-3e1e-471c-9e6c-d8a73a5d3f3b
X-FRAME-OPTIONS: SAMEORIGIN
X-VSS-UserData: 8857810f-8109-444e-b448-37cbe4b6de34:emmall
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Lfs-Authenticate: NTLM
X-Content-Type-Options: nosniff
Date: Tue, 14 Nov 2017 05:11:47 GMT
Content-Length: 303878

POST /tfs/Synergy/WBU/_git/STARS/git-receive-pack HTTP/1.1
Accept-Encoding: gzip
Pragma: no-cache
User-Agent: JGit/4.9.0-SNAPSHOT
Content-Type: application/x-git-receive-pack-request
Accept: application/x-git-receive-pack-result
Cache-Control: no-cache
Host: tfs.synergy.net.au
Connection: keep-alive
Content-Length: 9091

HTTP/1.1 401 Unauthorized
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/8.5
X-TFS-ProcessId: f968ad58-674d-4bdd-9b09-96cd9ba9a64c
ActivityId: 1a659790-3e1e-471c-9e6c-d8a73a5d3f3b
X-TFS-Session: 1a659790-3e1e-471c-9e6c-d8a73a5d3f3b
X-VSS-E2EID: 1a659790-3e1e-471c-9e6c-d8a73a5d3f3b
X-FRAME-OPTIONS: SAMEORIGIN
X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required
WWW-Authenticate: Basic realm="https://tfs.synergy.net.au/tfs"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Lfs-Authenticate: NTLM
X-Content-Type-Options: nosniff
Date: Tue, 14 Nov 2017 05:11:53 GMT
Content-Length: 86
Set-Cookie: BIGipServerPool_TFS=2315326474.36895.0000; path=/; Httponly; Secure
Re: Authentication failure - No password provided - although password was entered [message #1776265 is a reply to message #1776220] Tue, 14 November 2017 15:46 Go to previous messageGo to next message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 78
Registered: August 2016
Member
Thank you, this is most useful. With this info I can go see where exactly in the POST handling this Kerberos exception during Negotiate is not caught.

The NTLM authentication on the GET is done by Java's built in connection support, but JGit doesn't know about that and somehow doesn't send that final valid NTLM token along on the POST.

So it looks as if there are actually two problems: when Kerberos fails, NTLM should be tried, and the successful NTLM auth from the GET should be used initially on the POST. Off to analyze this.
Re: Authentication failure - No password provided - although password was entered [message #1776285 is a reply to message #1776265] Wed, 15 November 2017 02:59 Go to previous messageGo to next message
Manuel Mall is currently offline Manuel MallFriend
Messages: 19
Registered: September 2015
Junior Member
Let me know if you need anything else or some help with testing.
Re: Authentication failure - No password provided - although password was entered [message #1776393 is a reply to message #1776285] Thu, 16 November 2017 07:17 Go to previous messageGo to next message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 78
Registered: August 2016
Member
Manuel Mall wrote on Wed, 15 November 2017 02:59
Let me know if you need anything else or some help with testing.


We're tracking this as bug 501167.

Indeed we would need help to test a fix for this, since none of the developers has access to a TFS, and the problem is specific to TFS (and perhaps other git servers that advertise Negotiate and NTLM authentication, but I don't know of any).

Can you build JGit from sources? If so, you could build with the fix included and test. If not, we'll have to figure out a way to make available a test update site from which you could install a JGit with the fix included.
Re: Authentication failure - No password provided - although password was entered [message #1776442 is a reply to message #1776393] Thu, 16 November 2017 13:32 Go to previous messageGo to next message
Manuel Mall is currently offline Manuel MallFriend
Messages: 19
Registered: September 2015
Junior Member
So I managed to get an JGit Eclipse project setup and error free. How would I best test this change now?
Re: Authentication failure - No password provided - although password was entered [message #1776465 is a reply to message #1776442] Thu, 16 November 2017 16:04 Go to previous messageGo to next message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 78
Registered: August 2016
Member
Great. What exactly do you have now? A JGit-only workspace, or a combined EGit/JGit workspace? If you did the automated Oomph setup, you'd have a combined workspace, and things will be simpler.

