GCM does not recover from reset password

[sergiopereira]

Me and a few others that work together have been experiencing a recurring authentication problem when using GCM. We use TFS 2018 hosted inside our corporate network. Pretty much every time we have to change our network password we start getting authentication errors from TFS, sometimes even after removing every entry from the Windows Credential Manager (WCM) that contained a reference to the TFS server, sometimes a reboot fixes things, sometimes it doesn't.

In my particular situation I log into Windows using a local admin account, connect to VPN, and authenticate with the corporate network as needed, when servers prompt me for my network creds. I have the Git credential config like so:

credential.helper=manager
credential.modalprompt=true

I turned GCM_TRACE on and this is what happens on a git fetch origin (I had no relevant entries in WCM):

14:06:25.219217 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.18.1) 'get'
14:06:25.291325 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
14:06:25.306958 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 90 entries.
14:06:25.306958 ...\Common.cs:513       trace: [LoadOperationArguments] modalPrompt = 'True'.
14:06:25.369461 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'http://tfs2018.internal.mycorp.com:8181/'.
14:06:25.621691 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'http://tfs2018.internal.mycorp.com:8181/' is basic with NTLM=Auto.
14:06:25.621691 ...\Common.cs:765       trace: [QueryCredentials] querying 'Auto' for credentials.
14:06:25.765221 ...uthentication.cs:119 trace: [AcquireCredentials] 'http://tfs2018.internal.mycorp.com:8181/' supports NTLM, sending NTLM credentials instead
14:06:25.765221 ...\Common.cs:780       trace: [QueryCredentials] credentials found.
14:06:26.146879 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.18.1) 'erase'
14:06:26.239192 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
14:06:26.239192 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 90 entries.
14:06:26.254817 ...\Common.cs:513       trace: [LoadOperationArguments] modalPrompt = 'True'.
14:06:26.309667 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'http://tfs2018.internal.mycorp.com:8181/'.
14:06:26.534792 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'http://tfs2018.internal.mycorp.com:8181/' is basic with NTLM=Auto.
14:06:26.534792 ...\Common.cs:252       trace: [DeleteCredentials] deleting basic credentials for 'http://tfs2018.internal.mycorp.com:8181/'.
14:06:26.534792 ...aseSecureStore.cs:59 trace: [Delete] credentials not found for 'git:http://tfs2018.internal.mycorp.com:8181'.
fatal: Authentication failed for 'http://tfs2018.internal.mycorp.com:8181/tfs/MyCollection/MyProject/_git/MyRepo/' 

Shouldn't GCM prompt me for credentials after failing via NTLM? It seems stuck in this scenario where it detects NTLM support, fails, deletes (or tries to delete) old credentials, and doesn't fall back to Basic auth.

During experimentation, I set credential.tfs2018.internal.mycorp.com.authority to Basic and that makes me get prompted for credentials (in the console, not with the modal pop-up.):

14:23:16.206867 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.18.1) 'get'                                                                         
14:23:16.290617 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).                                                                   
14:23:16.290617 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 92 entries.                                                               
14:23:16.290617 ...\Common.cs:435       trace: [LoadOperationArguments] authority = 'Basic'.                                                                         
14:23:16.306253 ...\Common.cs:513       trace: [LoadOperationArguments] modalPrompt = 'True'.                                                                        
14:23:16.368745 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'http://tfs2018.internal.mycorp.com:8181/' is basic with NTLM=Never.         
14:23:16.368745 ...\Common.cs:765       trace: [QueryCredentials] querying 'Basic' for credentials.                                                                  
14:23:16.384369 ...uthentication.cs:129 trace: [AcquireCredentials] prompting user for credentials for 'http://tfs2018.internal.mycorp.com:8181/'.               
14:23:32.608998 ...\Dialog.cs:103       trace: [DisplayModal] successfully acquired credentials from user.                                                           
14:23:32.624624 ...\Common.cs:780       trace: [QueryCredentials] credentials found.                                                                                 
14:23:33.305003 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.18.1) 'store'                                                                       
14:23:33.383125 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).                                                                   
14:23:33.402945 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 92 entries.                                                               
14:23:33.411407 ...\Common.cs:435       trace: [LoadOperationArguments] authority = 'Basic'.                                                                         
14:23:33.411407 ...\Common.cs:513       trace: [LoadOperationArguments] modalPrompt = 'True'.                                                                        
14:23:33.462733 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'http://CORP\joedoe@tfs2018.internal.mycorp.com:8181/' is basic with NTLM=Ne
ver.                                                                                                                                                                 
14:23:33.462733 ...\Program.cs:513      trace: [Store] storing basic credentials for 'http://CORP\joedoe@tfs2018.internal.mycorp.com:8181/'. 

