Unable to Open Repository from Azure DevOps

[mikew3432]

Hello dear reader - this is a networking-caused issue but hard to fathom and hoping for assistance. It is probably an error handling bug?

I go to Open Remote Repository and Open Repository from Azure Repos, the Azure Active Directory Tenant picker is not displayed - and goes straight to an empty Azure DevOps Organization picker.

The catch is - this only happens connected on our new VPN. The problem is, how to determine what is broken. The network appliance logs are (too) abundantly full of successful connections... The root cause is undoubtedly some network/security policy, it works fine on our old VPN. However I'm finding it hard to troubleshoot and the network flow is not documented afaik.

Issue in pictures:

<-- normally at this point in the sequence, I would get shown a couple of AAD tenant IDs, however it skips it -->

^^^ Unable to open a Azure DevOps repo.

[mikew3432]

@lszomoru @joyceerhl This issue has progressed - not quite to a happy conclusion,

In testing with our vendors, we learned that on our new SASE solution we are doing https decryption and inspection on more internet URLs including where we previously we were not - due to our company threat protection policy and application of security vendor best practices.

To make VS Code Remote Repository to Azure DevOps work, we applied a very large number of exceptions to https decryption, based on this Microsoft page: https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops&tabs=IP-V4

We have not narrowed it down any further as yet.

*** Typically issues like this are TLS certificate trust - where our internally trusted certificate is not trusted. Anyway where there is an issue, the client (normally a browser) will report the issue and we can resolve it.

However in this case the client is VS Code extension, and the extension does not report an issue - it just silently fails.

We currently don't actually know a precise fix for it, just a shotgun of exceptions that is not ideal. Https decryption and inspection is a critical plank of our security infrastructure.

Can the VS Code and/or extension logging and/or error presentation to the user be improved?

[lszomoru]

@mikew3432, could you check the "Azure Repos" output channel to see if there are any errors there?
You can access that by using the View -> Output menu, and then in the channel dropdown pick "Azure Repos". Thanks!

[mikew3432]

Thank you @lszomoru! that is very helpful.

2023-12-06 16:00:04.444 [info] [ 2] ChangeStore.getWorkspacesWithChanges()
2023-12-06 16:00:04.445 [info] [ 2] ChangeStore.getWorkspacesWithChanges() took 0 ms
2023-12-06 16:00:06.064 [info] [ 5] AzDO.ensureAuthenticated
2023-12-06 16:00:07.056 [warning] [ 5] AzDO.ensureAuthenticated took 991 ms
2023-12-06 16:00:07.057 [info] [ 6] AzDO.ensureAuthenticated
2023-12-06 16:00:07.193 [error] ClientRequest.
FetchError: request to https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.0 failed, reason: unable to get issuer certificate
2023-12-06 16:00:07.194 [error] ClientRequest.
FetchError: request to https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.0 failed, reason: unable to get issuer certificate

We can use this info. Actually I didn't know about the Output panels. Much appreciated.

[lszomoru]

Glad the information is helpful. Please keep me posted on whether things will work out.

[Furka-090]

Merhaba sevgili okuyucu - bu ağ kaynaklı bir sorundur ancak anlaşılması zordur ve yardım umuyorum. Muhtemelen bir hata işleme hatasıdır?

Uzak Depoyu Aç ve Azure Depolarından Depoyu Aç'a gidiyorum, Azure Active Directory Kiracı seçicisi görüntülenmiyor ve doğrudan boş bir Azure DevOps Kuruluş seçicisine gidiyor.

İşin püf noktası şu - bu yalnızca yeni VPN'imize bağlıyken gerçekleşiyor. Sorun, neyin bozulduğunu nasıl belirleyeceğimiz. Ağ cihazı günlükleri (çok) başarılı bağlantılarla dolu... Kök neden şüphesiz bir ağ/güvenlik politikası, eski VPN'imizde gayet iyi çalışıyor. Ancak sorun gidermeyi zor buluyorum ve bildiğim kadarıyla ağ akışı belgelenmemiş.

Resimli sorun:

<-- normalde dizinin bu noktasında, bana birkaç AAD kiracı kimliği gösterilirdi, ancak bunu atlıyor -->

^^^ Azure DevOps deposu açılamıyor.
/