Description
Version
2.0.935+8b4735fc7b
Operating system
Windows
OS version or distribution
Microsoft Windows [Version 10.0.19044.2604]
Git hosting provider(s)
Other - please describe below
Other hosting provider
Internal installation of Gitea
(Azure DevOps only) What format is your remote URL?
None
Can you access the remote repository directly in the browser?
Yes, I can access the repository
Expected behavior
Able to clone/push to Gitea with Kerberos SSO authentication
Actual behavior
fatal: Authentication failed for 'https://gitea-test.example.org/UserName/CodeRepo.git/'
Logs
I have Gitea installed on a RHEL8 server [gitea-test.example.org] that is joined to AD. An appropriate HTTP SPN is set up, and Apache is installed there as a reverse proxy to do SSL termination and Kerberos (password-less) authentication. I am able to access this Gitea install using Firefox or MS Edge on my Windows workstation. I have also tested using git on a Debian workstation and it authenticates successfully (after obtaining a TGT and setting git config --global http.emptyAuth true).
However, when I try to run Git for Windows in a standard Command Prompt (cmd.exe) on my Windows workstation, I get an authentication failure:
C:\Temp>ver
Microsoft Windows [Version 10.0.19044.2604]
C:\Temp>C:\Windows\System32\klist.exe tgt | head -n 19
Current LogonId is 0:0xc20a6
Cached TGT:
ServiceName : krbtgt
TargetName (SPN) : krbtgt
ClientName : username
DomainName : EXAMPLE.ORG
TargetDomainName : EXAMPLE.ORG
AltTargetDomainName: EXAMPLE.ORG
Ticket Flags : 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Session Key : KeyType 0x12 - AES-256-CTS-HMAC-SHA1-96
: KeyLength 32 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
StartTime : 4/27/2023 8:26:00 (local)
EndTime : 4/27/2023 18:26:00 (local)
RenewUntil : 5/4/2023 8:26:00 (local)
TimeSkew : + 0:00 minute(s)
EncodedTicket : (size: 1762)
C:\Temp>git --version
git version 2.40.1.windows.1
C:\Temp>git credential-manager --version
2.0.935+8b4735fc7b
C:\Temp>set GIT_TRACE=C:\Temp\git_trace.log
C:\Temp>set GCM_TRACE=C:\Temp\git_trace.log
C:\Temp>git clone https://gitea-test.example.org/UserName/CodeRepo.git
Cloning into 'CodeRepo'...
fatal: Authentication failed for 'https://gitea-test.example.org/UserName/CodeRepo.git/'
Here's the (redacted) trace file contents:
09:03:02.422734 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
09:03:02.468751 git.c:439 trace: built-in: git clone https://gitea-test.example.org/UserName/CodeRepo.git
09:03:02.553755 run-command.c:655 trace: run_command: git remote-https origin https://gitea-test.example.org/UserName/CodeRepo.git
09:03:02.637732 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:02.643732 git.c:725 trace: exec: git-remote-https origin https://gitea-test.example.org/UserName/CodeRepo.git
09:03:02.644733 run-command.c:655 trace: run_command: git-remote-https origin https://gitea-test.example.org/UserName/CodeRepo.git
09:03:02.757731 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:02.854731 run-command.c:655 trace: run_command: 'C:/Program\ Files/Git/mingw64/bin/git-credential-manager get'
09:03:03.326728 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:03.332729 git.c:439 trace: built-in: git version
09:03:03.440727 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:03.445724 git.c:439 trace: built-in: git config --null trace2.eventtarget
09:03:03.547725 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:03.552726 git.c:439 trace: built-in: git config --null trace2.normaltarget
09:03:03.680723 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:03.686726 git.c:439 trace: built-in: git config --null credential.msauthUseBroker
09:03:03.804723 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:03.811453 git.c:439 trace: built-in: git config --null credential.httpProxy
09:03:03.917518 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:03.923515 git.c:439 trace: built-in: git config --null http.proxy
09:03:04.101511 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:04.108515 git.c:439 trace: built-in: git config --null http.sslVerify
09:03:04.212511 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:04.217510 git.c:439 trace: built-in: git config --null --type=path http.sslCAInfo
09:03:04.264507 ...\Application.cs:95 trace: [RunInternalAsync] Version: 2.0.935.18315
09:03:04.272511 ...\Application.cs:96 trace: [RunInternalAsync] Runtime: .NET Framework 4.0.30319.42000
09:03:04.272511 ...\Application.cs:97 trace: [RunInternalAsync] Platform: Windows (x86-64)
09:03:04.272511 ...\Application.cs:98 trace: [RunInternalAsync] OSVersion: 10.0 (build 19044)
09:03:04.272511 ...\Application.cs:99 trace: [RunInternalAsync] AppPath: C:\Program Files\Git\mingw64\bin\git-credential-manager
09:03:04.272511 ...\Application.cs:100 trace: [RunInternalAsync] InstallDir: C:\Program Files\Git\mingw64\bin\
09:03:04.272511 ...\Application.cs:101 trace: [RunInternalAsync] Arguments: get
09:03:04.342511 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
09:03:04.357509 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
09:03:04.358510 ...GitCommandBase.cs:48 trace: [ExecuteAsync] protocol=https
09:03:04.358510 ...GitCommandBase.cs:48 trace: [ExecuteAsync] host=gitea-test.example.org
09:03:04.507510 ...oviderRegistry.cs:99 trace: [GetProviderAsync] Host provider override was set id='generic'
09:03:04.510510 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'Generic' was selected.
09:03:04.512510 ...\HostProvider.cs:126 trace: [GetCredentialAsync] Looking for existing credential in store with service=https://gitea-test.example.org account=...
09:03:04.989506 ...\HostProvider.cs:131 trace: [GetCredentialAsync] No existing credentials found.
09:03:04.989506 ...\HostProvider.cs:134 trace: [GetCredentialAsync] Creating new credential...
09:03:05.205504 ...ricOAuthConfig.cs:19 trace: [TryGet] Invalid OAuth configuration - missing/invalid authorize endpoint:
09:03:05.708500 ...icHostProvider.cs:86 trace: [GenerateCredentialAsync] Checking host 'https://gitea-test.example.org/' for Windows Integrated Authentication...
09:03:05.710501 ...Authentication.cs:34 trace: [GetIsSupportedAsync] HTTP: HEAD https://gitea-test.example.org/
09:03:05.710501 ...pClientFactory.cs:58 trace: [CreateClient] Creating new HTTP client instance...
09:03:06.964487 ...Authentication.cs:37 trace: [GetIsSupportedAsync] HTTP: Response code ignored.
09:03:06.964487 ...Authentication.cs:39 trace: [GetIsSupportedAsync] Inspecting WWW-Authenticate headers...
09:03:06.964487 ...Authentication.cs:44 trace: [GetIsSupportedAsync] Found WWW-Authenticate header for Negotiate
09:03:06.964487 ...icHostProvider.cs:95 trace: [GenerateCredentialAsync] Host supports WIA - generating empty credential...
09:03:06.964487 ...\HostProvider.cs:136 trace: [GetCredentialAsync] Credential created.
09:03:06.964487 ...\GetCommand.cs:39 trace: [ExecuteInternalAsync] Writing credentials to output:
09:03:06.965504 ...\GetCommand.cs:40 trace: [ExecuteInternalAsync] protocol=https
09:03:06.965504 ...\GetCommand.cs:40 trace: [ExecuteInternalAsync] host=gitea-test.example.org
09:03:06.965504 ...\GetCommand.cs:40 trace: [ExecuteInternalAsync] username=
09:03:06.965504 ...\GetCommand.cs:40 trace: [ExecuteInternalAsync] password=********
09:03:06.965504 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...
s/Git/mingw64/libexec/git-core
09:03:05.568502 git.c:439 trace: built-in: git config --null --list
09:03:05.676500 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:05.682499 git.c:439 trace: built-in: git config --null credential.authority
09:03:05.791498 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:05.796497 git.c:439 trace: built-in: git config --null --list
09:03:05.912502 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:05.918498 git.c:439 trace: built-in: git config --null credential.httpsProxy
09:03:06.030497 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:06.036497 git.c:439 trace: built-in: git config --null --list
09:03:06.141497 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:06.146496 git.c:439 trace: built-in: git config --null credential.httpProxy
09:03:06.254496 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:06.259496 git.c:439 trace: built-in: git config --null --list
09:03:06.373495 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:06.379496 git.c:439 trace: built-in: git config --null http.proxy
09:03:06.482492 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:06.488495 git.c:439 trace: built-in: git config --null --list
09:03:06.593491 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:06.598491 git.c:439 trace: built-in: git config --null http.sslVerify
09:03:06.700489 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:06.706491 git.c:439 trace: built-in: git config --null --list
09:03:06.809490 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:06.814488 git.c:439 trace: built-in: git config --null --type=path http.sslCAInfo
09:03:07.014489 run-command.c:655 trace: run_command: 'C:/Program\ Files/Git/mingw64/bin/git-credential-manager erase'
09:03:07.527484 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:07.544493 git.c:439 trace: built-in: git version
09:03:07.657482 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:07.663484 git.c:439 trace: built-in: git config --null trace2.eventtarget
09:03:07.795483 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:07.800482 git.c:439 trace: built-in: git config --null trace2.normaltarget
09:03:07.958482 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:07.963481 git.c:439 trace: built-in: git config --null credential.msauthUseBroker
09:03:08.083479 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:08.105478 git.c:439 trace: built-in: git config --null credential.httpProxy
09:03:08.209477 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:08.214476 git.c:439 trace: built-in: git config --null http.proxy
09:03:08.395517 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:08.400518 git.c:439 trace: built-in: git config --null http.sslVerify
09:03:08.500517 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:08.505516 git.c:439 trace: built-in: git config --null --type=path http.sslCAInfo
09:03:08.547519 ...\Application.cs:95 trace: [RunInternalAsync] Version: 2.0.935.18315
09:03:08.554517 ...\Application.cs:96 trace: [RunInternalAsync] Runtime: .NET Framework 4.0.30319.42000
09:03:08.554517 ...\Application.cs:97 trace: [RunInternalAsync] Platform: Windows (x86-64)
09:03:08.554517 ...\Application.cs:98 trace: [RunInternalAsync] OSVersion: 10.0 (build 19044)
09:03:08.554517 ...\Application.cs:99 trace: [RunInternalAsync] AppPath: C:\Program Files\Git\mingw64\bin\git-credential-manager
09:03:08.555517 ...\Application.cs:100 trace: [RunInternalAsync] InstallDir: C:\Program Files\Git\mingw64\bin\
09:03:08.555517 ...\Application.cs:101 trace: [RunInternalAsync] Arguments: erase
09:03:08.622516 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'erase' command...
09:03:08.637514 ...GitCommandBase.cs:47 trace: [ExecuteAsync] Detecting host provider for input:
09:03:08.637514 ...GitCommandBase.cs:48 trace: [ExecuteAsync] protocol=https
09:03:08.638515 ...GitCommandBase.cs:48 trace: [ExecuteAsync] host=gitea-test.example.org
09:03:08.638515 ...GitCommandBase.cs:48 trace: [ExecuteAsync] username=
09:03:08.638515 ...GitCommandBase.cs:48 trace: [ExecuteAsync] password=********
09:03:08.758222 ...oviderRegistry.cs:99 trace: [GetProviderAsync] Host provider override was set id='generic'
09:03:08.761236 ...GitCommandBase.cs:50 trace: [ExecuteAsync] Host provider 'Generic' was selected.
09:03:08.761236 ...\HostProvider.cs:173 trace: [EraseCredentialAsync] Erasing stored credential in store with service=https://gitea-test.example.org account=...
09:03:09.273219 ...\HostProvider.cs:180 trace: [EraseCredentialAsync] No credential was erased.
09:03:09.273219 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'erase' command...
nfig --null --list
09:03:08.965219 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:08.972220 git.c:439 trace: built-in: git config --null credential.namespace
09:03:09.075219 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:09.080219 git.c:439 trace: built-in: git config --null --list
09:03:09.189220 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
09:03:09.231219 git.c:439 trace: built-in: git config --null credential.credentialStore
Is there something I'm missing in order to make this work seamlessly?
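Added example, not part of the original report and not code from Git or Git Credential Manager: a small triage script that reconstructs the credential-helper exchange from a combined GIT_TRACE/GCM_TRACE file like the one above. The sample lines are constructed in the report's format, and the function names and result keys are this example's own.

```python
import re

# Constructed sample in the format of the trace above. It includes one truncated
# fragment like those in the report, where GIT_TRACE and GCM_TRACE point at the
# same file.
SAMPLE_TRACE = r"""
09:03:04.342511 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'get' command...
09:03:04.507510 ...oviderRegistry.cs:99 trace: [GetProviderAsync] Host provider override was set id='generic'
09:03:06.964487 ...Authentication.cs:44 trace: [GetIsSupportedAsync] Found WWW-Authenticate header for Negotiate
09:03:06.964487 ...icHostProvider.cs:95 trace: [GenerateCredentialAsync] Host supports WIA - generating empty credential...
09:03:06.965504 ...GitCommandBase.cs:54 trace: [ExecuteAsync] End 'get' command...
s/Git/mingw64/libexec/git-core
09:03:07.014489 run-command.c:655 trace: run_command: 'C:/Program\ Files/Git/mingw64/bin/git-credential-manager erase'
09:03:08.622516 ...GitCommandBase.cs:33 trace: [ExecuteAsync] Start 'erase' command...
09:03:09.273219 ...\HostProvider.cs:180 trace: [EraseCredentialAsync] No credential was erased.
"""

# Fields: time, source file, line number, message
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\S+?):(\d+)\s+trace:\s+(.*)$")

def parse(trace):
    """Return (messages, skipped): messages in file order, plus a count of unparseable fragments."""
    messages, skipped = [], 0
    for raw in trace.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE.match(raw)
        if m:
            messages.append(m.group(4))
        else:
            skipped += 1  # truncated or overwritten line: count it, do not guess its content
    return messages, skipped

def summarize(trace):
    """Reconstruct the credential-helper exchange recorded in a combined trace."""
    messages, skipped = parse(trace)
    commands, schemes, empty = [], [], False
    for msg in messages:
        if m := re.search(r"Start '(\w+)' command", msg):
            commands.append(m.group(1))
        elif m := re.search(r"Found WWW-Authenticate header for (\S+)", msg):
            schemes.append(m.group(1))
        elif "generating empty credential" in msg:
            empty = True
    # Git calls the helper's 'erase' action after a credential it was handed is
    # rejected, so an 'erase' following a 'get' marks a failure after GCM answered.
    rejected = "get" in commands and "erase" in commands[commands.index("get") + 1:]
    return {"commands": commands, "schemes": schemes, "empty_credential": empty,
            "rejected_after_get": rejected, "skipped_fragments": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

A result of `get` followed by `erase` with `empty_credential` set for `Negotiate` means the rejection came after GCM had already returned the empty credential, that is, in the request Git then made with it.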