• Bug
    • Resolution: Fixed
    • Major
    • git-client-plugin
    • Windows 2012 R2, Jenkins 5.1, TFS-Plugin (latest), Git-Plugin (latest)

      1. Follow instructions on TFS-Plugin site for TFS-GIT
      2. Test-Connection fails
      3. Tasks fail with credentials
      4. Change service account to run under domain user with TFS access
      5. Test-Connection passes with credentials
      6. Change credentials to none
      7. Test-Connection still passes
      8. Leave credentials on Task
      9. Task builds successfully
      10. Set credentials on Task to None
      11. Task still builds successfully.
      12. Change the service account back to the SYSTEM
      13. It will not work no matter what credentials I use.

          [JENKINS-37934] NTLM Authentication No Matter What

          Olivier Dagenais added a comment -

          It looks like on Windows, when attempting to connect to a Git repository hosted on TFS, NTLM authentication will be attempted using the identity the Jenkins process is running under and, consequently, the configured credentials are ignored.

          Olivier Dagenais added a comment -

          As far as I can tell, this happens when using JGit on Windows, because the JRE will automatically try NTLM and, if that doesn't work (either there's no user or the user has no access to TFS), there's no fallback to NTLM using the supplied credentials. There is a possibility of a fallback to using Kerberos, but that's less common.

          The next thing to try would be configuring JGit to use the Apache HTTP Client instead of the JRE's.

          Mark Waite added a comment -

          If the problem is JGit specific, then you might also consider trying to use the command line git implementation inside the TFS plugin (if the TFS plugin exposes a user interface to select the git implementation).


          Olivier Dagenais added a comment -

          markewaite: The TFS plugin doesn't do too much with the git-client-plugin; there's a dependency on git-plugin to be able to subclass RevisionParameterAction to be able to ask for a specific commit to be built, as well as pass around some extra data and be able to more loosely match repository URLs.

          I am hoping you will see, via my testing in pull request #216, that you can take tfs-plugin out of the equation.

          foobartn: The above pull request might be relevant to your interests...

          Mark Waite added a comment -

          Since pull request 216 was included in git client plugin 2.1.0 in Nov 2016, I assume you should be able to test with the jgit-apache implementation that was included.


          Mark Waite added a comment -

          A fix was also included in JGit to allow NTLM authentication to be used more reliably on Windows. The JGit version with the fix is included in git client plugin 3.0.0-beta5.


          Mark Waite added a comment -

          Git client plugin 3.0.0 released a long time ago. I assume this is functioning now.


            dastahel David Staheli
            foobartn Joshua Barton