RE: How do deployments get recorded for a ProGet package?

I've been searching all over the internet and can't find an answer; is there a way to configure nuget.exe to pass custom headers in the requests or do you need to basically write your own tooling to do so?

I am trying to restore packages using "dotnet restore" AND "nuget restore" for a feed that requires authentication (AD auth). I have configured my system so that the username/password are stored in the nuget.config file. Whenever I do a restore I receive the following error:

The content at 'http://my.url.com/nuget/myfeed/FindPackagesById()?id='Package.Name'&semVerLevel=2.0.0' is not valid XML.
   For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
 Retrying 'FindPackagesByIdAsyncCore' for source 'http://my.url.com/nuget/myfeed/FindPackagesById()?id='Package.Name'&semVerLevel=2.0.0

I am concerned by the "not valid XML" message that I receive. I am not sure if I have misconfigured something within Proget or not. Is there some sort of limitation here?

Is it possible to configure proget as a whole, or a particular feed to require an api key to read packages? I would like to make one of our feeds require some sort of security for connecting. Publishing already has a key, but I'd like the option to restrict reading. If we enable active directory, is there a way to still use both/either? I need my build system to be able to pull from the "protected" feed and don't think I can provide credentials other than an api key when doing that.