Chocolatey/ProGet Assets/Azure DevOps Pipelines: Unauthorized asset downloads #3263
Comments
@norbertstoll I'm trying to replicate this setup, but without an AZDO pipeline, I'm not sure if I fully can. From what I'm reading in the issue here, I think you might actually be encountering a double-hop issue. If I'm reading the AZDO pipeline configuration and documentation properly, it sounds like it uses WinRM to connect to the server as the username/password you provide. It then runs the In my testing, I have the following setup:
To test this theory, first I set up a test user on Based on this testing, I believe this is a feature request (and there may in fact already be some existing for adding authentication abilities to the chocolatey web handling cmdlets). So I will label this as such.
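One way to check the double-hop theory from the comment above, as an added example that is not part of the thread or of Chocolatey's code. It requests a single asset anonymously, with the session's default (integrated) credentials, and optionally with explicit credentials. `$AssetUrl`, `$Credential` and the helper `Test-AssetDownload` are names assumed for this example.

```powershell
# Added diagnostic, not Chocolatey code. Run it once in an interactive logon and
# once inside the remoting session the pipeline uses, then compare the results.
param(
    # Placeholder: URL of one installer in your own asset feed.
    [Parameter(Mandatory)] [string] $AssetUrl,
    # Optional explicit credentials to compare against integrated authentication.
    [pscredential] $Credential
)

function Test-AssetDownload {
    # Hypothetical helper: returns 'OK', 'HTTP <status>' or the error message.
    param([string] $Url, [hashtable] $AuthArgs)
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing @AuthArgs -ErrorAction Stop
        return 'OK'
    }
    catch {
        # Both Windows PowerShell 5.1 and PowerShell 7 expose the HTTP response here.
        $resp = $_.Exception.Response
        if ($resp) { return "HTTP $([int]$resp.StatusCode)" }
        return "Error: $($_.Exception.Message)"
    }
    finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$results = [ordered]@{
    User               = $id.Name
    AuthenticationType = $id.AuthenticationType
    Anonymous          = Test-AssetDownload $AssetUrl @{}
    DefaultCredentials = Test-AssetDownload $AssetUrl @{ UseDefaultCredentials = $true }
}
if ($Credential) {
    $results.ExplicitCredential = Test-AssetDownload $AssetUrl @{ Credential = $Credential }
}
[pscustomobject]$results | Format-List
```

If `DefaultCredentials` is `OK` interactively but `HTTP 401` in the remote session, while `ExplicitCredential` is `OK` in both, the result is consistent with a double hop: the remote session cannot forward the caller's identity to the feed.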
Is this potentially the same thing as #1021?
Hi @corbob, as this is my second request within a short time thanks again for a quick response and your analysis! We've been thinking of a double hop issue, too, and I also tried to get around it by using CredSSP (though it has its security downside) in ADO. Sadly this isn't an option and not allowed because of internal guidelines. @TheCakeIsNaOH I've been looking at this function, too, thinking that might be the right place to implement credential support. Regards,
@norbertstoll are you able to confirm whether this is something that was working for you in 1.4.0 of Chocolatey and something which has stopped working now that you have moved to 2.x, or whether this is actually a new feature/improvement that you are looking for?
@gep13 This hasn't been working in any version starting from 1.3.1. I'm not quite sure if this is a new feature but some kind of circumstance when using ProGet assets combined with Chocolatey.
Just to drill down a little further on this, to make sure we are talking about the same thing... Are you saying that this used to work in a version of Chocolatey CLI before 1.3.1? Or are you saying that since you started using Chocolatey CLI, which was with 1.3.1, this hasn't worked?
Apologies... We started using Chocolatey with version 1.3.1. So I can't say anything about versions earlier than that one.
There is no need to apologise here. I just wanted to make sure that we have all the facts, in order to know how to move forward with this issue.
I've tested this scenario with Chocolatey CLI versions 1.0.0, 1.1.0, 1.2.0, and 1.3.0. None of them are able to download the msi from a Windows authenticated web server, they also do not download the nupkg without being provided the username/password along with the source. At this point, I'm going to close this issue as a duplicate of #1021 as TheCakeIsNaOH suggested. If we determine a scenario where this isn't a duplicate, and isn't related to the double hop issue, we can always reopen this issue.
Duplicate of #1021
Checklist
What You Are Seeing?
We are using packages with external dependencies like this one: https://community.chocolatey.org/packages/GoogleChrome
Since we're not allowed to use external sources on client systems, we are downloading the installers from official sources, then uploading them to ProGet's asset feed. The next step is to re-create the package by editing the download URL of the installer in chocolateyInstall.ps1. Everything else remains unchanged.
ProGet and IIS have Windows integrated authentication enabled. Permissions are set correctly.
Using Chocolatey within an authenticated user session or PowerShell session, everything is working fine with those packages:
Chocolatey first downloads the nupkg file, then the installer itself from ProGet's asset feeds. Installations are finished successfully.
We also use Azure DevOps pipelines to get our stuff automated, and that's where we run into issues, even though we're using Windows integrated authentication there, too:
The nupkg gets downloaded but the download of the installer from the asset feed fails with HTTP 401 - Unauthorized.
The edited url64bit value in chocolateyInstall.ps1:
Google Chrome's package in ProGet's asset feed:
Which in the end leads to this:
The relevant part of code in ADO pipelines:
What is Expected?
Download and installation of nupkg-files with dependencies on ProGet asset feeds, having windows authentication enabled, are working fine in ADO pipelines, too.
How Did You Get This To Happen?
Environment:
We're using ProGet in combination with Microsoft IIS:
System Details
Installed Packages
Output Log
Additional Context
Successful installation of Google Chrome as a logged on user: