New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HttpRequestException and then I'm prompted for username #488

Closed
fpintos opened this Issue Sep 11, 2017 · 65 comments

Comments

Projects
None yet
@fpintos
Member

fpintos commented Sep 11, 2017

I've installed git and the cred manager (GCMW-1.12.0) on a brand new AAD-joined Windows system (1703 15063.601).
During Git setup I requested the windows command prompt and enabled the credential manager.
When trying to work against a VSTS repro I see the following message and then I'm prompted for user name/password:

fatal: HttpRequestException encountered.
   An error occurred while sending the request.
fatal: HttpRequestException encountered.
   An error occurred while sending the request.
Username for 'https://<accountname>.visualstudio.com': 

Config shows credential.helper=manager, but the auth dialog never shows up.

In Fiddler I see requests from git-credential-manager which end up failing with 401.

@gistofj

This comment has been minimized.

Contributor

gistofj commented Sep 11, 2017

@fpintos you seem very web / networking literate which should make diagnosis and resolution much easier 😄

First, the best way to collection trace data is to enable tracing. To enable tracing, from a Command Prompt:

  1. Run SET GIT_TRACE=1
  2. Run SET GCM_TRACE=1
  3. Reproduce your issue.

The trace should be emitted directly to the standard error of the console and something you can copy/paste into this thread. Of course, please redact any secret or personally identifiable information contained in the trace before posting. 😏

@fpintos

This comment has been minimized.

Member

fpintos commented Sep 11, 2017

Thanks for the quick turnaround.

Please find the trace in the attached file.
The error that jumps out of it is this:
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The system cannot contact a domain controller to service the authentication request. Please try again later
gitTrace.txt

In Fiddler, the requests show up as going to these:
GET https://login.microsoftonline.com/common/UserRealm/?api-version=1.0
GET https://msft.sts.microsoft.com/adfs/services/trust/mex HTTP/1.1
POST https://msft.sts.microsoft.com/adfs/services/trust/13/windowstransport

The POST request is the one failing.

@fpintos

This comment has been minimized.

Member

fpintos commented Sep 11, 2017

Hum...I've connected to the corp VPN and now it worked.
This seems odd that it would require to be on corpnet to acquire an AAD token.
I should also mention that it acquired the token silently, which in this case was good.

Including trace of successful pull.
gitTrace2.txt

One thing to notice is that this was a new machine, which was AAD-joined fro outside the corp network, and I never ran Git while connected to the corp network before. In fact, I just connected with VPN for the 1st time in this machine just now, after seeing that error about 'domain controller'.

@gistofj

This comment has been minimized.

Contributor

gistofj commented Sep 11, 2017

@fpintos so the GCM attempts non-interactive authentication by default. If the non-interactive fails, it should fall back to interactive.

I've seen situations where a user can be non-interactively authenticated, but cannot access source control without multi-factor interactive authentication. In these cases, the users see errors similar to what you were seeing.

Please let me know if this happens again to you.

@gistofj gistofj closed this Sep 11, 2017

@juarola

This comment has been minimized.

juarola commented Jan 3, 2018

@whoisj @fpintos Hello guys! I had the exact same issue as @fpintos.

Initial situation was that everything was working fine on

  • two vsts git accounts (one of these use corp aad, other does not)
  • github account
  • gitlab account

Then i cloned a new vsts repo (using the same account as the existing non-corp vsts, but as a guest on a different aad) and from the get-go ops on that repo manifested the two HttpRequestExceptions and asking credentials in the command prompt.

While googling i stumbled on this thread and initially dismissed the resolution as "how could it work this way". After banging my head against this for a while, decided to connect via vpn to corp network and try to pull. Got the usual gcm authentication dialog and everything works fine now.

I have no idea whats going on, but thought i'd report in.

@MSchmittnaegel

This comment has been minimized.

MSchmittnaegel commented Jan 4, 2018

I've got something more to add @whoisj

I've experienced the exact same behaviour (Windows 10, AzureAD-joined, VSTS -> HttpRequestException), but even within our corporate network I wasn't able to solve it - until now.

