Empty username and password proxy config should enable WIA/default credentials

[CarliJoy]

Which version of GCM Core are you using?

From a terminal, run git-credential-manager-core version and paste the output.

Git Credential Manager version 2.0.280-beta+1f4c6db90f (Windows, .NET Framework 4.0.30319.42000)

Which Git host provider are you trying to connect to?

• Azure DevOps
• Azure DevOps Server (TFS/on-prem)
• GitHub
• GitHub Enterprise
• Bitbucket
• Other - please describe

Can you access the remote repository directly in the browser using the remote URL?

From a terminal, run git remote -v to see your remote URL.

• Yes
• No, I get a permission error
• No, for a different reason - please describe

---

[Azure DevOps only] What format is your remote URL?

• Not applicable
• https://dev.azure.com/`{org}`/...
• https://{org}@dev.azure.com/{org}/...
• https://{org}.visualstudio.com/...

[Azure DevOps only] If the account picker shows more than one identity as you authenticate, check that you selected the same one that has access on the web.

• Not applicable
• I only see one identity
• I checked each identity and none worked

---

Expected behavior

Github Login Popup open, the Browser opens, I am authenticated and the git command run through by connecting to the Proxy using NTLM auth.

Actual behavior

Github Login Popup opens, the Browser opens and tells me that I am authenticated but gcm-core fails to connect to the proxy

Notes
The authentication works fine with the outdated gcm setting

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.net>
    <defaultProxy useDefaultCredentials="true" />
  </system.net>
</configuration>

in the git-credential-manger.exe.config file. But even if I add these settings to the gcm-core config file, it won't work.

PS: Some more detailled logs for errors connecting to proxies would be great (i.e. what kind of authentication was tried)

Logs

C:\git-dir>git push
20:09:32.763301 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
20:09:32.767801 git.c:444               trace: built-in: git push
20:09:32.767801 run-command.c:663       trace: run_command: GIT_DIR=.git git remote-https origin https://github.
com/CarliJoy/SyncGitlab2MSProject.git
20:09:32.814700 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git
-core
20:09:32.814700 git.c:729               trace: exec: git-remote-https origin https://github.com/CarliJoy/SyncGit
lab2MSProject.git
20:09:32.814700 run-command.c:663       trace: run_command: git-remote-https origin https://github.com/CarliJoy/
SyncGitlab2MSProject.git
20:09:32.867828 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git
-core
20:09:33.546331 run-command.c:663       trace: run_command: 'C:/Users/USER/Documents/bin/gc-core/git-credent
ial-manager-core.exe get'
20:09:34.241477 ...\Application.cs:69   trace: [RunInternalAsync] Git Credential Manager version 2.0.280-beta+1f
4c6db90f (Windows, .NET Framework 4.0.30319.42000) 'get'
20:09:34.241477 ...\Command.cs:63       trace: [ExecuteAsync] Start 'get' command...
20:09:34.268594 ...\Command.cs:74       trace: [ExecuteAsync] Detecting host provider for input:
20:09:34.268594 ...\Command.cs:75       trace: [ExecuteAsync]   protocol=https
20:09:34.268594 ...\Command.cs:75       trace: [ExecuteAsync]   host=github.com
20:09:34.484722 ...viderRegistry.cs:129 trace: [GetProvider] Performing auto-detection of host provider.
20:09:34.484722 ...\Command.cs:77       trace: [ExecuteAsync] Host provider 'GitHub' was selected.
20:09:34.484722 ...\HostProvider.cs:115 trace: [GetCredentialAsync] Looking for existing credential in store wit
h service=https://github.com account=...
20:09:34.500346 ...\HostProvider.cs:120 trace: [GetCredentialAsync] No existing credentials found.
20:09:34.500346 ...\HostProvider.cs:123 trace: [GetCredentialAsync] Creating new credential...
20:09:34.615828 ...bHostProvider.cs:192 trace: [GetSupportedAuthenticationModesAsync] https://github.com/ is github.com - authentication schemes: 'OAuth'
20:09:38.437288 ...pClientFactory.cs:53 trace: [CreateClient] Creating new HTTP client instance...
20:09:38.791533 ...ClientFactory.cs:144 trace: [TryCreateProxy] Created a WebProxy instance:
20:09:38.791533 ...ClientFactory.cs:145 trace: [TryCreateProxy]         uri=http://webproxy.company.com:8888/
20:09:38.791533 ...pClientFactory.cs:59 trace: [CreateClient] HTTP client is using the configured proxy.
info: please complete authentication in your browser...
fatal: An error occurred while sending the request.
fatal: The remote server returned an error: (407) Proxy Authentication Required.
20:09:40.827803 run-command.c:663       trace: run_command: bash -c 'cat >/dev/tty && read -r line </dev/tty && echo "$line"'
Username for 'https://github.com':

