Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Anonymous access to feeds, integrated security to administration

    Scheduled Pinned Locked Moved Support
    ldapprogetsecurity
    12 Posts 1 Posters 70 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? This user is from outside of this forum
      Guest
      last edited by

      That's too bad. I have actually tried disabling Windows authentication and this allows me to login using my domain account through forms/basic authentication. Unfortunately this still does not allow anonymous access to the feeds, because when using LDAP I can't assign any privileges to the build-in Anonymous principal and thus it requires me to sign-in. It does say that I should assign privileges to the Anonymous user when I'm trying to access the ProGet server anonymously, but I'm not able to do so. Sounds like an easy fix to me, but I'm not sure about the internals.

      1 Reply Last reply Reply Quote 0
      • ? This user is from outside of this forum
        Guest
        last edited by

        I see; this scenario is not that common, and as you can see, we do not currently have an "anonymous user" concept when using AD. This may be something we can trivially add, or at least put on our roadmap for when redoing/rethinking the auth.

        Are you a current enterprise customer? Suggest to submit a something via the contact or ticket forms, and we can explore implementation more.

        1 Reply Last reply Reply Quote 0
        • ? This user is from outside of this forum
          Guest
          last edited by

          We are currently evaluating ProGet Enterprise. I was personally mostly interested in the Integrated Security features because of the auditing, but since we're having trouble separating feed access from administration in terms of security I'm now leaning more towards sticking with the built-in security features and thus wouldn't really require the Enterprise edition.

          1 Reply Last reply Reply Quote 0
          • ? This user is from outside of this forum
            Guest
            last edited by

            Hello everyone. Just wanted to know if there's any update on this topic. We're in the same point that Jonathan mentions, evaluating Proget (v3.8.6) as the respository for the corporate packages and would like to have the feeds open to everyone while the administration secured and restricted to certain individuals in the domain.
            When enabling the LDAP directory that autmatically switches the feeds / repositories to use Active Directory users which is not desirable (even though nuget can work with integrated security, that's not the case for npm or bower).
            There's a rationale behind this and is keep the package feeds / repositories working the same way the originals does, but securing the administration with a corporate directory.

            I'll check the alternative mentioned of having two instances (one with LDAP and the other with Built-In) and fiddle with connectors, however we'd appreciate having just one instance; and I'm quite sure there'll be other people looking for a smilar configuration. Regards

            1 Reply Last reply Reply Quote 0
            • ? This user is from outside of this forum
              Guest
              last edited by

              While you can use LDAP/ActiveDirectory with npm, bower, maven, etc., none of those clients support "NTLM authentication" (i.e. Windows Integrated Authentication).

              Unfortunately, IIS only supports this level of authentication at a site level, so it's not possible for us to enable/disable it per feed. We aren't aware of any libraries we can use to negotiate a kerberos/NTLM ticket, so we would need to fully implement this ourselves... which took Microsoft about 10 years to get right ;-)

              Hopefully in future versions of Windows or .NET, they will expose the negotiation library for us to use. Or, if anyone happens to know of a way for us to use it, or otherwise programmatically enable NTLM on a per-request basis with IIS, please do share!

              1 Reply Last reply Reply Quote 0
              • ? This user is from outside of this forum
                Guest
                last edited by

                Hi,

                Any update on this? We are facing the same issue and it seems to be a roadblock for us.

                We have a universal feed that with a Proget instance using LDAP. We have build processes that that don't use AD service accounts that need to read\pull packages from ProGet feeds.

                Mike

                1 Reply Last reply Reply Quote 0
                • ? This user is from outside of this forum
                  Guest
                  last edited by

                  The best work-around for now is to set-up a second Site under a different hostname and/or port in IIS that has anonymous access enabled; this will then allow you two different endpoints depending on access desired.

                  Note that you can still use LDAP, it's just on the second "anonymous" site, it won't support NTLM authentication, only Basic.

                  1 Reply Last reply Reply Quote 0
                  • ? This user is from outside of this forum
                    Guest
                    last edited by

                    Hi Alana,

                    Thank you for replying. So you're suggesting to install a Proget instance on a different web server. If so, this will have a different ProGet DB.

                    If I understand correctly it WILL NOT share any feeds between the 2 ProGet instances.

                    Mike

                    1 Reply Last reply Reply Quote 0
                    • ? This user is from outside of this forum
                      Guest
                      last edited by

                      No; just create a second site in IIS that points to the same directory. Then it will use same database, web.config, etc.

                      1 Reply Last reply Reply Quote 0
                      • ? This user is from outside of this forum
                        Guest
                        last edited by

                        That worked! Definitely a big work around. We additionally had to set the AppPool for the new site to Classic and disable Forms Auth in the bindings.

                        1 Reply Last reply Reply Quote 0

                        Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                        Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                        With your input, this post could be even better 💗

                        Register Login
                        • 1 / 1
                        • First post
                          Last post
                        Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation