We have a ProGet 4.7.14 install that is brand new. It is a load-balanced instance that is set up like:

  • PROGET-01, PROGET-02: Two IIS web front ends
  • PRODATA-01: ProGet indexing service, SQL Server 2016 Express, file share for package storage
  • PROGET: Load balancer entry that delegates to PROGET-01 and PROGET-02

IIS is set up with anonymous authentication enabled and nothing else - we aren't using Windows Authentication at this point.

ProGet is set up with "Active Directory with Multiple Domains." I've verified that we can correctly search both domains and locate principals.

Anonymous users are set up to be able to download packages and view all feed contents. Reading packages and listing feed contents works.

We have four users set up as server administrators, of which I am one. I have verified that anonymous users can't get to administration tasks but the appropriate authenticated users can. LDAP is working.

If you log in through the web app as a user with an appropriate permission set you can click the "Add Package" button and manually upload a package into the feed. SQL Server and the file share permissions are set correctly.

I can log into the web UI using the load-balanced endpoint PROGET we have set up and manage the system. It shows up as registered, the Web.LoadBalancingMode setting is enabled in ProGet, the license on the web front ends shows as valid, feed contents are visible, the Web.BaseUrl is set in advanced settings. Load balancing is working.

What I can't do is nuget push packages. Using nuget.exe I have tried every combination of everything I can think of to get packages pushed but I consistently get a 403 response from the ProGet server.

  • I've tried doing nuget sources add and adding a source with my user credentials. I have verified that this has added my username/password to %APPDATA%\NuGet\NuGet.config.
  • I've tried using myusername:mypassword as the -ApiKey parameter.
  • I've tried adding Anonymous User to be able to publish to all feeds.

In all of these cases, nuget push yields a 403 response. I thought it odd, especially since, as noted, I can add Anonymous with publish permissions and it still yields 403.

Looking at a Fiddler trace, even with my creds in NuGet.config I don't see any authentication headers or anything getting passed. If I specify -ApiKey I do see that getting added to the request.

Am I missing some configuration setting?

Product: ProGet
Version: 4.7.14

Hi Travis; thank you for the very detailed write-up.

Basically it would seem that, in any situation, a 403 is issued when you try to push a NuGet package?

In this case, it's likely that something is intercepting the request and issuing a 403. I think that a "nuget push" does a PUT, which is often blocked by things like WebDAV. So I would make sure it's disabled, and that the load balancer isn't disabling it.

It's not the load balancer because I also can't push directly to any of the web nodes - same 403.

I will have to do some more research. I didn't know if there was some additional configuration I may be missing in ProGet or a manual install step I could have been missing. I'll keep you posted.

I figured it out, and it was a bit confusing.

The short version: Even with LDAP configured and no Windows Authentication turned on, I needed to provide only an API key for authentication.

What I did to test things was set up a new, temporary Universal Package feed. Since upack.exe doesn't have the equivalent of NuGet.config or nuget sources add I figured I could use that to test authentication and HTTP PUT. With a universal feed, you have to pass an API key and that's the only authentication mechanism. I was able to push a package doing this.

I then decided to remove any NuGet feed credentials from my NuGet.config and only pass an API key in the form username:password. This goes directly against what is specified in the docs, where LDAP being enabled should ignore any API key. Passing only an API key worked.

I'm not sure if something has changed since the API key docs were written but maybe they need to be revisited for newer versions of NuGet/ProGet?

Hi Travis, thank you for the additional update.

I was very confused by this as well... the problem is the documentation that says if "LDAP" is enabled... it should say "if Integrated Authentication is enabled then the API key is ignored". When those docs were written, those 2 were one and the same.

I guess the whole point of this is to never use a feed "NuGet API key" since it duplicates what the "ProGet API keys" already do in terms of authentication.