[CarliJoy]

For reference here the log with the old gcm. Works not perfectly - will not accept the password entered in the GUI but stores the password that is entered in the command line. But anyway Password auth will be deactivated soon.

(.venv) C:\Users\USER\Documents\Python\SyncGitlab2MSProject>git push
20:31:07.104077 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
20:31:07.119762 git.c:444               trace: built-in: git push
20:31:07.119762 run-command.c:663       trace: run_command: GIT_DIR=.git git remote-https origin https://github.com/CarliJoy/SyncGitlab2MSProject.git
20:31:07.166630 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
20:31:07.166630 git.c:729               trace: exec: git-remote-https origin https://github.com/CarliJoy/SyncGitlab2MSProject.git
20:31:07.166630 run-command.c:663       trace: run_command: git-remote-https origin https://github.com/CarliJoy/SyncGitlab2MSProject.git
20:31:07.235679 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
20:31:07.857960 run-command.c:663       trace: run_command: 'git credential-manager get'
20:31:08.036353 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
20:31:08.036353 git.c:729               trace: exec: git-credential-manager get
20:31:08.036353 run-command.c:663       trace: run_command: git-credential-manager get
20:31:08.167900 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.20.0) 'get'
20:31:08.252563 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
20:31:08.252563 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 26 entries.
20:31:08.321611 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'https://github.com/'.
20:31:08.337236 ...uthentication.cs:151 trace: [GetAuthentication] created GitHub authentication for 'https://github.com/'.
20:31:08.337236 ...\Common.cs:176       trace: [CreateAuthentication] authority for 'https://github.com/' is GitHub.
20:31:08.337236 ...\Common.cs:765       trace: [QueryCredentials] querying 'GitHub' for credentials.
20:31:08.406268 ...icationPrompts.cs:50 trace: [CredentialModalPrompt] prompting user for credentials for 'https://github.com/'.
20:31:31.432357 ...\Program.cs:601      trace: [Run] ! error: 'A task was canceled.'.
20:31:31.435361 ...\Common.cs:709       trace: [LogEvent] System.Threading.Tasks.TaskCanceledException: A task was canceled.
20:31:31.473941 ...\Program.cs:601      trace: [Run] fatal: TaskCanceledException encountered.
   A task was canceled.
fatal: TaskCanceledException encountered.
   A task was canceled.
20:31:31.896710 run-command.c:663       trace: run_command: bash -c 'cat >/dev/tty && read -r line </dev/tty && echo "$line"'
Username for 'https://github.com': email@example.com
20:31:36.773220 run-command.c:663       trace: run_command: bash -c 'cat >/dev/tty && read -r -s line </dev/tty && echo "$line" && echo >/dev/tty'
Password for 'https://email@example.com@github.com':
20:31:41.362553 run-command.c:663       trace: run_command: 'git credential-manager store'
20:31:41.510775 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
20:31:41.526398 git.c:729               trace: exec: git-credential-manager store
20:31:41.526398 run-command.c:663       trace: run_command: git-credential-manager store
20:31:41.663965 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.20.0) 'store'
20:31:41.742378 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
20:31:41.761015 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 26 entries.
20:31:41.795786 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'https://email@example.com@github.com/'.
20:31:41.811393 ...uthentication.cs:151 trace: [GetAuthentication] created GitHub authentication for 'https://kound%40posteo.de@github.com/'.
20:31:41.811393 ...\Common.cs:176       trace: [CreateAuthentication] authority for 'https://email@example.com@github.com/' is GitHub.
20:31:41.811393 ...\Program.cs:526      trace: [Store] storing GitHub credentials for 'https://email@example.com@github.com/'.
20:31:41.859282 run-command.c:663       trace: run_command: 'git credential-manager store'
20:31:41.980346 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
20:31:41.995973 git.c:729               trace: exec: git-credential-manager store
20:31:41.995973 run-command.c:663       trace: run_command: git-credential-manager store
20:31:42.127545 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.20.0) 'store'
20:31:42.212200 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
20:31:42.212200 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 26 entries.
20:31:42.265616 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'http://webproxy.company.com:8888/'.
20:31:42.281264 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'http://webproxy.company.com:8888/' is basic with NTLM=Auto.
20:31:42.281264 ...\Program.cs:513      trace: [Store] storing basic credentials for 'http://webproxy.company.com:8888/'.
Everything up-to-date

