microsoft / Git-Credential-Manager-for-Windows

Secure Git credential storage for Windows with support for Visual Studio Team Services, GitHub, and Bitbucket multi-factor authentication.
Other
2.87k stars 590 forks source link

Doesn't prompt on VSO #354

Closed alexschneider-ms closed 7 years ago

alexschneider-ms commented 7 years ago

I've looked through other issues like #351 and #337 but none of the advice given there worked for me.

Follows is the GIT_LOG/GCM_LOG:

16:23:18.184657 git.c:349               trace: built-in: git 'clone' 'https://<snip>.visualstudio.com/<snip>'
Cloning into '<snip>'...
16:23:18.202651 run-command.c:336       trace: run_command: 'git-remote-https' 'origin' 'https://<snip>.visualstudio.com/<snip>'
16:23:18.629131 run-command.c:336       trace: run_command: 'git credential-manager get'
16:23:18.806027 git.c:563               trace: exec: 'git-credential-manager' 'get'
16:23:18.806027 run-command.c:336       trace: run_command: 'git-credential-manager' 'get'
16:23:18.843009 ...\Program.cs:656      trace: [Main] git-credential-manager (v1.8.1) 'get'
16:23:18.876533 ...Configuration.cs:200 trace: [LoadGitConfiguration] git portable config read, 11 entries.
16:23:18.898550 ...\Where.cs:255        trace: [FindGitInstallations] found 1 Git installation(s).
16:23:18.899532 ...Configuration.cs:216 trace: [LoadGitConfiguration] git global config read, 15 entries.
16:23:18.904546 ...\Program.cs:1130     trace: [TryReadBoolean] modalPrompt = 'true'.
16:23:18.911551 ...\Program.cs:367      trace: [CreateAuthentication] detecting authority type for 'https://<snip>.visualstudio.com/'.
16:23:18.913552 ...uthentication.cs:192 trace: [DetectAuthority] 'https://<snip>.visualstudio.com/' is subdomain of 'visualstudio.com', checking AAD vs MSA.
16:23:19.210700 ...uthentication.cs:273 trace: [GetAuthentication] AAD authority for tenant '<snip>' detected.
16:23:19.254212 ...\Program.cs:408      trace: [CreateAuthentication] authority for 'https://<snip>.visualstudio.com/' is Azure Directory.
16:23:19.306844 ...zureAuthority.cs:172 trace: [NoninteractiveAcquireToken] token acquisition for authority host URL = 'https://login.microsoftonline.com/<snip>' succeeded.
16:23:19.307847 ...uthentication.cs:147 trace: [NoninteractiveLogon] token acquisition for 'https://<snip>.visualstudio.com/' succeeded
16:23:19.318844 ...zureAuthority.cs:295 trace: [GetConnectionDataRequest] validating adal access token for 'https://<snip>.visualstudio.com/'.
16:23:19.318844 ...zureAuthority.cs:120 trace: [PopulateTokenTargetId] access token end-point is 'GET' 'https://<snip>.visualstudio.com/_apis/connectiondata'.
16:23:19.387524 ...zureAuthority.cs:144 trace: [PopulateTokenTargetId] target identity is <snip>.
16:23:19.634636 ...zureAuthority.cs:389 trace: [GetAccessTokenRequestBody] creating access token scoped to 'vso.code_write vso.packaging' for '<snip>'
16:23:20.048865 ...AzureAuthority.cs:87 trace: [GeneratePersonalAccessToken] personal access token acquisition for 'https://<snip>.visualstudio.com/' succeeded.
16:23:20.050446 ...uthentication.cs:169 trace: [GeneratePersonalAccessToken] personal access token created for 'https://<snip>.visualstudio.com/'.
16:23:20.056424 ...seSecureStore.cs:204 trace: [WriteCredential] credentials for 'git:https://<snip>.visualstudio.com' written to store.
16:23:20.059926 ...zureAuthority.cs:172 trace: [ValidateCredentials] validating credentials against 'https://<snip>.visualstudio.com/_apis/connectiondata'.
16:23:20.181383 ...zureAuthority.cs:178 trace: [ValidateCredentials] server returned: 'OK'.
16:23:20.181383 ...\Program.cs:1015     trace: [QueryCredentials] credentials for 'https://<snip>.visualstudio.com/' found.
16:23:20.182404 ...\Program.cs:186      trace: [LogEvent] Azure Directory credentials  for 'https://<snip>.visualstudio.com/' successfully retrieved.
16:23:20.459513 run-command.c:336       trace: run_command: 'git credential-manager erase'
16:23:20.540608 git.c:563               trace: exec: 'git-credential-manager' 'erase'
16:23:20.541608 run-command.c:336       trace: run_command: 'git-credential-manager' 'erase'
16:23:20.578638 ...\Program.cs:656      trace: [Main] git-credential-manager (v1.8.1) 'erase'
16:23:20.608629 ...Configuration.cs:200 trace: [LoadGitConfiguration] git portable config read, 11 entries.
16:23:20.629630 ...\Where.cs:255        trace: [FindGitInstallations] found 1 Git installation(s).
16:23:20.629630 ...Configuration.cs:216 trace: [LoadGitConfiguration] git global config read, 15 entries.
16:23:20.635641 ...\Program.cs:1130     trace: [TryReadBoolean] modalPrompt = 'true'.
16:23:20.640641 ...\Program.cs:367      trace: [CreateAuthentication] detecting authority type for 'https://<snip>.visualstudio.com/'.
16:23:20.641632 ...uthentication.cs:192 trace: [DetectAuthority] 'https://<snip>.visualstudio.com/' is subdomain of 'visualstudio.com', checking AAD vs MSA.
16:23:20.997129 ...uthentication.cs:273 trace: [GetAuthentication] AAD authority for tenant '<snip>' detected.
16:23:21.064112 ...\Program.cs:408      trace: [CreateAuthentication] authority for 'https://<snip>.visualstudio.com/' is Azure Directory.
16:23:21.064112 ...\Program.cs:464      trace: [DeleteCredentials] deleting VSTS credentials for 'https://<snip>.visualstudio.com/'.
16:23:21.072115 ...seSecureStore.cs:133 trace: [ReadCredentials] credentials for 'git:https://<snip>.visualstudio.com' read from store.
16:23:21.074117 ...aseSecureStore.cs:58 trace: [Delete] credentials for 'git:https://<snip>.visualstudio.com' deleted from store.
16:23:21.088100 run-command.c:336       trace: run_command: 'git credential-manager erase'
16:23:21.125101 git.c:563               trace: exec: 'git-credential-manager' 'erase'
16:23:21.126100 run-command.c:336       trace: run_command: 'git-credential-manager' 'erase'
16:23:21.209664 ...\Program.cs:656      trace: [Main] git-credential-manager (v1.8.1) 'erase'
16:23:21.241581 ...Configuration.cs:200 trace: [LoadGitConfiguration] git portable config read, 11 entries.
16:23:21.262615 ...\Where.cs:255        trace: [FindGitInstallations] found 1 Git installation(s).
16:23:21.263116 ...Configuration.cs:216 trace: [LoadGitConfiguration] git global config read, 15 entries.
16:23:21.268124 ...\Program.cs:1130     trace: [TryReadBoolean] modalPrompt = 'true'.
16:23:21.273138 ...\Program.cs:367      trace: [CreateAuthentication] detecting authority type for 'https://<snip>.visualstudio.com/'.
16:23:21.275123 ...uthentication.cs:192 trace: [DetectAuthority] 'https://<snip>.visualstudio.com/' is subdomain of 'visualstudio.com', checking AAD vs MSA.
16:23:21.524072 ...uthentication.cs:273 trace: [GetAuthentication] AAD authority for tenant '<snip>' detected.
16:23:21.562088 ...\Program.cs:408      trace: [CreateAuthentication] authority for 'https://<snip>.visualstudio.com/' is Azure Directory.
16:23:21.562088 ...\Program.cs:464      trace: [DeleteCredentials] deleting VSTS credentials for 'https://<snip>.visualstudio.com/'.
fatal: Authentication failed for 'https://<snip>.visualstudio.com/<snip>/'