If you have a combined EGit/JGit workspace, you could just download the change from Gerrit and start a runtime workbench, then try cloning a repository from your TFS.

Downloading the change from Gerrit would be the command

git fetch https://git.eclipse.org/r/jgit/jgit refs/changes/71/111671/3 && git checkout FETCH_HEAD

or in Eclipse "Fetch from Gerrit..." (context menu on the JGit clone in the repositories view) and then enter the change number 111671, hit ctrl-space, then select the latest patch set (number 3). Eclipse will check out the change, Eclipse will re-build, and then you can start a runtime workbench and try cloning from TFS in there.

If you have a JGit-only workspace, chances are that this won't work because the JGit target platform has no Eclipse components. So you'd download the change from Gerrit, and then build JGit with maven on the command-line. That will produce a p2 update site that you can use to install that JGit in another Eclipse. Once installed there, you'd try cloning from your TFS server.

Building on the command-line needs maven, so you'd have to have that. The steps are described in the Contributor's Guide; basically it's

mvn clean install
mvn -f org.eclipse.jgit.packaging/pom.xml clean install

That should produce a p2 repository at <jgit-clone-dir>/org.eclipse.jgit.packaging/org.eclipse.jgit.repository/target/repository/ that could be used to install that JGit version in an Eclipse.
Re: Authentication failure - No password provided - although password was entered [message #1776628 is a reply to message #1776465] Sun, 19 November 2017 05:08 Go to previous messageGo to next message
Manuel Mall is currently offline Manuel MallFriend
Messages: 19
Registered: September 2015
Junior Member
Good news - it works!

Ended up installing full eGit/jGit environment using Oomph and added your changes as suggested above. Then successfully cloned our TFS Git repo through Eclipse and pushed a change to TFS through Eclipse as well. Both operations don't work without the patch. Tracing the HTTP headers confirmed that jGit ends up falling back to HTTP Basic Authentication on the POST requests.

GETs still use NTLM though. This could lead to some confusion as it means for Git operations involving GETs the Windows desktop credentials are used while for operations using POSTs the credentials configured in Eclipse are used. I guess it would be preferable to be consistent - all Git operations to either use NTLM or Basic Authentication - not a mix. Especially because in a TFS environment using the Active Directory (desktop) credentials with HTTP Basic Authentication to TFS does not work! You need to create a Personal Access Token in TFS as described for example in https://docs.microsoft.com/en-us/vsts/accounts/use-personal-access-tokens-to-authenticate and then its use in the HTTP Authorization header is described in https://docs.microsoft.com/en-us/vsts/integrate/get-started/rest/basics. In Eclipse this means you must enter an empty Username and the Personal Access Token as the Password.

[Updated on: Sun, 19 November 2017 05:08]

Report message to a moderator

Re: Authentication failure - No password provided - although password was entered [message #1776664 is a reply to message #1776628] Mon, 20 November 2017 07:25 Go to previous messageGo to next message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 78
Registered: August 2016
Member
Manuel Mall wrote on Sun, 19 November 2017 05:08
Good news - it works!

Great! So at least we did understand more or less correctly what was going on.

Quote:
Ended up installing full eGit/jGit environment using Oomph and added your changes as suggested above. Then successfully cloned our TFS Git repo through Eclipse and pushed a change to TFS through Eclipse as well. Both operations don't work without the patch. Tracing the HTTP headers confirmed that jGit ends up falling back to HTTP Basic Authentication on the POST requests.

Thanks a lot for going to all that trouble to verify this. We really should have a simpler way how people could test such not-yet-merged changes.

