Azure DevOps Pipelines checkout failing on specific self-hosted agents:

Hi @McKay, Suzi (Frisco) ,

Thanks for reaching out to Microsoft Q&A.

This redirect-to-signin behavior usually means your self-hosted agent’s Git client isn’t actually honoring the OAuth token header that Azure Pipelines injects for non-interactive HTTPS checkouts. Instead Git falls back to an interactive login flow (hence the redirect).

Here's why it happens and what you can try:

1. Git version / preference on self-hosted agents
   • On Microsoft-hosted Windows agents, we bundle and use a Git build that fully supports the -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" trick Azure Pipelines uses for checkouts.
   • On self-hosted (and on any non-Windows agent), the agent defaults to whatever git is in your PATH (via System.PreferGitFromPath=true). If that Git is too old or was built without full HTTP header/TLS support, it will ignore the extraheader and Git HTTPS ends up prompting you to sign in.
2. Proxy or TLS interception
   • If you’re behind a corporate proxy that interrupts or replaces TLS connections, you may actually be getting your internal proxy’s login page instead of the real Azure DevOps JSON response. In that scenario Git sees HTML and tries to launch an interactive sign-in.
3. “Allow scripts to access OAuth token” must be on
   • In your pipeline settings you need Allow scripts to access the OAuth token enabled so that $(System.AccessToken) is available during checkout.

Try below steps:

Check which Git your agent is using:

• Run git --version on the agent machine
  • Look in the agent logs to see the Git path

If it’s an older or custom Git, either:

• Install a newer Git (2.21+ with full HTTPS & extraheader support) in your PATH
  • Or force the agent to use its bundled Git by setting System.PreferGitFromPath=false in the pipeline or environment

Verify your network/proxy:

• Ensure direct TLS to dev.azure.com (or your Azure DevOps domain) works, without corporate intercepts
  • If you must use a proxy, set http_proxy/https_proxy env vars for Git and confirm it doesn’t inject HTML sign-in flows

Double-check pipeline security:

• In the YAML or pipeline UI, make sure Allow scripts to access the OAuth token is turned on.

Hope this helps!

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Self-hosted Azure DevOps agents receive interactive sign-in redirects during Git HTTPS operations when the agent machine does not fully trust the TLS/SSL certificate used by Azure DevOps Server (or the Git endpoint), or when SSL validation is otherwise failing. In that situation, Git/HTTP cannot complete a normal non-interactive OAuth flow, and the connection falls back to behavior that expects an interactive sign-in, which a pipeline agent cannot satisfy.

On self-hosted agents, this typically happens when:

1. The Azure DevOps Server (or proxy/SSL terminator in front of it) uses a self-signed or internal CA certificate that is not installed in the agent machine’s OS certificate store.
2. Git on the agent is not configured to trust that certificate/CA, so HTTPS requests fail certificate validation.
3. The agent then cannot complete secure, non-interactive OAuth-based Git operations, so checkout fails.

To fix this for self-hosted agents:

1. Ensure the server certificate is trusted by the agent OS
   • Install the self-signed or internal CA certificate into the machine’s certificate store so the SSL handshake succeeds.
   • For Azure DevOps Server:
     • Windows: install into the Windows certificate store.
     • Linux: install into the OpenSSL certificate store.
     • macOS: for agent version 2.125.0 or above, use Keychain; for older agents, OpenSSL store.
   • After installation, verify that an HTTPS request to the Azure DevOps Server completes the SSL handshake successfully.
2. Configure Git on the agent to trust the certificate
   • If using Windows, configure Git to use the Windows certificate store (SChannel) so it automatically trusts what Windows trusts:

          git config --global http.sslBackend schannel
     

   • Or export the root/intermediate CA as a Base-64 .crt file and point Git to it:

          git config --global http.sslCAInfo C:/path/to/my-ca-cert.crt
     

   • Avoid disabling SSL verification (http.sslVerify=false) except for temporary testing, because it removes protection against man-in-the-middle attacks.
3. For the Azure Pipelines agent itself
   • If the agent is connecting to Azure DevOps Server over HTTPS with a self-signed certificate, ensure that certificate is trusted as above.
   • Only if the certificate truly cannot be installed, the agent can be configured with --sslskipcertvalidation during setup to ignore SSL validation errors, but this is not recommended because it is insecure:

          ./config.cmd --sslskipcertvalidation
     

     Use this only as a last resort.

Once the agent machine and Git both trust the server certificate, HTTPS Git operations can complete with normal OAuth tokens, and the non-interactive pipeline checkout will succeed without sign-in redirects.

References:

• Run an agent with a self-signed certificate
• Git FAQs
• Azure Pipelines agents
• Self-hosted Windows agents
• Troubleshoot pipeline runs