sdk: dotnet restore --interactive: 401 Unauthorized on Windows with Azure DevOps feed
Steps to reproduce
dotnet restore always fails on Windows when connecting to a private feed hosted on ADO.
>dotnet restore --interactive
Restoring packages for ....csproj...
Restoring packages for ...csproj...
C:\Program Files\dotnet\sdk\2.2.104\NuGet.targets(114,5): error : Unable to load the service index for source https://pkgs.dev.azure.com/microsoft/_packaging/something/nuget/v3/index.json. [....sln]
C:\Program Files\dotnet\sdk\2.2.104\NuGet.targets(114,5): error : Response status code does not indicate success: 401 (Unauthorized). [....sln]
Expected behavior
Running dotnet restore --interactive should prompt for code auth, like it does on macOS. Alternatively, running dotnet restore should behave like nuget restore does, and prompt for credentials allowing you to enter a PAT.
Actual behavior
On Windows 10, running dotnet restore --interactive or dotnet restore will always fail when connecting to a private feed on ADO.
Environment data
dotnet --info output:
.NET Core SDK (reflecting any global.json): Version: 2.2.104 Commit: 73f036d4ac
Runtime Environment: OS Name: Windows OS Version: 10.0.17763 OS Platform: Windows RID: win10-x64 Base Path: C:\Program Files\dotnet\sdk\2.2.104\
Host (useful for support): Version: 2.2.2 Commit: a4fd7b2c84
.NET Core SDKs installed: 2.1.4 [C:\Program Files\dotnet\sdk] 2.1.202 [C:\Program Files\dotnet\sdk] 2.1.402 [C:\Program Files\dotnet\sdk] 2.1.500 [C:\Program Files\dotnet\sdk] 2.1.502 [C:\Program Files\dotnet\sdk] 2.1.503 [C:\Program Files\dotnet\sdk] 2.2.102 [C:\Program Files\dotnet\sdk] 2.2.104 [C:\Program Files\dotnet\sdk]
.NET Core runtimes installed: Microsoft.AspNetCore.All 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.1.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.2.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.2.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.App 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.1.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.2.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.2.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.NETCore.App 2.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.2.1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.2.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
To install additional .NET Core runtimes or SDKs: https://aka.ms/dotnet-download
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 2
- Comments: 16 (4 by maintainers)
Turns out I had the cred provider plugin already installed on macOS, which is why --interactive was working.
For anyone interested reading this, Nikolche let me know that Microsoft decided not to put the plugin in dotnet.exe because there were concerns that shipping auth integration to Azure DevOps within the sdk would’ve been unfair to other feed providers. To resolve your 401 issues you need to install the auth plugin manually that Nikolche mentioned:
Grab the plugin from https://github.com/Microsoft/artifacts-credprovider/releases Install into ~/.nuget/plugins/netcore
Full instructions: https://github.com/Microsoft/artifacts-credprovider
I wish this was more clear in some way; maybe dotnet could give a warning that --interactive will not work without some credential manager instead of doing nothing?
@dylank
Is your provide feed azure devops?
If it is, then you need to install the credential provider from https://github.com/Microsoft/artifacts-credprovider.
One command solved:
And then try to restore again.
Ah, I found this. https://github.com/Microsoft/artifacts-credprovider#azure-devops-pipelines
This is really annoying and was very hard to find a solution to. This should be much clearer in the dotnet restore error message.
Selecting “Connect to feed” in ADO and picking the “dotnet” option, it specifically says:
However, since the decision was to not allow
dotnet restore --interactiveto prompt for credentials, it’d be helpful if Azure Devops Artifacts (and preferably dotnet.exe too) was a little more clear on the fact that the only way to use--interactivewith ADO is to install this credential provider plugin. I know there’s a link to it under the “Get the tools” link, but that only said something like “First time using dotnet on this machine?”, and maybe I’m a bit slow but to me that just sounds like it’s about installing dotnet core.I think it would save some frustration if the Azure Devops Artifacts “Connect to feed” page for dotnet could instead say something like
I’ve been fighting with this for a while. I installed the credential provider using the ps1 script, but am unclear on whether or not it is actually being picked up.
dotnet restore --interactivejust gives me a 401. however, if i manually runCredentialProvider.Microsoft.exe -I -V Verbose -U "https://pkgs.dev.azure.com/zzzzzzzzzzzzzz/zz/nuget/v3/index.jsonthen it comes back saying found credentials with username VssSessionToken and what looks like a PAT.anyway a giant +1 from me on
dotnet --interactivebeing clearer about the potential fix.1st update
after running the
dotnet restore --interactivewith-v detailedI was able to confirm that the plugin is being picked up. The debug spam seemed to indicate that it found credentials, somewhere, but I couldn’t determine WHERE. According to the docs https://github.com/microsoft/artifacts-credprovider#session-token-cache-locations the pathWindows: $env:UserProfile\AppData\Local\MicrosoftCredentialProvidershould be where the token is cached. i dont have this folder at all.2nd update (solved)
I finally got it! The problem was there was a hardcoded value set for
VSS_NUGET_EXTERNAL_FEED_ENDPOINTSwith a JSON blob containing something like{"endpointCredentials": [{"endpoint":"https://pkgs.dev.azure.com/***/**/**/nuget/v3/index.json","password":"***(some PAT)***"}]}. I deleted the env var completely and randotnet restore --interactiveand it popped up the UI to sign in. I now have theMicrosoftCredentialProviderfolder in AppData\Local and well… thank goodness thats over!!Came across this for the first time today and these instructions were an absolute life saver (coming back from mac to windows): I really do think there needs to be some form of indicator on the
--interactiveflag to let you know that no credential provider is installed.As a workaround, running
nuget restorein the dotnet core project will take a PAT token, and allow you connect to a private feed.