This works and continues working without further prompts but I'm not sure there's some underlying problem that I'm just masking by doing this. I could maybe just ask all my team members to configure that last setting like I did but it doesn't seem reasonable. My expectation was that this kind of stuff should work transparently and auto-recover in scenarios like password reset.

Let me know if I can provide extra details.

[jeschu1]

Here is the workflow and it's an interesting problem:

For NTLM, GCM doesn't validate or store credentials. It requires on your OS to manage NTLM connections.
Git then "fails" and tells GCM erase the credentials (which it never stored). At this point there is no notion of it being NTLM, it's just a host url.

NTML isn't valided in GCM (nor is easy to validate for all cases). We believe the time which you see this would be during a password reset, which would hopefully be infrequent.

[sergiopereira]

Wouldn't it be reasonable for GCM to try basic authentication after NTLM failed? Or are you saying GCM doesn't have a chance to do that, like it doesn't even know the authentication failed?

[jeschu1]

For a "Get" call, GCM just returns your NTML credentials. It doesn't try to use them and doesn't see the fail.
The fail occurs when git tries to use the credentials.

[seanfisher]

Hi my team is also experiencing the same issue when changing passwords. What is the resolution? @sergiopereira could you share how you set the Authority to Basic?

[sergiopereira]

@seanfisher all the avenues I explored to get some help, including this thread were dead-ends. My solution was to abandon this type of authentication and moving my entire team to SSH. The Windows Credential Manager has been our biggest headache for the last two years and I don't know if it's its fault. These days I do everything I can to not need it.

[seanfisher]

Thanks @sergiopereira. I managed to find a solution that worked for me buried in the open issues here, of which there are several with this same problem (#703 #750 maybe more).

The solution was to encode my username into the remote URL (I had to use the second option below):
https://myUsername@myurl.com/[...]
https://DOMAIN\myUsername@myurl.com/[...]

[aruanoguate]

I ended up also changing the credential.my.tfs.server.authority to basic and has been working ever since.

[HughG]

I'm seeing the same problem against a company-hosted Bitbucket Server instance.

I'm on Windows 10 Pro Version 1909 build 18363.535, Git for Windows 2.24.1.windows.2, and GCM v1.20.0.

My git config (with branch list removed) is as follows.

http.sslbackend=schannel
diff.astextplain.textconv=astextplain
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
filter.lfs.process=git-lfs filter-process
filter.lfs.required=true
credential.helper=manager
core.editor="C:\\Program Files (x86)\\Notepad++\\notepad++.exe" -multiInst -notabbar -nosession -noPlugin
core.autocrlf=true
core.fscache=true
core.symlinks=true
user.name=Hugh Greene
user.email=REDACTED
core.autocrlf=true
difftool.sourcetree.cmd='C:/Program Files/Beyond Compare 4/BComp.exe' "$LOCAL" "$REMOTE"
mergetool.sourcetree.cmd='C:/Program Files/Beyond Compare 4/BComp.exe' "$LOCAL" "$REMOTE" "$BASE" "$MERGED"
mergetool.sourcetree.trustexitcode=true
gc.autodetach=false
pull.rebase=true
winupdater.recentlyseenversion=2.24.1.windows.2
core.repositoryformatversion=0
core.filemode=false
core.bare=false
core.logallrefupdates=true
core.ignorecase=true
remote.origin.url=https://bitbucket.REDACTED/scm/REDACTED
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
branch.master.remote=origin
branch.master.merge=refs/heads/master

