This repository has been archived by the owner on Nov 6, 2020. It is now read-only.

Can't sign in to on-prem TFS #246

Closed
mrichman opened this issue May 31, 2017 · 22 comments

@mrichman

mrichman commented May 31, 2017

Multiple attempts to do Team: Signin end up locking my account.

2017-05-31T14:17:19.480Z - debug:  [14088] TFVC Retrieved from settings; localPath='C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\TF.exe'
2017-05-31T14:17:19.480Z - debug:  [14088] TFVC Repository created with repositoryRootFolder='c:\tfs\EcoSys\SCM\Azure'
2017-05-31T14:17:19.590Z - debug:  [14088] Started ApplicationInsights telemetry
2017-05-31T14:17:19.591Z - info:   [14088] Getting repository information with repositoryInfoClient
2017-05-31T14:17:19.591Z - debug:  [14088] RemoteUrl = http://tfs:8080/tfs/ecosys
2017-05-31T14:17:19.600Z - debug:  [14088] Getting repository information for a TFVC repository at http://tfs:8080/tfs/ecosys
2017-05-31T14:17:19.601Z - debug:  [14088] Parsing values from repositoryInfo as string url
2017-05-31T14:17:19.602Z - debug:  [14088] Starting the validation of the collection. Url: 'http://tfs:8080/tfs/ecosys'
2017-05-31T14:17:19.856Z - error:  [14088] Failed call with repositoryClient:  Unauthorized. Check your authentication credentials and try again. Error: Error: Failed Request: Unauthorized(401) - http://tfs:8080/tfs/ecosys/_apis/tfvc/branches
2017-05-31T14:17:19.856Z - debug:  [14088] Error: Failed Request: Unauthorized(401) - http://tfs:8080/tfs/ecosys/_apis/tfvc/branches

I can browse directly to the URL which returns 401 in the log:

image

@jeffyoung
Contributor

Hi @mrichman. Thanks for trying out the extension.

Unfortunately, I think the difference here is that your web browser is going to use integrated NTLM authentication against the server (Windows, which I presume you're using, will just use the credentials you used to log into your machine when it makes the web request; let me know if you're not on Windows). The VS Code extension has to rely on the vsts-node-api which provides the NTLM support (which is interactive; that is, it requires a user name and password and it contains the code to do the NTLM negotiation itself... it can't rely on the Windows networking stack that's been around for years). I added the NTLM support to vsts-node-api but it's likely that won't support all scenarios (we've had other reports as well).

Do you have any other details on how your network is set up? For instance, do you know if your TFS server is on the same domain as your account (which appears to be CMC)? Any other differences you might be aware of? Since I assume you've entered the same credentials as you did when you logged into your machine, there's something going sideways during the negotiation during the HTTP call that results in the 401. At this point, however, I don't know what that would be.

@mrichman
Author

mrichman commented Jun 2, 2017

Hey @jeffyoung

Yes, I'm using Windows 10 connected to the same domain (CMC) that my TFS server is in. Short of putting Wireshark on here and sniffing the HTTP, I'm not sure what else to look at.

Thanks,
Mark

@mrichman
Author

Using 1.119.0, same issue:

2017-06-16T14:52:22.195Z - error:  [06220] You are not connected to a Team Foundation Server. Please run the 'team signin' command.
2017-06-16T14:53:41.470Z - info:   [06220] Signin: Username and Password provided as authentication.
2017-06-16T14:53:41.624Z - debug:  [06220] Polling interval value (minutes): 5
2017-06-16T14:53:41.629Z - info:   [06220] *** FOLDER: c:\tfs\EcoSys\SCM\Azure ***
2017-06-16T14:53:41.629Z - info:   [06220] VSTSVSCode/1.119.0 (VSCode 1.13.1; Windows_NT 10.0.14393; Node 7.4.0)
2017-06-16T14:53:41.630Z - debug:  [06220] Looking for an External Context at c:\tfs\EcoSys\SCM\Azure
2017-06-16T14:53:41.630Z - debug:  [06220] No External Context at c:\tfs\EcoSys\SCM\Azure
2017-06-16T14:53:41.632Z - debug:  [06220] Looking for TFVC repository at c:\tfs\EcoSys\SCM\Azure
2017-06-16T14:53:41.633Z - debug:  [06220] TFVC Creating Tfvc object with localPath='undefined'
2017-06-16T14:53:41.633Z - debug:  [06220] Using TFS proxy: undefined
2017-06-16T14:53:41.634Z - debug:  [06220] TFVC Retrieved from settings; localPath='C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\TF.exe'
2017-06-16T14:53:41.634Z - debug:  [06220] TFVC Repository created with repositoryRootFolder='c:\tfs\EcoSys\SCM\Azure'
2017-06-16T14:53:41.635Z - debug:  [06220] TFVC Repository.CheckVersion
2017-06-16T14:53:41.636Z - debug:  [06220] TFVC: tf add -noprompt -?
2017-06-16T14:53:41.653Z - debug:  [06220] TFVC: spawned new process (duration: 17ms)
2017-06-16T14:53:41.738Z - debug:  [06220] TFVC: add exit code: 0 (duration: 102ms)
2017-06-16T14:53:41.739Z - debug:  [06220] TFVC Minimum required version: 14.102.0
2017-06-16T14:53:41.739Z - debug:  [06220] TFVC (TF.exe, TF.cmd) version: 15.112.26421.0
2017-06-16T14:53:41.739Z - debug:  [06220] TFVC Repository.FindWorkspace with localPath='c:\tfs\EcoSys\SCM\Azure'
2017-06-16T14:53:41.739Z - debug:  [06220] TFVC: tf workfold -noprompt c:\tfs\EcoSys\SCM\Azure
2017-06-16T14:53:41.765Z - debug:  [06220] TFVC: spawned new process (duration: 24ms)
2017-06-16T14:53:42.286Z - debug:  [06220] TFVC: workfold exit code: 0 (duration: 546ms)
2017-06-16T14:53:42.287Z - debug:  [06220] Found a TFVC repository for url: 'http://tfs:8080/tfs/ecosys' and team project: 'SCM'.
2017-06-16T14:53:42.288Z - debug:  [06220] Parsing values from repositoryInfo as string url
2017-06-16T14:53:42.288Z - debug:  [06220] TFVC Creating Tfvc object with localPath='undefined'
2017-06-16T14:53:42.289Z - debug:  [06220] Using TFS proxy: undefined
2017-06-16T14:53:42.289Z - debug:  [06220] TFVC Retrieved from settings; localPath='C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\TF.exe'
2017-06-16T14:53:42.290Z - debug:  [06220] TFVC Repository created with repositoryRootFolder='c:\tfs\EcoSys\SCM\Azure'
2017-06-16T14:53:42.376Z - debug:  [06220] Started ApplicationInsights telemetry
2017-06-16T14:53:42.376Z - info:   [06220] Getting repository information with repositoryInfoClient
2017-06-16T14:53:42.376Z - debug:  [06220] RemoteUrl = http://tfs:8080/tfs/ecosys
2017-06-16T14:53:42.378Z - debug:  [06220] Getting repository information for a TFVC repository at http://tfs:8080/tfs/ecosys
2017-06-16T14:53:42.379Z - debug:  [06220] Parsing values from repositoryInfo as string url
2017-06-16T14:53:42.379Z - debug:  [06220] Starting the validation of the collection. Url: 'http://tfs:8080/tfs/ecosys'
2017-06-16T14:53:42.709Z - error:  [06220] Failed call with repositoryClient:  Unauthorized. Check your authentication credentials and try again. Error: Error: Failed Request: Unauthorized(401) - http://tfs:8080/tfs/ecosys/_apis/tfvc/branches
2017-06-16T14:53:42.709Z - debug:  [06220] Error: Failed Request: Unauthorized(401) - http://tfs:8080/tfs/ecosys/_apis/tfvc/branches
2017-06-16T14:53:42.711Z - info:   [06220] Sent TFVC tooling telemetry
2017-06-16T14:53:42.711Z - debug:  [06220] Initializing the TfvcSCMProvider
2017-06-16T14:53:42.714Z - debug:  [06220] TFVC Repository.CheckVersion
2017-06-16T14:53:42.714Z - debug:  [06220] TFVC: tf add -noprompt -?
2017-06-16T14:53:42.736Z - debug:  [06220] TFVC: spawned new process (duration: 21ms)
2017-06-16T14:53:42.858Z - debug:  [06220] TFVC: add exit code: 0 (duration: 142ms)
2017-06-16T14:53:42.858Z - debug:  [06220] TFVC Minimum required version: 14.102.0
2017-06-16T14:53:42.858Z - debug:  [06220] TFVC (TF.exe, TF.cmd) version: 15.112.26421.0
2017-06-16T14:53:42.861Z - debug:  [06220] TFVC Repository.GetStatus
2017-06-16T14:53:42.865Z - debug:  [06220] TFVC: tf status -noprompt -format:detailed -recursive c:\tfs\EcoSys\SCM\Azure
2017-06-16T14:53:42.898Z - debug:  [06220] TFVC: spawned new process (duration: 32ms)

@mrichman
Author

mrichman commented Jun 16, 2017

If this is helpful, here are some headers I dumped using Wireshark:

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-TFS-ProcessId: 9ea49f24-ae20-4d5b-9019-8faaa375d00e
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Access-Control-Allow-Methods: OPTIONS,GET,POST,PATCH,PUT,DELETE
Access-Control-Expose-Headers: ActivityId,X-TFS-Session,X-MS-ContinuationToken
Access-Control-Allow-Headers: authorization
X-FRAME-OPTIONS: SAMEORIGIN
X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.
WWW-Authenticate: Bearer
WWW-Authenticate: Basic realm="http://tfs:8080/tfs"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Lfs-Authenticate: NTLM
X-Content-Type-Options: nosniff
Date: Fri, 16 Jun 2017 17:58:13 GMT
Content-Length: 19489
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAABgAGsdfsdfsKXPhfNHaMAAAAAAAAAAKgAqAA+AAAACgA5OAAAAA9DAE0AQwACAAYAQwBNAEMAAQAUAEMATABUAFQARgBwerwrwerABAAcAGMAYQBtAHAAdQBzAG0AZwBtAHQALgBjAG8AbQADADIAQwsdfsdfsdfMAVwBFAEIAMQAuAGMAYQBtAHAAdQBzAG0AZwBtAHQALgBjAG8AbQAFABwAYwBhAG0AcAB1AHMAbQBnAG0AdAAuAGMAbwBtAAcACAAWrs8fyubSAQAAAAA=
Date: Fri, 16 Jun 2017 17:58:13 GMT
Content-Length: 341
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/10.0
X-TFS-ProcessId: 9ea49f24-ae20-4d5b-9019-8faaa375d00e
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Access-Control-Allow-Methods: OPTIONS,GET,POST,PATCH,PUT,DELETE
Access-Control-Expose-Headers: ActivityId,X-TFS-Session,X-MS-ContinuationToken
Access-Control-Allow-Headers: authorization
X-FRAME-OPTIONS: SAMEORIGIN
WWW-Authenticate: Bearer
WWW-Authenticate: Basic realm="http://tfs:8080/tfs"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Lfs-Authenticate: NTLM
X-Content-Type-Options: nosniff
Date: Fri, 16 Jun 2017 17:58:13 GMT
Content-Length: 1293

@jeffyoung
Contributor

Hi @mrichman, thanks for that information. Based on what I see (if I'm reading it correctly), it appears (bottom to top) to be a 'typical' NTLM challenge-response flow. I'm at a bit of a loss as to what's going sideways here.

That said, I'm attaching a node project that you can open in VS Code, set the server URL, your username, domain and password in the code, hit F5 and see if the connection works. This code was the basis for the code that's in the npm module that the extension relies upon (IOW, it's not exactly the same code). But I would be interested in knowing what your results are. I've included the node_modules as well as the .vscode folder so you really should just be able to extract it, open the folder in VS Code and go.

https-ntlm-testing.markrichman.zip
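
For readers triaging a capture like the one above, the following added example (not code from the extension, vsts-node-api or the attached test project) lists the schemes a 401 offers and decodes the NTLM Type 2 challenge carried in the second 401. The function names and the EXAMPLE/TFS01 sample message are assumptions constructed for illustration.

```javascript
// Added example. The sample message is constructed, not taken from the capture.
const FLAGS = [[0x00000001, 'NEGOTIATE_UNICODE'], [0x00000200, 'NEGOTIATE_NTLM'],
  [0x00080000, 'NEGOTIATE_EXTENDED_SESSIONSECURITY'], [0x00800000, 'NEGOTIATE_TARGET_INFO']];
const AV_NAMES = { 1: 'nbComputer', 2: 'nbDomain', 3: 'dnsComputer', 4: 'dnsDomain' };

// One string per WWW-Authenticate header line, as in the Wireshark dump.
function offeredSchemes(headerValues) {
  return headerValues.map((v) => v.trim().split(/\s+/)[0]);
}

// Base64 token of the "NTLM <token>" line, or null when the 401 only offers NTLM.
function findNtlmToken(headerValues) {
  const m = headerValues.map((v) => /^NTLM\s+(\S+)$/.exec(v.trim())).find(Boolean);
  return m ? m[1] : null;
}

function parseType2(b64) {
  const buf = Buffer.from(b64, 'base64');
  if (buf.length < 32 || buf.toString('latin1', 0, 8) !== 'NTLMSSP\0') {
    throw new Error('not an NTLMSSP message');
  }
  if (buf.readUInt32LE(8) !== 2) throw new Error('not a Type 2 (challenge) message');
  // Security buffer: uint16 length, uint16 allocated, uint32 offset into the message.
  const secBuf = (at) => {
    const len = buf.readUInt16LE(at), off = buf.readUInt32LE(at + 4);
    if (off + len > buf.length) throw new Error('security buffer out of bounds');
    return buf.subarray(off, off + len);
  };
  const flags = buf.readUInt32LE(20);
  const out = {
    targetName: secBuf(12).toString((flags & 1) ? 'utf16le' : 'latin1'),
    flags: FLAGS.filter(([bit]) => (flags & bit) !== 0).map(([, name]) => name),
    serverChallenge: buf.subarray(24, 32).toString('hex'),
    targetInfo: {},
  };
  if ((flags & 0x00800000) !== 0 && buf.length >= 48) {
    const info = secBuf(40);
    for (let p = 0; p + 4 <= info.length;) {
      const id = info.readUInt16LE(p), len = info.readUInt16LE(p + 2);
      if (id === 0 || p + 4 + len > info.length) break; // MsvAvEOL or truncated pair
      if (AV_NAMES[id]) out.targetInfo[AV_NAMES[id]] = info.toString('utf16le', p + 4, p + 4 + len);
      p += 4 + len;
    }
  }
  return out;
}

// Constructed Type 2 message for a placeholder domain EXAMPLE and host TFS01.
function buildSampleType2() {
  const u = (s) => Buffer.from(s, 'utf16le');
  const av = (id, s) => {
    const h = Buffer.alloc(4);
    h.writeUInt16LE(id, 0); h.writeUInt16LE(u(s).length, 2);
    return Buffer.concat([h, u(s)]);
  };
  const target = u('EXAMPLE');
  const info = Buffer.concat([av(2, 'EXAMPLE'), av(1, 'TFS01'), av(4, 'example.test'), Buffer.alloc(4)]);
  const head = Buffer.alloc(48);
  head.write('NTLMSSP\0', 0, 'latin1');
  head.writeUInt32LE(2, 8);
  head.writeUInt16LE(target.length, 12); head.writeUInt16LE(target.length, 14); head.writeUInt32LE(48, 16);
  head.writeUInt32LE(0x00880201, 20); // UNICODE | NTLM | EXTENDED_SESSIONSECURITY | TARGET_INFO
  Buffer.from('0123456789abcdef', 'hex').copy(head, 24);
  head.writeUInt16LE(info.length, 40); head.writeUInt16LE(info.length, 42); head.writeUInt32LE(48 + target.length, 44);
  return Buffer.concat([head, target, info]).toString('base64');
}

console.log(parseType2(buildSampleType2()));
```

The decoded target name and domain fields show which domain the server expects the Type 3 response to be computed for, which is the first thing to compare against the account name the client sends.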

@mrichman
Author

mrichman commented Jun 18, 2017

I set my TFS host and credentials in app.ts, then I had to install gulp using npm. Then I started the debugger in VS Code, and...

Debugger listening on 127.0.0.1:49372
{ 'content-type': 'text/html',
  server: 'Microsoft-IIS/10.0',
  'x-tfs-processid': '9ea49f24-ae20-4d5b-9019-8faaa375d00e',
  'access-control-allow-origin': '*',
  'access-control-max-age': '3600',
  'access-control-allow-methods': 'OPTIONS,GET,POST,PATCH,PUT,DELETE',
  'access-control-expose-headers': 'ActivityId,X-TFS-Session,X-MS-ContinuationToken',
  'access-control-allow-headers': 'authorization',
  'x-frame-options': 'SAMEORIGIN',
  'www-authenticate': 'Bearer, Basic realm="http://tfs:8080/tfs", Negotiate, NTLM',
  'x-powered-by': 'ASP.NET',
  p3p: 'CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"',
  'lfs-authenticate': 'NTLM',
  'x-content-type-options': 'nosniff',
  date: 'Sun, 18 Jun 2017 15:23:25 GMT',
  connection: 'close',
  'content-length': '1293' }
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

If this is helpful at all, running curl also fails with 401:

curl http://tfs:8080/tfs/EcoSys/_apis/tfvc/branches -v --ntlm --negotiate -u CMC\mrichman

@jeffyoung
Contributor

Thanks Mark.

Unfortunately, the code I sent was the simplest repro I could come up with. Had it worked, I'd have a bit more information about what to investigate next. But since it and curl failed, I'm at a loss for what to investigate next. 😞 All I can think of is that there's some intricacy or nuance of the network (or NTLM) that just isn't covered by the npm package being used. Your web browser works since Windows itself handles the NTLM authentication. The extension relies on a separate implementation that just must have some holes (which wouldn't be all that surprising since Windows has had the NTLM support for many years).

If you have any other ideas on what we could investigate, I'd be interested in knowing what those are. But at this point, I don't know what to look at next.

@mrichman
Author

mrichman commented Jun 19, 2017

I tried omitting --negotiate from the curl command and it worked. So, there must be something peculiar about the httpntlm package, and its support for Negotiate. I don't know enough about Node or NTLM to diagnose further.

dfrencham added a commit to dfrencham/vsts-vscode that referenced this issue Jul 20, 2017
Fixes issue microsoft#246. In Windows domain credentials are not included by the argument builder

@dfrencham
Contributor

I think this may be the same issue that I've just submitted a pull request for. My dev VM (Windows 10) is in a different domain to my TFS server. I noticed authentication errors occurring and did some digging.

I found that the domain portion of my username (domain\user) was not being passed. I determined this by commenting out the arg = "******" line in the argument builder, so I could log the full credentials that were being passed.

The argument builder was not including the domain when building the tf.exe command.

jeffyoung pushed a commit that referenced this issue Aug 10, 2017
Fixes issue #246. In Windows domain credentials are not included by the argument builder

@jeffyoung
Contributor

v1.122.0 has been released with these changes (#291). Thanks again for the PR @dfrencham.

@dmumladze

I'm using on-prem TFS along with the latest v1.122.0 plugin, but still experiencing the same error.

@dfrencham
Contributor

@dmumladze what are your log entries showing?

@dmumladze

dmumladze commented Feb 8, 2018

Error is at Unauthorized. Check your authentication credentials and try again. Error: Error: Failed Request: Unauthorized(401)

I can access the URL https://tfs.hostname.net/tfs/collection/_apis/tfvc/branches using the browser.

team-extension.log

@catqbat

catqbat commented Feb 13, 2018

Same here: using latest version: 1.122.0. Trying to access Team Foundation Server 2017 (15.117.27024.0):
Failed call with repositoryClient: Unauthorized. Check your authentication credentials and try again. Error: Error: Failed Request: Unauthorized(401) - https://tfs.xxx/tfs/defaultcollection/_apis/tfvc/branches

What I find weird is the user name value in Windows Credential Manager, it says: creds.exe

@rugpanov

rugpanov commented Feb 13, 2018

@catqbat, so it should be. The Tfvc extension uses an external tool, "creds.exe", to save user credentials into the credentials manager on Windows.

@catqbat

catqbat commented Feb 13, 2018

Ok, good to know.
It looks like there's a problem with httpntlm. Did the same test as @mrichman, got the same results:
401 - Unauthorized: Access is denied due to invalid credentials.

@dfrencham
Contributor

One way to tackle this would be to download the source for vsts-vscode, search for "-noprompt". That will lead you to the file where your credentials are masked for display in the log window. Comment out the code block that does the masking, then load the plugin.

This will allow you to see the credentials being sent by vsts-vscode in the Output window (change the drop down to TFVC).

That is how I was able to diagnose my authentication issues.
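
The two comments above describe a login argument built without the domain and a log view that masks the whole argument. As an added example (not the extension's code; `TfArgs`, `qualifyAccount` and `loginArgDroppingDomain` are hypothetical names, and the `-login:user,password` form is assumed), this builder includes the domain and writes the account to the log while keeping only the password masked, so the domain can be checked without unmasking credentials.

```javascript
// Added example; all names here are hypothetical, not the extension's API.

// Behaviour described in the thread: the domain never reaches the argument.
function loginArgDroppingDomain({ user, password }) {
  return `-login:${user},${password}`;
}

function qualifyAccount(domain, user) {
  // Leave DOMAIN\user and user@realm forms alone; otherwise prefix the domain.
  if (!domain || user.includes('\\') || user.includes('@')) return user;
  return `${domain}\\${user}`;
}

class TfArgs {
  constructor(command) { this.items = [{ value: command }]; }

  add(value) { this.items.push({ value }); return this; }

  addLogin({ domain, user, password }) {
    const account = qualifyAccount(domain, user);
    this.items.push({
      value: `-login:${account},${password}`, // what the tf process receives
      display: `-login:${account},******`,    // what may be written to a log
    });
    return this;
  }

  // Argument vector for spawning the process (never log this).
  toArgv() { return this.items.map((i) => i.value); }

  // Log-safe rendering: account visible for diagnosis, password masked.
  toLogString() {
    return 'tf ' + this.items.map((i) => i.display || i.value).join(' ');
  }
}

// Constructed sample credentials.
const creds = { domain: 'EXAMPLE', user: 'alice', password: 'constructed-pw' };
const args = new TfArgs('workfold').add('-noprompt').addLogin(creds);
console.log(args.toLogString());
```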

@catqbat

catqbat commented Feb 15, 2018

Credentials seem fine. I've downloaded the source code. Authentication fails at this point:

RestClient.prototype.getJson = function (url, apiVersion, customHeaders, serializationData, onResult) {
    this._getJson('GET', url, apiVersion, customHeaders, serializationData, onResult);
};

while accessing https://tfs.hostname.net/tfs/collection/_apis/tfvc/branches
at vsts-vscode-master\node_modules\vso-node-api\RestClient.js

I can see proper domain, user name and my pass in debugger window:
image

@dfrencham
Contributor

At this point it's probably worth installing a rest client (such as this one for Chrome: https://chrome.google.com/webstore/detail/yet-another-rest-client/ehafadccdcdedbhcbddihehiodgcddpl).

Try making a rest request to https://tfs.hostname.net/tfs/collection/_apis/tfvc/branches (ensure you've set credentials in your rest client). That should help narrow down the cause.

@catqbat

catqbat commented Feb 16, 2018

@dfrencham - thank you very much for your assistance.

I've checked out this rest client, but I'm now a little confused. If I enter my credentials in the form domain\user_name + pass and hit the "send request" button, there's a Chrome popup prompt from TFS saying "authorization required" with input fields for user name and pass.

If I hit cancel, I get 401:
image

If I enter my credentials in the Chrome popup - nothing happens and the popup reappears with empty input fields :)

@plamenkoyovchev

plamenkoyovchev commented Feb 15, 2019

Hi guys, I have exactly the same issue. I've checked with Fiddler and I'm getting 401 Unauthorized, but when I hit the URL in the browser it works.

I am using v1.144.1 (2018-11-05) of Azure Repos extensions.

@adamhill

adamhill commented Apr 3, 2019

I have also begun to experience this in the last 4 weeks. Command line git is working fine. Latest VS Code 1.31.1
