I'm trying to use a Azure DevOps Server 2019 (née TFS) project in multiple ways:
- the Repos feature to keep the code,
- the Artifacts feature to add some private packages,
- the Pipelines feature to do CI (mainly just pull the packages, build from the code, publish to a staging server)
(Presumably, this sort of integration is the entire point.)
My pipeline has a .NET Core Restore step, which has Path to NuGet.config set to a custom config inside the repo. So far, so good.
The config looks like:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<clear />
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
<add key="(some private server)" value="http://nuget.example/NuGet" /> <!-- (this one works fine!) -->
<add key="(the actual private feed in question)" value="https://azure-devops.example/MyCollection/_packaging/MyProject/nuget/v3/index.json" />
</packageSources>
</configuration>
In the build log, I do see that that config is respected, in that all three above sources are being used. However, the third fails with an error:
NuGet.Protocol.Core.Types.FatalProtocolException: Unable to load the service index for source https://azure-devops.example/MyCollection/_packaging/MyProject/nuget/v3/index.json.
---> System.ComponentModel.Win32Exception (0x8009030E): No credentials are available in the security package.
at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatusPal& statusCode)
at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean isProxyAuth, HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync(HttpConnection connection, HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at NuGet.Protocol.ServerWarningLogHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at NuGet.Protocol.HttpSourceAuthenticationHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
at NuGet.Protocol.TimeoutUtility.StartWithTimeout[T](Func`2 getTask, TimeSpan timeout, String timeoutMessage, CancellationToken token)
at NuGet.Protocol.HttpRetryHandler.SendAsync(HttpRetryHandlerRequest request, ILogger log, CancellationToken cancellationToken)
at NuGet.Protocol.HttpSource.GetThrottledResponse(Func`1 requestFactory, TimeSpan requestTimeout, TimeSpan downloadTimeout, Int32 maxTries, Guid sessionId, ILogger log, CancellationToken cancellationToken)
at NuGet.Protocol.HttpSource.<>c__DisplayClass14_0`1.<<GetAsync>b__0>d.MoveNext()
This looks like some authentication problem, but it really sounds like it doesn't actually try to authenticate.
I've run out of possible causes:
- The build agent runs at its own user
tfsbuildagent
. I've explicitly added that the feed permissions as a contributor (even though reader is presumably enough). - I've changed it from a local user to one in the Active Directory domain, in case local users don't work properly.
- I've upgraded from 2019 to 2019.1.1, lest it is a bug.
- I've tried adding a service connection to the Credentials for feeds outside this organization/collection field. But this feed isn't outside. It's the very same project!
My guess is I need to tell it how to authenticate (just use current Windows credentials), but I can't make out from the exception what it's even trying and failing at.