Git operation during TFS build: "fatal: could not read Password" (wincred used)

Question

We have an in-house TFS 2013 update 4 on Windows Server 2008 R2 Standard (TFS server), with Git version 2.5.0.windows.1.

Our TFS build process uses InvokeProcess activity to call Git from a batch file.

These are the calls to git we make from the batch file (in two lines for debugging purposes):

call git submodule init
call git submodule update

It is the second line that is giving me a problem, as shown below:

When I run the same batch file on the server manually (even from non-admin cmd.exe), all executes as expected, i.e. I am not prompted for any usernames or passwords.

We are currently using wincred as our credentials helper, having tried:

• winstore,
• git-credential-store,
• adding generic windows credentials via Credentials Manager (tried both git:http://xxxxxx:8080 and just http://xxxxxx:8080).
• setting credentials in .gitconfig globally and per repo.

Interestingly, Microsoft.TeamFoundation.Build.Activities.Git.GitPull has no problems cloning the superproject, but if I was to prompt Git to clone and pull via a batch file, I am getting the same "fatal: could not read Password" error.

Unfortunately, we do not have an option of upgrading to TFS 2015, where loading submodules is apparently a matter of ticking a check-box. Including username and password as part of the command in plain text is not an option either.

What do I need to try/do to allow Git to read the required Password using wincred? All thoughts and suggestions will be much appreciated...

Answer 1

The main problem was the fact that our TFS Build service was running under NETWORK SERVICE account, as opposed to the account which I was entering passwords for.

Steps that I took towards the solution (as alternative to using TFS Admin Console):

1. On TFS Server, go into Services (services.msc), and locate "Visual Studio Team Foundation Build Service Host 2013" service among "Services (local)".
2. Right-click on the service, and on "General" tab click "Stop"
3. On "Log On" tab, select "This account" and enter the details of the account you validated with wincred (it is assumed that this account exists under "Project Collection Build Service Accounts" and has all the required rights for your repos).
4. Take note of the email address as it is displayed after "Check names" has been clicked.
5. Click "Apply"
6. Back on the "General" tab, click "Start".
7. Do the same for "Visual Studio Team Foundation Background Job Agent" service (I did that for consistency with the build service).

A few more points worth checking:

• In your user account directory on TFS Server, ensure that the email address you saw after "Check names" in step 4 matches the email address used in the 'email' field under [user] in .gitconfig.
• Ensure you get prompted for credentials at some point by wincred (I did that by running "git config credential.helper store" first, then running "git config credential.helper wincred" (if you want to do "git config --global credential.helper store", followed by "git config --global credential.helper wincred", then you'll need to run your cmd.exe with elevated permissions).
• In my case the correctly saved credentials looked like this (in Credential Manager, under "Generic Credentials") - notice the absence of a username:

Hope this helps somebody with the same issue!