Quote:
GETs still use NTLM though. This could lead to some confusion as it means for Git operations involving GETs the Windows desktop credentials are used while for operations using POSTs the credentials configured in Eclipse are used. I guess it would be preferable to be consistent - all Git operations to either use NTLM or Basic Authentication - not a mix. Especially because in a TFS environment using the Active Directory (desktop) credentials with HTTP Basic Authentication to TFS does not work! You need to create a Personal Access Token in TFS as described for example in https://docs.microsoft.com/en-us/vsts/accounts/use-personal-access-tokens-to-authenticate and then its use in the HTTP Authorization header is described in https://docs.microsoft.com/en-us/vsts/integrate/get-started/rest/basics. In Eclipse this means you must enter an empty Username and the Personal Access Token as the Password.

We should add that info to the EGit documentation.

I'm afraid we can't do anything about that NTLM. It's entirely handled by Java's HttpUrlConnection, which does use it on the GET but apparently not on the POST. As I wrote on bugzilla, it's also hard to see how it could be used on POST, since the Java libraries do not have the POST data, which would need to be re-sent.

Java does have a http.auth.preference system property that a user could set to disable NTLM, but it's a bit restrictive in that it allows to specify only one authentication scheme. AFAIK there's no way to define a sequence of schemes, such as Negotiate->Digest->Basic.

Microsoft's own specification of NTLM is interesting. I quote from v20170915, section 5.1, "Security considerations for implementers":
Quote:
Therefore, applications are generally advised not to use NTLM.
(Emphasis added.)

Also, there's RFC 4559, which says:
Quote:
It is not always possible to mutually authenticate the server before the HTTP operation. POST methods are in this category.
...
[On POST requests] the authentication should be complete between the client and server before sending the user data.

As far as I see, Java doesn't give us a way to implement this latter bit. We have to send the data at least once to get the initial 401 response. Unless I'm missing something.
Re: Authentication failure - No password provided - although password was entered [message #1776670 is a reply to message #1776664] Mon, 20 November 2017 08:30 Go to previous messageGo to next message
Manuel Mall is currently offline Manuel MallFriend
Messages: 19
Registered: September 2015
Junior Member
Given that even Microsoft recommends not using NTLM maybe I need to figure out how to configure the Eclipse Java environment to use Kerberos for single sign on to TFS? A quick search has not uncovered any simple instructions how to do this.
Re: Authentication failure - No password provided - although password was entered [message #1776703 is a reply to message #1776670] Mon, 20 November 2017 15:20 Go to previous messageGo to next message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 78
Registered: August 2016
Member
Manuel Mall wrote on Mon, 20 November 2017 08:30
Given that even Microsoft recommends not using NTLM maybe I need to figure out how to configure the Eclipse Java environment to use Kerberos for single sign on to TFS? A quick search has not uncovered any simple instructions how to do this.


...and I can just hope that that works with EGit/JGit. While there is code for the Negotiate scheme (SPNEGO only) in JGit, I have no idea whether it actually works. It was contributed a while ago, apparently by someone who had indeed a working Kerberos setup (though perhaps (probably?) not with TFS). I don't have access to one, and from what I know, neither do the other regular contributors to JGit.
Re: Authentication failure - No password provided - although password was entered [message #1776738 is a reply to message #1776703] Tue, 21 November 2017 00:20 Go to previous messageGo to next message
Manuel Mall is currently offline Manuel MallFriend
Messages: 19
Registered: September 2015
Junior Member
Quote:
It was contributed a while ago, apparently by someone who had indeed a working Kerberos setup


...you don't happen to have some contact details for this contributor?
Re: Authentication failure - No password provided - although password was entered [message #1776797 is a reply to message #1776738] Tue, 21 November 2017 17:25 Go to previous messageGo to next message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 78
Registered: August 2016
Member
Look through the git history of class HttpAuthMethod for who added the SPNEGO support.
Re: Authentication failure - No password provided - although password was entered [message #1776821 is a reply to message #1776797] Wed, 22 November 2017 00:14 Go to previous messageGo to next message
Manuel Mall is currently offline Manuel MallFriend
Messages: 19
Registered: September 2015
Junior Member
I played around with this a bit more (what a time sink...) and decided that Kerberos and Windows Java clients don't work nicely together. But then I wrote myself a little test program:
package au.net.synergy.wts.security.tools;