And git config --list --show-origin

file:"C:\\ProgramData/Git/config"       core.symlinks=false
file:"C:\\ProgramData/Git/config"       core.autocrlf=true
file:"C:\\ProgramData/Git/config"       core.fscache=true
file:"C:\\ProgramData/Git/config"       color.diff=auto
file:"C:\\ProgramData/Git/config"       color.status=auto
file:"C:\\ProgramData/Git/config"       color.branch=auto
file:"C:\\ProgramData/Git/config"       color.interactive=true
file:"C:\\ProgramData/Git/config"       help.format=html
file:"C:\\ProgramData/Git/config"       http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
file:"C:\\ProgramData/Git/config"       diff.astextplain.textconv=astextplain
file:"C:\\ProgramData/Git/config"       rebase.autosquash=true
file:"C:\\Program Files\\Git\\mingw64/etc/gitconfig"    credential.helper=manager
file:C:/Users/<snip>/.gitconfig       credential.modalprompt=true
file:C:/Users/<snip>/.gitconfig       credential.helper=manager
file:C:/Users/<snip>/.gitconfig       gui.recentrepo=E:/<snip>
file:C:/Users/<snip>/.gitconfig       http.emptyauth=true
whoisj commented 7 years ago

Looks like the following is happening:

  1. Get request to get credentials for a given host.
  2. Host is detected to be "visualstudio.com" and Azure Authentication is detected as the authority.
  3. NonInteractive authentication is attempted and succeeds; and Azure token is acquired.
  4. The Azure authentication token is exchanged for a scoped VSTS personal access token.
  5. The token is copied to secure storage.
  6. The token is given to the requester (likely git.exe).
  7. Get request to erase credentials for a given host.
  8. Host is detected to be "visualstudio.com" and Azure Authentication is detected as the authority.
  9. The token is deleted from secure storage.

Git is asking for credentials that it can stuff into a basic authentication header as part of the HTTPS request. The GCM is using Azure to authenticate you as "you", and getting a VSTS specific scoped token to hand back to Git. Git is using the token, but failing to perform an action you've requested against the remote. Git asks the GCM to delete the token because Git thinks it is invalid.

Is it possible that while you are "you", you do not have privileges necessary with regards to the target remote?