Clone repo from Azure DevOps Server (on-premise) - Authentication failed

Hi @Conner, Mike@Energy ,

Thanks for reaching out to Microsoft Q&A.

Here’s what you can check and try:

1. Generate the PAT on your on-prem server
   • Sign into https://devops.energy.ca.gov
   • Click your avatar =>Security =>Personal access tokens
   • New token: give it a name, set the expiration, and under “Scopes” at minimum enable Code (Read & write)
   • Copy the full token (you won’t be able to see it again)
2. Use the PAT with Git Option A: include it in the clone URL (you may need to URL-encode special characters):

    git clone https://<yourUserName>:<YOUR_PAT>@devops.energy.ca.gov/DefaultCollection/MIDAS/_git/midas-aws-migration  
   

   Option B: let Git prompt you for credentials (preferred):

    git clone https://devops.energy.ca.gov/DefaultCollection/MIDAS/_git/midas-aws-migration  
   

   When prompted for Username, enter your username; when prompted for Password, paste the PAT
3. Install or update Git Credential Manager (GCM)
   • This helps avoid retyping credentials and handles OAuth/Microsoft Entra tokens automatically
   • Docs: https://learn.microsoft.com/azure/devops/repos/git/use-credential-manager
4. Verify permissions and server support
   • Make sure your account has at least Basic access and is in the Contributors group on the MIDAS project
   • Confirm your Azure DevOps Server version supports PATs (PATs were introduced in Azure DevOps Server 2019)
   • If you’re behind a proxy or using SSL inspection, try enabling Git trace logs (GIT_TRACE=1, GIT_CURL_VERBOSE=1) to see more details

Hope this helps!

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

For Azure DevOps (including on-premises Azure DevOps Server), the supported and documented pattern is to use the PAT as the HTTP password, not embedded in the URL.

Use either:

git clone https://devops.energy.ca.gov/DefaultCollection/MIDAS/_git/midas-aws-migration

When prompted for credentials:

• Username: any non-empty string (often the actual username, but it can be anything)
• Password: the PAT value

If using command-line automation where interactive prompts are not possible, follow the documented pattern of configuring the PAT via headers or a credential manager instead of embedding it directly in the URL. For example, with Azure DevOps Services the pattern is:

MY_PAT=yourPAT
export HEADER_VALUE=$(echo -n "Authorization: Basic "$(printf ":%s" "$MY_PAT" | base64))

git --config-env=http.extraheader=HEADER_VALUE clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName

On Windows PowerShell:

$MyPat = 'yourPat'
$headerValue = "Authorization: Basic " + [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":" + $MyPat))
$env:GIT_AUTH_HEADER = $headerValue

git --config-env=http.extraheader=GIT_AUTH_HEADER clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName

The form

git clone https://{user}:{PAT}@devops.energy.ca.gov/DefaultCollection/MIDAS/_git/midas-aws-migration

is not the recommended or documented approach and may fail or expose the PAT in logs and history.

If authentication continues to fail even when using the PAT as the password, verify:

• The PAT was created in the correct Azure DevOps Server instance and has the required scopes for code access.
• No stale or conflicting credentials are cached (for example, via Git Credential Manager or OS credential store).

References:

• Authentication with Azure Repos
• Use Git Credential Manager to generate tokens
• Clone an existing Git repo
• Git FAQs