I have one entry in Windows Credential Manager for git:https://bitbucket.REDACTED, which was updated 2019-11-11, before I last changed my password. The command (from SmartGit 19.1.5 #14212, installed: #14196)

git.exe push --porcelain --progress --recurse-submodules=check origin refs/heads/refactor/branch-REDACTED:refs/heads/refactor/branch-REDACTED

gives the following error

fatal: Authentication failed for 'https://bitbucket.REDACTED/scm/REDACTED/'

and does not updated the entry in Windows Credential Manager. With GIT_TRACE, GIT_TRACE2, and GCM_TRACE set to 2, I get the following output.

10:07:50.171343 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
10:07:50.176306 common-main.c:48                  version 2.24.1.windows.2
10:07:50.176306 common-main.c:49                  start git.exe push --porcelain --progress --recurse-submodules=check origin refs/heads/refactor/PI-16296-reason-for-failure-status-error:refs/heads/refactor/PI-16296-reason-for-failure-status-error
10:07:50.198303 repository.c:130                  worktree C:/Projects/VSP/vsp_3
10:07:50.200326 git.c:439               trace: built-in: git push --porcelain --progress --recurse-submodules=check origin refs/heads/refactor/PI-16296-reason-for-failure-status-error:refs/heads/refactor/PI-16296-reason-for-failure-status-error
10:07:50.200326 git.c:440                         cmd_name push (push)
10:07:50.203311 run-command.c:735                 child_start[0] git remote-https origin https://bitbucket.REDACTED/scm/REDACTED
10:07:50.203311 run-command.c:663       trace: run_command: GIT_DIR=.git git remote-https origin https://bitbucket.REDACTED/scm/REDACTED
10:07:50.222351 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
10:07:50.231337 common-main.c:48                  version 2.24.1.windows.2
10:07:50.231337 common-main.c:49                  start git remote-https origin https://bitbucket.REDACTED/scm/REDACTED
10:07:50.256483 git.c:696                         cmd_name _run_dashed_ (push/_run_dashed_)
10:07:50.256483 git.c:702               trace: exec: git-remote-https origin https://bitbucket.REDACTED/scm/REDACTED
10:07:50.256483 run-command.c:735                 child_start[0] git-remote-https origin https://bitbucket.REDACTED/scm/REDACTED
10:07:50.256483 run-command.c:663       trace: run_command: git-remote-https origin https://bitbucket.REDACTED/scm/REDACTED
10:07:50.286138 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
10:07:50.300401 common-main.c:48                  version 2.24.1.windows.2
10:07:50.300401 common-main.c:49                  start git-remote-https origin https://bitbucket.REDACTED/scm/REDACTED
10:07:50.330920 repository.c:130                  worktree C:/Projects/VSP/vsp_3
10:07:50.330920 remote-curl.c:1382                cmd_name remote-curl (push/_run_dashed_/remote-curl)
10:07:50.864692 run-command.c:735                 child_start[0] 'git credential-manager get'
10:07:50.864692 run-command.c:663       trace: run_command: 'git credential-manager get'
10:07:50.959719 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
10:07:50.967718 common-main.c:48                  version 2.24.1.windows.2
10:07:50.967718 common-main.c:49                  start 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe' credential-manager get
10:07:50.997733 git.c:696                         cmd_name _run_dashed_ (push/_run_dashed_/remote-curl/_run_dashed_)
10:07:50.997733 git.c:702               trace: exec: git-credential-manager get
10:07:50.997733 run-command.c:735                 child_start[0] git-credential-manager get
10:07:50.997733 run-command.c:663       trace: run_command: git-credential-manager get
