24

The release notes for NuGet 1.5 state

NuGet now supports connecting to private repositories that require basic 
or NTLM authentication.

However, the link contained in there simply leads to the hosting your own nuget feeds page, without any further mention of how to set up authentication.

I would like to set up a NuGet server that is accessible via https from the internet, but only allows people who can successfully authenticate to view or download the packages on the server.

I did create an application without auth as described in the Creating Remote Feeds section in the documentation, and it works nicely on the intranet. What do I have to do to enable authentication on this repo?

An additional requirement would be that the solution should not cost hundreds of dollars (the first two answers promote products that might solve the problem but cost a lot).

Wilbert

3 Answers

46

This can be done by enabling Windows Authentication on the Web Site and adding credentials on the build server via the Sources command-line option. By default the credentials are stored using a DPAPI key restricted to the current user on the current machine (thus, for a build server, you would need to add credentials while logged in under the service account).

For Developer workstations you only need to add the feed in NuGet Package Manager and then input/store credentials when refreshing the feed (you should be prompted.)

Step 1 - Require Authentication on NuGet Server (IIS Configuration)

You need to make sure the authentication module you wish to use is installed for IIS; for NTLM auth you will need the Windows Authentication module. Once installed, you can open IIS Manager and drill down to your website, open the Authentication settings and enable Windows Authentication. Be sure to disable any authentication modules you do not want to support (such as Anonymous, Basic, etc.).

To ensure that user credentials are used, right-click on the Site and select "Advanced Settings", then click on the button for "Physical Path Credentials". In the dialog ensure that "Application User (pass-through authentication)" is selected.

More detailed information about standard IIS configuration for Windows Authentication can be found on TechNet including configuring from a command-line and enabling Negotiate (if that was your goal.)

Step 2 - Add Sources to NuGet Config (Build Server, Publishers)

nuget.exe sources add -Name "Fabrikam Feed" -Source "https://nuget.fabrikam.com:443/nuget/"
nuget.exe sources add -Name "Fabrikam Publish" -Source "https://nuget.fabrikam.com:443/"

Here we are adding two entries, one which will be used as the normal, authenticated Feed URL (for fetching packages from the server.) The second will be used for publishing to the server (adding or updating nupkg files.)

Step 3 - Update Credentials for Added Sources (Build Server, Publishers)

nuget.exe sources update -Name "Fabrikam Feed" -Source "https://nuget.fabrikam.com:443/nuget/" -UserName "Developer" -Password "g0d"
nuget.exe sources update -Name "Fabrikam Publish" -Source "https://nuget.fabrikam.com:443/" -UserName "Developer" -Password "g0d"

Here we have added credentials to the config. If you view %APPDATA%\NuGet\NuGet.config you should see the feeds you have added as well as encrypted credentials.

If you do not have the ability to log in as the server it is possible to store credentials in clear text by utilizing the StorePasswordInClearText option, but this is not advised in a shared environment.

Step 4 - (Optional) Disable the Publish URL in Visual Studio (Developers)

Open Visual Studio and navigate to the NuGet Package Manager Settings Dialog, untick the "Fabrikam Publish" feed. This will not affect your ability to publish, however, if you do not disable this feed you will receive errors when you try and refresh packages for "All" sources (as it is a publish URL, not a feed URL.)

Step 5 - (Optional) Store Windows Credentials in Visual Studio (Developers)

Open Visual Studio and navigate to the NuGet Package Manager, click on "Fabrikam Feed". You should be prompted for credentials. You can enter credentials here and tick the save/remember options. This ensures that attempting to refresh the feed in Visual Studio doesn't constantly ask for credentials. In the latest releases of NuGet Package Manager the feed is fetched using a standard HTTP request and the credentials you've stored to nuget.config are NOT used.

Notes:

  1. You do not need a third party solution to host private, secure feeds. NuGet server is freely available and NTLM/AD/Windows security is supported by both IIS and NuGet tooling.

  2. Developers who do not need to publish to the feed do not need to store credentials in their config. They also do not need a 'Publish' feed configured. This is only necessary for build servers or other publishers (re: Steps 2 and 3.)

  3. All developers who will use the package feed will be interested in Step 5; this should be all that is required for most developers. They can simply add the feed from within Visual Studio, then enter their credentials when prompted.

  4. If credentials change you can navigate to Start -> Manage Windows Credentials and delete "VSCredentials_nuget.fabrikam.com".

  5. Step 2 can be performed in Visual Studio, but for clarity I've given the command-line here. Step 3, however, must be performed via command-line (or using the NuGet APIs).

  6. Rumor is that in a future release of NuGet credential information can be stored at the solution or project level (details are unclear); this is likely only of interest to people in a multi-tenant build environment where they do not have access to the build server.

Hope this helps someone else out there!

Ágúst
Shaun Wilson
  • This answer does not actually answer the question. It only concerns setting up nuget on the client, not on the server. It assumes that the actual problem posed in the question (the authenticated server) is already solved. – Wilbert Dec 18 '13 at 13:22
  • That's because the original SO title was "configuring nuget to use authentication" which is a common problem, however, I've updated the answer with an additional step for IIS auth config, including a link to the technet reference article which explains auth config in detail. This answer should serve as a rounded solution for NuGet Server, Build Server/Publishers, and Developers. – Shaun Wilson Dec 19 '13 at 00:49
  • So if I enable the NTLM on IIS as you suggest, only people with valid AD credentials can download the packages from this server? – Wilbert Jan 08 '14 at 15:41
  • @Shaun Wilson, great post! Thanks a lot. Though it's not 100% accurate as the step 2 & step 3 approach doesn't work in the latest version of Nuget due to a bug. See https://nuget.codeplex.com/workitem/4096?FocusElement=CommentTextBox – Spons Jul 17 '14 at 06:55
  • aye.. i actually created that bug report, as a result we keep a copy of nuget 2.7.x on our build server for the purpose of performing 'nuget push', but developer workstations of course have the latest tools (2.8.x) and most of the above still applies from a developer (non-publisher) perspective. hopefully they fix that bug at some point and we can go back to using the latest nuget.exe for pushing packages. – Shaun Wilson Jul 17 '14 at 14:49
  • I tried steps 1-3 and set up users to log in, and enabled my NuGet server's Win authentication, but when I try to log in to the server with the credentials in packageSourceCredentials XML NuGet.config I am still unable to log in. It seems like my IIS server site has no connection/information with this config's credentials. Am I missing some kind of setup in between? Maybe configuration in IIS permissions? – Nazo Tajrian Jan 13 '16 at 14:31
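A read-only check for Steps 1 to 3 of the answer above, as an added example that is not part of the original answer or of NuGet: it confirms that the feed refuses anonymous requests, accepts the current Windows account, and that NuGet.config holds no clear-text password. The feed URL is the answer's Fabrikam placeholder, and `ClearTextPassword` is assumed to be the key nuget.exe writes when `-StorePasswordInClearText` is used.

```powershell
# Added example, not from the answer. Run on a build server or workstation
# (not on the IIS host itself) as the account that uses the feed.
param(
    [string]$FeedUrl    = 'https://nuget.fabrikam.com/nuget/',   # placeholder feed URL from Step 2
    [string]$ConfigPath = "$env:APPDATA\NuGet\NuGet.config"      # config path named in Step 3
)
$findings = @()

# Send one request and return the HTTP status plus any offered auth schemes.
function Test-Feed([string]$Url, [switch]$Authenticated) {
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials:$Authenticated
        return [pscustomobject]@{ Status = [int]$r.StatusCode; Schemes = '' }
    } catch {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }   # DNS or TLS failure: no HTTP answer to inspect
        $h = $resp.Headers          # header API differs between PowerShell 5.1 and 7
        $s = if ($h -is [System.Net.WebHeaderCollection]) { $h['WWW-Authenticate'] } else { $h.WwwAuthenticate -join ', ' }
        return [pscustomobject]@{ Status = [int]$resp.StatusCode; Schemes = "$s" }
    }
}

# Step 1 check: anonymous callers must be refused, Windows credentials accepted.
$anon = Test-Feed -Url $FeedUrl
if ($anon.Status -ne 401) { $findings += "Anonymous request returned $($anon.Status), expected 401" }
if ($anon.Schemes -match 'Basic') { $findings += "Server still offers Basic: $($anon.Schemes)" }
$auth = Test-Feed -Url $FeedUrl -Authenticated
if ($auth.Status -ne 200) { $findings += "Request with Windows credentials returned $($auth.Status)" }

# Steps 2-3 check: sources use HTTPS and no password is stored in clear text.
if (Test-Path $ConfigPath) {
    [xml]$cfg = Get-Content -Raw -Path $ConfigPath
    foreach ($src in $cfg.SelectNodes('/configuration/packageSources/add')) {
        if ($src.GetAttribute('value') -like 'http://*') {
            $findings += "Source '$($src.GetAttribute('key'))' is not HTTPS"
        }
    }
    foreach ($cred in $cfg.SelectNodes('/configuration/packageSourceCredentials/*')) {
        # Element names are XML-encoded source names, e.g. Fabrikam_x0020_Feed
        $name = [System.Xml.XmlConvert]::DecodeName($cred.LocalName)
        if ($cred.SelectSingleNode("add[@key='ClearTextPassword']")) {
            $findings += "Source '$name' stores its password in clear text"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All checks passed.' }
```

The authenticated probe uses the logged-on Windows account, so on a build server it has to run under the same service account that Step 3 stored credentials for.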
2

The solution I actually chose was to use TeamCity as NuGet server; while it's a bit of a hassle to set up because it lacks nuget push functionality, it now works nicely and at no additional cost serving NuGet packages to authenticated users only.

Wilbert
0

If you want really secure feeds and expose them to the internet, you might want to take a look at MyGet.org where you can create private feeds requiring basic authentication, by default on SSL/HTTPS.

Invite the people you want on your feed and assign their permissions, within a few clicks of signing up using your preferred identity provider (Live Id, Facebook, Google, Stackoverflow, GitHub, OAuth, etc), or even your own corporate ADFS (enterprise plan).

More info: https://www.myget.org/plans

For help on setting up authentication within Visual Studio or on your build server, check our documentation at https://docs.myget.org and our blog. If you need further assistance, we'd be happy to help on Twitter, through our contact form or through StackOverflow questions tagged with MyGet.

Xavier Decoster