Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Via HTTP Post, unable to promote ProGet package
-
Tod,
I was trying the URL directly based on the ProGet promotion API doc that showed that so if that isn't supported you may want to update the doc. Also a bit more detailed example there might be helpful. Of course the ultimate solution would be to just add a Promote Build function to the ProGet extension in BuildMaster! I've already submitted a feature request for that one.Anyway, I tried what you said and still hit the same error. I'll try it in Fiddler when I can but I could only try it from BuildMaster at the moment. Here's what I put in:
Post-Http http://progetserver/api/promotions/promote ( ContentType: application/json, TextData: >> { key: "apikeyvalue", packageName: "Sci.Framework.Service.Sm.Core", version: "41.0.0", fromFeed: "Development", toFeed: "Released", user: "adminuseraccount", comments: "This package promoted to Release by BuildMaster" }>>, LogRequestData: true, LogResponseBody: true );Thanks.
-
We will add that operation at some point. The problem is that the API doesn't send 401s (all forbidden API keys result in a 403). The 401s are coming from IIS or the integrated web server before the request goes through PG - so my only guess is that the BuildMaster service account must not have access to the ProGet server. Note the HTTP operations currently run from the BuildMaster server only, so executing in a
for serverblock will still be sent from the BuildMaster service (this will likely change in a future InedoCore extension as it's a bit counter-intuitive).Another thing I noticed is that the JSON representation doesn't support the
keyargument. You can either supply"API_Key": "yourApiKey"in the JSON, or add a new operation argumentRequestHeaders: %(X-ApiKey: "yourApiKey")that doesn't need to be escaped.Unfortunately with Windows Integrated Auth, it cannot be disabled for some URLs... it's all or nothing (though we're working on a resolution to this currently, especially for npm which doesn't support WIA at all).
-
Tod,
the buildmaster server has full access to our ProGet server, the user each service runs as is the same domain account and it is full system admin on both as well.I did try moving the API key to the Request Headers as you suggested but still get the exact same error.
Both servers are using the IIS setup done by BuildMaster and ProGet installers, are there any new settings that need to be made for it that may not have occurred in an upgrade?
Thanks.
-
The 401s are occurring before the request reaches the API (it's blocked by the web server), so it doesn't really matter what conent you are sending.
Unfortunately, sometimes just setting the service account to a domain account isn't enough to get integrated authentication working; I suggest to logon to the server with that service account, and then try to access the web UI. You should not be prompted for a password from the browser.
Windows Integrated Auth can be very complex to get working between service accounts; are these running on the same machine? Getting a machine to "talk to itself" is a challenge, and you may need to use setspn or another domain admin tool to do so.
-
Well to add to all this, I can use the Jenkins plugin using the exact same account without issue. It's using the Native API I believe, at least that's which API Key it has but it does work.
For some reason this seems to only be an issue from BuildMaster.I'm not familiar with this SetSPN but after reading it I'm not to sure what we're trying to do with it. The account being used is what both Windows services are running as on their respective machines. I have logged into both with that account as well.
You mentioned using the UI on the Proget server, which UI did you mean? Progets or BuildMaster? I did try both and did not have any issue so not sure what it was you wanted me to try.
The other thing is I can, from the BuildMaster server, enter the URL - http://progetserver/api/json/Connectors_GetConnectors?API_Key=nativeAPIKey
and that works. But from BuildMaster it does not. -
I can't say why Jenkins works, the problem is the client (BuildMaster service), server (ProGet website), or both. Since the application happens below the application layer, Diagnosing it is not trivial unfortunately. When WIA is enabled, all our server software "sees" is an integrated request.
I would also try to restart the BuildMaster machine as well, maybe that will do something the domain and service principal names.
If all else fails, you'll will need to monitor network traffic; you can do this by:
1. installing Fiddler on BuildMaster machine 2. running it 3. editing proxy settings on buildmaster to use a proxy with windows settings 4. stop/restart the serviceyou should see requests being pushed through fiddler, then on to their destination. This will give you more insight into where the request is not being handled...
-
Before I do that, does it matter what the App Pool runs as for each service? it will be next week before i have a chance to work with Fiddler.
-
I finally had a chance to run Fiddler and it's not showing any attempt to talk to the ProGet server via HTTP post.
I see other requests occurring by BuildMaster, updates, Jira, but not the HTTP Post to promote.
So for some reason BuildMaster isn't even making an attempt. -
So after searching online I did find that if I Enable Anonymous Authentication on the ProGet server that this then works.
However, big problem here is that this then Breaks Windows Authentication whenever you browse to the ProGet server.I would hope you have a way to configure these since they are both your products, what would I change in IIS to handle both situations?
-
Discussion should be moved to a new post or followed here:
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login