10:07:51.222737 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.20.0) 'get'
10:07:51.341151 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
10:07:51.347150 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 40 entries.
10:07:51.478142 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'https://bitbucket.REDACTED/'.
10:07:51.504823 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'https://bitbucket.REDACTED/' is basic with NTLM=Auto.
10:07:51.504823 ...\Common.cs:765       trace: [QueryCredentials] querying 'Auto' for credentials.
10:07:51.513603 ...\Common.cs:780       trace: [QueryCredentials] credentials found.
10:07:51.541136 run-command.c:990                 child_exit[0] pid:20432 code:0 elapsed:0.543044
10:07:51.542138 git.c:718                         exit elapsed:0.582069 code:0
10:07:51.542138 trace2/tr2_tgt_normal.c:123       atexit elapsed:0.582123 code:0
10:07:51.553149 run-command.c:990                 child_exit[0] pid:25632 code:0 elapsed:0.688002
10:07:51.695973 run-command.c:735                 child_start[1] 'git credential-manager erase'
10:07:51.695973 run-command.c:663       trace: run_command: 'git credential-manager erase'
10:07:51.759024 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
10:07:51.770037 common-main.c:48                  version 2.24.1.windows.2
10:07:51.770037 common-main.c:49                  start 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe' credential-manager erase
10:07:51.798078 git.c:696                         cmd_name _run_dashed_ (push/_run_dashed_/remote-curl/_run_dashed_)
10:07:51.798078 git.c:702               trace: exec: git-credential-manager erase
10:07:51.798078 run-command.c:735                 child_start[0] git-credential-manager erase
10:07:51.798078 run-command.c:663       trace: run_command: git-credential-manager erase
10:07:51.976202 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.20.0) 'erase'
10:07:52.077821 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
10:07:52.084831 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 40 entries.
10:07:52.154777 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'https://hgreene@bitbucket.REDACTED/'.
10:07:52.176340 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'https://hgreene@bitbucket.REDACTED/' is basic with NTLM=Auto.
10:07:52.176340 ...\Common.cs:252       trace: [DeleteCredentials] deleting basic credentials for 'https://hgreene@bitbucket.REDACTED/'.
10:07:52.181342 ...aseSecureStore.cs:59 trace: [Delete] credentials not found for 'git:https://hgreene@bitbucket.REDACTED'.
10:07:52.199325 run-command.c:990                 child_exit[0] pid:25636 code:0 elapsed:0.401462
10:07:52.200316 git.c:718                         exit elapsed:0.441865 code:0
10:07:52.200316 trace2/tr2_tgt_normal.c:123       atexit elapsed:0.441891 code:0
10:07:52.210312 run-command.c:990                 child_exit[1] pid:5516 code:0 elapsed:0.514909
10:07:52.211312 usage.c:64                        error Authentication failed for 'https://bitbucket.REDACTED/scm/REDACTED/'
fatal: Authentication failed for 'https://bitbucket.REDACTED/scm/REDACTED/'
10:07:52.211312 usage.c:68                        exit elapsed:1.925418 code:128
10:07:52.211312 trace2/tr2_tgt_normal.c:123       atexit elapsed:1.925429 code:128
10:07:52.220314 run-command.c:990                 child_exit[0] pid:12140 code:128 elapsed:1.963549
10:07:52.220314 git.c:718                         exit elapsed:1.998322 code:128
10:07:52.220314 trace2/tr2_tgt_normal.c:123       atexit elapsed:1.998343 code:128
10:07:52.227340 transport-helper.c:1137           exit elapsed:2.056935 code:128
10:07:52.227340 trace2/tr2_tgt_normal.c:123       atexit elapsed:2.056997 code:128

