Description
Version
2.7.3+5fa7116896c82164996a609accd1c5ad90fe730a
Operating system
Windows
OS version or distribution
Windows 11 Enterprise
Git hosting provider(s)
Azure DevOps Server (TFS/on-prem)
Other hosting provider
No response
(Azure DevOps only) What format is your remote URL?
None
Can you access the remote repository directly in the browser?
Yes, I can access the repository
Expected behavior
Git should use Kerberos to authenticate.
Actual behavior
When trying to authenticate against our Azure DevOps Server (on premise), we are hit by the warning added in version 2.7.3 even though the server is configured for Kerberos auth and (afaict) correctly advertises it via WWW-Authenticate: Negotiate:
Due to its cryptographic weaknesses, NTLM authentication has been disabled in Git by default.
I added logs for GIT_CURL_VERBOSE=1 git pull and GCM_TRACE=1 GIT_TRACE=1 git pull below.
When we activate the NTLM workaround the authentication passes, but this isn't an option going forward as NTLM is being phased out completely.
This is the .gitconfig our team uses:
[http]
    sslVerify = true
    sslBackend = schannel
[credential "<redacted>"]
    provider = generic
[credential "<redacted>"]
    provider = generic
[credential]
    helper = manager
Logs
GCM_TRACE=1 GIT_TRACE=1 git pull
10:27:19.752238 ...\Application.cs:106 trace: [RunInternalAsync] Version: 2.7.3.0
10:27:19.753238 ...\Application.cs:107 trace: [RunInternalAsync] Runtime: .NET Framework 4.8.9310.0
10:27:19.753238 ...\Application.cs:108 trace: [RunInternalAsync] Platform: Windows (x86-64)
10:27:19.753238 ...\Application.cs:109 trace: [RunInternalAsync] OSVersion: 10.0 (build 26100)
10:27:19.753238 ...\Application.cs:110 trace: [RunInternalAsync] AppPath: <redacted>\git-credential-manager.exe
10:27:19.753238 ...\Application.cs:111 trace: [RunInternalAsync] InstallDir: <redacted>\
10:27:19.753238 ...\Application.cs:112 trace: [RunInternalAsync] Arguments: get
10:27:19.796815 ...GitCommandBase.cs:32 trace: [ExecuteAsync] Start 'get' command...
10:27:19.810300 ...GitCommandBase.cs:46 trace: [ExecuteAsync] Detecting host provider for input:
10:27:19.812301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] capability[]=authtype
10:27:19.812301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] capability[]=state
10:27:19.812301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] ntlm=suppressed
10:27:19.812301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] protocol=https
10:27:19.813301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] host=<redacted>
10:27:19.813301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Bearer
10:27:19.813301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Basic realm="https://<redacted>/tfs"
10:27:19.813301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Negotiate
10:27:19.813301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=NTLM
10:27:19.818300 ...oviderRegistry.cs:99 trace: [GetProviderAsync] Host provider override was set id='generic'
10:27:19.821588 ...GitCommandBase.cs:49 trace: [ExecuteAsync] Host provider 'Generic' was selected.
10:27:19.824588 ...icHostProvider.cs:71 trace: [GetCredentialAsync] Looking for existing credential in store with service=https://<redacted> account=...
10:27:19.831591 ...icHostProvider.cs:76 trace: [GetCredentialAsync] No existing credentials found.
10:27:19.831591 ...icHostProvider.cs:79 trace: [GetCredentialAsync] Creating new credential...
10:27:19.839243 ...ricOAuthConfig.cs:38 trace: [TryGet] Invalid OAuth configuration - missing/invalid authorize endpoint:
10:27:19.839243 ...cHostProvider.cs:176 trace: [GenerateCredentialAsync] Checking host 'https://<redacted>/' for Windows Integrated Authentication...
10:27:19.842236 ...Authentication.cs:90 trace: [GetAuthenticationTypesAsync] HTTP: HEAD https://<redacted>/
10:27:19.844236 ...pClientFactory.cs:60 trace: [CreateClient] Creating new HTTP client instance...
10:27:19.868690 ...pClientFactory.cs:80 trace: [CreateClient] Git's SSL/TLS backend is: Schannel
10:27:20.618627 ...Authentication.cs:93 trace: [GetAuthenticationTypesAsync] HTTP: Response code ignored.
10:27:20.618627 ...Authentication.cs:95 trace: [GetAuthenticationTypesAsync] Inspecting WWW-Authenticate headers...
10:27:20.627704 ...cHostProvider.cs:182 trace: [GenerateCredentialAsync] Host does not support WIA.
10:27:20.627704 ...cHostProvider.cs:243 trace: [GenerateCredentialAsync] Prompting for basic credentials...
10:30:10.270302 ...\GetCommand.cs:46 trace: [ExecuteInternalAsync] Writing credentials to output:
10:30:10.270302 ...\GetCommand.cs:47 trace: [ExecuteInternalAsync] protocol=https
10:30:10.270302 ...\GetCommand.cs:47 trace: [ExecuteInternalAsync] host=<redacted>
10:30:10.270302 ...\GetCommand.cs:47 trace: [ExecuteInternalAsync] username=<redacted>
10:30:10.270302 ...\GetCommand.cs:47 trace: [ExecuteInternalAsync] password=<redacted>
10:30:10.271301 ...GitCommandBase.cs:53 trace: [ExecuteAsync] End 'get' command...
10:30:11.153075 ...\Application.cs:106 trace: [RunInternalAsync] Version: 2.7.3.0
10:30:11.153075 ...\Application.cs:107 trace: [RunInternalAsync] Runtime: .NET Framework 4.8.9310.0
10:30:11.153075 ...\Application.cs:108 trace: [RunInternalAsync] Platform: Windows (x86-64)
10:30:11.154073 ...\Application.cs:109 trace: [RunInternalAsync] OSVersion: 10.0 (build 26100)
10:30:11.154073 ...\Application.cs:110 trace: [RunInternalAsync] AppPath: <redacted>\git-credential-manager.exe
10:30:11.154073 ...\Application.cs:111 trace: [RunInternalAsync] InstallDir: <redacted>\
10:30:11.154073 ...\Application.cs:112 trace: [RunInternalAsync] Arguments: erase
10:30:11.196756 ...GitCommandBase.cs:32 trace: [ExecuteAsync] Start 'erase' command...
10:30:11.210002 ...GitCommandBase.cs:46 trace: [ExecuteAsync] Detecting host provider for input:
10:30:11.212055 ...GitCommandBase.cs:47 trace: [ExecuteAsync] ntlm=suppressed
10:30:11.212055 ...GitCommandBase.cs:47 trace: [ExecuteAsync] protocol=https
10:30:11.212055 ...GitCommandBase.cs:47 trace: [ExecuteAsync] host=<redacted>
10:30:11.212055 ...GitCommandBase.cs:47 trace: [ExecuteAsync] username=<redacted>
10:30:11.212055 ...GitCommandBase.cs:47 trace: [ExecuteAsync] password=<redacted>
10:30:11.212055 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Bearer
10:30:11.212055 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Basic realm="https://<redacted>/tfs"
10:30:11.212055 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Negotiate
10:30:11.212055 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=NTLM
10:30:11.217073 ...oviderRegistry.cs:99 trace: [GetProviderAsync] Host provider override was set id='generic'
10:30:11.220073 ...GitCommandBase.cs:49 trace: [ExecuteAsync] Host provider 'Generic' was selected.
10:30:11.221073 ...cHostProvider.cs:117 trace: [EraseCredentialAsync] Erasing stored credential in store with service=https://<redacted> account=<redacted>...
10:30:11.228498 ...cHostProvider.cs:124 trace: [EraseCredentialAsync] No credential was erased.
10:30:11.228498 ...GitCommandBase.cs:53 trace: [ExecuteAsync] End 'erase' command...
10:30:11.694436 ...\Application.cs:106 trace: [RunInternalAsync] Version: 2.7.3.0
10:30:11.695434 ...\Application.cs:107 trace: [RunInternalAsync] Runtime: .NET Framework 4.8.9310.0
10:30:11.695434 ...\Application.cs:108 trace: [RunInternalAsync] Platform: Windows (x86-64)
10:30:11.695434 ...\Application.cs:109 trace: [RunInternalAsync] OSVersion: 10.0 (build 26100)
10:30:11.695434 ...\Application.cs:110 trace: [RunInternalAsync] AppPath: <redacted>\git-credential-manager.exe
10:30:11.695434 ...\Application.cs:111 trace: [RunInternalAsync] InstallDir: <redacted>\
10:30:11.695434 ...\Application.cs:112 trace: [RunInternalAsync] Arguments: erase
10:30:11.735951 ...GitCommandBase.cs:32 trace: [ExecuteAsync] Start 'erase' command...
10:30:11.749630 ...GitCommandBase.cs:46 trace: [ExecuteAsync] Detecting host provider for input:
10:30:11.751630 ...GitCommandBase.cs:47 trace: [ExecuteAsync] ntlm=suppressed
10:30:11.751630 ...GitCommandBase.cs:47 trace: [ExecuteAsync] protocol=https
10:30:11.751630 ...GitCommandBase.cs:47 trace: [ExecuteAsync] host=<redacted>
10:30:11.751630 ...GitCommandBase.cs:47 trace: [ExecuteAsync] username=<redacted>
10:30:11.751630 ...GitCommandBase.cs:47 trace: [ExecuteAsync] password=<redacted>
10:30:11.751630 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Bearer
10:30:11.751630 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Basic realm="https://<redacted>/tfs"
10:30:11.751630 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Negotiate
10:30:11.751630 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=NTLM
10:30:11.757120 ...oviderRegistry.cs:99 trace: [GetProviderAsync] Host provider override was set id='generic'
10:30:11.760120 ...GitCommandBase.cs:49 trace: [ExecuteAsync] Host provider 'Generic' was selected.
10:30:11.761120 ...cHostProvider.cs:117 trace: [EraseCredentialAsync] Erasing stored credential in store with service=https://<redacted> account=<redacted>...
10:30:11.768120 ...cHostProvider.cs:124 trace: [EraseCredentialAsync] No credential was erased.
10:30:11.768120 ...GitCommandBase.cs:53 trace: [ExecuteAsync] End 'erase' command...
warning: Due to its cryptographic weaknesses, NTLM authentication has been
disabled in Git by default. You can re-enable it for trusted servers
by running:
git config set http.https://<redacted>.allowNTLMAuth true
fatal: Authentication failed for 'https://<redacted>/tfs/<redacted>/'
GIT_CURL_VERBOSE=1 git pull
09:49:10.835147 http.c:930 == Info: Could not find host <redacted> in the .netrc file; using defaults
09:49:10.846626 http.c:930 == Info: Host <redacted>:443 was resolved.
09:49:10.846626 http.c:930 == Info: IPv6: (none)
09:49:10.846626 http.c:930 == Info: IPv4: <redacted>
09:49:10.846626 http.c:930 == Info: Trying <redacted>:443...
09:49:10.877147 http.c:930 == Info: schannel: disabled automatic use of client certificate
09:49:10.879618 http.c:930 == Info: ALPN: curl offers http/1.1
09:49:10.949361 http.c:930 == Info: ALPN: server accepted http/1.1
09:49:10.949361 http.c:930 == Info: Established connection to <redacted> (<redacted> port 443) from <redacted> port <redacted>
09:49:10.949361 http.c:930 == Info: using HTTP/1.x
09:49:10.949361 http.c:877 => Send header, 0000000318 bytes (0x0000013e)
09:49:10.949361 http.c:889 => Send header: GET /tfs/<redacted>/_git/<redacted>/info/refs?service=git-upload-pack HTTP/1.1
09:49:10.949361 http.c:889 => Send header: Host: <redacted>
09:49:10.949361 http.c:889 => Send header: User-Agent: git/2.53.0.windows.2
09:49:10.949361 http.c:889 => Send header: Accept: */*
09:49:10.949361 http.c:889 => Send header: Accept-Encoding: deflate, gzip, br, zstd
09:49:10.949361 http.c:889 => Send header: Pragma: no-cache
09:49:10.949361 http.c:889 => Send header: Git-Protocol: version=2
09:49:10.950365 http.c:889 => Send header:
09:49:10.950365 http.c:930 == Info: Request completely sent off
09:49:10.997673 http.c:877 <= Recv header, 0000000027 bytes (0x0000001b)
09:49:10.997673 http.c:889 <= Recv header: HTTP/1.1 401 Unauthorized
09:49:10.997673 http.c:877 <= Recv header, 0000000040 bytes (0x00000028)
09:49:10.997673 http.c:889 <= Recv header: Content-Type: text/html; charset=utf-8
09:49:10.997673 http.c:877 <= Recv header, 0000000055 bytes (0x00000037)
09:49:10.997673 http.c:889 <= Recv header: X-TFS-ProcessId: <redacted>
09:49:10.997673 http.c:877 <= Recv header, 0000000050 bytes (0x00000032)
09:49:10.997673 http.c:889 <= Recv header: ActivityId: <redacted>
09:49:10.997673 http.c:877 <= Recv header, 0000000053 bytes (0x00000035)
09:49:10.997673 http.c:889 <= Recv header: X-TFS-Session: <redacted>
09:49:10.997673 http.c:877 <= Recv header, 0000000051 bytes (0x00000033)
09:49:10.997673 http.c:889 <= Recv header: X-VSS-E2EID: <redacted>
09:49:10.997673 http.c:877 <= Recv header, 0000000064 bytes (0x00000040)
09:49:10.997673 http.c:889 <= Recv header: X-VSS-SenderDeploymentId: <redacted>
09:49:10.997673 http.c:877 <= Recv header, 0000000706 bytes (0x000002c2)
09:49:10.997673 http.c:889 <= Recv header: X-TFS-SoapException: <redacted>
09:49:10.997673 http.c:877 <= Recv header, 0000000144 bytes (0x00000090)
09:49:10.997673 http.c:889 <= Recv header: X-TFS-ServiceError: <redacted>
09:49:10.997673 http.c:877 <= Recv header, 0000000026 bytes (0x0000001a)
09:49:10.997673 http.c:889 <= Recv header: WWW-Authenticate: Bearer
09:49:10.998674 http.c:877 <= Recv header, 0000000073 bytes (0x00000049)
09:49:10.998674 http.c:889 <= Recv header: WWW-Authenticate: Basic realm="https://<redacted>/tfs"
09:49:10.998674 http.c:877 <= Recv header, 0000000029 bytes (0x0000001d)
09:49:10.998674 http.c:889 <= Recv header: WWW-Authenticate: Negotiate
09:49:10.999671 http.c:877 <= Recv header, 0000000024 bytes (0x00000018)
09:49:10.999671 http.c:889 <= Recv header: WWW-Authenticate: NTLM
09:49:10.999671 http.c:877 <= Recv header, 0000000023 bytes (0x00000017)
09:49:10.999671 http.c:889 <= Recv header: X-Powered-By: ASP.NET
09:49:10.999671 http.c:877 <= Recv header, 0000000124 bytes (0x0000007c)
09:49:10.999671 http.c:889 <= Recv header: ...
09:49:10.999671 http.c:877 <= Recv header, 0000000024 bytes (0x00000018)
09:49:10.999671 http.c:889 <= Recv header: Lfs-Authenticate: NTLM
09:49:10.999671 http.c:877 <= Recv header, 0000000033 bytes (0x00000021)
09:49:10.999671 http.c:889 <= Recv header: X-Content-Type-Options: nosniff
09:49:10.999671 http.c:877 <= Recv header, 0000000037 bytes (0x00000025)
09:49:11.000842 http.c:889 <= Recv header: Date: Fri, 13 Mar 2026 08:49:10 GMT
09:49:11.000842 http.c:877 <= Recv header, 0000000023 bytes (0x00000017)
09:49:11.000842 http.c:889 <= Recv header: Content-Length: 20271
09:49:11.000842 http.c:877 <= Recv header, 0000000002 bytes (0x00000002)
09:49:11.000842 http.c:889 <= Recv header:
09:49:11.027697 http.c:930 == Info: Connection #0 to host <redacted>:443 left intact
09:49:21.070875 http.c:930 == Info: Reusing existing https: connection with host <redacted>
09:49:21.070875 http.c:877 => Send header, 0000000318 bytes (0x0000013e)
09:49:21.070875 http.c:889 => Send header: GET /tfs/<redacted>/_git/<redacted>/info/refs?service=git-upload-pack HTTP/1.1
09:49:21.070875 http.c:889 => Send header: Host: <redacted>
09:49:21.070875 http.c:889 => Send header: User-Agent: git/2.53.0.windows.2
09:49:21.070875 http.c:889 => Send header: Accept: */*
09:49:21.070875 http.c:889 => Send header: Accept-Encoding: deflate, gzip, br, zstd
09:49:21.070875 http.c:889 => Send header: Pragma: no-cache
09:49:21.070875 http.c:889 => Send header: Git-Protocol: version=2
09:49:21.070875 http.c:889 => Send header:
09:49:21.070875 http.c:930 == Info: Request completely sent off
09:49:21.104110 http.c:877 <= Recv header, 0000000027 bytes (0x0000001b)
09:49:21.104110 http.c:889 <= Recv header: HTTP/1.1 401 Unauthorized
09:49:21.104110 http.c:877 <= Recv header, 0000000040 bytes (0x00000028)
09:49:21.104110 http.c:889 <= Recv header: Content-Type: text/html; charset=utf-8
09:49:21.104110 http.c:877 <= Recv header, 0000000055 bytes (0x00000037)
09:49:21.105112 http.c:889 <= Recv header: X-TFS-ProcessId: <redacted>
09:49:21.105112 http.c:877 <= Recv header, 0000000050 bytes (0x00000032)
09:49:21.105112 http.c:889 <= Recv header: ActivityId: <redacted>
09:49:21.105112 http.c:877 <= Recv header, 0000000053 bytes (0x00000035)
09:49:21.105112 http.c:889 <= Recv header: X-TFS-Session: <redacted>
09:49:21.105112 http.c:877 <= Recv header, 0000000051 bytes (0x00000033)
09:49:21.105112 http.c:889 <= Recv header: X-VSS-E2EID: <redacted>
09:49:21.105112 http.c:877 <= Recv header, 0000000064 bytes (0x00000040)
09:49:21.105112 http.c:889 <= Recv header: X-VSS-SenderDeploymentId: <redacted>
09:49:21.105112 http.c:877 <= Recv header, 0000000706 bytes (0x000002c2)
09:49:21.105112 http.c:889 <= Recv header: X-TFS-SoapException: <redacted>
09:49:21.105112 http.c:877 <= Recv header, 0000000144 bytes (0x00000090)
09:49:21.105112 http.c:889 <= Recv header: X-TFS-ServiceError: <redacted>
09:49:21.105112 http.c:877 <= Recv header, 0000000026 bytes (0x0000001a)
09:49:21.105112 http.c:889 <= Recv header: WWW-Authenticate: Bearer
09:49:21.105112 http.c:877 <= Recv header, 0000000073 bytes (0x00000049)
09:49:21.105112 http.c:889 <= Recv header: WWW-Authenticate: Basic realm="https://<redacted>/tfs"
09:49:21.105112 http.c:877 <= Recv header, 0000000029 bytes (0x0000001d)
09:49:21.105112 http.c:889 <= Recv header: WWW-Authenticate: Negotiate
09:49:21.105112 http.c:877 <= Recv header, 0000000024 bytes (0x00000018)
09:49:21.105112 http.c:889 <= Recv header: WWW-Authenticate: NTLM
09:49:21.105112 http.c:877 <= Recv header, 0000000023 bytes (0x00000017)
09:49:21.105112 http.c:889 <= Recv header: X-Powered-By: ASP.NET
09:49:21.105112 http.c:877 <= Recv header, 0000000124 bytes (0x0000007c)
09:49:21.105112 http.c:889 <= Recv header: ...
09:49:21.105112 http.c:877 <= Recv header, 0000000024 bytes (0x00000018)
09:49:21.105112 http.c:889 <= Recv header: Lfs-Authenticate: NTLM
09:49:21.105112 http.c:877 <= Recv header, 0000000033 bytes (0x00000021)
09:49:21.105112 http.c:889 <= Recv header: X-Content-Type-Options: nosniff
09:49:21.105112 http.c:877 <= Recv header, 0000000037 bytes (0x00000025)
09:49:21.105112 http.c:889 <= Recv header: Date: Fri, 13 Mar 2026 08:49:21 GMT
09:49:21.105112 http.c:877 <= Recv header, 0000000023 bytes (0x00000017)
09:49:21.105112 http.c:889 <= Recv header: Content-Length: 20271
09:49:21.105112 http.c:930 == Info: Ignoring the response-body
09:49:21.105112 http.c:930 == Info: setting size while ignoring
09:49:21.105112 http.c:877 <= Recv header, 0000000002 bytes (0x00000002)
09:49:21.105112 http.c:889 <= Recv header:
09:49:21.106112 http.c:930 == Info: Connection #0 to host <redacted>:443 left intact
09:49:21.106112 http.c:930 == Info: Issue another request to this URL: 'https://<redacted>/tfs/<redacted>/_git/<redacted>/info/refs?service=git-upload-pack'
09:49:21.106112 http.c:930 == Info: Reusing existing https: connection with host <redacted>
09:49:21.106112 http.c:930 == Info: Server auth using Basic with user '<redacted>'
09:49:21.106112 http.c:877 => Send header, 0000000365 bytes (0x0000016d)
09:49:21.106112 http.c:889 => Send header: GET /tfs/<redacted>/_git/<redacted>/info/refs?service=git-upload-pack HTTP/1.1
09:49:21.106112 http.c:889 => Send header: Host: <redacted>
09:49:21.106112 http.c:889 => Send header: Authorization: Basic <redacted>
09:49:21.106112 http.c:889 => Send header: User-Agent: git/2.53.0.windows.2
09:49:21.106112 http.c:889 => Send header: Accept: */*
09:49:21.106112 http.c:889 => Send header: Accept-Encoding: deflate, gzip, br, zstd
09:49:21.106112 http.c:889 => Send header: Pragma: no-cache
09:49:21.106112 http.c:889 => Send header: Git-Protocol: version=2
09:49:21.106112 http.c:889 => Send header:
09:49:21.106112 http.c:930 == Info: Request completely sent off
09:49:21.139695 http.c:877 <= Recv header, 0000000027 bytes (0x0000001b)
09:49:21.139695 http.c:889 <= Recv header: HTTP/1.1 401 Unauthorized
09:49:21.139695 http.c:877 <= Recv header, 0000000040 bytes (0x00000028)
09:49:21.139695 http.c:889 <= Recv header: Content-Type: text/html; charset=utf-8
09:49:21.139695 http.c:877 <= Recv header, 0000000055 bytes (0x00000037)
09:49:21.139695 http.c:889 <= Recv header: X-TFS-ProcessId: <redacted>
09:49:21.139695 http.c:877 <= Recv header, 0000000050 bytes (0x00000032)
09:49:21.139695 http.c:889 <= Recv header: ActivityId: <redacted>
09:49:21.139695 http.c:877 <= Recv header, 0000000053 bytes (0x00000035)
09:49:21.140838 http.c:889 <= Recv header: X-TFS-Session: <redacted>
09:49:21.140838 http.c:877 <= Recv header, 0000000051 bytes (0x00000033)
09:49:21.140838 http.c:889 <= Recv header: X-VSS-E2EID: <redacted>
09:49:21.140838 http.c:877 <= Recv header, 0000000064 bytes (0x00000040)
09:49:21.140838 http.c:889 <= Recv header: X-VSS-SenderDeploymentId: <redacted>
09:49:21.140838 http.c:877 <= Recv header, 0000000706 bytes (0x000002c2)
09:49:21.140838 http.c:889 <= Recv header: X-TFS-SoapException: <redacted>
09:49:21.140838 http.c:877 <= Recv header, 0000000144 bytes (0x00000090)
09:49:21.140838 http.c:889 <= Recv header: X-TFS-ServiceError: <redacted>
09:49:21.140838 http.c:877 <= Recv header, 0000000026 bytes (0x0000001a)
09:49:21.140838 http.c:889 <= Recv header: WWW-Authenticate: Bearer
09:49:21.140838 http.c:930 == Info: Basic authentication problem, ignoring.
09:49:21.140838 http.c:877 <= Recv header, 0000000073 bytes (0x00000049)
09:49:21.140838 http.c:889 <= Recv header: WWW-Authenticate: Basic realm="https://<redacted>/tfs"
09:49:21.140838 http.c:877 <= Recv header, 0000000029 bytes (0x0000001d)
09:49:21.140838 http.c:889 <= Recv header: WWW-Authenticate: Negotiate
09:49:21.140838 http.c:877 <= Recv header, 0000000024 bytes (0x00000018)
09:49:21.140838 http.c:889 <= Recv header: WWW-Authenticate: NTLM
09:49:21.140838 http.c:877 <= Recv header, 0000000023 bytes (0x00000017)
09:49:21.140838 http.c:889 <= Recv header: X-Powered-By: ASP.NET
09:49:21.140838 http.c:877 <= Recv header, 0000000124 bytes (0x0000007c)
09:49:21.140838 http.c:889 <= Recv header: ...
09:49:21.140838 http.c:877 <= Recv header, 0000000024 bytes (0x00000018)
09:49:21.140838 http.c:889 <= Recv header: Lfs-Authenticate: NTLM
09:49:21.140838 http.c:877 <= Recv header, 0000000033 bytes (0x00000021)
09:49:21.140838 http.c:889 <= Recv header: X-Content-Type-Options: nosniff
09:49:21.140838 http.c:877 <= Recv header, 0000000037 bytes (0x00000025)
09:49:21.140838 http.c:889 <= Recv header: Date: Fri, 13 Mar 2026 08:49:21 GMT
09:49:21.140838 http.c:877 <= Recv header, 0000000023 bytes (0x00000017)
09:49:21.140838 http.c:889 <= Recv header: Content-Length: 20271
09:49:21.140838 http.c:877 <= Recv header, 0000000002 bytes (0x00000002)
09:49:21.141847 http.c:889 <= Recv header:
09:49:21.141847 http.c:930 == Info: Connection #0 to host <redacted>:443 left intact
warning: Due to its cryptographic weaknesses, NTLM authentication has been
disabled in Git by default. You can re-enable it for trusted servers
by running:
git config set http.https://<redacted>.allowNTLMAuth true
fatal: Authentication failed for 'https://<redacted>/tfs/<redacted>/_git/<redacted>/'
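
A triage helper for traces like the two above, added here as an example; it is not part of the original report or of Git Credential Manager. It collects the schemes the server offered and the schemes the client actually sent, then flags the mismatch the report describes. The sample lines are constructed (host `git.example.test` and user `alice` are placeholders) and the function name `summarize_auth_trace` is hypothetical.

```python
import re

# Constructed sample modelled on the GCM_TRACE and GIT_CURL_VERBOSE line
# formats in the report; host and user are placeholders, not reported values.
SAMPLE_TRACE = """\
10:27:19.812301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] ntlm=suppressed
10:27:19.813301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Bearer
10:27:19.813301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Basic realm="https://git.example.test/tfs"
10:27:19.813301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=Negotiate
10:27:19.813301 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth[]=NTLM
10:27:20.627704 ...cHostProvider.cs:182 trace: [GenerateCredentialAsync] Host does not support WIA.
09:49:10.998674 http.c:889 <= Recv header: WWW-Authenticate: Negotiate
09:49:10.999671 http.c:889 <= Recv header: WWW-Authenticate: NTLM
09:49:10.999671 http.c:889 <= Recv header: Lfs-Authenticate: NTLM
09:49:21.106112 http.c:930 == Info: Server auth using Basic with user 'alice'
09:49:21.106112 http.c:889 => Send header: Authorization: Basic <redacted>
"""

# Schemes the server offered: curl's received WWW-Authenticate headers and the
# wwwauth[] lines Git passes to the credential helper.
OFFERED = re.compile(
    r"(?:Recv header: WWW-Authenticate:\s*|wwwauth\[\]=)(\S+)", re.I
)
# Schemes the client actually used: outgoing Authorization headers.
SENT = re.compile(r"Send header: Authorization:\s*(\S+)", re.I)
INTEGRATED = {"negotiate", "ntlm"}


def summarize_auth_trace(trace):
    """Summarise offered vs. sent HTTP auth schemes in a combined trace."""
    offered, sent = set(), set()
    ntlm_suppressed = gcm_rejected_wia = False
    for line in trace.splitlines():
        match = OFFERED.search(line)
        if match:
            offered.add(match.group(1).lower())
        match = SENT.search(line)
        if match:
            sent.add(match.group(1).lower())
        if "ntlm=suppressed" in line:
            ntlm_suppressed = True
        if "Host does not support WIA" in line:
            gcm_rejected_wia = True

    findings = []
    if "negotiate" in offered and "negotiate" not in sent:
        findings.append("negotiate-offered-but-never-sent")
    if gcm_rejected_wia and offered & INTEGRATED:
        findings.append("gcm-reported-no-wia-despite-integrated-scheme-offered")
    if "basic" in sent and offered & INTEGRATED:
        findings.append("basic-credentials-sent-instead-of-integrated-auth")
    return {
        "offered": offered,
        "sent": sent,
        "ntlm_suppressed": ntlm_suppressed,
        "gcm_rejected_wia": gcm_rejected_wia,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in summarize_auth_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Redact `Authorization` values before sharing a trace; the helper only reads the scheme name that precedes them.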