using Windows Authentication fails for version > 1.8.1.2-preview20130201

[SoonDead]

We have been using a Bonobo Git server internally which is configured to use Windows Authentication. This means that the IIS serving urls like http://git.local/Project.git/ is configured to use Windows Authentication as well.

For a while now we are able to use our Active Directory accounts to simply authenticate through IIS in Git Bash. This is convenient.

With version 1.8.1.2-preview20130201 the process worked seamlessly. No further configuration was needed.

After someone updated to a newer msysgit version he was unable to authenticate to the server. The request didn't get through the Windows Authentication configured through IIS, it seemed it did not try to complete the challenge at all.

So we reverted to the old version and have been postponing the update since, but now it has already been 1.5 years, so an update may be in order.

I'm not sure what else should I report about the process, what logs/messages should I include in this bug report, but I'm willing to provide any information available.

This was reported on the old bug tracker (back when the project was on google code), but I was not following the life-cycle of the ticket.

[t-b]

The old issues are archived here.

I have no experience using Windows authentication. But this looks like a curl issue.

[t-b]

Please check if the bug was introduced with the next release, https://github.com/msysgit/msysgit/releases/tag/Git-1.8.3-preview20130601.

If yes, have a look at the changes between these two releases https://github.com/msysgit/msysgit/compare/Git-1.8.1.2-preview20130201...Git-1.8.3-preview20130601 and try to revert some of them. I would expect that the curl update broke your setup, but this is only a wild guess.

[SoonDead]

I can confirm that the bug was introduced in 1.8.3-preview20130601 .

It works with 1.8.1.2, but does not 1.8.3, as I get "Authentication Failed".

I'm not sure about cherry-picking and reverting (is this an inverse cherry-pick?) specific commits. Also can you point me to a guide on building this project and using custom builds? I only ever used msysgit by it's installer.

[dscho]

I can confirm that the bug was introduced in 1.8.3-preview20130601 .

Please follow @t-b's very helpful instructions. Just mentioning that one major version fails when the previous one works is unfortunately not helping: it does not address any information that is still missing.

I'm not sure about cherry-picking and reverting (is this an inverse cherry-pick?) specific commits. Also can you point me to a guide on building this project and using custom builds? I only ever used msysgit by it's installer.

Well, step n˚ 1 is to download and install the development environment msysGit.

The next step is to figure out whether @t-b's hunch is correct, i.e. whether an upgrade of cURL broke things. To do that, determine which commits updated cURL: git log mingw/bin/libcurl.dll. Then, revert them in reverse chronological order, i.e. newest first. Test after every revert to find out whether the Windows authentication works again. Of course you need to test this with the Git provided by msysGit, i.e. inside the msysGit Bash.

Once you found out which of those commits, if any, reinstated Windows authentication, you will need to look at the commit(s) previous to the most recently reverted one, to find out whether there have been any suspicious changes in the configuration of the cURL build. Since we were pretty strict about providing a script to build cURL, it is easy to rebuild cURL, and of course you can also change any of the build options, hopefully finding one that fixes things again.

[SoonDead]

The versions I tried (in chronological order).

Checking out and building https://github.com/msysgit/msysgit/commit/c65f85dd11fc825fccf4834ff8d0034bf6618041 (tagged 1.8.1.2) seems to handle Windows Authentication well.

Checking out https://github.com/msysgit/msysgit/commit/d0710244fbe78191351207eb6ceea802c4c354d2 seems to straitout crash on the operations I tried (pull, clone).

Checking out https://github.com/msysgit/msysgit/commit/c9d8242620812995c467fe4aa7f4ffc40edf7334 and onwards seem to throw the Authentication failed error just like the current one.

Also trying to link libcurl 7.26.0 to the current master and building it handles Windows Authentication fine. Here are the files I have modified in the current master. (Basically copied the files from https://github.com/msysgit/msysgit/commit/c65f85dd11fc825fccf4834ff8d0034bf6618041 )

It seems that the required functionality broke with installing curl 7.28.1

I was not able to build curl itself let alone fiddling with it's build options, but the only commit (apart from the ones mentioned above) I found related to this is https://github.com/msysgit/msysgit/commit/37e42ab860ae555d2ba4b0e3e014a0bc6860f0d5 where the dll is renamed.

[t-b]

What problems did you had building curl? I just executed

<open msysgit shell with msys.bat>
git checkout master
git pull
cd /src/curl/
rm -rf curl-*
./release.sh

and had a newly compiled curl.

[SoonDead]

Somehow it exited saying it was not able to download curl and when I downloaded curl manually and unzipped it there, it said that it couldn't apply patches.

I'm able to build curl now.

I have tried the following:

1. Build curl 7.26.0 by modifying the patches to the version in https://github.com/msysgit/msysgit/commit/c65f85dd11fc825fccf4834ff8d0034bf6618041
2. Cleaned+Rebuilt the newest git.
3. msysgit was not able to get through windows authentication.

In contrast, overwriting the built curl files with the ones in the zip I linked (packaged from https://github.com/msysgit/msysgit/commit/c65f85dd11fc825fccf4834ff8d0034bf6618041), and rebuilding git worked fine, I was able to get through windows authentication.

I'm really not sure what is the cause of this difference.

[dscho]

@SoonDead maybe running GIT_CURL_VERBOSE=1 GIT_TRACE=1 git push ... 2>&1 | tee log.txt with both the working and the non-working Git, and then diff'ing the log.txt files would shed light into things. Note: you really want to analyze this yourself as there might be potentially compromising information in that log.

[alexchandel]

This issue forces Bonobo-Git-Server to employ an inconvenient workaround for Windows authentication. :+1:

[dscho]

@SoonDead @alexchandel please try again with Git for Windows 2.x. If the problem persists, we will need an easy way to reproduce. Once you have that, please open a new ticket there.

[SoonDead]

Git for Windows 2.5 seems to be working fine with Windows Authentication.

Thanks for fixing this.

[dscho]

Thanks for testing!