I then applied the suggestion from the bottom of #817 (comment) which sets the username for that (all repos on) server -- rather than for a particular remote URL, as suggested at #793 (comment) above. This worked, with the log file below. I was prompted with the usual Windows password GUI, and now have a new entry in Windows Credential Store which has my username in the URLgit:https://hgreene@bitbucket.REDACTED and has the correct contents; the old entry remains, though.

11:19:23.255658 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
11:19:23.261660 common-main.c:48                  version 2.24.1.windows.2
11:19:23.261660 common-main.c:49                  start git.exe push --porcelain --progress --recurse-submodules=check origin refs/heads/refactor/branch-REDACTED:refs/heads/refactor/branch-REDACTED
11:19:23.279626 repository.c:130                  worktree C:/Projects/VSP/vsp_3
11:19:23.280626 git.c:439               trace: built-in: git push --porcelain --progress --recurse-submodules=check origin refs/heads/refactor/branch-REDACTED:refs/heads/refactor/branch-REDACTED
11:19:23.280626 git.c:440                         cmd_name push (push)
11:19:23.281630 run-command.c:735                 child_start[0] git remote-https origin https://bitbucket.REDACTED/scm/REDACTED
11:19:23.281630 run-command.c:663       trace: run_command: GIT_DIR=.git git remote-https origin https://bitbucket.REDACTED/scm/REDACTED
11:19:23.298393 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
11:19:23.304416 common-main.c:48                  version 2.24.1.windows.2
11:19:23.304416 common-main.c:49                  start git remote-https origin https://bitbucket.REDACTED/scm/REDACTED
11:19:23.323429 git.c:696                         cmd_name _run_dashed_ (push/_run_dashed_)
11:19:23.323429 git.c:702               trace: exec: git-remote-https origin https://bitbucket.REDACTED/scm/REDACTED
11:19:23.323429 run-command.c:735                 child_start[0] git-remote-https origin https://bitbucket.REDACTED/scm/REDACTED
11:19:23.323429 run-command.c:663       trace: run_command: git-remote-https origin https://bitbucket.REDACTED/scm/REDACTED
11:19:23.338393 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
11:19:23.345428 common-main.c:48                  version 2.24.1.windows.2
11:19:23.345428 common-main.c:49                  start git-remote-https origin https://bitbucket.REDACTED/scm/REDACTED
11:19:23.365393 repository.c:130                  worktree C:/Projects/VSP/vsp_3
11:19:23.365393 remote-curl.c:1382                cmd_name remote-curl (push/_run_dashed_/remote-curl)
11:19:23.888663 run-command.c:735                 child_start[0] 'git credential-manager get'
11:19:23.889526 run-command.c:663       trace: run_command: 'git credential-manager get'
11:19:24.040207 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
11:19:24.051199 common-main.c:48                  version 2.24.1.windows.2
11:19:24.051199 common-main.c:49                  start 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe' credential-manager get
11:19:24.077166 git.c:696                         cmd_name _run_dashed_ (push/_run_dashed_/remote-curl/_run_dashed_)
11:19:24.077166 git.c:702               trace: exec: git-credential-manager get
11:19:24.077166 run-command.c:735                 child_start[0] git-credential-manager get
11:19:24.077166 run-command.c:663       trace: run_command: git-credential-manager get
11:19:24.203225 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.20.0) 'get'
11:19:24.277172 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
11:19:24.286164 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 41 entries.
11:19:24.291161 ...\Common.cs:657       trace: [LoadOperationArguments] username = 'hgreene'.
11:19:24.383164 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'https://hgreene@bitbucket.REDACTED/'.
11:19:24.399164 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'https://hgreene@bitbucket.REDACTED/' is basic with NTLM=Auto.
11:19:24.400162 ...\Common.cs:765       trace: [QueryCredentials] querying 'Auto' for credentials.
11:19:24.994302 ...uthentication.cs:129 trace: [AcquireCredentials] prompting user for credentials for 'https://hgreene@bitbucket.REDACTED/'.
11:19:56.453390 ...\Dialog.cs:103       trace: [DisplayModal] successfully acquired credentials from user.
11:19:56.464377 ...\Common.cs:780       trace: [QueryCredentials] credentials found.
11:19:56.512374 run-command.c:990                 child_exit[0] pid:22392 code:0 elapsed:32.434272
11:19:56.512374 git.c:718                         exit elapsed:32.472051 code:0
11:19:56.512374 trace2/tr2_tgt_normal.c:123       atexit elapsed:32.472068 code:0
11:19:56.523396 run-command.c:990                 child_exit[0] pid:24860 code:0 elapsed:32.634393
11:19:56.788414 run-command.c:735                 child_start[1] 'git credential-manager store'
11:19:56.788414 run-command.c:663       trace: run_command: 'git credential-manager store'
11:19:56.845377 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
11:19:56.852388 common-main.c:48                  version 2.24.1.windows.2
11:19:56.852388 common-main.c:49                  start 'C:\Program Files\Git\mingw64\libexec\git-core\git.exe' credential-manager store
11:19:56.879373 git.c:696                         cmd_name _run_dashed_ (push/_run_dashed_/remote-curl/_run_dashed_)
