Credentials prompt not working when passwords are changed

[VasuInukollu]

Git version 1.18.1.windows.1 having problems when the passwords are changed. It is not auto prompting for new password. It used to work fine in 1.16.2.windows.1

[VasuInukollu]

The repository in question is hosted on TFS Version 16.131.27701.1 and uses ssl.

Rolling back to 1.16.2 fixed the issue. Also, the install and rollback were done using choco if that has anything to do with this.

[whoisj]

The repository in question is hosted on TFS Version 16.131.27701.1 and uses ssl.

By SSL you mean HTTPS and not SSH? Have to check here as GCM does not cover SSH (without a lot of special case setup and hand holding).

Rolling back to 1.16.2 fixed the issue. Also, the install and rollback were done using choco if that has anything to do with this.

The failing version is GCM v1.17.0, or Git for Windows v1,18.1.windows.1?

Have you tried GCM v1.17.0? The credential handling code as well as the service detection code was improved significantly, especially with regards to TFS on-premises.

[rorymacleod]

I'm having the same problem accessing TFS. I run git push and it gives me the error, "fatal: Authentication failed for 'http://server:8080/tfs/project/_git/repo/'".

This repo used to work but I haven't used it in a few weeks. It uses Active Directory authentication and I have changed my password since I last accessed it.

TFS version is 15.105.25910.0. Git for Windows version is 2.18.0.windows.1. I tried installing GCMW 1.17.1 and got the same result.

I ran git config --global --unset credential.helper and when I pushed, I was prompted for a user name and password - that worked. When I installed GCMW 1.17.1 again, the same error came back.

[whoisj]

@rorymacleod would you be willing to capture a trace log of the failure?

To do so...

1. Run SET GIT_TRACE=1
2. Run SET GCM_TRACE=1
3. Reproduce the issue.

The log should be dumped to the console as the operation progresses. Thanks!

[SlowFourierTransform]

Our team has the same problem with on-premises TFS. I changed my Active Directory password, and now I get Authentication failed:

PS C:\Temp> git fetch
13:38:41.559203 ...\Common.cs:677       trace: [Main] git-credential-manager (v1.17.1) 'get'
13:38:41.628203 ...\Git\Where.cs:361    trace: [FindGitInstallations] found 1 Git installation(s).
13:38:41.634203 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 65 entries.
13:38:41.697203 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'http://tfs.intranet:8080/'.
13:38:41.849203 ...\Common.cs:196       trace: [CreateAuthentication] authority for 'http://tfs.intranet:8080/' is basic with NTLM=Auto.
13:38:41.855203 ...seSecureStore.cs:195 trace: [ReadCredentials] credentials for 'git:http://tfs.intranet:8080' read from store.
13:38:41.856203 ...\Common.cs:711       trace: [QueryCredentials] credentials found.
13:38:42.426203 ...\Common.cs:677       trace: [Main] git-credential-manager (v1.17.1) 'erase'
13:38:42.492203 ...\Git\Where.cs:361    trace: [FindGitInstallations] found 1 Git installation(s).
13:38:42.499203 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 65 entries.
13:38:42.547203 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'http://[email protected]:8080/'.
13:38:42.715203 ...\Common.cs:196       trace: [CreateAuthentication] authority for 'http://[email protected]:8080/' is basic with NTLM=Auto.
13:38:42.716203 ...\Common.cs:220       trace: [DeleteCredentials] deleting basic credentials for 'http://[email protected]:8080/'.
13:38:42.722203 ...aseSecureStore.cs:59 trace: [Delete] credentials not found for 'git:http://[email protected]:8080'.
fatal: Authentication failed for 'http://tfs.intranet:8080/tfs/Collection/Project/_git/Repo/'

Relevant entry from cmdkey /list

Target: LegacyGeneric:target=git:http://tfs.intranet:8080
Type: Generic
User: MyUsername

Running cmdkey /delete:git:http://tfs.intranet:8080 does fix the problem

[X-Guardian]