(.venv) C:\Users\USER\Documents\Python\SyncGitlab2MSProject>git push
20:31:59.165376 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
20:31:59.181995 git.c:444               trace: built-in: git push
20:31:59.186495 run-command.c:663       trace: run_command: GIT_DIR=.git git remote-https origin https://github.com/CarliJoy/SyncGitlab2MSProject.git
20:31:59.218759 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
20:31:59.234382 git.c:729               trace: exec: git-remote-https origin https://github.com/CarliJoy/SyncGitlab2MSProject.git
20:31:59.234382 run-command.c:663       trace: run_command: git-remote-https origin https://github.com/CarliJoy/SyncGitlab2MSProject.git
20:31:59.287415 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
20:31:59.919513 run-command.c:663       trace: run_command: 'git credential-manager get'
20:32:00.088757 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
20:32:00.104395 git.c:729               trace: exec: git-credential-manager get
20:32:00.104395 run-command.c:663       trace: run_command: git-credential-manager get
20:32:00.235914 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.20.0) 'get'
20:32:00.320562 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
20:32:00.320562 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 26 entries.
20:32:00.389080 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'https://github.com/'.
20:32:00.404969 ...uthentication.cs:151 trace: [GetAuthentication] created GitHub authentication for 'https://github.com/'.
20:32:00.404969 ...\Common.cs:176       trace: [CreateAuthentication] authority for 'https://github.com/' is GitHub.
20:32:00.404969 ...\Common.cs:765       trace: [QueryCredentials] querying 'GitHub' for credentials.
20:32:00.420595 ...uthentication.cs:175 trace: [GetCredentials] credentials for 'https://github.com/' found.
20:32:01.206529 ...\Authority.cs:200    trace: [ValidateCredentials] credential validation for 'https://github.com/' succeeded.
20:32:01.206529 ...\Common.cs:873       trace: [QueryCredentials] credentials for 'https://github.com/' found.
20:32:01.206529 ...\Common.cs:709       trace: [LogEvent] GitHub credentials for 'https://github.com/' successfully retrieved.
20:32:01.873334 run-command.c:663       trace: run_command: 'git credential-manager store'
20:32:02.022685 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
20:32:02.038311 git.c:729               trace: exec: git-credential-manager store
20:32:02.038311 run-command.c:663       trace: run_command: git-credential-manager store
20:32:02.169853 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.20.0) 'store'
20:32:02.254527 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
20:32:02.254527 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 26 entries.
20:32:02.307956 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'https://email@example.com@github.com/'.
20:32:02.323563 ...uthentication.cs:151 trace: [GetAuthentication] created GitHub authentication for 'https://kound%40posteo.de@github.com/'.
20:32:02.323563 ...\Common.cs:176       trace: [CreateAuthentication] authority for 'https://email@example.com@github.com/' is GitHub.
20:32:02.323563 ...\Program.cs:526      trace: [Store] storing GitHub credentials for 'https://email@example.com@github.com/'.
20:32:02.354832 run-command.c:663       trace: run_command: 'git credential-manager store'
20:32:02.492356 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
20:32:02.492356 git.c:729               trace: exec: git-credential-manager store
20:32:02.492356 run-command.c:663       trace: run_command: git-credential-manager store
20:32:02.640063 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.20.0) 'store'
20:32:02.709109 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
20:32:02.709109 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 26 entries.
20:32:02.755965 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'http://webproxy.company.com:8888/'.
20:32:02.789728 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'http://webproxy.company.com:8888/' is basic with NTLM=Auto.
20:32:02.790227 ...\Program.cs:513      trace: [Store] storing basic credentials for 'http://webproxy.company.com:8888/'.
Everything up-to-date

