Anonymous read-only access to feeds

I've currently got ProGet v3.7.3 setup with LDAP authentication. However the problem is that when our build process tries to download feeds it's prompted for a username and password. I'm not really sure how to setup ProGet so that the build process can access the feeds anonymously to download packages, but genuine interactive users are prompted for a username/password (if accessing from different domain) or automatically logged straight in if they have permissions and accessing from the same domain as the server. I think something is not right with my settings because even if I try and access ProGet from a machine on the same domain as the server (say after an iisreset), even though LDAP authentication is enabled and I have admin privileges, I still get prompted for a username & password.

Product: ProGet
Version: 3.7.3

I am getting exactly the same message with the same setup.

Product: ProGet
ver 3.7.3

What is your build process using to download feeds? Is it nuget.exe, or some other tool?

It's nuget.exe. Our build process does a nuget restore prior to building the solution.

Just wondering if there was any update on this?

What URL are you using to access the feed? Does it have a period in it when it doesn't work? What happens if you grant access to "Everyone", does it prompt then?

Where do I set access for "everyone"? I'm using ldap authentication so the only place this would make sense is under assign privileges, but if I try and select that and enter "everyone" in the principals field it says no matches found.

What authentication settings should I have setup in IIS? At the moment I've only got Windows authentication setup. If I enable anonymous authentication then it takes me to a (different) login prompt - /log-in?ReturnUrl=%2F.

Would it be possible to get an update on this?

If you're using Integrated/Windows Authentication, then all clients must be able to authenticate against the server using a valid Kerberos authentication ticket. Web browsers do this automagically, as does (some) versions of NuGet.exe, but it only works if the domain is properly configured with SPNs.

So, your build process needs to be (1) running under a Windows Domain account with access to ProGet, (2) use the right version of NuGet.exe, and (3) be configured properly to generate the ticket.

is true - the build process is running under a managed service account. Can you provide more details on 2) & 3) please?

If you're using a service account, then I would log-in to the build server using that account, then try to visit proget using the same url you are in the build process.

If you're prompted for credentials by the browser there (but not on your workstation), then you know it's a Kerberos thing, and that's between the browser and IIS. That's hard to track down, and can be ONE THOUSAND things from a time difference more than 5 minutes to SPNs.

If it works in the browser but not with NuGet.exe, then just try a different version. The 2.6's seem to balance working integrated auth with no other major bugs, but it will throw errors on some newer packages. The proget client tools still work for the most part, but aren't supported anymore.

Everything seems to prompt me for credentials, even though the logged on user is setup in LDAP in ProGet. Even trying to restore a package from within devstudio prompts me to login to the ProGet server. What would be helpful is some information on how IIS should be configured for what I'm trying to acheive.

I see, in that case, your network/server is not properly configured. This is not trivial to troubleshoot, and this is happening before the request hits our software.

The most likely culprit is an invalid/missing SPN, and a domain administrator must add that.

Here are some additional resources to follow:

Search terms, "diagnosing windows authentication iis"