Build created in TFS 2017 fails to clone Git repository created on another TFS 2017 server with error: Too many redirects or authentication replays

Question

I have two on prem TFS 2017 update 1 installations.

TFS1: It is located on the Intranet of my company. Only ours developers have access to it.

TFS2: It is located on the public internet. This is meant for external providers and vendors pushing code for us.

TFS1 can connect to TFS2 but no viceversa.

I have a Git repo in TFS2 (HTTPS).

I can clone the repo from the intranet. I can pull and push code without any problems using the right credentials from TFS2. I am using an account created locally on TFS2.

I created in TFS1 a build that fetches from external TFS2. I created a new Service Endpoint (External Git) using the same credentials I use on my dev environment.

The build fails cloning the repo with the following error:

2017-05-18T22:34:28.2542280Z Syncing repository: Header TfsGit external (Git)
2017-05-18T22:34:28.3323346Z Starting clone
2017-05-18T22:34:40.3485989Z ##[error]LibGit2Sharp.LibGit2SharpException: Too many redirects or authentication replays
2017-05-18T22:34:40.3485989Z ##[error]   at LibGit2Sharp.Core.Ensure.HandleError(Int32 result)
2017-05-18T22:34:40.3485989Z ##[error]   at LibGit2Sharp.Core.Proxy.git_clone(String url, String workdir, GitCloneOptions& opts)
2017-05-18T22:34:40.3642360Z ##[error]   at LibGit2Sharp.Repository.Clone(String sourceUrl, String workdirPath, CloneOptions options)
2017-05-18T22:34:40.3642360Z ##[error]   at Microsoft.TeamFoundation.DistributedTask.Task.Internal.Core.GitHelper.CloneRepository(String repositoryPath, Uri repositoryUrl, Boolean checkoutSubmodules, String username, String password)
2017-05-18T22:34:40.3642360Z ##[error]   at Microsoft.TeamFoundation.DistributedTask.Task.Internal.Core.GitHelper.SyncRepository(Uri repositoryUrl, String rootPath, Boolean cleanRepository, Boolean checkoutSubmodules, String sourceVersion, String username, String password)
2017-05-18T22:34:40.3642360Z ##[error]   at Microsoft.TeamFoundation.DistributedTask.Task.Internal.Core.GitHelper.SyncRepository(ITaskEndpoint endpoint, String rootPath, Boolean cleanRepository, Boolean checkoutSubmodules, String sourceVersion)
2017-05-18T22:34:40.3642360Z ##[error]   at Microsoft.TeamFoundation.DistributedTask.Task.Internal.Core.GitHelper.SyncAndCheckout(Boolean cleanRepository, String sourceBranch, String sourceVersion, Boolean checkoutSubmodules, CancellationToken cancellationToken)
2017-05-18T22:34:40.3642360Z ##[error]   at Microsoft.TeamFoundation.DistributedTask.Plugin.Build.GitSourceProvider.<>c__DisplayClass3_0.<PrepareRepositoryAsync>b__0()

I created a build in Jenkins and it successfully fetches the Git repo.

I tried a few solutions I found online. I enabled Basic Authentication on TFS2 (IIS server), I tried both authentication modes in TFS2: NTLM and Negotiate.

How can make a build in TFS that uses a repository that is located on another TFS server?

Answer 1

Ok, The problem is fixed.

We were using TFS agents installed more than year ago for a platform with TFS 2015. We removed and installed the latest version of TFS agent (https://go.microsoft.com/fwlink/?linkid=842100)

Configuration took a while and I had to apply the fix suggested on this link: https://github.com/Microsoft/vsts-agent/issues/759

Bottomline, If using TFS 2017, use the latest version of TFS agent.

Answer 2

I think you'd start with line 3 in your question: "TFS1 can connect to TFS2 but no viceversa." The error message indicate authentication failures, so it sounds like the build on TFS1 has some component in the definition where TFS2 is retrieving credentials for TFS1. As to what this might be, my first thought was that trying to mix (I assume) AD for TFS1 and a non-AD user in a single build might cause a famous 'undocumented feature'. I'm a newb in network infrastructure, so be gentle if I'm nowhere close. Hopefully it will trigger some other ideas for you at least.

edit Since it DOES work in Jenkins, more likely to be IIS related.