import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

import sun.util.logging.PlatformLogger;

public class GitTest {

  public static void main(final String[] args) throws Exception {
    System.setProperty("javax.net.ssl.trustStore", "NONE");
    System.setProperty("javax.net.ssl.trustStoreType", "Windows-ROOT");
//    System.setProperty("javax.net.debug", "all");
    System.setProperty("java.security.krb5.realm", "CORP.INT");
    System.setProperty("java.security.krb5.kdc", "corp.int");
    System.setProperty("sun.security.krb5.debug", "true");
//    System.setProperty("http.auth.preference", "SPNEGO");
    
    sun.util.logging.PlatformLogger .getLogger("sun.net.www.protocol.http.HttpURLConnection") .setLevel(PlatformLogger.Level.ALL);
    final InputStream is = new URL("https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack").openStream();
    final byte[] ba = new byte[1024*1024]; 
    final int len = is.read(ba);
    is.close();
    final URL url = new URL("https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/git-receive-pack");
    final HttpURLConnection conn = (HttpURLConnection)url.openConnection();
    conn.setRequestMethod("POST");
    conn.setRequestProperty( "Content-Type", "application/x-git-receive-pack-request");
    conn.setDoOutput(true);
    conn.getOutputStream().write(ba, len, 0);
    conn.getInputStream().read(ba);
  }