11:19:56.879373 git.c:702               trace: exec: git-credential-manager store
11:19:56.879373 run-command.c:735                 child_start[0] git-credential-manager store
11:19:56.879373 run-command.c:663       trace: run_command: git-credential-manager store
11:19:57.001377 ...\Common.cs:744       trace: [Main] git-credential-manager (v1.20.0) 'store'
11:19:57.119374 ...\Git\Where.cs:348    trace: [FindGitInstallations] found 1 Git installation(s).
11:19:57.126378 ...Configuration.cs:222 trace: [LoadGitConfiguration] git All config read, 41 entries.
11:19:57.131374 ...\Common.cs:657       trace: [LoadOperationArguments] username = 'hgreene'.
11:19:57.194376 ...\Common.cs:85        trace: [CreateAuthentication] detecting authority type for 'https://hgreene@bitbucket.REDACTED/'.
11:19:57.211373 ...\Common.cs:224       trace: [CreateAuthentication] authority for 'https://hgreene@bitbucket.REDACTED/' is basic with NTLM=Auto.
11:19:57.212374 ...\Program.cs:513      trace: [Store] storing basic credentials for 'https://hgreene@bitbucket.REDACTED/'.
11:19:57.296374 run-command.c:990                 child_exit[0] pid:26448 code:0 elapsed:0.417587
11:19:57.296374 git.c:718                         exit elapsed:0.452024 code:0
11:19:57.297375 trace2/tr2_tgt_normal.c:123       atexit elapsed:0.452038 code:0
11:19:57.312393 run-command.c:990                 child_exit[1] pid:5696 code:0 elapsed:0.523498
11:19:57.332376 run-command.c:735                 child_start[2] git send-pack --stateless-rpc --helper-status --thin --progress https://bitbucket.REDACTED/scm/REDACTED/ --stdin
11:19:57.332376 run-command.c:663       trace: run_command: git send-pack --stateless-rpc --helper-status --thin --progress https://bitbucket.REDACTED/scm/REDACTED/ --stdin
11:19:57.350374 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
11:19:57.357379 common-main.c:48                  version 2.24.1.windows.2
11:19:57.357379 common-main.c:49                  start git send-pack --stateless-rpc --helper-status --thin --progress https://bitbucket.REDACTED/scm/REDACTED/ --stdin
11:19:57.380380 repository.c:130                  worktree C:/Projects/VSP/vsp_3
11:19:57.381374 git.c:439               trace: built-in: git send-pack --stateless-rpc --helper-status --thin --progress https://bitbucket.REDACTED/scm/REDACTED/ --stdin
11:19:57.381374 git.c:440                         cmd_name send-pack (push/_run_dashed_/remote-curl/send-pack)
11:19:57.414390 run-command.c:735                 child_start[0] git pack-objects --all-progress-implied --revs --stdout --thin --delta-base-offset --progress
11:19:57.414390 run-command.c:663       trace: run_command: git pack-objects --all-progress-implied --revs --stdout --thin --delta-base-offset --progress
11:19:57.456379 exec-cmd.c:237          trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
11:19:57.471381 common-main.c:48                  version 2.24.1.windows.2
11:19:57.471381 common-main.c:49                  start git pack-objects --all-progress-implied --revs --stdout --thin --delta-base-offset --progress
11:19:57.499379 repository.c:130                  worktree C:/Projects/VSP/vsp_3
11:19:57.499379 git.c:439               trace: built-in: git pack-objects --all-progress-implied --revs --stdout --thin --delta-base-offset --progress
11:19:57.499379 git.c:440                         cmd_name pack-objects (push/_run_dashed_/remote-curl/send-pack/pack-objects)
Enumerating objects: 41, done.
Counting objects:   2% (1/41)
[...]
Counting objects: 100% (41/41), done.
Delta compression using up to 8 threads
Compressing objects:   6% (1/16)
[...]
Compressing objects: 100% (16/16), done.
Writing objects:   4% (1/23)
[...]
Writing objects: 100% (23/23), 2.04 KiB | 232.00 KiB/s, done.
11:19:57.570379 git.c:673                         exit elapsed:0.114323 code:0
11:19:57.570379 trace2/tr2_tgt_normal.c:123       atexit elapsed:0.114358 code:0
Total 23 (delta 10), reused 0 (delta 0)
11:19:57.575378 run-command.c:990                 child_exit[0] pid:8504 code:0 elapsed:0.160609
remote: Simple Bitbucket Commit Checker        
remote: 
remote: 
remote: View pull request for refactor/branch-REDACTED => master:        
remote:   https://bitbucket.REDACTED/REDACTED/pull-requests/1300        
remote: 
11:19:58.010392 git.c:673                         exit elapsed:0.659764 code:0
11:19:58.010392 trace2/tr2_tgt_normal.c:123       atexit elapsed:0.659806 code:0
11:19:58.014377 run-command.c:990                 child_exit[2] pid:3972 code:0 elapsed:0.681447
11:19:58.034377 common-main.c:54                  exit elapsed:34.695555 code:0
11:19:58.034377 trace2/tr2_tgt_normal.c:123       atexit elapsed:34.695575 code:0
11:19:58.038386 run-command.c:990                 child_exit[0] pid:24700 code:0 elapsed:34.715183
11:19:58.038386 git.c:718                         exit elapsed:34.740221 code:0
11:19:58.038386 trace2/tr2_tgt_normal.c:123       atexit elapsed:34.740246 code:0
11:19:58.041380 run-command.c:990                 child_exit[0] pid:21028 code:0 elapsed:34.759660
11:19:58.042377 git.c:673                         exit elapsed:34.786716 code:0
11:19:58.042377 trace2/tr2_tgt_normal.c:123       atexit elapsed:34.786738 code:0
To https://bitbucket.REDACTED/scm/REDACTED
 	refs/heads/refactor/branch-REDACTED:refs/heads/refactor/branch-REDACTED	3b3ac172dc..e309479220
Done

Furthermore I verified that, if I change my password, I get one round of fatal: Authentication failed for ... where I'm not prompted for my password but the correct credentials (with username) are deleted, and then the next attempt to do something requiring auth will prompt me for my new password and store it.

I'll send this workaround out within my company but it would be good to have a fix.

[marcohillenbrand]

The issue is still unresolved to this day.

Lets assume the remote url is set to https://git-server.local, so there is no username included.
There is also no default username configured in .gitconfig.

As far as I can tell this is what happens:

• Git asks for credentials for https://git-server.local with no username supplied
• GCM looks in the credential store for git:https://git-server.local
  • If found, the credentials of the entry are returned
  • If not found, the user is prompted
• Git authenticates
  • if successful, Git triggers a store of the credentials for https://git-server.local with username and password supplied
    • GCM stores the credentials in git:https://username@git-server.local and git:https://git-server.local (the latter might already be stored when the user was prompted)
  • if not successful, Git triggers an erase of the credentials for https://git-server.local with username supplied
    • GCM erases the credentials entry git:https://username@git-server.local, but the entry git:https://git-server.local remains unchanged

And this is where the issue lies. When Git does not provide a username, the default credentials for the domain are always used for the lookup, but are never erased when authentication fails.

The are two workarounds for the issue:

• add the username to the remote url
• configure a default username for the url in .gitconfig

To resolve this I suggest the following change:
When a credential is rejected by Git with a known username, in addition to deleting the specific entry (e.g. git:https://username@git-server.local), check if the default credential for the domain (e.g. git:https://git-server.local) uses the same username and if so, delete that as well.

[mkincaid]

Pull request #907 resolves this according to @marcohillenbrand's suggestion. This appears to be the same logic that Bitbucket auth already follows, so hopefully nothing here is too controversial.