I have another scenario where this is failing. I have a job that worked up until this morning when our SCM admin forced us to use 2FA. Now, no matter what I try, my pipeline jobs fail in strange ways during 'checkout scm'. I have one job that will fail to checkout submodules (some of which aren't even part of our private repos), and PR jobs will fail because they can't figure out what branch to start with (indicating that scm.* is not being populated properly). I have tried all of the workarounds I can think of, including using the syntax generator and hardcoding the Jenkinsfile script with credentialID. Nothing appears to work.
Update: It appears I have to add 'Checkout over SSH' to force it to use the proper credentials, even though the submodules are defined to use ssh URL and the 'Advanced sub-modules behaviours->Use credentials from default remote of parent repository' is checked. Seems ridiculously redundant and non-intuitive.
2FA auth requires pin which can't be retrieved automatically. Nobody use 2FA and store all creds in jenkins, where u can fetch any creds with help of groovy console