I recently upgraded from on-prem TFS 2013 to TFS 2017 (update 3). As part of the upgrade \ migration to new servers we switched from using port 8080 to port 443 (https).
We have an old RHEL 6.8 machine which we've been using as a build server for a small number of Java projects using Git. The server is running git 1.7.1 (which ships with RHEL 6) and we are no longer able to clone \ pull \ push the Git repos hosted in TFS.
FYI - I'm using export GIT_CURL_VERBOSE=1 to beef up the logging.
My initial problem was that Git didn't trust the certificate from my company's internal CA ("Peer's certificate issuer is not recognized"). I fixed that by adding the internal cert to my ca-bundle.crt.
With that resolved I now get a 401 Unauthorized error that I cannot figure out. I am able to use cURL to authenticate to the exact same URLs as long as I provide the --ntlm switch. Git appears to be using NTLM but for whatever reason it refuses to work.
-sh-4.1$ curl -k -u 'DOMAIN\username' --ntlm https://tfs.mycompany.com/tfs/TeamProjectCollection/TeamProjectName/_git/reponame/info/refs?service=git-upload-pack
Enter host password for user 'DOMAIN\username':
001e# service=git-upload-pack
000000a5d9f0c36ca42f5a65fc80bd39162b40b472e06c1b HEAD multi_ack thin-pack side-band side-band-64k no-progress multi_ack_detailed no-done shallow allow-tip-sha1-in-want
003fd9f0c36ca42f5a65fc80bd39162b40b472e06c1b refs/heads/master
0000
-sh-4.1$ curl -k -u 'DOMAIN\username' --ntlm https://tfs.mycompany.com/tfs/TeamProjectCollection/TeamProjectName/_git/reponame/info/refs
Enter host password for user 'DOMAIN\username':
d9f0c36ca42f5a65fc80bd39162b40b472e06c1b refs/heads/master
But when trying to clone using the following commands I get 401. We were using the http://DOMAIN\username@tfs.mycompany.com:8080 syntax before the upgrade with TFS 2013 and it was working. I remember we had to turn on Basic Auth for that. However, after the upgrade to TFS 2017 it no longer works regardless of whether Basic Auth is enabled or not.
-sh-4.1$ git clone 'https://DOMAIN\username@tfs.mycompany.com/tfs/TeamProjectCollection/TeamProject/_git/reponame'
Initialized empty Git repository in /home/username/git/reponame/.git/
Password:
* Couldn't find host tfs.mycompany.com in the .netrc file; using defaults
* About to connect() to tfs.mycompany.com port 443 (#0)
* Trying 10.131.44.190... * Connected to tfs.mycompany.com (10.131.44.190) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /home/username/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=tfs.mycompany.com,OU=IT,O=Company Name,L=Chicago,ST=IL,C=US
* start date: Jun 05 18:12:59 2018 GMT
* expire date: Jun 04 18:12:59 2020 GMT
* common name: tfs.mycompany.com
* issuer: CN=MYCOMPANY-ADIssuingCA01,DC=ad,DC=mycompany,DC=org
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.1
Host: tfs.mycompany.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: 624831c6-b5e1-4f34-a100-404f077c0fbe
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< ActivityId: b38e342d-14ed-4c62-9718-a96c8d5fe14c
< X-TFS-Session: b38e342d-14ed-4c62-9718-a96c8d5fe14c
< X-VSS-E2EID: b38e342d-14ed-4c62-9718-a96c8d5fe14c
< X-FRAME-OPTIONS: SAMEORIGIN
< X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
< X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Tue, 19 Jun 2018 15:21:16 GMT
< Content-Length: 20181
<
* Ignoring the response-body
* Connection #0 to host tfs.mycompany.com left intact
* Issue another request to this URL: 'https://DOMAIN\username@tfs.mycompany.com/tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack'
* Couldn't find host tfs.mycompany.com in the .netrc file; using defaults
* Re-using existing connection! (#0) with host tfs.mycompany.com
* Connected to tfs.mycompany.com (10.131.44.190) port 443 (#0)
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.1
Host: tfs.mycompany.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: 624831c6-b5e1-4f34-a100-404f077c0fbe
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< ActivityId: b38e34c0-14ed-4c62-9718-a96c8d5fe14c
< X-TFS-Session: b38e34c0-14ed-4c62-9718-a96c8d5fe14c
< X-VSS-E2EID: b38e34c0-14ed-4c62-9718-a96c8d5fe14c
< X-FRAME-OPTIONS: SAMEORIGIN
< X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
< X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
* gss_init_sec_context() failed: : Server not found in Kerberos database< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Tue, 19 Jun 2018 15:21:16 GMT
< Content-Length: 20181
* The requested URL returned error: 401
* Closing connection #0
* Couldn't find host tfs.mycompany.com in the .netrc file; using defaults
* About to connect() to tfs.mycompany.com port 443 (#0)
* Trying 10.131.44.190... * Connected to tfs.mycompany.com (10.131.44.190) port 443 (#0)
* CAfile: /home/username/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=tfs.mycompany.com,OU=IT,O=Company Name,L=Chicago,ST=IL,C=US
* start date: Jun 05 18:12:59 2018 GMT
* expire date: Jun 04 18:12:59 2020 GMT
* common name: tfs.mycompany.com
* issuer: CN=MYCOMPANY-ADIssuingCA01,DC=ad,DC=mycompany,DC=org
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs HTTP/1.1
User-Agent: git/1.7.1
Host: tfs.mycompany.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: 624831c6-b5e1-4f34-a100-404f077c0fbe
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< ActivityId: b38fcb66-14ed-4c62-9718-a96c8d5fe14c
< X-TFS-Session: b38fcb66-14ed-4c62-9718-a96c8d5fe14c
< X-VSS-E2EID: b38fcb66-14ed-4c62-9718-a96c8d5fe14c
< X-FRAME-OPTIONS: SAMEORIGIN
< X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
< X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
* gss_init_sec_context() failed: : Server not found in Kerberos database< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Tue, 19 Jun 2018 15:21:16 GMT
< Content-Length: 20153
* The requested URL returned error: 401
* Closing connection #0
error: The requested URL returned error: 401 while accessing https://DOMAIN\username@tfs.mycompany.com/tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs
fatal: HTTP request failed
I am going to have our Linux admins upgrade the version of Git on this server as I know it's really outdated. I'm hoping this will fix this... but aside from that I am basically stuck on this issue and have no idea how to resolve it.
The solution to this was to upgrade Git to the latest version available via Yum from the authorized RHEL distro. Git 1.7.1 was just plain not able to talk to TFS git repos over HTTPS even when we added our internal root cert to the ca-bundle.crt.
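An added example, not part of the original post: a small Python parser for GIT_CURL_VERBOSE output like the trace above. For each request it reports which schemes the server offered in WWW-Authenticate, whether the client sent an Authorization header at all, and any GSS-API failure, including the case where curl prints that failure fused onto a header line. The sample trace is constructed and abridged; the host tfs.example.test and the function names are assumptions.

```python
import re
# Constructed sample, abridged to the shape of the trace in the post.
SAMPLE_TRACE = """\
> GET /tfs/Collection/_git/repo/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="https://tfs.example.test/tfs"
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
> GET /tfs/Collection/_git/repo/info/refs?service=git-upload-pack HTTP/1.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="https://tfs.example.test/tfs"
* gss_init_sec_context() failed: : Server not found in Kerberos database< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
* The requested URL returned error: 401
"""

REQ = re.compile(r"^> ([A-Z]+ \S+ HTTP/\S+)")               # request line only
OFFER = re.compile(r"< WWW-Authenticate:\s*(\S+)", re.I)    # unanchored: may be fused
SENT = re.compile(r"^(?:> )?Authorization:\s*(\S+)", re.I)  # scheme only, never the secret
STATUS = re.compile(r"^< HTTP/\d(?:\.\d)? (\d{3})")
GSS = re.compile(r"\* (gss_init_sec_context\(\) failed:[^<]*)")

def parse_trace(text):
    """Group a curl verbose trace into one dict per HTTP request."""
    exchanges = []
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            exchanges.append(dict(request=m.group(1), sent=None, status=None,
                                  offered=[], gss_errors=[]))
        elif exchanges:  # ignore TLS/connection chatter before the first request
            cur = exchanges[-1]
            for rx, key in ((SENT, "sent"), (STATUS, "status")):
                hit = rx.match(line)
                if hit and cur[key] is None:
                    cur[key] = hit.group(1)
            cur["offered"] += OFFER.findall(line)
            cur["gss_errors"] += [e.strip() for e in GSS.findall(line)]
    return exchanges

def diagnose(exchanges):
    findings = []
    for i, ex in enumerate(exchanges, 1):
        if ex["status"] == "401":
            findings.append(f"request {i}: 401, Authorization sent: {ex['sent'] or 'none'}; "
                            f"server offered {', '.join(ex['offered'])}")
        findings += [f"request {i}: GSS-API (Negotiate) setup failed: {e}" for e in ex["gss_errors"]]
    return findings
```

Pass it the captured stderr of a failing git command run with GIT_CURL_VERBOSE=1 and print the list returned by diagnose(parse_trace(text)).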