Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Moving from IIS to Integrated Web Server
-
Hi all,
we are trying to update from ProGet 2024 to ProGet 2025.
As I understood the documentation we have to move from IIS to integrated web server.
Right now we are running ProGet on two IIS sites. One where windows authentication is enabled and one where it is disabled (necessary for npm).
Is this still possible when moving to Integrated Web Server?
We need to keep the windows authentication but I am not sure if our npm tasks will continue working.
Maybe you can clarify that for me.Thanks,
Caterina
-
Hi @caterina ,
First and foremost, Microsoft has effectively discontinued Windows Integrated Authentication (WIA) in favor of more modern and secure environments. As such, we strongly advise taking this opportunity to simply move away from it.
Our recommended environment is:
- No authentication required to view/download packages
- the only exception to this is packages containing things like trade secrets.
- that should not be the default, as "when everything is secret nothing is"
- API Key required to publish packages
- minimal permissions (i.e. no overwrite)
- limit to feeds when appropriate, so you don't have too many keys
- consider rotating annually
That said, WIA is still supported in the Integrated Web Server and unsupported feeds (like
npm) are automatically excluded from WIA when Kestrel is used (i.e. when you are NOT doing port sharing, and binding to a port). You can also explicitly exclude NuGet feeds.However, it's not possible to do "authentication by port", like what was possible by creating two sites in IIS.
Hope that helps,
Steve
- No authentication required to view/download packages