}

Nothing fancy, just emulating what jGit does, first a GET to TFS and then a POST. Interesting observation, in my test the Java HttpURLConnection does fall back to NTLM on the POST. Question is why doesn't it do it in the jGit case? Here is the console output of this program. It shows the same exception as jGit with respect to Kerberos but then falls back to NTLM:
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection plainConnect0
FINEST: ProxySelector Request for https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.https.HttpsClient New
FINEST: Looking for HttpClient for URL https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack and proxy value of DIRECT
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.https.HttpsClient <init>
FINEST: Creating new HttpsClient with url:https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack and proxy:DIRECT with connect timeout:-1
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection plainConnect0
FINEST: Proxy used: DIRECT
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection writeRequests
FINE: sun.net.www.MessageHeader@20e2cbe05 pairs: {GET /tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack HTTP/1.1: null}{User-Agent: Java/1.8.0_144}{Host: tfs.synergy.net.au}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
Nov 22, 2017 8:03:50 AM sun.net.www.http.HttpClient logFinest
FINEST: KeepAlive stream used: https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection getInputStream0
FINE: sun.net.www.MessageHeader@68be2bc221 pairs: {null: HTTP/1.1 401 Unauthorized}{Content-Type: text/html; charset=utf-8}{Server: Microsoft-IIS/8.5}{X-TFS-ProcessId: f968ad58-674d-4bdd-9b09-96cd9ba9a64c}{ActivityId: 1ba73d8d-3e1e-471c-9e6c-d8a73a5d3f3b}{X-TFS-Session: 1ba73d8d-3e1e-471c-9e6c-d8a73a5d3f3b}{X-VSS-E2EID: 1ba73d8d-3e1e-471c-9e6c-d8a73a5d3f3b}{X-FRAME-OPTIONS: SAMEORIGIN}{X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e}{X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.}{WWW-Authenticate: Bearer}{WWW-Authenticate: Basic realm="https://tfs.synergy.net.au/tfs"}{WWW-Authenticate: Negotiate}{WWW-Authenticate: NTLM}{X-Powered-By: ASP.NET}{P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"}{Lfs-Authenticate: NTLM}{X-Content-Type-Options: nosniff}{Date: Wed, 22 Nov 2017 00:03:51 GMT}{Content-Length: 20150}{Set-Cookie: BIGipServerPool_TFS=2315326474.36895.0000; path=/; Httponly; Secure}
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
>>>KinitOptions cache name is C:\Users\emmall\krb5cc_emmall
>>>DEBUG <CCacheInputStream>  client principal is emmall@CORP.INT
>>>DEBUG <CCacheInputStream> server principal is krbtgt/CORP.INT@CORP.INT
>>>DEBUG <CCacheInputStream> key type: 17
>>>DEBUG <CCacheInputStream> auth time: Tue Nov 21 13:08:35 AWST 2017
>>>DEBUG <CCacheInputStream> start time: Tue Nov 21 13:08:35 AWST 2017
>>>DEBUG <CCacheInputStream> end time: Tue Nov 21 23:08:35 AWST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
Host address is /10.52.68.19
Host address is /fe80:0:0:0:81bd:8d6b:88d8:88eb
>>> KrbCreds found the default ticket granting ticket in credential cache.
>>> Obtained TGT from LSA: Credentials:
      client=emmall@CORP.INT
      server=krbtgt/CORP.INT@CORP.INT
    authTime=20171121050835Z
   startTime=20171121050835Z
     endTime=20171121150835Z
   renewTill=null
       flags=INITIAL;PRE-AUTHENT
EType (skey)=17
   (tkt key)=18
Negotiate support not initiated, will fallback to other scheme if allowed. Reason:
GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null)))
	at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.net.www.protocol.http.spnego.NegotiatorImpl.init(Unknown Source)
	at sun.net.www.protocol.http.spnego.NegotiatorImpl.<init>(Unknown Source)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.lang.reflect.Constructor.newInstance(Unknown Source)
	at sun.net.www.protocol.http.Negotiator.getNegotiator(Unknown Source)
	at sun.net.www.protocol.http.NegotiateAuthentication.isSupportedImpl(Unknown Source)
	at sun.net.www.protocol.http.NegotiateAuthentication.isSupported(Unknown Source)
	at sun.net.www.protocol.http.AuthenticationHeader.parse(Unknown Source)