During the last Windows reinstall and the AAD join, Win10 requests to activate Windows Hello and - in my case - activates the fingerprint login. As long as I've logged in to Windows with my fingerprint the Windows session seems somehow to be "Windows Hello Authenticated".

When I'm now doing a Windows sign off and relogin via the good old Windows password, something seems to be different: Now GCM works just as expected (login dialog appears) - but also only when I'm within the corp network or connected via VPN. Just as @fpintos mentioned.

IMHO an interesting point: I've experienced the exact same behaviour when I'm using Hello + connected to corp OR when I'm not using Hello and wasn't connected to corp. It seems to be related to the way the current Windows session is authenticated and maybe has something to do with the single sign on behaviour of Windows.

I'm not an infrastructure guy, so I'm not quite sure about our corp authentication process, but I think we're using something like ADFS or ADConnect, so the actual authentication flow runs against our OnPrem sts.mycorp.com. It seems git/GCM tries to authenticate against the STS but not in a normal way.
It doesn't seems to be like "Hey STS please log me in" but more like "Hey STS here is my single sign on account/token, let me in" and STS just response with 401, so the whole STS-based authentication flow is canceled. Even if this is the expected behaviour to this point, maybe GCM should than request a new/fresh authentication from STS instead of falling back to console username/password.

@gistofj

This comment has been minimized.

Contributor

gistofj commented Jan 5, 2018

@MSchmittnaegel thanks for the feedback, very insightful. 😄 I'd like illuminate some of the darker corners of how the GCM operates so that anyone hitting this issue will be better equipped to assist in finding a root cause.

When the GCM receives a get request from Git, it does a couple things (for this example, we'll assume the request is for VSTS account access):

  1. GCM loads the user's settings, including git-config.
  2. GCM examines the user's settings and the host URL to see if it contains any hints as to which type of authority will be responsible.
  3. When the authority is Azure, the GCM then attempts to distinguish between AAD (Azure Active Directory) and MSA (Microsoft Account).
  4. If the GCM detects AAD, it will attempt to connect via non-interactive authentication, falling back to interactive authentication (this is where the logon dialog comes into play).
  5. If non/interactive authentication is successful, the GCM will use the Azure Authentication Token to acquire a VSTS Personal Access Token (aka PAT) from the visualstudio.com identity service.
  6. Once the GCM has acquired a PAT, it records it in the OS secrets' vault and returns it as credentials to Git.

My hunch is that there's something bad happening during the token exchange to acquire the PAT, and the PAT is somehow invalid or cannot be acquired. The whole Azure/AD/MSA/VSTS/STS interaction model is highly complex and customizatable (almost to a fault), and pinning down the actual root cause of issues like these has proven to be time consuming and difficult.

The symptoms are always significantly more obvious than the actual problem.

Specifically, I believe the OP (@fpintos ) issue is related to the non-interactive authentication portion. In some cases I've seen STS setup to allow users to skip multi-factor authentication because the users complained loudly about it. Which means the user is able to get an Azure token without any interaction at all, however access to IP (like source code) requires multi-factor authentication. Since there's no way for the GCM to know these requirements it tries (and fails) to acquire a PAT with simple, single-factor authentication. The net result is a baffled and frustrated user.

If my hunch is correct, the best solution would be for the network admins to completely disallow single-factor authentication (that's best no matter what anyways).

@vCillusion

This comment has been minimized.

vCillusion commented Jan 30, 2018

I faced the same issue guys, it appears when I have only TLS1.2 enabled on my PC. After enabling TLS 1.1, SSL.x the issue was resolved. For enabling and disabling I used IISCrypto software. Hope that helps the team and other users.

@gistofj

This comment has been minimized.

Contributor

gistofj commented Jan 30, 2018

@vCillusion starting with v1.14.0 the GCM should support TLS 1.2. Have you tried v1.14.0 and leaving TLS 1.1 disabled?

