Azure DevOps Artifacts authentication issues
Issues authenticating to Azure Artifacts typically have error message Response status code does not indicate success: 401 (Unauthorized).. However, sometimes the detailed message (inner exception) is not shown and the only error is similar to Unable to load the service index for source https://pkgs.dev.azure.com/contoso/_packaging/MyArtifactsFeed/nuget/v3/index.json.
Commonly when a developer is trying to access an Azure Artifacts feed for the first time (for example, they joined a new project, or clone a repo for the first time), their account might not have access. Typically NuGet sources are configured in nuget.config files, and there will be a line similar to <add key="MyPackages" value="https://pkgs.dev.azure.com/contoso/_packaging/MyArtifactsFeed/nuget/v3/index.json" />.
The first directory in that path, in this example contoso, is the Azure DevOps organization name.
To validate your access, first open https://dev.azure.com/{organization}, which in this example is https://dev.azure.com/contoso, and make sure you have access.
If this works, then open the full URL from the nuget.config file in your web browser.
In this example the URL is https://pkgs.dev.azure.com/contoso/_packaging/MyArtifactsFeed/nuget/v3/index.json.
If you see an error message, it means your account does not have access and you will need to talk to an administrator of your Azure DevOps project to get access.
If you see JSON with a property named Resources, which is an array and contains objects with @type values containing RegistrationsBaseUrl and SearchQueryService, then it means your account has permissions to the feed and therefore the issue you are experiencing is likely to be a configuration issue.
If your issue is in Visual Studio, skip this, as it's only relevant for command line tools.
For the dotnet CLI (for example dotnet restore, or dotnet build), you have two choices:
-
Install the Azure Artifacts NuGet Credential Provider
Instructions, source code, and issue tracking it available at https://github.com/microsoft/artifacts-credprovider. Note that the first time using the command line credential provider, you will need to use interactive mode, for example
dotnet restore --interactive. -
Save a Personal Access Token in your nuget.config file
If you use msbuild.exe on Windows and have Visual Studio installed, the .NET Framework version of the credential provider should already be installed, and you should be prompted for account selection or login when NuGet needs credentials.
In any CLI scenario, the artifacts-credprovider's readme has a troubleshooting section which might help resolve issues.
In CI pipelines, you may have other options. For example, on Azure Pipelines, the command line credential provider is already pre-installed on Microsoft Hosted Agents, and by using the NuGetAuthenticate task, NuGet will be able to authenticate as the pipeline's build agent.
If you open Visual Studio's Account Settings window, any account with expired credentials will have a message saying that the credentials need to be refreshed.
If you use a network tracing tool, such as Fiddler, you might see requests to an Azure DevOps host with path /_apis/Token/SessionTokens.
If these requests have response code 401, this is another indication that the account session has expired, and that credentials need to be refreshed before NuGet can successfully authenticate to Azure Artifacts.
In versions of Visual Studio lower than 17.4, the Azure Artifacts Credential Provider may fail if any account has expired, even if the expired account is not used to connect to the Azure Artifacts feed.
If you have access to multiple Azure Active Directory accounts, it may be that not all accounts have access to all Azure Artifacts Feeds.
Starting in Visual Studio 2022 17.4, when the account selection window appears, the window title will tell you the name of the Azure Artifacts feed that needs credentials.
In this screenshot, we can see the Azure Artifacts feed name is MyContosoFeed. You can check your nuget.config file, or open Visual Studio's NuGet Sources settings, to see the full URL.
Prior to Visual Studio 2022 17.4, there is not enough information displayed to inform you which feed is being accessed. If your project uses multiple NuGet package sources, but you don't have a single account that has access to all of the package sources, it is unfortunately a matter of trial and error to match the correct account to each package source.
If the above has not helped, additional things to try include:
- Sign out of all accounts
- Close VS
- Restart VS
- Open VS
- Sign into your account in Visual Studio again.
Please Report a problem in Visual Studio and provide the following information:
- A screenshot of your Visual Studio Account Settings window. The window can be resized to show all accounts, if you have multiple accounts added to Visual Studio. This helps us validate that none of the accounts have expired credentials.
- Follow the instructions above to validate that you have access to the feed, and send us a screenshot of your web browser's address bar and the beginning of the JSON response.
- A fiddler trace of the HTTP requests. It should include all requests to any domain ending in
azure.comorvisualstudio.com.- If NuGet is reporting TLS errors, edit
%localappdata%\Microsoft\VisualStudio\17.0_<randomid>\devenv.exe.config(note the17.0_will be different if you're using a different major version of VS) and change<servicePointManager checkCertificateRevocationList="true"/>'struetofalse. Note that VS regenerates this file (first run after an update, or installing/uninstall an extension), so this may need to be edited multiple times.
- If NuGet is reporting TLS errors, edit