6

A few months ago I created a private npm feed in Azure Artifacts. Authentication with this feed worked fine.

Recently others have started using this feed and authentication is not working for them using the tokens they have generated from Azure Artifacts. When npm installing they get the following error

npm ERR! Unable to authenticate, your authentication token seems to be

invalid. npm ERR! To correct this please trying logging in again with:

npm ERR! npm login

In the npm debug log there is this error

verbose stack Error: Unable to authenticate, need: Bearer, Basic realm="{{redacted url}}", NTLM

It appears that the structure of the authentication token which we put in the global .npmrc file has changed in Azure Artifacts

From:

; Treat this auth token like a password. Do not share it with anyone, including Microsoft support. This token expires on or before 27/02/2020.

; begin auth token

//{{redacted URL}}/_packaging/{{redacted user name}}/npm/registry/:_authToken={{redacted token string}}

//{redacted URL}}/_packaging/{{redacted user name}}/npm/:_authToken={{redacted token string}}

; end auth token

To

; Treat this auth token like a password. Do not share it with anyone, including Microsoft support. This token expires on or before 14/04/2020.
; begin auth token
//{{redacted url}}/npm/registry/:username={{redacted username}}
//{{redacted url}}/npm/registry/:_password={{redacted password}}
//{{redacted url}}/npm/registry/:email=npm requires email to be set but doesn't use the value
//{{redacted url}}/_packaging/{{redacted username}}/npm/:username={{redacted user name}}
//{{redacted url}}/_packaging/{{redacted username}}/npm/:_password={{redacted password}}
//{{redacted url}}/_packaging/{{redacted username}}/npm/:email=npm requires email to be set but doesn't use the value
; end auth token

When the second token is used (or indeed any of the tokens I now generate from Azure Artifacts), we cannot npm install, we get the error shown above. If other people use the same token (in the old format) as I have, this works fine. But this token will expire soon.

I have tried providing an email address instead of the strings "npm requires email to be set but doesn't use the value" but this also did not work.

This may be unrelated but we recently upgraded from tfs version 16.131.28507.4 to Azure Devops Server version Dev17.M153.3.

Does anyone know why the authentication token format has changed? And/Or how I can make the new tokens work with my private feed?

npm version: 6.13.0

node version: 10.12.0

Azure Devops Server version: Dev17.M153.3

Community
  • 1
  • 1
Michael Hancock
  • 2,260
  • 1
  • 17
  • 32
  • I have a similar [problem](https://stackoverflow.com/questions/59746514/npm-command-not-sending-authorization-token-in-request-unable-to-authenticate) to you which I posted yesterday and my npm debug log is showing that same error statement. However, it works for one feed but not for another feed and they are both using the new authentication token structure in the npmrc file. I'll be keen to learn if you find anything more about it. – methon.dagger Jan 16 '20 at 04:52
  • @methon.dagger That is interesting. We also have 2 feeds. I have been unable to install packages from either of them using the new token format. If you find out how to fix this before I do please let us know. I have not been able to find any Microsoft guidance for this issue. – Michael Hancock Jan 16 '20 at 08:14
  • Can you have a try adding `strict-ssl=false` to the end of your global .npmrc? (or run npm config set strict-ssl false). I was encountering self-signed cerficate error. And fixed by add `strict-ssl=false`. Donot know if it will work for your case? – Levi Lu-MSFT Jan 16 '20 at 09:57
  • @LeviLu-MSFT Thank you for the suggestion. Unfortunately I have tried this and i get the same error. We have also tried using the [PAC](https://docs.microsoft.com/en-gb/azure/devops/artifacts/npm/npmrc?view=azure-devops&tabs=windows#set-up-authentication-in-a-build-task) codes. Do you have any insight as to why the code format has changed? – Michael Hancock Jan 16 '20 at 11:56
  • @MichaelHancock U I have little insight about the format changes. I noticed this code format allow user to use both password and PAT to authenticate. Have you tried using your domain\username as username, and base64_encoded_password as password to authenticate? – Levi Lu-MSFT Jan 20 '20 at 10:12
  • @LeviLu-MSFT I have tried this and I get the same error. If I try to provide those credentials as part of `npm login`. It complains at the username step that ``` npm WARN Name may not contain non-url-safe chars ```. Can you point me to where in the Microsoft documentation it says to do this? The username and password fields are prepopulated when you click "Connect to feed" so I assumed they would be right. – Michael Hancock Jan 20 '20 at 10:27
  • I havenot found the related documents, I refered to the solution provided in this [similar thread](https://developercommunity.visualstudio.com/content/problem/639665/unable-to-login-to-azure-artifacts-on-devops-serve-1.html) – Levi Lu-MSFT Jan 21 '20 at 01:40

2 Answers2

0

After further investigation and a conversation with Microsoft Azure support we determined what was causing the issue for us.

The new format of tokens which have been rolled out for Azure Artifacts no longer work if your instance of TFS (Azure Devops) is hosted on a machine which is running IIS Basic Authentication. This probably then only applies to people hosting their TFS instance themselves on premises.

The only workaround available is to modify this new token and put a TFS user’s username and base 64 encoded password into the token string after the registry/:username= and registry/:_password= strings in the two places that these appear. This is not ideal as you effectively have to store a password in almost plain text on your build server. But it seems that is now your only choice if you do need IIS Basic Authentication enabled. Disabling this and using a different authentication scheme does fix the token authencation and you can avoid having to do the above.

Michael Hancock
  • 2,260
  • 1
  • 17
  • 32
-1

I'm not sure if this causes your problem - on our azure devops instance, we recently had conditional access enabled, which can disable a lot of the PAT/token based authentication streams without a clear error message - e.g. if you are using the token outside of your normal machine/access route (we were passing a token to a build service that we couldn't use 2FA to authenticate from, and it just stopped working overnight)

David
  • 1
  • Thanks for the suggestion but I am sceptical that this is the issue. All of our old tokens in the older format still work. But all of the new tokens which the Artifacts page is generating for me now – Michael Hancock Jan 16 '20 at 08:16