[mjcheetham]

Hi @CarliJoy, thanks for reporting this issue.

Can I ask if you've set any username/password in the proxy configuration? I can see the following in the GCM Core trace output, which looks correct to me:

20:09:38.437288 ...pClientFactory.cs:53 trace: [CreateClient] Creating new HTTP client instance...
20:09:38.791533 ...ClientFactory.cs:144 trace: [TryCreateProxy] Created a WebProxy instance:
20:09:38.791533 ...ClientFactory.cs:145 trace: [TryCreateProxy]         uri=http://webproxy.company.com:8888/
20:09:38.791533 ...pClientFactory.cs:59 trace: [CreateClient] HTTP client is using the configured proxy.

According to the proxy code, we should be doing the same thing as the old GCM. Namely that if a user has specified a proxy URI and no username/pass then we should be setting UseDefaultCredentials = true.

According to the WebProxy.UseDefaultCredentials documentation Windows Integrated Authentication (NTLM) should be used when set to true:

Set this property to true when requests made by this WebProxy object should, if requested by the server, be authenticated using the credentials of the currently logged on user.

In GCM Core, we set this property to true if a proxy is configured without a user/pass, as your case:

https://github.com/microsoft/Git-Credential-Manager-Core/blob/252a0411d4bd2561299b019e07a1f6933870b86b/src/shared/Microsoft.Git.CredentialManager/HttpClientFactory.cs#L123-L141

In GCM for Windows the equivalent code looked like this:

var proxy = new WebProxy(proxyUri) { UseDefaultCredentials = true };

// check if the user has specified authentications (comes as UserInfo)
if (!string.IsNullOrWhiteSpace(proxyUri.UserInfo) && proxyUri.UserInfo.Length > 1)
{
    ... omited ...
    if (hasUserNameAndPassword)
    {
        ... omitted ...
        proxy.UseDefaultCredentials = false;
        proxy.Credentials = proxyCreds;
    }
}

return proxy;

(Set UseDefaultCredentials = true when there's a proxy without user/pass information.)

Can you try running a Fiddler trace to see what specific communications and auth is happening on the wire between your proxy server and the client?

[CarliJoy]

Empty user and password is set for proxy (see the : before the @)

$ git config -l
   ...
   http.proxy=http://:@proxy.company.com:8888
   ...

I am not sure If I manage to do fiddler. Have to try if I can get this tool or something similar running without admin privileges (company policy 🙄)

Maybe the TryGetUserInfo code is recognizing the ":" as set username even so it is empty? (just guessing here).

Without the ":" git itself is not working properly as it tries to gather the username and password first.

[mjcheetham]

Maybe the TryGetUserInfo code is recognizing the ":" as set username even so it is empty? (just guessing here).

Aha! Yes! This is the issue.

Without the ":" git itself is not working properly as it tries to gather the username and password first.

This I was not aware of, to be honest. We can update GCM Core to treat an empty user/pass value as UseDefaultCredentials = true, which should fix things.

I'll update this issue once the fix is in the main branch, and then once a release is available with the fix.

For a workaround before then.. If you omit the : empty user/pass from the proxy address, and just enter an empty user/pass to Git when it prompts, does that work?

[mjcheetham]

@CarliJoy the fix has been merged in and should be available in the next release. Watch this space!

[CarliJoy]

@mjcheetham Thanks a lot :-).
Thought that it would be fast fix, until I saw the amount of new tests required ;-)