Authentication behaviour changing depending on Basic Auth or CredentialProvider #12546
Comments
Hi @chrisdecker1201, may I know if you have a chance to take a look at this doc?
Hi @heng-liu, yes. I had a chance to look at the doc. Sadly none of the proposals is a solution. As I mentioned, I have credentials that work without the CredentialProvider. If I install the CredentialProvider and use it, I see in Fiddler that it now tries to authenticate with NTLM, but it should use Kerberos like when I'm not using the CredentialProvider. Please see the issue I created at the CredentialProvider with all the comments. There are also the Fiddler logs: microsoft/artifacts-credprovider#383
Hi @chrisdecker1201, may I know if you had a chance to try to install the Azure Artifacts NuGet Credential Provider and then run command
I did the following, but without success:
iex "& { $(irm https://aka.ms/install-artifacts-credprovider.ps1) }"
dotnet new classlib --name proget_experimental
cd proget_experimental
dotnet new nugetconfig
dotnet nuget disable source nuget
dotnet nuget add source "https://internalproget.server.com/nuget/Experimental/v3/index.json" --name "ProGet Experimental (Basic Auth)"
dotnet add package MsgPack.Cli --no-restore
dotnet restore --interactive
And get the following:
(edited by zivkan: put in a collapsible summary as the detailed logs are very long)
Additionally I tried to set again the data for the CredentialProvider, but with the same output:
$env:VSS_NUGET_EXTERNAL_FEED_ENDPOINTS = '{"endpointCredentials": [{"endpoint":"https://internalproget.server.com/nuget/Experimental/v3/index.json", "username":"username", "password":"password"}]}'
TL;DR: My guess is that the artifacts-credprovider is telling NuGet that the creds are only good for the
@chrisdecker1201 the fiddler lines you copied in the artifacts-credprovider issue can be summarized as "when the server responds with HTTP 401, it returns two WWW-Authenticate headers, with the
The way that NuGet sends credentials to a server is by setting
And to wrap up the auth process, NuGet has an implementation of
Therefore, putting everything together, and making a few guesses:
If I'm understanding it correctly: Would it be a solution if the credential provider sends the correct auth type instead of always basic? In my case I know it must be kerberos, but basic is wrong.
I asked someone in the Azure Artifacts team, and they pointed me to the line where the Artifacts Credential Provider hardcodes basic as the only allowed authentication type: https://github.com/microsoft/artifacts-credprovider/blob/9abad78d08ba6aab6531adbbec3c9575088b37c5/CredentialProvider.Microsoft/RequestHandlers/GetAuthenticationCredentialsRequestHandler.cs#L76
So, both NuGet and the Artifacts Cred Provider are working as designed. Unfortunately your scenario is outside the intended use-case for the Azure Artifacts Credential Provider.
You didn't explain why you would have liked to use the cred provider, rather than
<Contoso>
  <add key="Username" value="user@contoso.com" />
  <add key="ClearTextPassword" value="%ContosoPassword%" />
</Contoso>
So, this command line might work, as long as the shell doesn't transform the value before it reaches NuGet's process. Otherwise you'll need to escape the special characters, however your shell needs to do that.
Again, if this doesn't work, it may be the shell transforming the value before it gets to NuGet. You can try
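The scheme mismatch discussed in this thread, as an added example that is not part of the original comments and not NuGet's or the credential provider's code: it parses the WWW-Authenticate challenges of a 401 response and reports whether a credential restricted to Basic could be used against them. The header values are constructed samples, and the Basic-only restriction is modelled as an assumption based on the hardcoded line linked above.

```python
import re

# Assumption taken from the thread: the credential provider marks the
# credentials it returns as valid for HTTP Basic only.
PROVIDER_AUTH_TYPES = {"basic"}

# An auth-param ("realm=...") continues the previous challenge; anything
# else at the top level starts a new challenge (RFC 7235 grammar).
AUTH_PARAM = re.compile(r'^[^\s=,"]+\s*=')

def split_top_level(value):
    """Split a header value on commas that are outside quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = quoted and ch == "\\" and not escaped
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def offered_schemes(header_values):
    """Lower-cased schemes offered across all WWW-Authenticate headers."""
    schemes = []
    for value in header_values:
        for part in split_top_level(value):
            if AUTH_PARAM.match(part):
                continue  # parameter of the challenge already recorded
            scheme = part.split(None, 1)[0].lower()
            if scheme not in schemes:
                schemes.append(scheme)
    return schemes

def check_credential(header_values, allowed=PROVIDER_AUTH_TYPES):
    """Report which offered schemes a restricted credential can answer."""
    offered = offered_schemes(header_values)
    usable = [s for s in offered if s in allowed]
    return {"offered": offered, "usable": usable, "accepted": bool(usable)}

# Constructed sample 401 responses (not taken from the Fiddler logs).
NEGOTIATE_ONLY = ["Negotiate", "NTLM"]
WITH_BASIC = ['Negotiate, Basic realm="ProGet, internal", charset="UTF-8"']

if __name__ == "__main__":
    for headers in (NEGOTIATE_ONLY, WITH_BASIC):
        print(check_credential(headers))
```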
@zivkan I try to get Azure Pipelines running with an external nuget feed. I investigated the behavior with the described scripts. If I understand NuGetAuthenticate@1 in Azure Pipelines correctly, it "simply" downloads the latest Credential Provider and tries to connect to the configured service connection. As I configured my external nuget feed with Basic Authentication as Service Connection, those are the steps I used to reconstruct the behavior.
@chrisdecker1201 As previously discussed, HTTP Basic is a different authentication scheme to Negotiate (Kerberos uses Negotiate). So, unless your ProGet server starts accepting HTTP Basic (Fiddler will show a header
While the NuGet team has contacts with the Azure Artifacts team, we are different teams in different parts of the organization, so if you would like to submit a feature request to have Azure DevOps service connections and the Azure Artifacts Credential Provider both support auth schemes other than Basic, github.com/NuGet/ isn't the right team. I believe you can submit the feature request here: https://developercommunity.visualstudio.com/AzureDevOps/suggest
An alternative is to save your secrets in a Variable Group instead of the service connection, and instead of using the
Note that if you're using a CI agent that does not get wiped after every build, and you use the secret directly, rather than the environment variable syntax in the nuget.config, there's increased risk of leaking credentials, if someone else's build runs on the same machine after your build runs. You can use
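A check for the credential-leak risk noted in the comment above, as an added example (not code from NuGet or from this thread): it scans a nuget.config for ClearTextPassword entries and reports whether each is a %VARIABLE% reference or a literal secret, without echoing the value. The sample config, including the Legacy source and its value, is constructed; packageSourceCredentials is NuGet's section name for per-source credentials such as the Contoso block shown earlier.

```python
import re
import xml.etree.ElementTree as ET

# A value consisting of exactly one %NAME% reference is resolved by NuGet
# from the environment at run time, so no secret is stored in the file.
ENV_REF = re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%$")

def audit_nuget_config(xml_text):
    """Return (source, finding) for every ClearTextPassword entry.

    The password value itself is never returned or printed.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for section in root.iter("packageSourceCredentials"):
        for source in section:  # one child element per package source
            for add in source.findall("add"):
                if add.get("key", "").lower() != "cleartextpassword":
                    continue
                value = add.get("value", "")
                kind = "env-reference" if ENV_REF.match(value) else "literal-secret"
                findings.append((source.tag, kind))
    return findings

# Constructed sample: Contoso follows the pattern from the thread, Legacy
# shows the risky form with the secret written directly into the file.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSourceCredentials>
    <Contoso>
      <add key="Username" value="user@contoso.com" />
      <add key="ClearTextPassword" value="%ContosoPassword%" />
    </Contoso>
    <Legacy>
      <add key="Username" value="builder" />
      <add key="ClearTextPassword" value="constructed-not-a-real-secret" />
    </Legacy>
  </packageSourceCredentials>
</configuration>"""

if __name__ == "__main__":
    for source, kind in audit_nuget_config(SAMPLE_CONFIG):
        print(f"{source}: {kind}")
```

Run against the nuget.config files left on a persistent build agent, any `literal-secret` finding marks a credential that a later build on the same machine could read.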
NuGet Product Used
dotnet.exe
Product Version
6.0.407
Worked before?
No response
Impact
I'm unable to use this version
Repro Steps & Context
Hello,
I think I've everything described here: microsoft/artifacts-credprovider#383, but it seems no problem from the CredentialProvider.
We use the following systems:
Azure DevOps Pipelines
external Feed (ProGet from Inedo https://inedo.com/proget)
self hosted build agents (Windows Server 2022)
We have the following issue:
I can't get the restore running with the external feed, if I use the CredentialProvider. It does not work in the pipeline and it does not work manually.
I try the following:
And I'm getting:
I prepared the system with the following:
When I manually add the dependency to the *.csproj file
and run
dotnet restore -v d
I get the following output:
When I add username and password everything is working:
When I execute the following, I also have a positive response:
The difference (as described here microsoft/artifacts-credprovider#383) between Basic Auth and authorize with the CredentialProvider is that in the CredentialProvider NTLM is used and with Basic Auth it's using Kerberos. But in both cases the CredentialProvider defines "Basic" as authenticationType.
Maybe you can help me :)?
Thank you
Verbose Logs
No response