The remote server returned an error: (403) Forbidden.



  • I have a ProGet feed which is configured to work only with authenticated users.

    In Visual Studio, when I set up this feed, in order to show me the package list, it asks for a username and a password, which I provide. The list is then displayed correctly. But when I hit install on a specific package, I get this:

    Image Text

    This error also occurs in the Octopus Deploy application. The same thing happens there: the package is listed, but the installation fails with 403!

    So Visual Studio and Octopus Deploy both have the same behavior, which makes me think that the problem lies with ProGet. Can anyone reproduce this?

    Thanks!!

    Product: ProGet
    Version: 2.2.13



  • Forgot to mention I use NuGet VS extension 2.8.50126.400



  • I tried adding the MIME type application/zip for the .nupkg extension but the same thing happens.
    I'm stuck. The primary reason I use ProGet is for private feeds, and this feature isn't working!



  • This is some configuration on your end; can you post a fiddler trace?



  • GET http://cis:8000/api/v2/package/Releases/permissionsCheck/1.0.0 HTTP/1.0
    NuGet-Operation: Install
    NuGet-ProjectGuids: {349c5851-65df-11da-9384-00065b846f21};{fae04ec0-301f-11d3-bf4b-00c04f79efbc}
    User-Agent: NuGet VS Packages Dialog/2.8.50126.400 (Microsoft Windows NT 6.1.7601 Service Pack 1, VS Ultimate/11.0)
    Host: cis:8000

    HTTP/1.1 403 There was an error processing the request: You are not authorized to download this package.
    Cache-Control: private
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Fri, 14 Mar 2014 10:07:58 GMT
    Connection: close
    Content-Length: 1233
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
    <title>403 - Forbidden: Access is denied.</title>
    <style type="text/css">
    <!--
    body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
    fieldset{padding:0 15px 10px 15px;} 
    h1{font-size:2.4em;margin:0;color:#FFF;}
    h2{font-size:1.7em;margin:0;color:#CC0000;} 
    h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
    #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
    background-color:#555555;}
    #content{margin:0 0 0 2%;position:relative;}
    .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
    -->
    </style>
    </head>
    <body>
    <div id="header"><h1>Server Error</h1></div>
    <div id="content">
     <div class="content-container"><fieldset>
      <h2>403 - Forbidden: Access is denied.</h2>
      <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
     </fieldset></div>
    </div>
    </body>
    </html>


  • So I can list the packages for a feed, I can push a new package with my credentials as API key, but I cannot install a package!!

    How can this be a configuration on my side? I only added a user and a privilege from the ProGet UI.



  • This is what happens in the Package Manager Console:

    Image Text



  • What do your permissions look like, i.e. can you take a screenshot of your privileges and roles page? I'm guessing one of the roles assigned is missing the Feeds_DownloadPackage task.



  • The user is a member of the admin group, with all the tasks assigned.




  • I found it!

    If the privilege that grants the anonymous user the view only role doesn't exist (exists by default) then you can't install the package as described above!!

    I have this privilege removed because I don't want anonymous access at all!

    Can you reproduce this?



  • Thanks for additional information - we were able to reproduce this in our test environment. Typical access uses the -ApiKey username:password format from the nuget.exe command line to supply credentials, but there seems to be no way that I can find to force the VS extension to use an API key, even if it's stored in NuGet.config.

    I've put an issue in our internal issue tracker (PG-186) to investigate this further.
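Added example, not part of the thread and not Inedo's code: the thread weighs two explanations for the 403, a role missing the Feeds_DownloadPackage task versus a download request that reached the server without credentials. This Python check tells the two apart from a captured request/response pair; the sample trace is abridged from the Fiddler capture posted above, and the category labels it returns are hypothetical names chosen for this example.

```python
# Added example: classify a captured feed-download exchange from its headers.
# TRACE_* is abridged from the Fiddler capture posted in this thread.
TRACE_REQUEST = """\
GET http://cis:8000/api/v2/package/Releases/permissionsCheck/1.0.0 HTTP/1.0
NuGet-Operation: Install
User-Agent: NuGet VS Packages Dialog/2.8.50126.400 (Microsoft Windows NT 6.1.7601 Service Pack 1, VS Ultimate/11.0)
Host: cis:8000
"""

TRACE_RESPONSE = """\
HTTP/1.1 403 There was an error processing the request: You are not authorized to download this package.
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
Connection: close
"""


def parse_headers(raw):
    """Return (start_line, {lower-cased header name: value}) for one message head."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; any body is ignored
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def diagnose(raw_request, raw_response):
    """Classify why a download was (or was not) refused, from the headers alone."""
    _, req = parse_headers(raw_request)
    status_line, resp = parse_headers(raw_response)
    status = int(status_line.split()[1])
    sent_credentials = "authorization" in req
    if status < 400:
        return "allowed"
    if status == 401 and "www-authenticate" in resp:
        return "challenged"             # server asked for credentials; client can retry
    if status == 403 and not sent_credentials:
        return "denied-no-credentials"  # nothing to authenticate, and no challenge issued
    if status == 403:
        return "denied-for-user"        # credentials were sent; that account lacks the privilege
    return "other-error"


if __name__ == "__main__":
    print(diagnose(TRACE_REQUEST, TRACE_RESPONSE))
```

A "denied-for-user" result points at the role and task assignments; "denied-no-credentials" points at the client never attaching credentials to the download request.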



  • Any update on this one?

    Thanks



  • The issue PG-186 was resolved in v3.0.1 Beta - it should work if you download that version.



  • Where can I find the beta version?
    I'm having the same troubles with ProGet; I want only access by authenticated users; no anonymous access.



  • You can find the beta on the all versions download page:
    http://inedo.com/proget/versions



  • I installed the latest beta.

    I do not want anonymous access. So I removed DownloadPackage from ReadOnly.
    When I try to log on to the feed in Visual Studio I get a popup where I need to provide a user name and password. But when I enter the correct user and password, the prompt keeps coming back. Only when I enable anonymous access does everything work, but we want to protect our packages. Any ideas?



  • I must be missing something here, but if you remove the View Only privilege to download packages, you should be forbidden from downloading packages... Are you saying you removed your View Only privileges, or that you removed them from the Anonymous User such that it has no privileges?

    If it's the latter, can you send a Fiddler trace containing the requests that the Visual Studio extension is attempting to send?