I am experiencing the same issue with on on-premise GitLab repository. You can re-create it by entering incorrect credentials when GCM first prompts. From then on, GCM will not prompt again, and the invalid credentials aren't deleted from the Windows credential store.

set GIT_TRACE=1
set GCM_TRACE=1
git fetch
12:56:20.810288 exec-cmd.c:236          trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
12:56:20.812584 git.c:415               trace: built-in: git fetch
12:56:20.812584 run-command.c:637       trace: run_command: GIT_DIR=.git git remote-https origin https://source-it/uk-it-infrastructure/powershell-scripts.git/
12:56:20.843836 exec-cmd.c:236          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
12:56:20.843836 git.c:654               trace: exec: git-remote-https origin https://source-it/uk-it-infrastructure/powershell-scripts.git/
12:56:20.843836 run-command.c:637       trace: run_command: git-remote-https origin https://source-it/uk-it-infrastructure/powershell-scripts.git/
12:56:20.859462 exec-cmd.c:236          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
12:56:20.924133 run-command.c:637       trace: run_command: 'git credential-manager get'
12:56:20.982672 exec-cmd.c:236          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
12:56:20.985675 git.c:654               trace: exec: git-credential-manager get
12:56:20.985675 run-command.c:637       trace: run_command: git-credential-manager get
12:56:21.095231 ...\Common.cs:665       trace: [Main] git-credential-manager (v1.16.2) 'get'
12:56:21.229155 ...\Git\Where.cs:343    trace: [FindGitInstallations] found 1 Git installation(s).
12:56:21.239159 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 31 entries.
12:56:21.281710 ...\Common.cs:84        trace: [CreateAuthentication] detecting authority type for 'https://source-it/'.
12:56:21.328583 ...\Common.cs:195       trace: [CreateAuthentication] authority for 'https://source-it/' is basic with NTLM=Auto.
12:56:21.328583 ...seSecureStore.cs:195 trace: [ReadCredentials] credentials for 'git:https://source-it' read from store.
12:56:21.344210 ...\Common.cs:699       trace: [QueryCredentials] credentials found.
12:56:21.392972 run-command.c:637       trace: run_command: 'git credential-manager erase'
12:56:21.437496 exec-cmd.c:236          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
12:56:21.437496 git.c:654               trace: exec: git-credential-manager erase
12:56:21.437496 run-command.c:637       trace: run_command: git-credential-manager erase
12:56:21.567406 ...\Common.cs:665       trace: [Main] git-credential-manager (v1.16.2) 'erase'
12:56:21.709415 ...\Git\Where.cs:343    trace: [FindGitInstallations] found 1 Git installation(s).
12:56:21.719415 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 31 entries.
12:56:21.757421 ...\Common.cs:84        trace: [CreateAuthentication] detecting authority type for 'https://MyUserName@source-it/'.
12:56:21.786746 ...\Common.cs:195       trace: [CreateAuthentication] authority for 'https://MyUserName@source-it/' is basic with NTLM=Auto.
12:56:21.786746 ...\Common.cs:219       trace: [DeleteCredentials] deleting basic credentials for 'https://MyUserName@source-it/'.
12:56:21.802372 ...aseSecureStore.cs:59 trace: [Delete] credentials not found for 'git:https://MyUserName@source-it'.
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://source-it/uk-it-infrastructure/powershell-scripts.git/'

It looks like it is trying to erase the cached credentials once the authentication has failed, but fails as it is trying to erase the credentials for git:https://MyUserName@source-it rather than git:https://source-it/

cmdkey /list

Target: LegacyGeneric:target=git:https://source-it
Type: Generic
User: MyUserName
Local machine persistence

[SlowFourierTransform]

@gistofj Would it be possible to get some action on this issue? As @X-Guardian says, it looks like a quick and easy fix

[whoisj]

@gistofj Would it be possible to get some action on this issue? As @X-Guardian says, it looks like a quick and easy fix

No, I'm sorry. I am no longer associated with Microsoft, and therefore have no role in this project. Hopefully whom ever has taken over the reigns in my absence follows up. Best of luck.