@dvlsg

This comment has been minimized.

dvlsg commented Feb 8, 2018

Updating to v1.14.0 worked for me. I didn't have quite the same error -- or at least it didn't start prompting me for a username. I did get a bunch of fatal: HttpRequestException encountered in a row while trying to use git submodule commands. Top bit of the trace of one of the errors looked like this:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)

I'm not sure what changed to cause the error to start happening, since it was working fine yesterday and I'm not aware of anything that changed. Windows updates of some sort, perhaps? Just using a standard windows login. No AAD, no VPN.

Whatever the case, can confirm v1.14.0 is working for me, and I didn't have to go explicitly enable TLS 1.1.

@VarunChopraAccolite

This comment has been minimized.

VarunChopraAccolite commented Feb 9, 2018

@whoisj I am using the latest version 2.4.1.1219

@gistofj

This comment has been minimized.

Contributor

gistofj commented Feb 9, 2018

@dvlsg the error makes me think you have some kind of proxy running. Something like Telerik Fiddler, a HTTP proxy, or some other "man-in-the-middle" software.

Which version of Windows are you using?

Does any other service fail when using HTTPS? Have you tried Edge, Chrome, or Fire Fox on this machine?

@gistofj

This comment has been minimized.

Contributor

gistofj commented Feb 9, 2018

@whoisj I am using the latest version 2.4.1.1219

Which version of Windows are you using? Does you system support TLS 1.2?

I'm having a problem finding the document I really want to link, but here's a document helping get TLS 1.2 unlocked on older versions of Windows.

@vCillusion

This comment has been minimized.

vCillusion commented Feb 9, 2018

I am using latest Windows 10 as mentioned inline.
OS Name Microsoft Windows 10 Pro
Version 10.0.16299 Build 16299
Yes, it does support TLS 1.2 and works out fine. Please try to use IISCrypto to enable/disable TLS / SSL versions to reproduce the issue. Hope it helps, Let me know for any further information.

@gistofj

This comment has been minimized.

Contributor

gistofj commented Feb 9, 2018

@vCillusion as best I know "IISCrypto" is a server admin package. It should not be necessary in anyway for client software. That said, if it does somehow goad Windows into doing the right thing, then by all means give it a try. 😕

@vCillusion

This comment has been minimized.

vCillusion commented Feb 12, 2018

@whoisj yes IISCrypto just a tool and won't be necessary. The main concern is with TLS 1.2 enabled getting the HTTP request exception

@randyriegel

This comment has been minimized.

randyriegel commented Feb 21, 2018

IISCrypto is just a tool. you can do the same thing it does manually editing the registry. It does make it easier though :) I had to turn TLS1.0 off of our server to be PCI compliant. I clicked checkbox in middle and night rebooted and done :) I changed software before that

@dsyme

This comment has been minimized.

dsyme commented Feb 22, 2018

I just started having this problem out of the blue. I can confirm that upgrading to GCM 1.14.0 worked for me https://github.com/Microsoft/Git-Credential-Manager-for-Windows/releases/tag/v1.14.0

@sebastienros

This comment has been minimized.

sebastienros commented Feb 22, 2018

Same thing here, I followed @dsyme recommendation and it instantly fixed the issue.
I am using GitExtensions GUI and the two factor auth appeared only after updating GCMW.

@shiftkey

This comment has been minimized.

Contributor

shiftkey commented Feb 22, 2018

@dsyme @sebastienros thanks for confirming the fix - GitHub finally turned off some weak crypto standards today and TLS 1.0 was being used by GCM. It needed an update to ensure it used TLS 1.2.

@htkcodes

This comment has been minimized.

htkcodes commented Feb 22, 2018

just installed it..same problem.

EDIT:reopened my terminal..works

@ghhtimsgh1970

This comment has been minimized.

ghhtimsgh1970 commented Feb 22, 2018

We're seeing this issue as well and on at least 2 different machines. Just started happening out of the blue

@ghhtimsgh1970

This comment has been minimized.

ghhtimsgh1970 commented Feb 22, 2018

....looks like GCM fixed it. At least on one of the machines. Still not clear what's going on here or what was fixed. 😕

@shiftkey

This comment has been minimized.

