Problem Note 70654: The sas-risk-cirrus-core pod services fail to start when the remote GIT repository (Azure DevOps Server) is configured to use Kerberos authentication
 |  |  |  |
The sas-risk-cirrus-core pod services fail to start when the remote GIT repository (Azure DevOps Server) is configured to use Kerberos authentication. As a result, the following error occurs:
{"level":"info","version":1,"source":"sas-risk-cirrus-core","messageKey":"The command to check if the remote repository URL \"https://<USERID>@xyz.abc.com/DefaultCollection/SAS_VIYA/_git/SAS_RISK_CODE_LIB\" exists is being performed.","properties":{"logger":"riskCirrusCore/helper","caller":"githelper/GitURL.go:75"},"timeStamp":"2024-01-10T11:48:30.187711+00:00","message":"The command to check if the remote repository URL \"https://<USERID>@xyz.abc.com/DefaultCollection/SAS_VIYA/_git/SAS_RISK_CODE_LIB\" exists is being performed."}
{"level":"error","version":1,"source":"sas-risk-cirrus-core","messageKey":"A Git operation error occurred. Error: The command \"git ls-remote\" could not be completed. Reason: fatal: Authentication failed for 'https://xyz.abc.com/DefaultCollection/SAS_VIYA/_git/SAS_RISK_CODE_LIB/'.","properties":{"logger":"riskCirrusCore/models","caller":"models/messages.go:232"},"timeStamp":"2024-01-10T11:48:30.402783+00:00","message":"A Git operation error occurred. Error: The command \"git ls-remote\" could not be completed. Reason: fatal: Authentication failed for 'https://xyz.abc.com/DefaultCollection/SAS_VIYA/_git/SAS_RISK_CODE_LIB/'."}
{"level":"error","version":1,"source":"sas-risk-cirrus-core","messageKey":"A Git operation error occurred. Error: The command \"git ls-remote\" could not be completed. Reason: fatal: Authentication failed for 'https://xyz.abc.com/DefaultCollection/SAS_VIYA/_git/SAS_RISK_CODE_LIB/'.","properties":{"logger":"riskCirrusCore/models","caller":"models/messages.go:232"},"timeStamp":"2024-01-10T11:48:30.402783+00:00","message":"A Git operation error occurred. Error: The command \"git ls-remote\" could not be completed. Reason: fatal: Authentication failed for 'https://xyz.abc.com/DefaultCollection/SAS_VIYA/_git/SAS_RISK_CODE_LIB/'."}
In addition, the following verbose GIT CURL error occurs:
10:53:00.405342 http.c:699 == Info: Issue another request to this URL: 'https://<USERID>:<TOKEN>@xyz.abc.com/DefaultCollection/SAS_VIYA/_git/SAS_RISK_CODE_LIB/info/refs?service=git-upload-pack'
10:53:00.405381 http.c:699 == Info: Found bundle for host xyz.abc.com: 0x564a50dec630 [can multiplex]
10:53:00.405408 http.c:699 == Info: Re-using existing connection! (#0) with host xyz.abc.com
10:53:00.405423 http.c:699 == Info: Connected to xyz.abc.com (x.x.x.x) port 443 (#0)
10:53:00.411725 http.c:699 == Info: gss_init_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. SPNEGO cannot find mechanisms to negotiate.
10:53:00.411757 http.c:699 == Info: Server auth using Negotiate with user '<USERID>'
10:53:00.411781 http.c:699 == Info: Using Stream ID: 3 (easy handle 0x564a50dfd560)
10:53:00.411830 http.c:699 == Info: TLSv1.2 (OUT), TLS header, Unknown (23):
10:53:00.411899 http.c:646 => Send header, 0000000278 bytes (0x00000116)
10:53:00.411913 http.c:658 => Send header: GET /DefaultCollection/SAS_VIYA/_git/SAS_RISK_CODE_LIB/info/refs?service=git-upload-pack HTTP/2
10:53:00.411922 http.c:658 => Send header: Host: xyz.abc.com
10:53:00.411928 http.c:658 => Send header: user-agent: git/2.39.3
10:53:00.411937 http.c:658 => Send header: accept: */*
10:53:00.411957 http.c:658 => Send header: accept-encoding: deflate, gzip, br
10:53:00.411969 http.c:658 => Send header: accept-language: en-US, *;q=0.9
10:53:00.411978 http.c:658 => Send header: pragma: no-cache
10:53:00.411987 http.c:658 => Send header: git-protocol: version=2
10:53:00.405381 http.c:699 == Info: Found bundle for host xyz.abc.com: 0x564a50dec630 [can multiplex]
10:53:00.405408 http.c:699 == Info: Re-using existing connection! (#0) with host xyz.abc.com
10:53:00.405423 http.c:699 == Info: Connected to xyz.abc.com (x.x.x.x) port 443 (#0)
10:53:00.411725 http.c:699 == Info: gss_init_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. SPNEGO cannot find mechanisms to negotiate.
10:53:00.411757 http.c:699 == Info: Server auth using Negotiate with user '<USERID>'
10:53:00.411781 http.c:699 == Info: Using Stream ID: 3 (easy handle 0x564a50dfd560)
10:53:00.411830 http.c:699 == Info: TLSv1.2 (OUT), TLS header, Unknown (23):
10:53:00.411899 http.c:646 => Send header, 0000000278 bytes (0x00000116)
10:53:00.411913 http.c:658 => Send header: GET /DefaultCollection/SAS_VIYA/_git/SAS_RISK_CODE_LIB/info/refs?service=git-upload-pack HTTP/2
10:53:00.411922 http.c:658 => Send header: Host: xyz.abc.com
10:53:00.411928 http.c:658 => Send header: user-agent: git/2.39.3
10:53:00.411937 http.c:658 => Send header: accept: */*
10:53:00.411957 http.c:658 => Send header: accept-encoding: deflate, gzip, br
10:53:00.411969 http.c:658 => Send header: accept-language: en-US, *;q=0.9
10:53:00.411978 http.c:658 => Send header: pragma: no-cache
10:53:00.411987 http.c:658 => Send header: git-protocol: version=2
Workaround
To circumvent this issue, do any of the following workarounds:
- See whether Kerberos for the Azure GIT Server can be configured to allow Basic authentication.
- Use a different GIT server other than the Azure DevOps Server (for example, GIT Lab Server). Note: You can use the Azure DevOps server once a patch is provided.
- See whether Kerberos (and likely NTLM) authentication can be unconfigured or disabled for the Azure GIT Server.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Risk Modeling | Linux for x64 | LTS 2023.10 | Viya platform | ||
| Type: | Problem Note |
| Priority: | medium |
| Date Modified: | 2024-02-16 10:57:45 |
| Date Created: | 2024-02-13 10:31:52 |