Git for Windows and NTLM authentication

[nilleb]

I've got a problem with git and NTLM authentication:
libcurl detects an Authentication problem and it doesn't continue the authentication process.

More in detail:
I type my command line:
git push origin master

• GIT/libcurl contacts the server, asking for url
• server: 401
• GIT asks my credentials
• I type my credentials
• GIT/libcurl contacts the server, asking for url
• server: 401
• GIT/libcurl contacts the server, asking for url
• server: 401
• GIT/libcurl contacts the server, asking for url, NTLMSSP_NEGOTIATE
• server: 401, NTLMSSP_CHALLENGE
• GIT/LibCURL detects an athentication problem.

If I type a command line like the following
curl -u domain\user:password url --ntlm
I get the desired content.
In the network traces, I see that the exchanges looks like

• GET url, NTLMSSP_NEGOTIATE
• server: 401, NTLMSSP_CHALLENGE
• GET url, NTLMSSP_AUTH, user: domain\user
• server: 200

I'm not behind a proxy.
I'm using git for windows, 1.9.2-msysgit.
I'm typing exactly the same credentials, thus this should not constitue a problem.

What am I doing wrong? Is Git supposing something wrong?

[nilleb]

I have to admit that my point of view was a little biased.
In my previous post, the method (WWW-Authenticate) used by GIT was Negotiate. The method used by curl was NTLM.
If force CURL to use the --negotiate authentication method, CURL will produce the same exchanges I've seen in GIT.
curl -u domain\user:password url --negotiate

• GET ``url`
• server: 401
• GET ``url`, Negotiate NTLMSSP_NEGOTIATE
• server: 401, NTLMSSP_CHALLENGE
  (here I see the raw HTTP 401 response and the exchange doesn't continue with a NTLMSSP_AUTH)

So far.. is there a way to force git to use WWW-Authenticate == NTLM ?
Or to continue the exchange after the NTLMSSP_CHALLENGE?
(Visual Studio version of libgit2 is able to do that...)

[dscho]

Have you tried with Vagrant? If it works with Vagrant, it is not a Windows-specific issue, and I'd like to ask you to take the issue to git@vger.kernel.org, i.e. the Git mailing list (non-Windows).

[nilleb]

I've not yet installed Vagrant, but on a linux system I'm getting a similar behavior.
I've not the traces of the exchanges, but I can't clone the repo.
Thank you for your quick response.

[jberezanski]

I have encountered the same problem in my setup (git hosted in IIS via WebGitNet, only Windows Authentication enabled in IIS). I don't remember exactly, but I believe it started happening with Git for Windows 1.8.3 (1.8.1.2 did not exhibit that problem), when libcurl was updated to 7.3.0.

I used a server side workaround - in IIS Windows authentication settings, I removed all authentication providers except NTLM. Since the server was not part of a domain, forcing NTLM did not lower security, as Kerberos would not have been available anyway.

[t-b]

It would be really helpful if we could create a test case to reproduce the problem. Although I guess the number of publically accessible NTLM capable servers is limited ;)

[fourxd]

me to :(
setup is IIS 7.5
auth with basic and negoation

[nilleb]

I've opened a thread on
the git M/L, as suggested by dscho.

[fourxd]

the problem is curl, a call with --anyauth, from git, will check for the safest method to communicate. if the server provides more then on, in my example negotiate and basic, curl tooks negotiate. but negotiate (kerb5) is not always possible and so the request fails. in thise case, curl should take next mechanism to authenticate.

[jberezanski]

Just to clarify, Negotiate != Kerberos. "Negotiate" should automatically pick the most secure protocol supported by both client and server, Kerberos in a domain (Active Directory) environment, NTLM outside of a domain. That's why it's called Negotiate :)
If curl equals Negotiate to Kerberos, it is a bug, or at least an incomplete implementation of Negotiate.

[dscho]

All these comments would make excellent additions to the report... upstream...

[fourxd]

yes, the fail in my example is ntlm negotiate, curl does not implemented it...

http.c of curl

if(data->state.negotiate.state == GSS_AUTHSENT) {
/* if we sent GSS authentication in the outgoing request and we get
this back, we're in trouble */
infof(data, "Authentication problem. Ignoring this.\n");
data->state.authproblem = TRUE;
}

[kusma]

Again, please add your comments to the upstream-discussion, not here.

[nilleb]

I think that an extra comment could be useful in this thread:

I have been able to use git for windows to authenticate against a HTTP
server offering Negotiate/NTLM as authentication protocols.

How? Using the git-credentials-winstore (
https://gitcredentialstore.codeplex.com/).

This gives implicitly the answer to the thread, and solves the problem on
windows.

I'm not aware of a equivalent solution for Linux.

On Fri, Apr 25, 2014 at 3:37 PM, Erik Faye-Lund notifications@github.comwrote:

Again, please add your comments to the upstream-discussion, not here.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/171#issuecomment-41392986
.

http://www.nilleb.com