Contributor

shiftkey commented Feb 22, 2018

@ghhtimsgh1970 GitHub has finally disabled some weak crypto standards, and GCM was caught up in this because it was defaulting to TLS 1.0. More details about this are here.

@fredrikkumlin

This comment has been minimized.

fredrikkumlin commented Feb 23, 2018

On Windows just reinstall git to v. 2.16.2 (2018-02-15)

@buffet-time

This comment has been minimized.

buffet-time commented Feb 23, 2018

Can confirm issue started happening earlier today just a few hours ago, and updating GCM to what @dsyme linked to has fixed the issue.

@chakrabar

This comment has been minimized.

chakrabar commented Feb 24, 2018

Suddenly started having this issue from yesterday. VS Code will keep prompting for Git (GitHub) login and it'd fail every time with error

fatal: HttpRequestException encountered.
   An error occurred while sending the request.

I updated to GCM 1.14.0 and VS Code 1.20.1 (Windows 8, x64) and problem fixed.

@Rychu-Pawel

This comment has been minimized.

Rychu-Pawel commented Feb 24, 2018

Updating to VisualStudio15.5.7 also fixes the issue

@gistofj

This comment has been minimized.

Contributor

gistofj commented Feb 24, 2018

Updating to VisualStudio15.5.7 also fixes the issue

Correct, but only for Git operations from within Visual Studio. I know because I am one of the primary maintainers of Visual Studio's Git integration - so yeah, you can blame / praise me for a lot of that. 😀

@q587p

This comment has been minimized.

q587p commented Feb 24, 2018

TortoiseGit suddenly (at this week) start asking for user name/password. Installing v1.14.0 helps, thnx this thread!

@kamilliano

This comment has been minimized.

kamilliano commented Feb 24, 2018

git update to 2.16.2.windows.1 fixed it for me.

@Rychu-Pawel

This comment has been minimized.

Rychu-Pawel commented Feb 24, 2018

Correct, but only for Git operations from within Visual Studio. I know because I am one of the primary maintainers of Visual Studio's Git integration - so yeah, you can blame / praise me for a lot of that.

Yeah, I first fixed git console client by updating it to 2.16.2 as @kamilliano said but surprisingly that didn't fix VS... Had to update it anyway. Strange issue. Fortunately fixed :)

@gistofj

This comment has been minimized.

Contributor

gistofj commented Feb 24, 2018

Yeah, I first fixed git console client by updating it to 2.16.2 as @kamilliano said but surprisingly that didn't fix VS...

Visual Studio doesn't use the installed Git for Windows, it ships with its own internal copy. Hence the issue.

See this issue here : https://developercommunity.visualstudio.com/content/problem/201457/unable-to-connect-to-github-due-to-tls-12-only-cha.html

@mghildiy

This comment has been minimized.

mghildiy commented Feb 25, 2018

Updating to git version 2.16.2.windows.1 worked for me.

@Md-Aman

This comment has been minimized.

Md-Aman commented Feb 25, 2018

@stuartcusackie

This comment has been minimized.

stuartcusackie commented Feb 26, 2018

This just happened to me over the last few days on Windows 10 and gitbash.

Instantly fixed by installing the latest Git Credential Manager for windows as recommended by @dsyme

Thanks!

@nicolasrivadeneira

This comment has been minimized.

nicolasrivadeneira commented Feb 26, 2018

I have a similar mistake. Everything was right until last week.
If i try to execute some git command i get always the next:
An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel

@gistofj

This comment has been minimized.

Contributor

gistofj commented Feb 26, 2018

@nicolasrivadeneira and I assume you've tried updating GCM and/or Git for Windows to resolve the issue?

