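I recently upgraded from on-premises TFS 2013 to TFS 2017 (Update 3). As part of the upgrade\migration to a new server, we switched from using port 8080 to port 443 (https).
We have an old RHEL 6.8 machine that we have been using as a build server for a small number of Java projects that use Git. The server is running git 1.7.1 (which ships with RHEL 6), and we are no longer able to clone\pull\push the Git repositories hosted in TFS.
FYI - I am using export GIT_CURL_VERBOSE=1 to increase logging.
My initial problem was that Git did not trust the certificate from our internal corporate CA (the issuer of the peer certificate is not recognized). I resolved this by adding the internal certificate to ca-bundle.crt.
With that resolved, I am now getting a 401 Unauthorized error that I cannot figure out. I can authenticate against the exact same URL with cURL as long as I supply the --ntlm switch. Git appears to be using NTLM, but for whatever reason it refuses to work.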
-sh-4.1$ curl -k -u 'DOMAIN\username' --ntlm https://tfs.mycompany.com/tfs/TeamProjectCollection/TeamProjectName/_git/reponame/info/refs?service=git-upload-pack
Enter host password for user 'DOMAIN\username':
001e# service=git-upload-pack
000000a5d9f0c36ca42f5a65fc80bd39162b40b472e06c1b HEAD multi_ack thin-pack side-band side-band-64k no-progress multi_ack_detailed no-done shallow allow-tip-sha1-in-want
003fd9f0c36ca42f5a65fc80bd39162b40b472e06c1b refs/heads/master
0000
-sh-4.1$ curl -k -u 'DOMAIN\username' --ntlm https://tfs.mycompany.com/tfs/TeamProjectCollection/TeamProjectName/_git/reponame/info/refs
Enter host password for user 'DOMAIN\username':
d9f0c36ca42f5a65fc80bd39162b40b472e06c1b refs/heads/master
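However, when I try to clone with the following command, I get a 401. Before the upgrade, with TFS 2013, we were using the http://DOMAIN\username@tfs.mycompany.com:8080 syntax, and it worked fine. I recall that we had to turn on Basic authentication for that. However, after upgrading to TFS 2017, it no longer works, whether or not Basic authentication is enabled.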
-sh-4.1$ git clone 'https://DOMAIN\username@tfs.mycompany.com/tfs/TeamProjectCollection/TeamProject/_git/reponame'
Initialized empty Git repository in /home/username/git/reponame/.git/
Password:
* Couldn't find host tfs.mycompany.com in the .netrc file; using defaults
* About to connect() to tfs.mycompany.com port 443 (#0)
* Trying 10.131.44.190... * Connected to tfs.mycompany.com (10.131.44.190) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /home/username/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=tfs.mycompany.com,OU=IT,O=Company Name,L=Chicago,ST=IL,C=US
* start date: Jun 05 18:12:59 2018 GMT
* expire date: Jun 04 18:12:59 2020 GMT
* common name: tfs.mycompany.com
* issuer: CN=MYCOMPANY-ADIssuingCA01,DC=ad,DC=mycompany,DC=org
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.1
Host: tfs.mycompany.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: 624831c6-b5e1-4f34-a100-404f077c0fbe
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< ActivityId: b38e342d-14ed-4c62-9718-a96c8d5fe14c
< X-TFS-Session: b38e342d-14ed-4c62-9718-a96c8d5fe14c
< X-VSS-E2EID: b38e342d-14ed-4c62-9718-a96c8d5fe14c
< X-FRAME-OPTIONS: SAMEORIGIN
< X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
< X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Tue, 19 Jun 2018 15:21:16 GMT
< Content-Length: 20181
<
* Ignoring the response-body
* Connection #0 to host tfs.mycompany.com left intact
* Issue another request to this URL: 'https://DOMAIN\username@tfs.mycompany.com/tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack'
* Couldn't find host tfs.mycompany.com in the .netrc file; using defaults
* Re-using existing connection! (#0) with host tfs.mycompany.com
* Connected to tfs.mycompany.com (10.131.44.190) port 443 (#0)
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.1
Host: tfs.mycompany.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: 624831c6-b5e1-4f34-a100-404f077c0fbe
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< ActivityId: b38e34c0-14ed-4c62-9718-a96c8d5fe14c
< X-TFS-Session: b38e34c0-14ed-4c62-9718-a96c8d5fe14c
< X-VSS-E2EID: b38e34c0-14ed-4c62-9718-a96c8d5fe14c
< X-FRAME-OPTIONS: SAMEORIGIN
< X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
< X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
* gss_init_sec_context() failed: : Server not found in Kerberos database< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Tue, 19 Jun 2018 15:21:16 GMT
< Content-Length: 20181
* The requested URL returned error: 401
* Closing connection #0
* Couldn't find host tfs.mycompany.com in the .netrc file; using defaults
* About to connect() to tfs.mycompany.com port 443 (#0)
* Trying 10.131.44.190... * Connected to tfs.mycompany.com (10.131.44.190) port 443 (#0)
* CAfile: /home/username/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=tfs.mycompany.com,OU=IT,O=Company Name,L=Chicago,ST=IL,C=US
* start date: Jun 05 18:12:59 2018 GMT
* expire date: Jun 04 18:12:59 2020 GMT
* common name: tfs.mycompany.com
* issuer: CN=MYCOMPANY-ADIssuingCA01,DC=ad,DC=mycompany,DC=org
> GET /tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs HTTP/1.1
User-Agent: git/1.7.1
Host: tfs.mycompany.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/8.5
< X-TFS-ProcessId: 624831c6-b5e1-4f34-a100-404f077c0fbe
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< ActivityId: b38fcb66-14ed-4c62-9718-a96c8d5fe14c
< X-TFS-Session: b38fcb66-14ed-4c62-9718-a96c8d5fe14c
< X-VSS-E2EID: b38fcb66-14ed-4c62-9718-a96c8d5fe14c
< X-FRAME-OPTIONS: SAMEORIGIN
< X-TFS-SoapException: %3c%3fxml+version%3d%221.0%22+encoding%3d%22utf-8%22%3f%3e%3csoap%3aEnvelope+xmlns%3asoap%3d%22http%3a%2f%2fwww.w3.org%2f2003%2f05%2fsoap-envelope%22%3e%3csoap%3aBody%3e%3csoap%3aFault%3e%3csoap%3aCode%3e%3csoap%3aValue%3esoap%3aReceiver%3c%2fsoap%3aValue%3e%3csoap%3aSubcode%3e%3csoap%3aValue%3eUnauthorizedRequestException%3c%2fsoap%3aValue%3e%3c%2fsoap%3aSubcode%3e%3c%2fsoap%3aCode%3e%3csoap%3aReason%3e%3csoap%3aText+xml%3alang%3d%22en%22%3eTF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.%3c%2fsoap%3aText%3e%3c%2fsoap%3aReason%3e%3c%2fsoap%3aFault%3e%3c%2fsoap%3aBody%3e%3c%2fsoap%3aEnvelope%3e
< X-TFS-ServiceError: TF400813%3a+Resource+not+available+for+anonymous+access.+Client+authentication+required.
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.mycompany.com/tfs"
* gss_init_sec_context() failed: : Server not found in Kerberos database< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< X-Powered-By: ASP.NET
< P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
< Lfs-Authenticate: NTLM
< X-Content-Type-Options: nosniff
< Date: Tue, 19 Jun 2018 15:21:16 GMT
< Content-Length: 20153
* The requested URL returned error: 401
* Closing connection #0
error: The requested URL returned error: 401 while accessing https://DOMAIN\username@tfs.mycompany.com/tfs/TeamProjectCollection/TeamProject/_git/reponame/info/refs
fatal: HTTP request failed
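I am going to have our Linux admin upgrade the version of Git on this server, since I know it is really out of date. I am hoping that will fix the issue... but beyond that I am basically still stuck on this and do not know how to resolve it.
Answer 0: (score: 1)
The solution was to upgrade Git to the latest version available through Yum in the authorized RHEL distribution. Even with our internal root certificate added to ca-bundle.crt, Git 1.7.1 was still unable to communicate with the TFS git repos over HTTPS.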
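An added example, not part of the original question or answer: a shell function that summarises a saved GIT_CURL_VERBOSE trace like the one in the question, reporting which schemes the server offered in WWW-Authenticate, how many requests carried an Authorization header, how many 401 responses came back, and whether GSS-Negotiate setup failed. The helper names, the placeholder host and the sample trace are constructed for illustration.

```shell
# Added example: summarise a saved GIT_CURL_VERBOSE trace.
# summarize_auth_trace and write_sample_trace are hypothetical helper names.
# Only counts are printed, never header values: a trace can hold credentials.
summarize_auth_trace() {
    awk '
        # Response headers start with "< ", but curl can glue a "*" info line
        # in front of one, so search the whole line for the header.
        match($0, /< WWW-Authenticate: [A-Za-z]+/) {
            scheme = substr($0, RSTART + 20, RLENGTH - 20)
            if (!(scheme in seen)) {
                seen[scheme] = 1
                offered = offered (offered ? "," : "") scheme
            }
        }
        /^> (GET|POST) /                   { requests++ }
        /^(> )?Authorization: /            { authed++ }
        /< HTTP\/1\.[01] 401/              { denied++ }
        /gss_init_sec_context\(\) failed/  { gss_failed = 1 }
        END {
            printf "offered=%s\n", offered
            printf "requests=%d authorization_headers=%d status_401=%d\n", requests, authed, denied
            printf "gss_negotiate_failed=%s\n", (gss_failed ? "yes" : "no")
        }
    ' "$1"
}

# Constructed sample, shaped like the trace in the question (placeholder host).
write_sample_trace() {
    cat > "$1" <<'EOF'
> GET /tfs/Collection/_git/repo/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Bearer
< WWW-Authenticate: Basic realm="https://tfs.example.test/tfs"
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
> GET /tfs/Collection/_git/repo/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.1
< HTTP/1.1 401 Unauthorized
* gss_init_sec_context() failed: : Server not found in Kerberos database< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
EOF
}

trace=$(mktemp)
write_sample_trace "$trace"
summarize_auth_trace "$trace"
rm -f "$trace"
```

A summary with authorization_headers=0 alongside repeated 401 responses means the client never answered any of the offered challenges, which is the pattern visible in the question's trace.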