	at sun.net.www.protocol.http.AuthenticationHeader.<init>(Unknown Source)
	at sun.net.www.protocol.http.AuthenticationHeader.<init>(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
	at java.net.URL.openStream(Unknown Source)
	at au.net.synergy.wts.security.tools.GitTest.main(GitTest.java:21)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
	at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
	... 20 more
Caused by: javax.security.auth.login.LoginException: No password provided
	at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at sun.security.jgss.GSSUtil.login(Unknown Source)
	at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	... 28 more
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.Negotiator finest
FINEST: NegotiateAuthentication: java.lang.reflect.InvocationTargetException
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.Negotiator finest
FINEST: NegotiateAuthentication: java.io.IOException: Negotiate support not initiated
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection getServerAuthentication
FINEST: Trying Transparent NTLM authentication
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection getServerAuthentication
FINER: Server Authentication for AuthenticationHeader: prefer NTLM returned sun.net.www.protocol.http.ntlm.NTLMAuthentication@39aeed2f
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection plainConnect0
FINEST: ProxySelector Request for https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.https.HttpsClient New
FINEST: Looking for HttpClient for URL https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack and proxy value of DIRECT
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.https.HttpsClient <init>
FINEST: Creating new HttpsClient with url:https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack and proxy:DIRECT with connect timeout:-1
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection plainConnect0
FINEST: Proxy used: DIRECT
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection writeRequests
FINE: sun.net.www.MessageHeader@20e2cbe06 pairs: {GET /tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack HTTP/1.1: null}{User-Agent: Java/1.8.0_144}{Host: tfs.synergy.net.au}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Authorization: NTLM TlRMTVNTUAABAAAAB7IIogQABAAwAAAACAAIACgAAAAGAbEdAAAAD1NXUzMyOTUzQ09SUA==}
Nov 22, 2017 8:03:50 AM sun.net.www.http.HttpClient logFinest
FINEST: KeepAlive stream used: https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection getInputStream0
FINE: sun.net.www.MessageHeader@68be2bc27 pairs: {null: HTTP/1.1 401 Unauthorized}{Content-Type: text/html; charset=us-ascii}{Server: Microsoft-HTTPAPI/2.0}{WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAFgomiw9AhAzO1UlEAAAAAAAAAAIYAhgBAAAAABgOAJQAAAA9DAE8AUgBQAAIACABDAE8AUgBQAAEAFABQAEQAQwBQAFYAVABGAFMAMAAyAAQAEABjAG8AcgBwAC4AaQBuAHQAAwAmAFAARABDAFAAVgBUAEYAUwAwADIALgBjAG8AcgBwAC4AaQBuAHQABQAQAGMAbwByAHAALgBpAG4AdAAHAAgAWzPpYCVj0wEAAAAA}{Date: Wed, 22 Nov 2017 00:03:51 GMT}{Content-Length: 341}{Set-Cookie: BIGipServerPool_TFS=2315326474.36895.0000; path=/; Httponly; Secure}
Nov 22, 2017 8:03:50 AM sun.net.www.protocol.http.HttpURLConnection writeRequests
FINE: sun.net.www.MessageHeader@20e2cbe06 pairs: {GET /tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack HTTP/1.1: null}{User-Agent: Java/1.8.0_144}{Host: tfs.synergy.net.au}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHwAAAAOAQ4BlAAAAAgACABYAAAADAAMAGAAAAAQABAAbAAAAAAAAACiAQAABYKIogYBsR0AAAAPQjpPOxJ6CwGc1Hd478mUHUMATwBSAFAAZQBtAG0AYQBsAGwAUwBXAFMAMwAyADkANQAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcfP8vHfWnOElN++Le5VOcBAQAAAAAAAFsz6WAlY9MBrcuDD2Ax5xsAAAAAAgAIAEMATwBSAFAAAQAUAFAARABDAFAAVgBUAEYAUwAwADIABAAQAGMAbwByAHAALgBpAG4AdAADACYAUABEAEMAUABWAFQARgBTADAAMgAuAGMAbwByAHAALgBpAG4AdAAFABAAYwBvAHIAcAAuAGkAbgB0AAcACABbM+lgJWPTAQYABAACAAAACAAwADAAAAAAAAAAAQAAAAAgAABCVzzW2GIbgFXPnJm5IUZ1wlW+mXufshCZIJ7ACxlk0goAEAAAAAAAAAAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAA==}
Nov 22, 2017 8:03:51 AM sun.net.www.http.HttpClient logFinest
FINEST: KeepAlive stream used: https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection getInputStream0