[X-Guardian]

@jeschu1, is anyone able to take a look at this?

[jrbriggs]

We're looking at picking up work on this bug early in 2019. We're also very happy to review pull requests!

[MarkusKepert]

Hi Guys, its still present in 2.20.
Can i support in any way?

[obarak]

Seems related to this: #817
I believe both issues are a regression introduced by this PR: #547
@gistofj @shiftkey

[whoisj]

I am no longer associated with Microsoft, and therefore no longer contribute to this project. @jeschu1 as a replacement for me (I'll be unsubscribing).

[Hickstone]

Hi,

this issue is quite annoying as our company (and many other) requires to reset the password every now and then.
We as the administrators have to go to everyone who recently changed their password and remove the old entries manually.
I want to help to fix this issue, as it persists since half a year now.
But I need some information.
First let's see what I found out on my machine:
We use Git LFS in our company and move the binary files to a Artifactory server (let's call it artifactory.company.example).
If there are no credentials for git:https://artifactory.company.example, the user will be queried to enter a username and password.
This will create TWO entries:

• git:https://artifactory.company.example
• git:https://[email protected]

This is no problem as long as the credentials are correct.
As soon as the credentials are expired, the following happens (compiled with debug to get more information):

1. GCM detects an authority for 'https://artifactory.company.example' and seems to do nothing with it
2. GCM detects an authority for 'https://[email protected]' and deletes it from the store
3. 'https://artifactory.company.example' will be detected again (and nothing will be done with it)
4. 'https://[email protected]' will be detected, tried to delete but not be found (as it was deleted previously)
5. Step 3 and 4 will be repeated until some kind of max repetition trigger value gets hit.

The user will not be queried until the entry of 'https://artifactory.company.example' gets be deleted manually.

The value of 'https://[email protected]' seems pretty useless to us. I would want to get rid of it, or delete the value of 'https://artifactory.company.example' as soon as the value of 'https://[email protected]' contains wrong credentials.

But this is only for our use case of the GCM with Git LFS.
What do you think of the ideas? And why do we need the username in the URL as the credential store seems to be hard-wired to the user account?

[acbsubscriptions]

I am having same issue with VS2019 Enterprise version now. All machines where we installed VS2019 along with VS2017 are foo bar now. We have stopped migration of remaining team members to VS2019.
I do not get any prompts.
Here are the logs.

