HttpRequestException and then I'm prompted for username

[fpintos]

I've installed git and the cred manager (GCMW-1.12.0) on a brand new AAD-joined Windows system (1703 15063.601).
During Git setup I requested the windows command prompt and enabled the credential manager.
When trying to work against a VSTS repro I see the following message and then I'm prompted for user name/password:

fatal: HttpRequestException encountered.
   An error occurred while sending the request.
fatal: HttpRequestException encountered.
   An error occurred while sending the request.
Username for 'https://<accountname>.visualstudio.com': 

Config shows credential.helper=manager, but the auth dialog never shows up.

In Fiddler I see requests from git-credential-manager which end up failing with 401.

[whoisj]

@fpintos you seem very web / networking literate which should make diagnosis and resolution much easier 😄

First, the best way to collection trace data is to enable tracing. To enable tracing, from a Command Prompt:

1. Run SET GIT_TRACE=1
2. Run SET GCM_TRACE=1
3. Reproduce your issue.

The trace should be emitted directly to the standard error of the console and something you can copy/paste into this thread. Of course, please redact any secret or personally identifiable information contained in the trace before posting. 😏

[fpintos]

Thanks for the quick turnaround.

Please find the trace in the attached file.
The error that jumps out of it is this:
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The system cannot contact a domain controller to service the authentication request. Please try again later
gitTrace.txt

In Fiddler, the requests show up as going to these:
GET https://login.microsoftonline.com/common/UserRealm/?api-version=1.0
GET https://msft.sts.microsoft.com/adfs/services/trust/mex HTTP/1.1
POST https://msft.sts.microsoft.com/adfs/services/trust/13/windowstransport

The POST request is the one failing.

[fpintos]

Hum...I've connected to the corp VPN and now it worked.
This seems odd that it would require to be on corpnet to acquire an AAD token.
I should also mention that it acquired the token silently, which in this case was good.

Including trace of successful pull.
gitTrace2.txt

One thing to notice is that this was a new machine, which was AAD-joined fro outside the corp network, and I never ran Git while connected to the corp network before. In fact, I just connected with VPN for the 1st time in this machine just now, after seeing that error about 'domain controller'.

[whoisj]

@fpintos so the GCM attempts non-interactive authentication by default. If the non-interactive fails, it should fall back to interactive.

I've seen situations where a user can be non-interactively authenticated, but cannot access source control without multi-factor interactive authentication. In these cases, the users see errors similar to what you were seeing.

Please let me know if this happens again to you.

[juarola]

@whoisj @fpintos Hello guys! I had the exact same issue as @fpintos.

Initial situation was that everything was working fine on

• two vsts git accounts (one of these use corp aad, other does not)
• github account
• gitlab account

Then i cloned a new vsts repo (using the same account as the existing non-corp vsts, but as a guest on a different aad) and from the get-go ops on that repo manifested the two HttpRequestExceptions and asking credentials in the command prompt.

While googling i stumbled on this thread and initially dismissed the resolution as "how could it work this way". After banging my head against this for a while, decided to connect via vpn to corp network and try to pull. Got the usual gcm authentication dialog and everything works fine now.

I have no idea whats going on, but thought i'd report in.

[MSchmittnaegel]

I've got something more to add @whoisj

I've experienced the exact same behaviour (Windows 10, AzureAD-joined, VSTS -> HttpRequestException), but even within our corporate network I wasn't able to solve it - until now.

During the last Windows reinstall and the AAD join, Win10 requests to activate Windows Hello and - in my case - activates the fingerprint login. As long as I've logged in to Windows with my fingerprint the Windows session seems somehow to be "Windows Hello Authenticated".

When I'm now doing a Windows sign off and relogin via the good old Windows password, something seems to be different: Now GCM works just as expected (login dialog appears) - but also only when I'm within the corp network or connected via VPN. Just as @fpintos mentioned.

IMHO an interesting point: I've experienced the exact same behaviour when I'm using Hello + connected to corp OR when I'm not using Hello and wasn't connected to corp. It seems to be related to the way the current Windows session is authenticated and maybe has something to do with the single sign on behaviour of Windows.

I'm not an infrastructure guy, so I'm not quite sure about our corp authentication process, but I think we're using something like ADFS or ADConnect, so the actual authentication flow runs against our OnPrem sts.mycorp.com. It seems git/GCM tries to authenticate against the STS but not in a normal way.
It doesn't seems to be like "Hey STS please log me in" but more like "Hey STS here is my single sign on account/token, let me in" and STS just response with 401, so the whole STS-based authentication flow is canceled. Even if this is the expected behaviour to this point, maybe GCM should than request a new/fresh authentication from STS instead of falling back to console username/password.

[whoisj]

@MSchmittnaegel thanks for the feedback, very insightful. 😄 I'd like illuminate some of the darker corners of how the GCM operates so that anyone hitting this issue will be better equipped to assist in finding a root cause.

When the GCM receives a get request from Git, it does a couple things (for this example, we'll assume the request is for VSTS account access):

1. GCM loads the user's settings, including git-config.
2. GCM examines the user's settings and the host URL to see if it contains any hints as to which type of authority will be responsible.
3. When the authority is Azure, the GCM then attempts to distinguish between AAD (Azure Active Directory) and MSA (Microsoft Account).
4. If the GCM detects AAD, it will attempt to connect via non-interactive authentication, falling back to interactive authentication (this is where the logon dialog comes into play).
5. If non/interactive authentication is successful, the GCM will use the Azure Authentication Token to acquire a VSTS Personal Access Token (aka PAT) from the visualstudio.com identity service.
6. Once the GCM has acquired a PAT, it records it in the OS secrets' vault and returns it as credentials to Git.

My hunch is that there's something bad happening during the token exchange to acquire the PAT, and the PAT is somehow invalid or cannot be acquired. The whole Azure/AD/MSA/VSTS/STS interaction model is highly complex and customizatable (almost to a fault), and pinning down the actual root cause of issues like these has proven to be time consuming and difficult.

The symptoms are always significantly more obvious than the actual problem.

Specifically, I believe the OP (@fpintos ) issue is related to the non-interactive authentication portion. In some cases I've seen STS setup to allow users to skip multi-factor authentication because the users complained loudly about it. Which means the user is able to get an Azure token without any interaction at all, however access to IP (like source code) requires multi-factor authentication. Since there's no way for the GCM to know these requirements it tries (and fails) to acquire a PAT with simple, single-factor authentication. The net result is a baffled and frustrated user.

If my hunch is correct, the best solution would be for the network admins to completely disallow single-factor authentication (that's best no matter what anyways).

[vCillusion]

I faced the same issue guys, it appears when I have only TLS1.2 enabled on my PC. After enabling TLS 1.1, SSL.x the issue was resolved. For enabling and disabling I used IISCrypto software. Hope that helps the team and other users.

[whoisj]

@vCillusion starting with v1.14.0 the GCM should support TLS 1.2. Have you tried v1.14.0 and leaving TLS 1.1 disabled?

[dvlsg]

Updating to v1.14.0 worked for me. I didn't have quite the same error -- or at least it didn't start prompting me for a username. I did get a bunch of fatal: HttpRequestException encountered in a row while trying to use git submodule commands. Top bit of the trace of one of the errors looked like this:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)

I'm not sure what changed to cause the error to start happening, since it was working fine yesterday and I'm not aware of anything that changed. Windows updates of some sort, perhaps? Just using a standard windows login. No AAD, no VPN.

Whatever the case, can confirm v1.14.0 is working for me, and I didn't have to go explicitly enable TLS 1.1.

[VarunChopraAccolite]

@whoisj I am using the latest version 2.4.1.1219

[whoisj]

@dvlsg the error makes me think you have some kind of proxy running. Something like Telerik Fiddler, a HTTP proxy, or some other "man-in-the-middle" software.

Which version of Windows are you using?

Does any other service fail when using HTTPS? Have you tried Edge, Chrome, or Fire Fox on this machine?

[whoisj]

@whoisj I am using the latest version 2.4.1.1219

Which version of Windows are you using? Does you system support TLS 1.2?

I'm having a problem finding the document I really want to link, but here's a document helping get TLS 1.2 unlocked on older versions of Windows.

[vCillusion]

I am using latest Windows 10 as mentioned inline.
OS Name Microsoft Windows 10 Pro
Version 10.0.16299 Build 16299
Yes, it does support TLS 1.2 and works out fine. Please try to use IISCrypto to enable/disable TLS / SSL versions to reproduce the issue. Hope it helps, Let me know for any further information.

[whoisj]

@vCillusion as best I know "IISCrypto" is a server admin package. It should not be necessary in anyway for client software. That said, if it does somehow goad Windows into doing the right thing, then by all means give it a try. 😕

[vCillusion]

@whoisj yes IISCrypto just a tool and won't be necessary. The main concern is with TLS 1.2 enabled getting the HTTP request exception

[randyriegel]

IISCrypto is just a tool. you can do the same thing it does manually editing the registry. It does make it easier though :) I had to turn TLS1.0 off of our server to be PCI compliant. I clicked checkbox in middle and night rebooted and done :) I changed software before that

[dsyme]

I just started having this problem out of the blue. I can confirm that upgrading to GCM 1.14.0 worked for me https://github.com/Microsoft/Git-Credential-Manager-for-Windows/releases/tag/v1.14.0

[sebastienros]

Same thing here, I followed @dsyme recommendation and it instantly fixed the issue.
I am using GitExtensions GUI and the two factor auth appeared only after updating GCMW.

[shiftkey]

@dsyme @sebastienros thanks for confirming the fix - GitHub finally turned off some weak crypto standards today and TLS 1.0 was being used by GCM. It needed an update to ensure it used TLS 1.2.

[htkcodes]

just installed it..same problem.

EDIT:reopened my terminal..works

[ghhtimsgh1970]

We're seeing this issue as well and on at least 2 different machines. Just started happening out of the blue

[ghhtimsgh1970]

....looks like GCM fixed it. At least on one of the machines. Still not clear what's going on here or what was fixed. 😕

[shiftkey]

@ghhtimsgh1970 GitHub has finally disabled some weak crypto standards, and GCM was caught up in this because it was defaulting to TLS 1.0. More details about this are here.

[fredrikkumlin]

On Windows just reinstall git to v. 2.16.2 (2018-02-15)

[buffet-time]

Can confirm issue started happening earlier today just a few hours ago, and updating GCM to what @dsyme linked to has fixed the issue.

[whoisj]

Updating to VisualStudio15.5.7 also fixes the issue

Correct, but only for Git operations from within Visual Studio. I know because I am one of the primary maintainers of Visual Studio's Git integration - so yeah, you can blame / praise me for a lot of that. 😀

[q587p]

TortoiseGit suddenly (at this week) start asking for user name/password. Installing v1.14.0 helps, thnx this thread!

[kamilliano]

git update to 2.16.2.windows.1 fixed it for me.

[Rychu-Pawel]

Correct, but only for Git operations from within Visual Studio. I know because I am one of the primary maintainers of Visual Studio's Git integration - so yeah, you can blame / praise me for a lot of that.

Yeah, I first fixed git console client by updating it to 2.16.2 as @kamilliano said but surprisingly that didn't fix VS... Had to update it anyway. Strange issue. Fortunately fixed :)

[whoisj]

Yeah, I first fixed git console client by updating it to 2.16.2 as @kamilliano said but surprisingly that didn't fix VS...

Visual Studio doesn't use the installed Git for Windows, it ships with its own internal copy. Hence the issue.

See this issue here : https://developercommunity.visualstudio.com/content/problem/201457/unable-to-connect-to-github-due-to-tls-12-only-cha.html

[mghildiy]

Updating to git version 2.16.2.windows.1 worked for me.

[Md-Aman]

Check the link to solve this error : https://amaniium.blogspot.my/2018/02/httprequestexception-encountered-while.html

[stuartcusackie]

This just happened to me over the last few days on Windows 10 and gitbash.

Instantly fixed by installing the latest Git Credential Manager for windows as recommended by @dsyme

Thanks!

[nicolasrivadeneira]

I have a similar mistake. Everything was right until last week.
If i try to execute some git command i get always the next:
An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel

[whoisj]

@nicolasrivadeneira and I assume you've tried updating GCM and/or Git for Windows to resolve the issue?

[aflansburg]

Had this issue as well on Windows 7 x64 - confirming that updating to 2.16.2.windows.1 fixes the issue (had to re-cache my credentials as well, I'm assuming this has to do with the turning off of the weaker crypto standards.

[miguel-otero-calderon]

Install
https://github.com/Microsoft/Git-Credential-Manager-for-Windows/releases/tag/v1.14.0
after reset git extensions.
resolved error.

[DollarAkshay]

Trying to download Git for Windows at 11 KB/s ... 😑

[stephengardner]

Good news - installing the latest version takes care of everything - no need to delete old versions or update PATH variables :)

https://git-scm.com/download/win

[frogr]

Yep! started having this issue recently and updating GCM fixed it. Thanks so much!

[chetanthambad]

Update ur gitBash from : https://git-scm.com/download/win

[adrientetar]

I just hit this issue and spent a couple minutes retrying because no clear error message was shown ; it'd be great if more detailed error messages could be shown in such cases.

[kishorkumarsaini]

Can't finish GitHub sharing process
Successfully created project 'MyCalculator' on GitHub, but initial push failed:
HttpRequestException encountered.
remote: error: GH007: Your push would publish a private email address.
failed to push some refs to 'https://github.com/kishorkumarsaini/MyCalculator.git'
how to solve this error

[whoisj]

@kishorkumarsaini the error message you're seeing is unrelated to authentication. Some service is telling you that the content you're attempting to push contains an email address that you likely do not want to share.

[shiftkey]

@kishorkumarsaini please read the GitHub documentation about this setting - some commits on your branch have an email address that you've marked as private on GitHub, so the server is blocking your push to prevent this leaking out.

[MuhammadUmairghufran]

I'm facing same problem

[fartzy]

I also installed GCMW-1.14.0.exe and the issue went away. https://github.com/Microsoft/Git-Credential-Manager-for-Windows/releases/tag/v1.14.0

[Nerwo1100]

I installed GCMW-1.14.0.exe and the issue is gone. https://github.com/Microsoft/Git-Credential-Manager-for-Windows/releases/tag/v1.14.0

[craig-acutest]

Installing GCMW-1.14.0.exe works correctly, but make sure to restart your machine, as didn't work until i did so.

[vcx]

Had the same issues today, turned the flags and saw the same logs described here: #488 (comment)

Looks like the issue returned. I was running both Git (2.17) and GCM (1.16) latest in a fresh install of Windows 10 1803 in a AAD-joined machine. Connecting to the VPN once (so it could try to locate the domain controller) made the problem disappear.

[whoisj]

@vcx would you capture a Fiddler trace of the problem?

Is your Git configured to use Secure Channel (aka http.sslbackend=schannel)? If not, you'll likely want to experiment with that option as well.

[savolkov]

Had same error on version 2.14.1, updated to 2.17.1 and now everything is fine. Maybe it'll help someone out

[paulgmiller]

Having te same issue with lastest 1.18.5. Connecting to vpn didn't help

git fetch
...
10:14:34.223437 ...\Common.cs:744 trace: [Main] git-credential-manager (v1.18.5) 'get'
10:14:34.283438 ...\Git\Where.cs:348 trace: [FindGitInstallations] found 1 Git installation(s).
10:14:34.290392 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 146 entries.
10:14:34.341437 ...\Common.cs:85 trace: [CreateAuthentication] detecting authority type for 'https://msdata.visualstudio.com/'.
10:14:34.356394 ...uthentication.cs:199 trace: [DetectAuthority] 'https://msdata.visualstudio.com/' is Azure DevOps, tenant resource is {72f988bf86f141af91ab2d7cd011db47}.
10:14:34.358397 ...uthentication.cs:359 trace: [GetAuthentication] AAD authority for tenant '72f988bf86f141af91ab2d7cd011db47' detected.
10:14:34.393399 ...\Common.cs:140 trace: [CreateAuthentication] authority for 'https://msdata.visualstudio.com/' is Azure Directory.
10:14:34.393399 ...\Common.cs:765 trace: [QueryCredentials] querying 'AzureDirectory' for credentials.
10:14:59.406518 ...\Program.cs:601 trace: [Run] ! error: 'An error occurred while sending the request.'.
10:14:59.407468 ...\Program.cs:601 trace: [Run] > 'Unable to connect to the remote server'.
10:14:59.408463 ...\Program.cs:601 trace: [Run] > 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.221.132.3:443'.
10:14:59.411468 ...\Common.cs:709 trace: [LogEvent] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.221.132.3:443
at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)
at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.HttpClientWrapper.d__31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.WsTrust.MexParser.d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.WsTrust.MexParser.d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenNonInteractiveHandler.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.d__57.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__37.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at AzureDevOps.Authentication.Adal.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at AzureDevOps.Authentication.Authority.d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at AzureDevOps.Authentication.AadAuthentication.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Alm.Cli.CommonFunctions.d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Alm.Cli.Program.<b__24_0>d.MoveNext()
10:14:59.452461 ...\Program.cs:601 trace: [Run] fatal: HttpRequestException encountered.
An error occurred while sending the request.
fatal: HttpRequestException encountered.
An error occurred while sending the request.
10:14:59.501460 run-command.c:640 trace: run_command: bash -c 'test "a$SHELL" '!'= "a${SHELL%.exe}" || exit 127; cat >/dev/tty && read -r line </dev/tty && echo "$line"'
Username for 'https://msdata.visualstudio.com':

[mklemm]

It may also happen if you use a proxy and the proxy requires NTLM authentication. NTLM is a challenge-response pattern that involves a failing HTTP request twice with a 401 error to exchange the challenge and response, and it then succeeds on the 3rd request. Maybe that's your issue?