FINE: sun.net.www.MessageHeader@4678c73018 pairs: {null: HTTP/1.1 200 OK}{Cache-Control: private}{Content-Type: application/x-git-receive-pack-advertisement}{Server: Microsoft-IIS/8.5}{X-TFS-ProcessId: f968ad58-674d-4bdd-9b09-96cd9ba9a64c}{ActivityId: 1ba73d37-3e1e-471c-9e6c-d8a73a5d3f3b}{X-TFS-Session: 1ba73d37-3e1e-471c-9e6c-d8a73a5d3f3b}{X-VSS-E2EID: 1ba73d37-3e1e-471c-9e6c-d8a73a5d3f3b}{X-FRAME-OPTIONS: SAMEORIGIN}{X-VSS-UserData: 8857810f-8109-444e-b448-37cbe4b6de34:emmall}{X-AspNet-Version: 4.0.30319}{Persistent-Auth: true}{X-Powered-By: ASP.NET}{P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"}{Lfs-Authenticate: NTLM}{X-Content-Type-Options: nosniff}{Date: Wed, 22 Nov 2017 00:03:51 GMT}{Content-Length: 303878}
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection plainConnect0
FINEST: ProxySelector Request for https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/git-receive-pack
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.https.HttpsClient New
FINEST: Looking for HttpClient for URL https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/git-receive-pack and proxy value of DIRECT
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.https.HttpsClient <init>
FINEST: Creating new HttpsClient with url:https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/git-receive-pack and proxy:DIRECT with connect timeout:-1
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection plainConnect0
FINEST: Proxy used: DIRECT
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection writeRequests
FINE: sun.net.www.MessageHeader@29ee9faa7 pairs: {POST /tfs/Synergy/WBU/_git/STARS/git-receive-pack HTTP/1.1: null}{Content-Type: application/x-git-receive-pack-request}{User-Agent: Java/1.8.0_144}{Host: tfs.synergy.net.au}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Content-Length: 0}
Nov 22, 2017 8:03:51 AM sun.net.www.http.HttpClient logFinest
FINEST: KeepAlive stream used: https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/git-receive-pack
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection getInputStream0
FINE: sun.net.www.MessageHeader@c03820321 pairs: {null: HTTP/1.1 401 Unauthorized}{Content-Type: text/html; charset=utf-8}{Server: Microsoft-IIS/8.5}{X-TFS-ProcessId: f968ad58-674d-4bdd-9b09-96cd9ba9a64c}{ActivityId: 1ba73d2f-3e1e-471c-9e6c-d8a73a5d3f3b}{X-TFS-Session: 1ba73d2f-3e1e-471c-9e6c-d8a73a5d3f3b}{X-VSS-E2EID: 1ba73d2f-3e1e-471c-9e6c-d8a73a5d3f3b}{X-FRAME-OPTIONS: SAMEORIGIN}{X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e}{X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.}{WWW-Authenticate: Bearer}{WWW-Authenticate: Basic realm="https://tfs.synergy.net.au/tfs"}{WWW-Authenticate: Negotiate}{WWW-Authenticate: NTLM}{X-Powered-By: ASP.NET}{P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"}{Lfs-Authenticate: NTLM}{X-Content-Type-Options: nosniff}{Date: Wed, 22 Nov 2017 00:03:51 GMT}{Content-Length: 20126}{Set-Cookie: BIGipServerPool_TFS=2315326474.36895.0000; path=/; Httponly; Secure}
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection getServerAuthentication
FINER: Server Authentication for AuthenticationHeader: prefer NTLM returned sun.net.www.protocol.http.ntlm.NTLMAuthentication@39aeed2f
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection plainConnect0
FINEST: ProxySelector Request for https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/git-receive-pack
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.https.HttpsClient New
FINEST: Looking for HttpClient for URL https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/git-receive-pack and proxy value of DIRECT
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.https.HttpsClient New
FINEST: KeepAlive stream retrieved from the cache, sun.net.www.protocol.https.HttpsClient(https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/info/refs?service=git-receive-pack)
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection plainConnect0
FINEST: Proxy used: DIRECT
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection writeRequests
