nuget.exe ignores packageSourceCredentials in nuget.config when downloading a package #8551

Open
ilatypov opened this issue Sep 5, 2019 · 5 comments
Labels
Area:Authentication Category:Quality Week Issues that should be considered for quality week Priority:2 Issues for the current backlog. Triage:Investigate Type:Bug

ilatypov commented Sep 5, 2019

Our poorly coded pipeline uploaded public xunit packages to a local (password-protected) jFrog artifactory. Attempts to download them using nuget.exe's packageSourceCredentials with a clear-text (encrypted) jFrog user name and password failed showing 403 Forbidden messages. Proxying the traffic through BURP showed that nuget.exe ignored the credentials supplied in nuget.config.

Details about Problem

NuGet product used (NuGet.exe | VS UI | Package Manager Console | dotnet.exe): nuget.exe

NuGet version (x.x.x.xxx): 4.9.4.5839 and 5.2.0.6090

VS version (if appropriate): 2019 Enterprise with both the above Nuget.exe versions and 2017 (15.0) with Nuget 4.9.4

OS version (i.e. win10 v1607 (14393.321)):

$ wmic os get Caption,CSDVersion /value
Caption=Microsoft Windows Server 2008 R2 Enterprise
CSDVersion=Service Pack 1

Worked before? If so, with which NuGet version: it did a day ago but stopped (I installed a dotnet 4.7 devpack using choco in between).

Detailed repro steps so we can see the same problem

  1. Run CMD as an administrator (after logging in as a local user). Change to a top-level directory of the drive to work around nuget.exe's failure to handle long file names. (Alternatively, set repositoryPath to d:\packages in nuget.config and create a cmd symlink using mklink /d from packages to d:\packages to resolve hard-coded relative links in the Visual Studio solution). Set up a BURP proxy in Internet Options, install the BURP cert into the Certification Authorities store.

    Create a nuget.config, delete other nuget.config's such as %userprofile%\appdata\nuget\nuget.config, purge the cached and installed packages.

<configuration>
   <packageSources>
     <add key="example-nuget" value="https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget" />
   </packageSources>
   <disabledPackageSources>
     <add key="nuget.org" value="true" />
   </disabledPackageSources>
   <packageSourceCredentials>
     <example-nuget>
       <add key="Username" value="USER" />
       <add key="ClearTextPassword" value="ENCRYPTEDPASS" />
     </example-nuget>
   </packageSourceCredentials>
   <config>
     <add key="repositoryPath" value="d:/packages" />
   </config>
</configuration>
$ rm -rf /cygdrive/c/Users/a-CIUSER/.nuget/packages/xunit.runner.console/2.3.1/ packages/xunit.runner.console.2.3.1/
  2. Set up a password-protected local repo in a jFrog artifactory, upload an external package such as xunit console runner 2.3.1 into it (to reproduce mistakes in pipelines). Set up a virtual repo that includes both the local repo and the remote one (Microsoft gallery). This results in artifactory allowing anonymous FindByPackageIds() calls but requiring authentication to download the above public package (xunit console runner).

    Confirm the setup with curl.

$ curl -iIsS "https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/FindPackagesById()?id='xunit.runner.console'"
HTTP/1.1 200 OK
Server: Artifactory/6.11.1
X-Artifactory-Id: 3a259f8962a8e2174ae3210a51df7369bc75a123
X-Artifactory-Node-Id: Artifactory2
DataServiceVersion: 2.0
Content-Type: application/atom+xml;charset=utf-8
Transfer-Encoding: chunked
Date: Thu, 05 Sep 2019 00:50:31 GMT
Strict-Transport-Security: max-age=31536000;
$ curl -iIsS -u 'USER:ENCRYPTEDPASS' "https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1"
HTTP/1.1 200 OK
Server: Artifactory/6.11.1
X-Artifactory-Id: 3a259f8962a8e2174ae3210a51df7369bc75a123
X-Artifactory-Node-Id: Artifactory2
Last-Modified: Wed, 04 Sep 2019 21:11:05 GMT
ETag: c62240bb835ad327ab4c319f37fd1d2da6d6178b
X-Checksum-Sha1: c62240bb835ad327ab4c319f37fd1d2da6d6178b
X-Checksum-Sha256: 5abbbddd519fef9f49809fe001bfe2ae02b2a47fe9be47934e6ee47ce0825812
X-Checksum-Md5: 7b3534b73f0132604f43f48e78d8cea9
Accept-Ranges: bytes
X-Artifactory-Filename: xunit.runner.console.2.3.1.nupkg
Content-Disposition: attachment; filename="xunit.runner.console.2.3.1.nupkg"
Content-Type: application/x-nupkg
Content-Length: 735916
Date: Thu, 05 Sep 2019 00:51:56 GMT
Strict-Transport-Security: max-age=31536000;
$ curl -sS -o x.r.c.2.3.1.nupkg -u 'USER:ENCRYPTEDPASS' 'https://artifactory.COMPANY.TLD/artifactory/example-nuget/xunit.runner.console.2.3.1.nupkg'

$ unzip -t x.r.c.2.3.1.nupkg
Archive:  x.r.c.2.3.1.nupkg
    testing: xunit.runner.console.nuspec   OK
[...]

$ curl -isS -u 'USER:ENCRYPTEDPASS' "https://artifactory.COMPANY.TLD/artifactory/example-nuget-local/xunit.runner.console.2.3.1.nupkg" -T x.r.c.2.3.1.nupkg
HTTP/1.1 100 Continue

HTTP/1.1 201 Created
Server: Artifactory/6.11.1
X-Artifactory-Id: 3a259f8962a8e2174ae3210a51df7369bc75a123
X-Artifactory-Node-Id: Artifactory2
Location: https://artifactory.COMPANY.TLD/artifactory/example-nuget-local/xunit.runner.console.2.3.1.nupkg
Content-Type: application/vnd.org.jfrog.artifactory.storage.ItemCreated+json;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 05 Sep 2019 02:44:01 GMT
Strict-Transport-Security: max-age=31536000;

{
  "repo" : "example-nuget-local",
  "path" : "/xunit.runner.console.2.3.1.nupkg",
  "created" : "2019-09-05T02:44:01.366Z",
  "createdBy" : "USER",
  "downloadUri" : "https://artifactory.COMPANY.TLD/artifactory/example-nuget-local/xunit.runner.console.2.3.1.nupkg",
  "mimeType" : "application/x-nupkg",
  "size" : "735916",
  "checksums" : {
    "sha1" : "c62240bb835ad327ab4c319f37fd1d2da6d6178b",
    "md5" : "7b3534b73f0132604f43f48e78d8cea9",
    "sha256" : "5abbbddd519fef9f49809fe001bfe2ae02b2a47fe9be47934e6ee47ce0825812"
  },
  "originalChecksums" : {
    "sha256" : "5abbbddd519fef9f49809fe001bfe2ae02b2a47fe9be47934e6ee47ce0825812"
  },
  "uri" : "https://artifactory.COMPANY.TLD/artifactory/example-nuget-local/xunit.runner.console.2.3.1.nupkg"
}
$ curl -iIsS "https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1"
HTTP/1.1 403 Forbidden
Server: Artifactory/6.11.1
X-Artifactory-Id: fd91a10aaf5e92305bba3b37f8ecc7aa3dcb8dcf
X-Artifactory-Node-Id: art3
Content-Type: application/json
Transfer-Encoding: chunked
Date: Thu, 05 Sep 2019 00:52:31 GMT
Strict-Transport-Security: max-age=31536000;
  3. Have a Visual Studio "classic" solution with a dependent project containing the reference to the above package in its packages.config.
$ grep console DotNetClassic_Library.Tests/packages.config
  <package id="xunit.runner.console" version="2.3.1" targetFramework="net472" developmentDependency="true" />
  4. Run nuget restore with the created nuget.config and verbose diagnostics.
D:\temp\jgp_classic>nuget restore -configfile nuget.config -v d -DisableParallelProcessing -NonInteractive
NuGet Version: 5.2.0.6090
Restoring NuGet packages for solution D:\temp\jgp_classic\DotNetClassic_Library.sln.
MSBuild auto-detection: using msbuild version '16.0.461.62831' from 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\bin'. Use option -MSBuildVersion to force nuget to use a specific version of MSBuild.
MSBuild P2P timeout [ms]: 120000
C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\bin\msbuild.exe "C:\Users\a-CIUSER\AppData\Local\Temp\NuGetScratch\x450xxfy.v0w.nugetinputs.targets" /t:GenerateRestoreGraphFile /nologo /nr:false /v:q /p:NuGetRestoreTargets="C:\Users\a-CIUSER\AppData\Local\Temp\NuGetScratch\wydlma2h.u5h.nugetrestore.targets" /p:RestoreUseCustomAfterTargets="True" /p:RestoreTaskAssemblyFile="C:\ProgramData\chocolatey\lib\NuGet.CommandLine\tools\nuget.exe" /p:RestoreSolutionDirectory="D:\temp\jgp_classic\\" /p:RestoreConfigFile="nuget.config" /p:SolutionDir="D:\temp\jgp_classic\\" /p:SolutionName="DotNetClassic_Library"

Restoring NuGet package xunit.runner.console.2.3.1.
Missing C:\Users\a-CIUSER\.nuget\packages\xunit.runner.console\2.3.1\xunit.runner.console.2.3.1.nupkg
  GET https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Packages(Id='xunit.runner.console',Version='2.3.1')
  OK https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Packages(Id='xunit.runner.console',Version='2.3.1') 158ms
  GET https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1
Using C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\IDE\CommonExtensions\Microsoft\NuGet\Plugins\CredentialProvider.Microsoft\CredentialProvider.Microsoft.exe as a credential provider plugin.
Using credentials from config. UserName: USER
    [CredentialProvider.202447]Running in plug-in mode
    [CredentialProvider.202447]Command-line v0.1.11: "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\IDE\CommonExtensions\Microsoft\NuGet\Plugins\CredentialProvider.Microsoft\CredentialProvider.Microsoft.exe" -Plugin
    [CredentialProvider.202447]Handling 'Request' 'GetOperationClaims' - {}
    [CredentialProvider.202447]Handling 'Request' 'SetLogLevel' - {"LogLevel":"Debug"}
    [CredentialProvider]Handling 'Request' 'SetCredentials' - {"PackageSourceRepository":"/artifactory/api/nuget/example-nuget"}
    [CredentialProvider.202447]Handling 'Request' 'Initialize' - {"ClientVersion":"5.2.0","Culture":"en-US","RequestTimeout":"00:00:05"}
    [CredentialProvider]Handling 'Request' 'GetAuthenticationCredentials' - {"Uri":"https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget","IsRetry":false,"IsNonInteractive":true,"CanShowDialog":true}
    [CredentialProvider]Creating a progress reporter with interval: 00:00:02
    [CredentialProvider]Handling auth request, Uri: https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget, IsRetry: False, IsNonInteractive: True, CanShowDialog: True
    [CredentialProvider]URI: https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget
    [CredentialProvider]Skipping NuGetCredentialProvider.CredentialProviders.VstsBuildTaskServiceEndpoint.VstsBuildTaskServiceEndpointCredentialProvider, cannot provide credentials for https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget
    [CredentialProvider]VstsBuildTaskCredentialProvider - This credential provider must be run under the Team Build tasks for NuGet. Appropriate environment variables must be set.
    [CredentialProvider]VstsBuildTaskServiceEndpointCredentialProvider - This credential provider must be run under the Team Build tasks for NuGet with external endpoint credentials. Appropriate environment variable needs to be set.
    [CredentialProvider]Skipping NuGetCredentialProvider.CredentialProviders.VstsBuildTask.VstsBuildTaskCredentialProvider, cannot provide credentials for https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget
    [CredentialProvider]GET https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget
    [CredentialProvider]Skipping NuGetCredentialProvider.CredentialProviders.Vsts.VstsCredentialProvider, cannot provide credentials for https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget
WARNING: The plugin credential provider could not acquire credentials. Authentication may require manual action. Consider re-running the command with --interactive for `dotnet`, /p:NuGetInteractive="true" for MSBuild or removing the -NonInteractive switch for `NuGet`
  Forbidden https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 2810ms
WARNING: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
Response status code does not indicate success: 403 (Forbidden).
  GET https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1
  Forbidden https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 182ms

WARNING: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
Response status code does not indicate success: 403 (Forbidden).
  GET https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1
  Forbidden https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 177ms

WARNING: Unable to find version '2.3.1' of package 'xunit.runner.console'.
  C:\Users\a-CIUSER\.nuget\packages\: Package 'xunit.runner.console.2.3.1' is not found on source 'C:\Users\a-CIUSER\.nuget\packages\'.
  https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
  Response status code does not indicate success: 403 (Forbidden).

WARNING: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
Response status code does not indicate success: 403 (Forbidden).
WARNING: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
Response status code does not indicate success: 403 (Forbidden).
WARNING: Unable to find version '2.3.1' of package 'xunit.runner.console'.
  C:\Users\a-CIUSER\.nuget\packages\: Package 'xunit.runner.console.2.3.1' is not found on source 'C:\Users\a-CIUSER\.nuget\packages\'.
  https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
  Response status code does not indicate success: 403 (Forbidden).


Errors in packages.config projects
    Unable to find version '2.3.1' of package 'xunit.runner.console'.
      C:\Users\a-CIUSER\.nuget\packages\: Package 'xunit.runner.console.2.3.1' is not found on source 'C:\Users\a-CIUSER\.nuget\packages\'.
      https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
      Response status code does not indicate success: 403 (Forbidden).

NuGet Config files used:
    D:\temp\jgp_classic\nuget.config

Feeds used:
    C:\Users\a-CIUSER\.nuget\packages\
    https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget
  5. Observe passwordless requests and responses in BURP.
GET /artifactory/api/nuget/example-nuget HTTP/1.1
X-NuGet-Session-Id: a2887b9a-63b7-44b2-b22a-bb567837bec6
user-agent: NuGet Command Line/5.2.0 (Microsoft Windows NT 6.1.7601 Service Pack 1)
X-NuGet-Client-Version: 5.2.0
Accept-Language: en-US
Host: artifactory.COMPANY.TLD
Accept-Encoding: gzip, deflate
Connection: close

HTTP/1.1 200 OK
Server: Artifactory/6.11.1
X-Artifactory-Id: 5b8f5b39d030c37a5292a71d537d8b510050617f
X-Artifactory-Node-Id: Artifactory1
DataServiceVersion: 1.0
Content-Type: application/xml;charset=utf-8
Date: Thu, 05 Sep 2019 00:25:00 GMT
Connection: close
Strict-Transport-Security: max-age=31536000;
Content-Length: 577

<?xml version="1.0" encoding="utf-8"?>
<!--
  ~
  ~ Copyright 2016 JFrog Ltd. All rights reserved.
  ~ JFROG PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  -->

<service xmlns="http://www.w3.org/2007/app" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:app="http://www.w3.org/2007/app" xml:base="https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget">
    <workspace>
        <atom:title>Default</atom:title>
        <collection href="Packages">
            <atom:title>Packages</atom:title>
        </collection>
    </workspace>
</service>

GET /artifactory/api/nuget/example-nuget/Packages(Id='xunit.runner.console',Version='2.3.1') HTTP/1.1
Accept: application/atom+xml, application/xml
X-NuGet-Session-Id: 056977a0-ec9f-4cdc-8506-f4e32fe3c089
user-agent: NuGet Command Line/5.2.0 (Microsoft Windows NT 6.1.7601 Service Pack 1)
X-NuGet-Client-Version: 5.2.0
Accept-Language: en-US
Host: artifactory.COMPANY.TLD
Accept-Encoding: gzip, deflate
Connection: close

HTTP/1.1 200 OK
Server: Artifactory/6.11.1
X-Artifactory-Id: 5b8f5b39d030c37a5292a71d537d8b510050617f
X-Artifactory-Node-Id: Artifactory1
DataServiceVersion: 2.0
Content-Type: application/atom+xml;charset=utf-8
Date: Thu, 05 Sep 2019 00:25:00 GMT
Connection: close
Strict-Transport-Security: max-age=31536000;
Content-Length: 3279

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xml:base="https://artifactory.COMPANY.TLD/artifactory/api/nuget/nuget-local/">
  <id>https://artifactory.COMPANY.TLD/artifactory/api/nuget/nuget-local/Packages(Id='xunit.runner.console',Version='2.3.1')</id>
  <lowerCaseId>https://artifactory.COMPANY.TLD/artifactory/api/nuget/nuget-local/packages(id='xunit.runner.console',version='2.3.1')</lowerCaseId>
  <title type="text">xunit.runner.console</title>
  <summary type="text">Console runner for the xUnit.net framework. Capable of running xUnit.net v1.9.2 and v2.0+ tests. Supports .NET 4.5.2 or later, .NET Core 1.x, and .NET Core 2.x.</summary>
  <updated>2018-10-29T15:28:21Z</updated>
  <author>
    <name>James Newkirk,Brad Wilson</name>
  </author>
  <link rel="edit" title="V2FeedPackage" href="Packages(Id='xunit.runner.console',Version='2.3.1')"/>
  <link rel="self" title="V2FeedPackage" href="Packages(Id='xunit.runner.console',Version='2.3.1')"/>
  <category term="NuGetGallery.OData.V2FeedPackage" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme"/>
  <content type="application/zip" src="https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1"/>
  <m:properties xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
    <d:lastUpdated>2018-10-29T15:28:21</d:lastUpdated>
    <d:Version>2.3.1</d:Version>
    <d:Created m:type="Edm.DateTime">2018-10-29T15:28:21</d:Created>
    <d:Dependencies></d:Dependencies>
    <d:Description>Console runner for the xUnit.net framework. Capable of running xUnit.net v1.9.2 and v2.0+ tests. Supports .NET 4.5.2 or later, .NET Core 1.x, and .NET Core 2.x.</d:Description>
    <d:DownloadCount m:type="Edm.Int32">2</d:DownloadCount>
    <d:IconUrl>https://raw.githubusercontent.com/xunit/media/master/logo-512-transparent.png</d:IconUrl>
    <d:IsLatestVersion m:type="Edm.Boolean">true</d:IsLatestVersion>
    <d:IsAbsoluteLatestVersion m:type="Edm.Boolean">true</d:IsAbsoluteLatestVersion>
    <d:IsPrerelease m:type="Edm.Boolean">false</d:IsPrerelease>
    <d:Language m:null="true"/>
    <d:Published m:type="Edm.DateTime">2018-10-29T15:28:21</d:Published>
    <d:LicenseUrl>https://raw.githubusercontent.com/xunit/xunit/master/license.txt</d:LicenseUrl>
    <d:PackageHash>nyiBNOCMzszb9eohU1u922RGKY4ZapXUv7niuGMY/8dbH1RSByf4L439txSu4MSo/zdZH+vj7h8zQozQ+7GzWg==</d:PackageHash>
    <d:PackageHashAlgorithm>SHA512</d:PackageHashAlgorithm>
    <d:PackageSize m:type="Edm.Int64">735916</d:PackageSize>
    <d:ProjectUrl>https://github.com/xunit/xunit</d:ProjectUrl>
    <d:RequireLicenseAcceptance m:type="Edm.Boolean">false</d:RequireLicenseAcceptance>
    <d:Title>xUnit.net [Runner: Console]</d:Title>
    <d:VersionDownloadCount m:type="Edm.Int32">2</d:VersionDownloadCount>
    <d:Authors>James Newkirk,Brad Wilson</d:Authors>
    <d:MinClientVersion m:null="true"/>
    <d:Summary>Console runner for the xUnit.net framework.</d:Summary>
  </m:properties>
</entry>

GET /artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 HTTP/1.1
X-NuGet-Session-Id: af946c0b-07d8-4d2d-a0e2-184682b6aa9c
user-agent: NuGet Command Line/5.2.0 (Microsoft Windows NT 6.1.7601 Service Pack 1)
X-NuGet-Client-Version: 5.2.0
Accept-Language: en-US
Host: artifactory.COMPANY.TLD
Accept-Encoding: gzip, deflate
Connection: close

HTTP/1.1 403 Forbidden
Server: Artifactory/6.11.1
X-Artifactory-Id: fd91a10aaf5e92305bba3b37f8ecc7aa3dcb8dcf
X-Artifactory-Node-Id: art3
Content-Type: application/json
Date: Thu, 05 Sep 2019 00:25:00 GMT
Connection: close
Strict-Transport-Security: max-age=31536000;
Content-Length: 185

{
  "errors" : [ {
    "status" : 403,
    "message" : "Download request for repo:path 'example-nuget-local:xunit.runner.console.2.3.1.nupkg' is forbidden for user 'anonymous'."
  } ]
}
  6. Similarly, the older nuget.exe v. 4.9.4 shows 403 Forbidden.
D:\temp\jgp_classic>d:\util\nuget restore -configfile nuget.config -v d -DisableParallelProcessing -NonInteractive
NuGet Version: 4.9.4.5839
Restoring NuGet packages for solution D:\temp\jgp_classic\DotNetClassic_Library.sln.
MSBuild auto-detection: using msbuild version '16.0.461.62831' from 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\bin'. Use option -MSBuildVersion to force nuget to use a specific version of MSBuild.
MSBuild P2P timeout [ms]: 120000
C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\bin\msbuild.exe "C:\Users\a-CIUSER\AppData\Local\Temp\NuGetScratch\ihwnphjw.jtt.nugetinputs.targets" /t:GenerateRestoreGraphFile /nologo /nr:false /v:q /p:NuGetRestoreTargets="C:\Users\a-CIUSER\AppData\Local\Temp\NuGetScratch\icpnoxqu.mwn.nugetrestore.targets" /p:RestoreUseCustomAfterTargets="True" /p:RestoreTaskAssemblyFile="d:\util\nuget.exe" /p:RestoreSolutionDirectory="D:\temp\jgp_classic\\" /p:RestoreConfigFile="nuget.config" /p:SolutionDir="D:\temp\jgp_classic\\" /p:SolutionName="DotNetClassic_Library"

Restoring NuGet package xunit.runner.console.2.3.1.
Missing C:\Users\a-CIUSER\.nuget\packages\xunit.runner.console\2.3.1\xunit.runner.console.2.3.1.nupkg
  CACHE https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Packages(Id='xunit.runner.console',Version='2.3.1')
  GET https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1
Using credentials from config. UserName: USER
  Forbidden https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 919ms

WARNING: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
Response status code does not indicate success: 403 (Forbidden).
  GET https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1
  Forbidden https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 475ms

WARNING: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
Response status code does not indicate success: 403 (Forbidden).
  GET https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1
  Forbidden https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 313ms

WARNING: Unable to find version '2.3.1' of package 'xunit.runner.console'.
  C:\Users\a-CIUSER\.nuget\packages\: Package 'xunit.runner.console.2.3.1' is not found on source 'C:\Users\a-CIUSER\.nuget\packages\'.
  https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
  Response status code does not indicate success: 403 (Forbidden).

WARNING: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
Response status code does not indicate success: 403 (Forbidden).
WARNING: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
Response status code does not indicate success: 403 (Forbidden).
WARNING: Unable to find version '2.3.1' of package 'xunit.runner.console'.
  C:\Users\a-CIUSER\.nuget\packages\: Package 'xunit.runner.console.2.3.1' is not found on source 'C:\Users\a-CIUSER\.nuget\packages\'.
  https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
  Response status code does not indicate success: 403 (Forbidden).


Errors in packages.config projects
    Unable to find version '2.3.1' of package 'xunit.runner.console'.
      C:\Users\a-CIUSER\.nuget\packages\: Package 'xunit.runner.console.2.3.1' is not found on source 'C:\Users\a-CIUSER\.nuget\packages\'.
      https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget: Error downloading 'xunit.runner.console.2.3.1' from 'https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1'.
      Response status code does not indicate success: 403 (Forbidden).

NuGet Config files used:
    D:\temp\jgp_classic\nuget.config

Feeds used:
    C:\Users\a-CIUSER\.nuget\packages\
    https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget
  7. A BURP trace of the 4.9.4 client follows.
GET /artifactory/api/nuget/example-nuget HTTP/1.1
X-NuGet-Session-Id: 98d52ea7-b203-46a4-bd5b-fc1c0a2b3d7b
user-agent: NuGet Command Line/4.9.4 (Microsoft Windows NT 6.1.7601 Service Pack 1)
X-NuGet-Client-Version: 4.9.4
Accept-Language: en-US
Host: artifactory.COMPANY.TLD
Accept-Encoding: gzip, deflate
Connection: close

HTTP/1.1 200 OK
Server: Artifactory/6.11.1
X-Artifactory-Id: fd91a10aaf5e92305bba3b37f8ecc7aa3dcb8dcf
X-Artifactory-Node-Id: art3
DataServiceVersion: 1.0
Content-Type: application/xml;charset=utf-8
Date: Thu, 05 Sep 2019 00:36:58 GMT
Connection: close
Strict-Transport-Security: max-age=31536000;
Content-Length: 577

<?xml version="1.0" encoding="utf-8"?>
<!--
  ~
  ~ Copyright 2016 JFrog Ltd. All rights reserved.
  ~ JFROG PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  -->

<service xmlns="http://www.w3.org/2007/app" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:app="http://www.w3.org/2007/app" xml:base="https://artifactory.COMPANY.TLD/artifactory/api/nuget/example-nuget">
    <workspace>
        <atom:title>Default</atom:title>
        <collection href="Packages">
            <atom:title>Packages</atom:title>
        </collection>
    </workspace>
</service>

GET /artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 HTTP/1.1
X-NuGet-Session-Id: 67175435-7ae7-4b91-b0f9-62d0ecef1370
user-agent: NuGet Command Line/4.9.4 (Microsoft Windows NT 6.1.7601 Service Pack 1)
X-NuGet-Client-Version: 4.9.4
Accept-Language: en-US
Host: artifactory.COMPANY.TLD
Accept-Encoding: gzip, deflate
Connection: close

HTTP/1.1 403 Forbidden
Server: Artifactory/6.11.1
X-Artifactory-Id: fd91a10aaf5e92305bba3b37f8ecc7aa3dcb8dcf
X-Artifactory-Node-Id: art3
Content-Type: application/json
Date: Thu, 05 Sep 2019 00:36:58 GMT
Connection: close
Strict-Transport-Security: max-age=31536000;
Content-Length: 185

{
  "errors" : [ {
    "status" : 403,
    "message" : "Download request for repo:path 'example-nuget-local:xunit.runner.console.2.3.1.nupkg' is forbidden for user 'anonymous'."
  } ]
}
@nkolev92
Member

Hey @ilatypov Thanks for the detailed issue. Apologies for the late response, I hope you were able to figure out the solution here.

The biggest takeaway is that NuGet is not correlating the source and credentials.
That on its own is easy to reproduce.

Unfortunately I was not able to reproduce this with the config provided.

At some point we had #7516. Does your source name have spaces?

Thanks.

@nkolev92 nkolev92 added Type:Bug WaitingForCustomer Applied when a NuGet triage person needs more info from the OP Pipeline:Backlog and removed Pipeline:New Issues labels Apr 17, 2020
@ilatypov
Author

ilatypov commented Apr 18, 2020

I suspect that nuget tries the passwordless GET /../api/../Packages(Id='...') request first, sees its success, then assumes that the download can be passwordless as well. (Why Artifactory has the inconsistency between the search and the download access, that is another story).

nuget should stop making the assumption (if it did) and stop even trying the passwordless queries.

@nkolev92
Member

Each request to a server is treated individually.
So NuGet won't assume that a request doesn't need creds.

You pointing out that it's the packages endpoint that's failing makes me think that it might be related to #2869, since they both use the same underlying infrastructure.

@nkolev92 nkolev92 added Category:Quality Week Issues that should be considered for quality week Priority:2 Issues for the current backlog. Triage:Investigate and removed WaitingForCustomer Applied when a NuGet triage person needs more info from the OP labels Apr 20, 2020
@ckolumbus

ckolumbus commented Nov 11, 2021

I am encountering the same issue right now. AFAIK the problem scenario matches the one described by @ilatypov, and I created a minimal setup where I have set up a nuget.config with the feed configuration and access credentials, and a nuget install PostSharp fails for authenticated feeds.

The curl examples above show similar results. I've also tried to set up ClearTextPasswords in the nuget.config to make sure that the same credentials are used for nuget.exe as well as curl.exe.

One DIFFERENCE though: when calling curl with no credentials at all, I get a 404 Not Found, not a 401 Unauthorized. Maybe this impacts nuget.

My version setup:

  • nuget 6.0.0.280
  • Artifactory 7.25.7

I'll also try to get some feedback from the JFrog guys regarding this.

@ckolumbus

SOLVED at least for me: you need to enable "Force Authentication" on the protected nuget feeds in Artifactory. Here's the StackOverflow reference that solved it for me.
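
The thread's resolution implies a check that can be run on any proxy capture of a restore: find requests that were refused without a `401` challenge and never retried with an `Authorization` header. The Python below is an added example, not code from the thread, NuGet or Artifactory. It assumes the client attaches configured credentials only in reply to a `401` with `WWW-Authenticate`, and both traces are constructed samples modelled on the capture in the issue (the realm and the redacted header value are placeholders).

```python
import re
from dataclasses import dataclass, field

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
DOWNLOAD = "/artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1"

# Constructed sample: anonymous metadata lookup succeeds, download is refused with 403.
BEFORE_TRACE = """\
GET /artifactory/api/nuget/example-nuget/Packages(Id='xunit.runner.console',Version='2.3.1') HTTP/1.1
Host: artifactory.COMPANY.TLD

HTTP/1.1 200 OK
Content-Type: application/atom+xml;charset=utf-8

GET /artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 HTTP/1.1
Host: artifactory.COMPANY.TLD

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "errors" : [ { "status" : 403, "message" : "forbidden for user 'anonymous'" } ]
}
"""

# Constructed sample: the same download once the feed challenges anonymous requests.
AFTER_TRACE = """\
GET /artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 HTTP/1.1
Host: artifactory.COMPANY.TLD

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="constructed-realm"

GET /artifactory/api/nuget/example-nuget/Download/xunit.runner.console/2.3.1 HTTP/1.1
Host: artifactory.COMPANY.TLD
Authorization: Basic REDACTED

HTTP/1.1 200 OK
Content-Type: application/x-nupkg
"""


@dataclass
class Exchange:
    method: str
    path: str
    status: int = 0
    req_headers: dict = field(default_factory=dict)
    resp_headers: dict = field(default_factory=dict)


def parse_trace(text):
    """Pair each request with its final response; message bodies are skipped."""
    exchanges, headers = [], None
    for line in text.splitlines():
        req, resp = REQUEST_LINE.match(line), STATUS_LINE.match(line)
        if req:
            exchanges.append(Exchange(req.group(1), req.group(2)))
            headers = exchanges[-1].req_headers
        elif resp:
            code, headers = int(resp.group(1)), None
            # Ignore 1xx interim replies; keep the first final status per request.
            if code >= 200 and exchanges and exchanges[-1].status == 0:
                exchanges[-1].status = code
                headers = exchanges[-1].resp_headers
        elif not line.strip():
            headers = None  # blank line ends the header section
        elif headers is not None and ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return [e for e in exchanges if e.status]


def classify(ex):
    """Label one exchange by whether credentials were sent and how the server replied."""
    if "authorization" in ex.req_headers:
        return "authenticated-ok" if ex.status < 400 else "credentials-rejected"
    if ex.status < 400:
        return "anonymous-ok"
    if ex.status == 401 and "www-authenticate" in ex.resp_headers:
        return "challenge"
    if ex.status in (401, 403, 404):
        return "denied-without-challenge"
    return "other-error"


def silent_denials(exchanges):
    """Paths refused with no challenge and never retried with credentials."""
    authed = {e.path for e in exchanges if "authorization" in e.req_headers}
    found = []
    for e in exchanges:
        hit = (e.path, e.status)
        if classify(e) == "denied-without-challenge" and e.path not in authed and hit not in found:
            found.append(hit)
    return found


if __name__ == "__main__":
    for name, trace in (("before", BEFORE_TRACE), ("after", AFTER_TRACE)):
        parsed = parse_trace(trace)
        print(name, [classify(e) for e in parsed], silent_denials(parsed))
```

A non-empty `silent_denials` result points at the feed's anonymous-access settings rather than at the credentials in nuget.config.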
