1. Home
  2. Categories
  3. Support
  4. Client side authentication problem (401) with ProGet 2022.17

Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

Client side authentication problem (401) with ProGet 2022.17

  • R

    Hello,
    after we updated from ProGet 6.0.20 to 2022.17 we are having some problems with authentication. We use the windows integrated authentication and once or twice a weak only one random user in our group is not allowed to authenticate.
    The only log messages we can find are from the hosting IIS. There we get for example:

    2023-06-07 06:56:24 172.19.134.24 GET /nuget/Acl/v3/index.json - 443 COMPANY\<username>172.18.2.17 NuGet+VS+VSIX/6.6.0+(Microsoft+Windows+NT+10.0.19045.0,+Enterprise/17.0) - 401 0 0 7

    To fix this we restart the IIS or sometimes even the whole server instance (with ProGet and IIS). In the example above you can see the feed "Acl", but we are receiving the same message for all feeds on our ProGet. Another way to fix the authentication problem is to wait for several hours 🙈. Then the user is magically allowed to consume packages again.

    Maybe we just have some missconfiguration with our IIS. Has anybody an idea?

    0
  • rhessinger
    inedo-engineer

    Hi @rosario-digiovanni_1930,

    When you say that a user in the group cannot authenticate, can you describe what happens? Are the users constantly prompted to log in or do you see an error?

    Thanks,
    Rich

    0
  • R

    Hello Rich @rhessinger,

    sorry for the delayed answer.
    As you imagined, the user is constantly prompted to log in. Even with correct credentials he is not allowed log in an gets error 401. The "normal" scenario is within VisualStudio. After changing a branch you want to restore nuget packages and suddenly you are asked to login to ProGet again. The only way out is to reboot the server instance of ProGet.

    I am afraid we are the only ones with such a behaviour.

    Kind regards,
    Rosario

    0 stevedennis 1 Reply
  • stevedennis
    inedo-engineer

    Hi @rosario-digiovanni_1930 ,

    In an ideal environment, when a user is logged into a domain-joined Windows workstation, then Visual Studio or Edge/Chrome should never prompt the user when WIA is enabled. This applies to ProGet, or any other site/webapp that uses WIA.

    However, there are many things that can go wrong, and cause WIA to break. Even something as simple as an out-of-sync clock on a workstation. We've written some docs that try to explain how WIA works and give some tips on how to troubleshoot the issue:
    https://docs.inedo.com/docs/various-ldap-troubleshooting#integrated-authentication-not-working

    My personal opinion is that WIA was designed for a time before password managers and when everyone worked in an office without VPN. You may find it just not worthwhile to use.

    NOTE: you can still use your domain credentials (i.e. Active Directory / LDAP), but users will just be required to enter them into ProGet. They can use an API key inside of Visual Studio.

    Cheers,
    Steve

    0
Log in to reply
 
Inedo Website HomeSupport HomeCode of ConductForums GuideDocumentation