FINE: sun.net.www.MessageHeader@29ee9faa8 pairs: {POST /tfs/Synergy/WBU/_git/STARS/git-receive-pack HTTP/1.1: null}{Content-Type: application/x-git-receive-pack-request}{User-Agent: Java/1.8.0_144}{Host: tfs.synergy.net.au}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Content-Length: 0}{Authorization: NTLM TlRMTVNTUAABAAAAB7IIogQABAAwAAAACAAIACgAAAAGAbEdAAAAD1NXUzMyOTUzQ09SUA==}
Nov 22, 2017 8:03:51 AM sun.net.www.http.HttpClient logFinest
FINEST: KeepAlive stream used: https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/git-receive-pack
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection getInputStream0
FINE: sun.net.www.MessageHeader@c0382036 pairs: {null: HTTP/1.1 401 Unauthorized}{Content-Type: text/html; charset=us-ascii}{Server: Microsoft-HTTPAPI/2.0}{WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAFgomioeQ0kk+gECcAAAAAAAAAAIYAhgBAAAAABgOAJQAAAA9DAE8AUgBQAAIACABDAE8AUgBQAAEAFABQAEQAQwBQAFYAVABGAFMAMAAyAAQAEABjAG8AcgBwAC4AaQBuAHQAAwAmAFAARABDAFAAVgBUAEYAUwAwADIALgBjAG8AcgBwAC4AaQBuAHQABQAQAGMAbwByAHAALgBpAG4AdAAHAAgA06r+YCVj0wEAAAAA}{Date: Wed, 22 Nov 2017 00:03:51 GMT}{Content-Length: 341}
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection writeRequests
FINE: sun.net.www.MessageHeader@29ee9faa8 pairs: {POST /tfs/Synergy/WBU/_git/STARS/git-receive-pack HTTP/1.1: null}{Content-Type: application/x-git-receive-pack-request}{User-Agent: Java/1.8.0_144}{Host: tfs.synergy.net.au}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Content-Length: 0}{Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHwAAAAOAQ4BlAAAAAgACABYAAAADAAMAGAAAAAQABAAbAAAAAAAAACiAQAABYKIogYBsR0AAAAP37M+tUP0uhsSnJiHCq9BmUMATwBSAFAAZQBtAG0AYQBsAGwAUwBXAFMAMwAyADkANQAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALuSFm2l04SNBRRp8XQwI5ABAQAAAAAAANOq/mAlY9MB3DQbkXjXeggAAAAAAgAIAEMATwBSAFAAAQAUAFAARABDAFAAVgBUAEYAUwAwADIABAAQAGMAbwByAHAALgBpAG4AdAADACYAUABEAEMAUABWAFQARgBTADAAMgAuAGMAbwByAHAALgBpAG4AdAAFABAAYwBvAHIAcAAuAGkAbgB0AAcACADTqv5gJWPTAQYABAACAAAACAAwADAAAAAAAAAAAQAAAAAgAABCVzzW2GIbgFXPnJm5IUZ1wlW+mXufshCZIJ7ACxlk0goAEAAAAAAAAAAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAA==}
Nov 22, 2017 8:03:51 AM sun.net.www.protocol.http.HttpURLConnection getInputStream0
FINE: sun.net.www.MessageHeader@cc285f419 pairs: {null: HTTP/1.1 500 Internal Server Error}{Cache-Control: private}{Transfer-Encoding: chunked}{Content-Type: text/plain; charset=utf-8}{Server: Microsoft-IIS/8.5}{X-TFS-ProcessId: f968ad58-674d-4bdd-9b09-96cd9ba9a64c}{ActivityId: 1ba73d49-3e1e-471c-9e6c-d8a73a5d3f3b}{X-TFS-Session: 1ba73d49-3e1e-471c-9e6c-d8a73a5d3f3b}{X-VSS-E2EID: 1ba73d49-3e1e-471c-9e6c-d8a73a5d3f3b}{X-FRAME-OPTIONS: SAMEORIGIN}{X-VSS-UserData: 8857810f-8109-444e-b448-37cbe4b6de34:emmall}{X-TFS-Exception: GitProtocolException}{X-AspNet-Version: 4.0.30319}{Persistent-Auth: true}{X-Powered-By: ASP.NET}{P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"}{Lfs-Authenticate: NTLM}{X-Content-Type-Options: nosniff}{Date: Wed, 22 Nov 2017 00:03:51 GMT}
Exception in thread "main" java.io.IOException: Server returned HTTP response code: 500 for URL: https://tfs.synergy.net.au/tfs/Synergy/WBU/_git/STARS/git-receive-pack
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
	at au.net.synergy.wts.security.tools.GitTest.main(GitTest.java:31)
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Re: Authentication failure - No password provided - although password was entered [message #1776863 is a reply to message #1776821] Wed, 22 November 2017 11:00 Go to previous message
Thomas Wolf is currently offline Thomas WolfFriend
Messages: 78
Registered: August 2016
Member
I have never tried to use SPNEGO/Kerberos with Java, so I can't really help with this. But this gives a few more options to set.

See also HTTP/SPNEGO Authentication. Full example including configs.

It sure looks like a time sink. How about ssh? I find that the easiest. Just register a public key at the server, and off you go. Don't know if TFS can do ssh, though.
Previous Topic:Synchronization with FETCH_HEAD does not refresh
Next Topic:New file can't be commit because no symbol '+' or '>' on it
Goto Forum:
  


Current Time: Wed Sep 19 00:14:01 GMT 2018

Powered by FUDForum. Page generated in 0.03005 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top