15:54:21.339986 git.c:340               trace: built-in: git 'clone' '--progress' '--verbose' '--recurse-submodules' 'http://xxxxx' 'C:\Users\xxxxxxx'
15:54:21.402486 run-command.c:626       trace: run_command: 'remote-http' 'origin' 'http://xxxxx'
15:54:21.433736 git.c:572               trace: exec: 'git-remote-http' 'origin' 'http://xxxxx'
15:54:21.433736 run-command.c:626       trace: run_command: 'git-remote-http' 'origin' 'http://xxxx'
15:54:21.480608 run-command.c:626       trace: run_command: 'git credential-manager get'
15:54:21.683730 git.c:572               trace: exec: 'git-credential-manager' 'get'
15:54:21.699356 run-command.c:626       trace: run_command: 'git-credential-manager' 'get'
15:54:21.777484 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.18.4) 'get'
15:54:21.839977 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
15:54:21.855605 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 26 entries.
15:54:21.855605 ...\Common.cs:427       trace: [LoadOperationArguments] GCM_HTTP_USER_AGENT = 'git-credential-manager (Microsoft Windows NT 10.0.17763.0; Win32NT x64) CLR/4.0.30319 VS15/16.0.0'.
15:54:21.855605 ...\Common.cs:479       trace: [LoadOperationArguments] interactive = 'Auto'.
15:54:21.855605 ...\Common.cs:497       trace: [LoadOperationArguments] validate = 'True'.
15:54:21.855605 ...\Common.cs:513       trace: [LoadOperationArguments] modalPrompt = 'True'.
15:54:21.902522 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'http://xxxxxx'.
15:54:21.918104 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'http:xxxxx' is basic with NTLM=Auto.
15:54:21.918104 ...\Common.cs:765       trace: [QueryCredentials] querying 'Auto' for credentials.
15:54:25.001047 ...uthentication.cs:119 trace: [AcquireCredentials] 'http://xxxxx' supports NTLM, sending NTLM credentials instead
15:54:25.001047 ...\Common.cs:780       trace: [QueryCredentials] credentials found.
15:54:25.032300 run-command.c:626       trace: run_command: 'git credential-manager erase'
15:54:25.094831 git.c:572               trace: exec: 'git-credential-manager' 'erase'
15:54:25.094831 run-command.c:626       trace: run_command: 'git-credential-manager' 'erase'
15:54:25.157334 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.18.4) 'erase'
15:54:25.235456 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
15:54:25.235456 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 26 entries.
15:54:25.235456 ...\Common.cs:427       trace: [LoadOperationArguments] GCM_HTTP_USER_AGENT = 'git-credential-manager (Microsoft Windows NT 10.0.17763.0; Win32NT x64) CLR/4.0.30319 VS15/16.0.0'.
15:54:25.235456 ...\Common.cs:479       trace: [LoadOperationArguments] interactive = 'Auto'.
15:54:25.235456 ...\Common.cs:497       trace: [LoadOperationArguments] validate = 'True'.
15:54:25.235456 ...\Common.cs:513       trace: [LoadOperationArguments] modalPrompt = 'True'.
15:54:25.266667 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'http://xxxxxx'.
15:54:25.282334 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'http://xxxxxx' is basic with NTLM=Auto.
15:54:25.282334 ...\Common.cs:252       trace: [DeleteCredentials] deleting basic credentials for 'http://xxxxxxx'.
15:54:25.297955 ...aseSecureStore.cs:59 trace: [Delete] credentials not found for 'git:http://xxxxxx'.

[cdcjunkbin]

I am having this issue as well but I was able to find a work-around.

Fortunately, I also have WSL (Ubuntu) set up so I was able to use the Linux version of git to push the changes I had made through windows.

[catsem]

We're facing the same issue.
Password needs to be change every 90 days due to companys IT-policies (forced by ActiveDirectory).
After password is changed, git credential manager does not notice the changed password and keeps trying with the old credentials until.... the users account is locked -> Fun begins for the user account support team...

• git credential manager should really not try until forever when the auth attempt failed
• git credential manager should ask for the credentials if the auth attempt failed

[soyetola-atos]

solution here:
#871 (comment)

[catsem]

solution here:
#871 (comment)

It's more a workaround than a solution ;)

[DrStrangepork]

What is going on with this bug? This is a critical issue that has gone unresolved for >2 years!?

[XabiBeltza]

This should be relatively easy to fix:
If ("using secrets stored from credential manager" and "authentication fails") {
prompt for new credentials
if (auth is successful) {
edit stored credentials (or delete and recreate credentials)
}
else {
fail message
}
}

[sntg-p]

I'm having the same issue. I guess they want us to move to other authentication methods.

[dscho]

I'm having the same issue. I guess they want us to move to other authentication methods.

Why, yes: https://github.blog/changelog/2019-08-08-password-based-http-basic-authentication-deprecation-and-removal/

[aruanoguate]

I think they will be deprecating this project in favor of the new Git Credential Manager Core which is multiplatform and now offered as part of the Git For Windows Installation:

https://github.com/microsoft/Git-Credential-Manager-Core

[dscho]

I think they will be deprecating this project in favor of the new Git Credential Manager Core which is multiplatform and now offered as part of the Git For Windows Installation:

https://github.com/microsoft/Git-Credential-Manager-Core

Indeed, this has already happened: #918