NPM and Windows Authentication



  • We currently are using ProGet to host NuGet packages and are using integrated security which connects to our Active Directory.

    We want to add an NPM feed but are having issues getting the NPM client to connect to the feed.

    We switched the registry in the npm client to the proget feed by running npm config set registry

    When we run npm install it gets an authentication error.

    We tried creating a user "npm_test" and tried using that user and calling npm login and passing user id and password and a bogus email and got the same authentication error.

    Are we missing something? Can we not use integrated security and host an NPM feed that can be connected to? What do you guys recommend?

    Product: ProGet
    Version: 3.8.6



  • Unfortunately, the npm client does not support Windows Authentication.

    As a work-around, you can set up a second site in IIS with a different hostname or port, that does not have Windows Auth enabled (only Anonymous), and points to the same directory on disk. That does not require an additional server license.



  • I tried this work around but it doesn't seem to be working. I created a clone of the ProGet website in IIS and disabled windows authentication and forms authentication and enabled anonymous authentication.

    When I went to the website it asked me for a user name and password, which I didn't expect since anonymous authentication was turned on, but anyway it logged in when I provided my AD user name and password.

    I then proceeded to update the registry config on npm client to point to the new website (just different port) and attempted to run an npm update command and it failed with the same error:

    npm ERR! registry error parsing json
    npm ERR! Windows_NT 6.1.7601
    npm ERR! argv "C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\Web\\Exter
    nal\\node.exe" "C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\Web\\Exte
    rnal\\node_modules\\npm\\bin\\npm-cli.js" "update"
    npm ERR! node v5.4.1
    npm ERR! npm  v3.3.4
    
    npm ERR! Unexpected token <
    npm ERR! <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3
    .org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    npm ERR! <html xmlns="http://www.w3.org/1999/xhtml">
    npm ERR! <head>
    npm ERR! <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"
    />
    npm ERR! <title>401 - Unauthorized: Access is denied due to invalid credentials.
    </title>
    npm ERR! <style type="text/css">
    npm ERR! <!--
    npm ERR! body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, san
    s-serif;background:#EEEEEE;}
    npm ERR! fieldset{padding:0 15px 10px 15px;}
    npm ERR! h1{font-size:2.4em;margin:0;color:#FFF;}
    npm ERR! h2{font-size:1.7em;margin:0;color:#CC0000;}
    npm ERR! h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
    npm ERR! #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"tre
    buchet MS", Verdana, sans-serif;color:#FFF;
    npm ERR! background-color:#555555;}
    npm ERR! #content{margin:0 0 0 2%;position:relative;}
    npm ERR! .content-container{background:#FFF;width:96%;margin-top:8px;padding:10p
    x;position:relative;}
    npm ERR! -->
    npm ERR! </style>
    npm ERR! </head>
    npm ERR! <body>
    npm ERR! <div id="header"><h1>Server Error</h1></div>
    npm ERR! <div id="content">
    npm ERR!  <div class="content-container"><fieldset>
    npm ERR!   <h2>401 - Unauthorized: Access is denied due to invalid credentials.<
    /h2>
    npm ERR!   <h3>You do not have permission to view this directory or page using t
    he credentials that you supplied.</h3>
    npm ERR!  </fieldset></div>
    npm ERR! </div>
    npm ERR! </body>
    npm ERR! </html>
    npm ERR!
    npm ERR!
    npm ERR! If you need help, you may report this error at:
    npm ERR!     <https://github.com/npm/npm/issues>
    
    npm ERR! Please include the following file with any support request:
    npm ERR!     c:\devl\products\QFC\Main\AddInTest\MvcAddInTestV1\npm-debug.log
    

    These are the contents of the debug log file:

    0 info it worked if it ends with ok
    1 verbose cli [ 'C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\Web\\External\\node.exe',
    1 verbose cli   'C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\Web\\External\\node_modules\\npm\\bin\\npm-cli.js',
    1 verbose cli   'update' ]
    2 info using npm@3.3.4
    3 info using node@v5.4.1
    4 silly mapToRegistry name @jonathan_florentino/qmposercore
    5 silly mapToRegistry scope (from package name) @jonathan_florentino
    6 verbose mapToRegistry no registry URL found in name for scope @jonathan_florentino
    7 silly mapToRegistry using default registry
    8 silly mapToRegistry registry http://qhoudepend04-v:83/npm/QBS_Core_Release_npm
    9 silly mapToRegistry uri http://qhoudepend04-v:83/npm/QBS_Core_Release_npm/@jonathan_florentino%2fqmposercore
    10 verbose request uri http://qhoudepend04-v:83/npm/QBS_Core_Release_npm/@jonathan_florentino%2fqmposercore
    11 verbose request no auth needed
    12 info attempt registry request try #1 at 4:51:44 PM
    13 verbose request id 7060b3c7d05f5f3f
    14 http request GET http://qhoudepend04-v:83/npm/QBS_Core_Release_npm/@jonathan_florentino%2fqmposercore
    15 http 401 http://qhoudepend04-v:83/npm/QBS_Core_Release_npm/@jonathan_florentino%2fqmposercore
    16 verbose bad json <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    16 verbose bad json <html xmlns="http://www.w3.org/1999/xhtml">
    16 verbose bad json <head>
    16 verbose bad json <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    16 verbose bad json <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
    16 verbose bad json <style type="text/css">
    16 verbose bad json <!--
    16 verbose bad json body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
    16 verbose bad json fieldset{padding:0 15px 10px 15px;}
    16 verbose bad json h1{font-size:2.4em;margin:0;color:#FFF;}
    16 verbose bad json h2{font-size:1.7em;margin:0;color:#CC0000;}
    16 verbose bad json h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
    16 verbose bad json #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
    16 verbose bad json background-color:#555555;}
    16 verbose bad json #content{margin:0 0 0 2%;position:relative;}
    16 verbose bad json .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
    16 verbose bad json -->
    16 verbose bad json </style>
    16 verbose bad json </head>
    16 verbose bad json <body>
    16 verbose bad json <div id="header"><h1>Server Error</h1></div>
    16 verbose bad json <div id="content">
    16 verbose bad json  <div class="content-container"><fieldset>
    16 verbose bad json   <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
    16 verbose bad json   <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
    16 verbose bad json  </fieldset></div>
    16 verbose bad json </div>
    16 verbose bad json </body>
    16 verbose bad json </html>
    17 error registry error parsing json
    18 verbose headers { 'cache-control': 'private',
    18 verbose headers   'content-type': 'text/html',
    18 verbose headers   server: 'Microsoft-IIS/8.5',
    18 verbose headers   'x-aspnet-version': '4.0.30319',
    18 verbose headers   'www-authenticate': 'Basic realm="ProGet Feed QBS_Core_Release_npm"',
    18 verbose headers   'x-powered-by': 'ASP.NET',
    18 verbose headers   date: 'Tue, 15 Nov 2016 22:51:42 GMT',
    18 verbose headers   'content-length': '1293' }
    19 silly get cb [ 401,
    19 silly get   { 'cache-control': 'private',
    19 silly get     'content-type': 'text/html',
    19 silly get     server: 'Microsoft-IIS/8.5',
    19 silly get     'x-aspnet-version': '4.0.30319',
    19 silly get     'www-authenticate': 'Basic realm="ProGet Feed QBS_Core_Release_npm"',
    19 silly get     'x-powered-by': 'ASP.NET',
    19 silly get     date: 'Tue, 15 Nov 2016 22:51:42 GMT',
    19 silly get     'content-length': '1293' } ]
    20 verbose stack SyntaxError: Unexpected token <
    20 verbose stack <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    20 verbose stack <html xmlns="http://www.w3.org/1999/xhtml">
    20 verbose stack <head>
    20 verbose stack <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    20 verbose stack <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
    20 verbose stack <style type="text/css">
    20 verbose stack <!--
    20 verbose stack body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
    20 verbose stack fieldset{padding:0 15px 10px 15px;}
    20 verbose stack h1{font-size:2.4em;margin:0;color:#FFF;}
    20 verbose stack h2{font-size:1.7em;margin:0;color:#CC0000;}
    20 verbose stack h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
    20 verbose stack #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
    20 verbose stack background-color:#555555;}
    20 verbose stack #content{margin:0 0 0 2%;position:relative;}
    20 verbose stack .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
    20 verbose stack -->
    20 verbose stack </style>
    20 verbose stack </head>
    20 verbose stack <body>
    20 verbose stack <div id="header"><h1>Server Error</h1></div>
    20 verbose stack <div id="content">
    20 verbose stack  <div class="content-container"><fieldset>
    20 verbose stack   <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
    20 verbose stack   <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
    20 verbose stack  </fieldset></div>
    20 verbose stack </div>
    20 verbose stack </body>
    20 verbose stack </html>
    20 verbose stack
    20 verbose stack     at Object.parse (native)
    20 verbose stack     at CachingRegistryClient.<anonymous> (C:\Program Files (x86)\Microsoft Visual Studio 14.0\Web\External\node_modules\npm-registry-client\lib\request.js:199:23)
    20 verbose stack     at Request._callback (C:\Program Files (x86)\Microsoft Visual Studio 14.0\Web\External\node_modules\npm-registry-client\lib\request.js:172:14)
    20 verbose stack     at Request.self.callback (C:\Program Files (x86)\Microsoft Visual Studio 14.0\Web\External\node_modules\request\request.js:344:22)
    20 verbose stack     at emitTwo (events.js:87:13)
    20 verbose stack     at Request.emit (events.js:172:7)
    20 verbose stack     at Request.<anonymous> (C:\Program Files (x86)\Microsoft Visual Studio 14.0\Web\External\node_modules\request\request.js:1239:14)
    20 verbose stack     at emitOne (events.js:82:20)
    20 verbose stack     at Request.emit (events.js:169:7)
    20 verbose stack     at IncomingMessage.<anonymous> (C:\Program Files (x86)\Microsoft Visual Studio 14.0\Web\External\node_modules\request\request.js:1187:12)
    21 verbose cwd c:\devl\products\QFC\Main\AddInTest\MvcAddInTestV1
    22 error Windows_NT 6.1.7601
    23 error argv "C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\Web\\External\\node.exe" "C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\Web\\External\\node_modules\\npm\\bin\\npm-cli.js" "update"
    24 error node v5.4.1
    25 error npm  v3.3.4
    26 error Unexpected token <
    26 error <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    26 error <html xmlns="http://www.w3.org/1999/xhtml">
    26 error <head>
    26 error <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    26 error <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
    26 error <style type="text/css">
    26 error <!--
    26 error body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
    26 error fieldset{padding:0 15px 10px 15px;}
    26 error h1{font-size:2.4em;margin:0;color:#FFF;}
    26 error h2{font-size:1.7em;margin:0;color:#CC0000;}
    26 error h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
    26 error #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
    26 error background-color:#555555;}
    26 error #content{margin:0 0 0 2%;position:relative;}
    26 error .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
    26 error -->
    26 error </style>
    26 error </head>
    26 error <body>
    26 error <div id="header"><h1>Server Error</h1></div>
    26 error <div id="content">
    26 error  <div class="content-container"><fieldset>
    26 error   <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
    26 error   <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
    26 error  </fieldset></div>
    26 error </div>
    26 error </body>
    26 error </html>
    27 error If you need help, you may report this error at:
    27 error     <https://github.com/npm/npm/issues>
    28 verbose exit [ 1, true ]


  • That error page is coming from IIS (not ProGet), which means that Windows Integrated Authentication is still enabled on the site you are visiting.



  • These are the settings that I put so as far as I can tell this is all that is needed to disable windows authentication (from the web.config on :

    <system.web>
      <customErrors mode="Off" />
      <compilation debug="false" targetFramework="4.0" tempDirectory="C:\ProgramData\ProGet\Temporary ASP.NET Files" />
      <authentication mode="None">
        <forms defaultUrl="/" loginUrl="/log-in" />
      </authentication>
      <httpHandlers>
        <clear />
        <add path="WebResource.axd" verb="GET" type="System.Web.Handlers.AssemblyResourceLoader" validate="true" />
        <add type="Inedo.Web.Handlers.DynamicHttpHandling,InedoLib" verb="*" path="*" />
      </httpHandlers>
      <httpModules>
        <clear />
        <add name="ProGetHttpModule" type="Inedo.ProGet.WebApplication.ProGetHttpModule" />
      </httpModules>
      <httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" maxRequestLength="1048576" executionTimeout="86400" />
      <anonymousIdentification enabled="true" />
    </system.web>
    

    Authentication mode is set to none and anonymous authentication is enabled. I've also disabled the other authentication types in the website.

    I'm also curious: since they are both pointing to the same folder, they are both sharing the same web.config file, so if I change something for the anonymous website it would affect the other one.

    How is this supposed to work?



  • You'll want to configure via IIS interface, not by editing web.config.

    ProGet is installed with a "Classic" pipeline mode, so this configuration file is not used by IIS. This is how two sites work.



  • I configured through IIS interface. This doesn't allow you to post screenshots which is why I showed the resulting config file.

    Is there a set of instructions that Inedo provides regarding this setup?



  • If editing via the web interface changed the web.config file, then the AppPool pipeline is probably configured for "Integrated" mode. So, if you change it to "classic", then you can make this setting outside of the config file.



  • I confirmed the app pool is set to classic pipeline mode.

    I confirm that if I go to chrome and attempt to access the feed via a url like this:

    http://<host>:<port>/npm/QBS_Core_Release_npm/jquery

    I get a prompt for credentials even though anonymous authentication is enabled in IIS management and everything else is disabled.



  • Hmm that's strange, it should work... it's been reported to by other users; perhaps try copying the webapp on disk and then set up a second app pool as well.

    One key thing to look for in the message is the "IIS/Microsoft" HTML styling, as opposed to ProGet; if the request is reaching ProGet, you'll either get a very short message (like from the API) or one with tons of HTML/JavaScript/CSS (as opposed to the very simple HTML from above).

    Lastly --- we are working on a "per feed" setting to disable this, it's not easy, but we hope to have it in next ProGet (4.6).
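
As an added illustration (not part of the thread and not Inedo's code), this Node.js script reads an npm 3.x debug log like the one posted above and reports the 401's `www-authenticate` schemes, whether npm logged that it sent no credentials, and whether the body was HTML rather than registry JSON. Both sample logs are constructed, and the host `proget.example` and feed `example_feed` are placeholders.

```javascript
// Added example: triage a 401 recorded in an npm 3.x npm-debug.log.
// Both sample logs are constructed; host and feed names are placeholders.
function parseSchemes(value) {
  // Blank out quoted parameter values so commas inside a realm cannot split a challenge.
  return value.replace(/"[^"]*"/g, '""').split(',')
    .map((part) => part.trim().split(/\s+/)[0])
    .filter((tok) => tok && !tok.includes('='))   // drop auth-params such as nonce=""
    .map((tok) => tok.toLowerCase());
}

function triageNpmDebugLog(text) {
  const r = { status: null, credentialsSent: null, schemes: [], server: null,
              bodyIsHtml: false, findings: [] };
  for (const raw of text.split(/\r?\n/)) {
    // Log lines look like "<seq> <level> <message>".
    const m = /^\s*\d+\s+(\w+)\s+(.*)$/.exec(raw);
    if (!m) continue;
    const [, level, msg] = m;
    let h;
    if (level === 'http' && (h = /^(\d{3})\s/.exec(msg))) r.status = Number(h[1]);
    if (msg.startsWith('request no auth needed')) r.credentialsSent = false;
    if (/^bad json\s*<(!doctype|html)/i.test(msg)) r.bodyIsHtml = true;
    if ((h = /^headers\b.*'www-authenticate':\s*'([^']*)'/.exec(msg))) r.schemes = parseSchemes(h[1]);
    if ((h = /^headers\b.*\bserver:\s*'([^']*)'/.exec(msg))) r.server = h[1];
  }
  if (r.status === 401 && r.bodyIsHtml) r.findings.push('html-401-body');
  if (r.schemes.some((s) => s === 'negotiate' || s === 'ntlm')) r.findings.push('windows-auth-offered');
  if (r.schemes.length === 1 && r.schemes[0] === 'basic' && r.credentialsSent === false)
    r.findings.push('basic-challenge-no-credentials');
  return r;
}

// Constructed sample: a site that answers with a Basic challenge.
const SAMPLE_BASIC = [
  "11 verbose request no auth needed",
  "14 http request GET http://proget.example:83/npm/example_feed/jquery",
  "15 http 401 http://proget.example:83/npm/example_feed/jquery",
  "16 verbose bad json <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\">",
  "17 error registry error parsing json",
  "18 verbose headers { 'cache-control': 'private',",
  "18 verbose headers   server: 'Microsoft-IIS/8.5',",
  "18 verbose headers   'www-authenticate': 'Basic realm=\"ProGet Feed example_feed\"',",
].join('\n');
// Constructed variant: the same response from a site that still offers Windows auth.
const SAMPLE_WINDOWS = SAMPLE_BASIC.replace(/'Basic realm=[^']*'/, "'Negotiate, NTLM'");

console.log(triageNpmDebugLog(SAMPLE_BASIC).findings, triageNpmDebugLog(SAMPLE_WINDOWS).findings);
```

`windows-auth-offered` means the site still challenges with Negotiate or NTLM; `basic-challenge-no-credentials` means the server asked for Basic credentials and the log records `request no auth needed`.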



  • Do you know the estimated release date for version 4.6?

    If it's coming out very soon I might just wait until then, else I would need to keep trying to get this workaround going.



  • We're currently targeting Dec 2



  • I see that the new version was released. I looked at the release notes and didn't find an explicit item indicating the security per feed for NPM. Can you confirm if this new feature made it to the new release or not?



  • We weren't able to get this fix in v4.6.0, but we did add some infrastructure to support it. We're targeting v4.6.1 currently.



  • Do you know the scheduled release date for 4.6.1?



  • In the next day or two is our target.



  • Is there any update on this yet?



  • I've managed to get this working in v5.0.11 by setting up the second ProGet website in IIS with anonymous authentication enabled and pointing to the same physical path as the original website. The same AppPool is shared between the two and is using the Integrated pipeline. No other IIS or .config configuration was required.

    In ProGet, for the npm feed that required anonymous access I added the Anonymous user to the feed permissions under Administration > Security > Users & Tasks. Restarting the web services then enabled the anonymous access to the feed using the second website's bindings.

