Anonymous access to feeds, integrated security to administration



  • I'm trying to set up ProGet 3.5.5 Enterprise to allow anonymous access to the NuGet feeds, but require authentication for everything else. The problem is that I'm experiencing problems authenticating to the feed through Visual Studio because our developer workstations are not part of the domain. However, I would like to keep the auditing feature and have useful usernames there, hence I would like to use integrated security for everything else.

    Is this something that can be set up? I've read on StackOverflow that I should add the View Only role to the Everyone group, but I'm not able to select this group and I don't think it exists in our AD anyway.

    Product: ProGet
    Version: 3.5.5



  • As far as we've been able to tell, there is no way to have both "integrated authentication" and "access from outside the domain" at the same time using IIS. You can disable the integrated auth of course, and just use domain credentials via forms/basic auth.

    If you need this dual-access, then you'll want to set up two different ProGet servers, and use either a connector or sync to have them interact.



  • That's too bad. I have actually tried disabling Windows authentication and this allows me to log in using my domain account through forms/basic authentication. Unfortunately this still does not allow anonymous access to the feeds, because when using LDAP I can't assign any privileges to the built-in Anonymous principal and thus it requires me to sign in. It does say that I should assign privileges to the Anonymous user when I'm trying to access the ProGet server anonymously, but I'm not able to do so. Sounds like an easy fix to me, but I'm not sure about the internals.



  • I see; this scenario is not that common, and as you can see, we do not currently have an "anonymous user" concept when using AD. This may be something we can trivially add, or at least put on our roadmap for when redoing/rethinking the auth.

    Are you a current enterprise customer? We suggest submitting something via the contact or ticket forms, and we can explore implementation more.



  • We are currently evaluating ProGet Enterprise. I was personally mostly interested in the Integrated Security features because of the auditing, but since we're having trouble separating feed access from administration in terms of security I'm now leaning more towards sticking with the built-in security features and thus wouldn't really require the Enterprise edition.



  • Hello everyone. Just wanted to know if there's any update on this topic. We're at the same point that Jonathan mentions, evaluating ProGet (v3.8.6) as the repository for the corporate packages and would like to have the feeds open to everyone while the administration is secured and restricted to certain individuals in the domain.
    Enabling the LDAP directory automatically switches the feeds / repositories to use Active Directory users, which is not desirable (even though nuget can work with integrated security, that's not the case for npm or bower).
    There's a rationale behind this, which is to keep the package feeds / repositories working the same way the originals do, while securing the administration with a corporate directory.

    I'll check the alternative mentioned of having two instances (one with LDAP and the other with Built-In) and fiddle with connectors; however, we'd appreciate having just one instance, and I'm quite sure there'll be other people looking for a similar configuration. Regards



  • While you can use LDAP/ActiveDirectory with npm, bower, maven, etc., none of those clients support "NTLM authentication" (i.e. Windows Integrated Authentication).

    Unfortunately, IIS only supports this level of authentication at a site level, so it's not possible for us to enable/disable it per feed. We aren't aware of any libraries we can use to negotiate a Kerberos/NTLM ticket, so we would need to fully implement this ourselves... which took Microsoft about 10 years to get right ;-)

    Hopefully in future versions of Windows or .NET, they will expose the negotiation library for us to use. Or, if anyone happens to know of a way for us to use it, or otherwise programmatically enable NTLM on a per-request basis with IIS, please do share!



  • Hi,

    Any update on this? We are facing the same issue and it seems to be a roadblock for us.

    We have a universal feed with a ProGet instance using LDAP. We have build processes that don't use AD service accounts that need to read\pull packages from ProGet feeds.

    Mike



  • The best work-around for now is to set up a second Site under a different hostname and/or port in IIS that has anonymous access enabled; this will then allow you two different endpoints depending on access desired.

    Note that you can still use LDAP, it's just on the second "anonymous" site, it won't support NTLM authentication, only Basic.



  • Hi Alana,

    Thank you for replying. So you're suggesting to install a ProGet instance on a different web server. If so, this will have a different ProGet DB.

    If I understand correctly it WILL NOT share any feeds between the 2 ProGet instances.

    Mike



  • No; just create a second site in IIS that points to the same directory. Then it will use same database, web.config, etc.



  • That worked! Definitely a big workaround. We additionally had to set the AppPool for the new site to Classic and disable Forms Auth in the bindings.
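
The second-site workaround described in this thread, sketched as an added PowerShell example (not part of any post and not Inedo's own script). The site, pool, hostname and port values are placeholders, and the existing site name `ProGet` is an assumption.

```powershell
Import-Module WebAdministration

# All names below are placeholders (assumptions); adjust to your environment.
$ExistingSite = 'ProGet'                 # existing site that uses Windows auth
$AnonSite     = 'ProGet-Anonymous'       # second site for clients outside the domain
$AnonPool     = 'ProGet-Anonymous'       # dedicated application pool
$AnonHost     = 'packages.example.test'  # separate hostname for the second endpoint
$AnonPort     = 8081                     # separate port for the second endpoint

# Point the new site at the same directory so it shares web.config and the database.
$path = [Environment]::ExpandEnvironmentVariables(
    (Get-Item "IIS:\Sites\$ExistingSite").physicalPath)

# Classic pipeline mode, as reported in the thread. The pool identity needs the
# same file and database access as the existing site's pool.
New-WebAppPool -Name $AnonPool | Out-Null
Set-ItemProperty "IIS:\AppPools\$AnonPool" -Name managedPipelineMode -Value Classic

New-Website -Name $AnonSite -PhysicalPath $path -ApplicationPool $AnonPool `
    -Port $AnonPort -HostHeader $AnonHost | Out-Null

# Both sites share one web.config, so per-site authentication must be written to
# applicationHost.config under a <location> for the site, not to web.config.
$apphost = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $apphost -Location $AnonSite `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $AnonSite `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $false

# Report the effective settings for both sites, to confirm that the original
# site still has the authentication modes it had before.
foreach ($site in $ExistingSite, $AnonSite) {
    foreach ($mode in 'anonymousAuthentication', 'windowsAuthentication') {
        $p = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
            -Filter "$auth/$mode" -Name enabled
        '{0,-20} {1,-26} enabled={2}' -f $site, $mode, $p.Value
    }
}
```

The script does not change Forms authentication, which the last post reports disabling separately. What an unauthenticated request can reach on the second endpoint is still decided by the privileges configured inside ProGet.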


