Git-credential-manager-for-windows: GCM not working with Azure AD backed VSTS

Created on 23 Feb 2018 · 14 Comments · Source: microsoft/Git-Credential-Manager-for-Windows

Although the documentation mentions using domain accounts, the dialog box I get presumes that the VSTS account is backed by a Microsoft account.

If I cancel and use the basic authentication, I can pull/push the code but it doesn't remember the credentials used for the next time.

All 14 comments

Which dialog are you seeing? Is it the common Microsoft authentication, like you'd see logging into Office365, Outlook.com, Azure Portal, or other Microsoft web service? Does it look like an OS dialog?

It's the common Microsoft authentication dialog, but when I enter my work account details, it says the Microsoft account doesn't exist, i.e. it's not trying to authenticate against Azure AD, only Microsoft accounts.

OK, now I understand what you're saying. This

Although the documentation mentions using domain accounts, the dialog box I get presumes that the VSTS account is backed by a Microsoft account.

... confused me because "domain accounts" generally are referring to Active Directory (aka internal corporate accounts) whereas "Microsoft account" is often used for AAD/MSA backed accounts. As for

it's not trying to authenticate against Azure AD only Microsoft accounts

Even MSA (Microsoft Accounts) authenticate using Azure AD, just the directory is the public directory which Hotmail, Outlook, OneDrive, and others use for non-corporate accounts.

OK so back to the topic at hand. When the GCM is asked by Git to provide credentials for an operation it examines the URL Git provides as part of the request. If the URL host is "visualstudio.com" then the GCM is required to send an unauthenticated request to the host. The request will return a 401 or 404 response, and the response will include an HTTP header with the Azure tenant which controls authentication for the resource.

My guess is that whichever tenant authority controls authentication for the *.visualstudio.com account you're trying to access isn't the public tenant, and therefore doesn't know about your MSA. This is wholly reasonable.

If you're certain that the account should be using MSA to authenticate you, then you can force the GCM to use MSA to authenticate you by running git config --local credential.authority MSA. Hopefully that helps some.
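
The tenant detection described in the reply above, as an added example that is not part of the original thread or the GCM's own code: it classifies the response to an unauthenticated probe and flags a remembered tenant that no longer matches, the situation the thread works around by deleting tenant.cache. Assumptions not stated on this page: the header is named X-VSS-ResourceTenant, an all-zero GUID in it means an MSA-backed account, and the cache is modelled as a plain dict (hypothetical, not the tenant.cache file format); the host and tenant GUID are constructed samples.

```python
import uuid

# Assumption: header name and the all-zero-GUID-means-MSA convention are not given in the thread.
TENANT_HEADER = "x-vss-resourcetenant"
MSA_TENANT = uuid.UUID(int=0)

def detect_authority(status, headers):
    """Classify an unauthenticated probe response as ('MSA'|'AAD'|'unknown', tenant)."""
    if status not in (401, 404):          # the thread says the probe returns 401 or 404
        return ("unknown", None)
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    tenants = []
    for part in lowered.get(TENANT_HEADER, "").split(","):
        try:
            tenants.append(uuid.UUID(part.strip()))
        except ValueError:
            continue                      # skip empty or malformed values
    if not tenants:
        return ("unknown", None)
    for tenant in tenants:
        if tenant != MSA_TENANT:          # first real tenant GUID wins
            return ("AAD", str(tenant))
    return ("MSA", None)

def cache_is_stale(cached, host, status, headers):
    """True when the tenant remembered for `host` disagrees with what the server reports now."""
    kind, tenant = detect_authority(status, headers)
    if kind == "unknown" or host not in cached:
        return False
    live = tenant if kind == "AAD" else str(MSA_TENANT)
    return cached[host].lower() != live

# Constructed sample data: placeholder host and tenant GUID, hypothetical in-memory cache.
SAMPLE_HOST = "contoso.visualstudio.com"
AAD_RESPONSE = (401, {"X-VSS-ResourceTenant": "11111111-2222-3333-4444-555555555555"})
MSA_RESPONSE = (401, {"X-VSS-ResourceTenant": "00000000-0000-0000-0000-000000000000"})
STALE_CACHE = {SAMPLE_HOST: "00000000-0000-0000-0000-000000000000"}

if __name__ == "__main__":
    print(detect_authority(*AAD_RESPONSE))
    print(cache_is_stale(STALE_CACHE, SAMPLE_HOST, *AAD_RESPONSE))
```
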

No joy, still get the dialog which says "Sign in to your Microsoft account".

I think this is this issue... https://github.com/Microsoft/Git-Credential-Manager-for-Windows/issues/537

I installed the 1.15 version and cleared the tenant.cache file and it authenticated correctly.

@phatcher which version of the GCM was this with? Starting with v1.15.0 the tenant cache finally has corrected cache eviction logic.

I think it was 1.14; I had updated to git 2.16.2. Unfortunately the MSA prompt is back again :-(

Your distinction of calling AAD tenant accounts MSA is an odd one though, as it doesn't allow me to distinguish between a hotmail style account and my AD account in the cloud, and the credential prompt I'm getting doesn't see it this way - it's expecting an account in the Microsoft directory and won't accept one in my AD.

The *.visualstudio.com web site gets it correct, presenting a dialog which allows both MSA and AAD tenant accounts to be entered. Is there a way of getting GCM to do the same?

Ok, another tenant.cache clear and it's working...

I think the issue was I had an account that was secured with MSA with a submodule where the upstream was secured with AAD - basically I'm trying to share some libraries with each participant being able to do their own development.

This confused GCM until I independently connected to another clone of the upstream repository and then the submodule push worked correctly.

@phatcher in theory the v1.15.0 release should do this for you.

Same problem here. I just finished the horrible process of untangling my MSA and assigning my ORG (AAD) account to my Visual Studio repo. I tried both the credential manager install from the GIT install and also tried 1.15.0 and it only prompts for an MSA. When I enter my user account (email address) it only offers MSA not an option for my Organizational account.

If I cancel out I can enter my account and my token on the cmd line and it works fine.

I think I'll uninstall and just use that approach until this is resolved.

@MatthewMcD Did you try clearing the tenant.cache? That worked for me and it's now stable.

It took some digging and a couple of re-installations but it appears to be working correctly now. For those that land here, delete the file %LocalAppData%\GitCredentialManager\tenant.cache

@MatthewMcD as of v1.15.0 the GCM ought to clear the tenant.cache file when it fails to authenticate. This should automatically resolve issues like you've been having.

FWIW I just had the same issue reported here after installing the latest GCM (1.15.2). Deleting the tenant.cache solved the problem for me.

@saschwarz well that's disappointing. v1.15.2 was supposed to resolve the need to delete the tenant cache manually. 😞