@aflansburg

This comment has been minimized.

aflansburg commented Feb 26, 2018

Had this issue as well on Windows 7 x64 - confirming that updating to 2.16.2.windows.1 fixes the issue (had to re-cache my credentials as well, I'm assuming this has to do with the turning off of the weaker crypto standards.

@miguel-otero-calderon

This comment has been minimized.

miguel-otero-calderon commented Feb 26, 2018

Install
https://github.com/Microsoft/Git-Credential-Manager-for-Windows/releases/tag/v1.14.0
after reset git extensions.
resolved error.

@DollarAkshay

This comment has been minimized.

DollarAkshay commented Mar 2, 2018

Trying to download Git for Windows at 11 KB/s ... 😑

@stephengardner

This comment has been minimized.

stephengardner commented Mar 3, 2018

Good news - installing the latest version takes care of everything - no need to delete old versions or update PATH variables :)

https://git-scm.com/download/win

@frogr

This comment has been minimized.

frogr commented Mar 3, 2018

Yep! started having this issue recently and updating GCM fixed it. Thanks so much!

@chetanthambad

This comment has been minimized.

chetanthambad commented Mar 5, 2018

Update ur gitBash from : https://git-scm.com/download/win

@adrientetar

This comment has been minimized.

adrientetar commented Mar 11, 2018

I just hit this issue and spent a couple minutes retrying because no clear error message was shown ; it'd be great if more detailed error messages could be shown in such cases.

@kishorkumarsaini

This comment has been minimized.

kishorkumarsaini commented Mar 18, 2018

Can't finish GitHub sharing process
Successfully created project 'MyCalculator' on GitHub, but initial push failed:
HttpRequestException encountered.
remote: error: GH007: Your push would publish a private email address.
failed to push some refs to 'https://github.com/kishorkumarsaini/MyCalculator.git'
how to solve this error

@gistofj

This comment has been minimized.

Contributor

gistofj commented Mar 18, 2018

@kishorkumarsaini the error message you're seeing is unrelated to authentication. Some service is telling you that the content you're attempting to push contains an email address that you likely do not want to share.

@shiftkey

This comment has been minimized.

Contributor

shiftkey commented Mar 18, 2018

@kishorkumarsaini please read the GitHub documentation about this setting - some commits on your branch have an email address that you've marked as private on GitHub, so the server is blocking your push to prevent this leaking out.

@MuhammadUmairghufran

This comment has been minimized.

MuhammadUmairghufran commented Mar 29, 2018

I'm facing same problem

@fartzy

This comment has been minimized.

fartzy commented Mar 29, 2018

I also installed GCMW-1.14.0.exe and the issue went away. https://github.com/Microsoft/Git-Credential-Manager-for-Windows/releases/tag/v1.14.0

@Nerwo1100

This comment has been minimized.

Nerwo1100 commented May 2, 2018

I installed GCMW-1.14.0.exe and the issue is gone. https://github.com/Microsoft/Git-Credential-Manager-for-Windows/releases/tag/v1.14.0

@craig-acutest

This comment has been minimized.

craig-acutest commented May 3, 2018

Installing GCMW-1.14.0.exe works correctly, but make sure to restart your machine, as didn't work until i did so.

@vcx

This comment has been minimized.

vcx commented May 25, 2018

Had the same issues today, turned the flags and saw the same logs described here: #488 (comment)

Looks like the issue returned. I was running both Git (2.17) and GCM (1.16) latest in a fresh install of Windows 10 1803 in a AAD-joined machine. Connecting to the VPN once (so it could try to locate the domain controller) made the problem disappear.

@gistofj

This comment has been minimized.

Contributor

gistofj commented May 25, 2018

@vcx would you capture a Fiddler trace of the problem?

Is your Git configured to use Secure Channel (aka http.sslbackend=schannel)? If not, you'll likely want to experiment with that option as well.

@savolkov

This comment has been minimized.

savolkov commented Jun 14, 2018

Had same error on version 2.14.1, updated to 2.17.1 and now everything is fine. Maybe it'll help someone out

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment