Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Mix of using API key or built-in username/password and integrated auth for nuget package pushes

    Scheduled Pinned Locked Moved Support
    proget
    2 Posts 1 Posters 5 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? This user is from outside of this forum
      Guest
      last edited by

      Is it the case that having integrated authentication on will disable the ability to push nuget packages with an API key (either proget api key or username:password)? This seems to be the behavior I am observing.

      It would be useful to be able to have a mix of authentication methods, i.e. proget could attempt to fail back to the provided api key if the windows authentication fails.

      We want to be able to support a setup in our deployment tooling where teams can configure access to their feeds using a dedicated user. Integrated auth isn't a good fit here because the deployment agent runs under a windows account which would require access to every proget feed to be able to push to them. This opens a security hole. The alternative is setting up a dedicated agent for each team's feed(s) that runs under a windows account permissioned to those feeds.

      It would be much nicer if we could configure the user in our metadata. Would there be any way of going about this?

      Thanks

      Product: ProGet
      Version: 5.1.5

      1 Reply Last reply Reply Quote 0
      • ? This user is from outside of this forum
        Guest
        last edited by

        "Windows Authentication" is built in to Windows (web server), and is happens below the application layer (i.e. ProGet). It's by design (Microsoft), and the intention is to use domain/service accounts to control access.

        I'm not sure I see the security hole to be honest, since pushing to a feed isn't that sensitive of an operation. Just don't let these users overwrite/delete packages.

        1 Reply Last reply Reply Quote 0

        Hello! It looks like you're interested in this conversation, but you don't have an account yet.

        Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

        With your input, this post could be even better 💗

        Register Login
        • 1 / 1
        • First post
          Last post
        Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation