配置 NuGet 服务器以使用身份验证 [英] Configuring NuGet server to use Authentication

问题描述

NuGet 1.5 状态的发行说明

The release notes for NuGet 1.5 state

NuGet now supports connecting to private repositories that require basic 
or NTLM authentication.

但是，其中包含的链接只是指向 托管您自己的 nugetfeeds 页面，没有进一步提及如何设置身份验证.

However, the link contained in there simply leads to the hosting your own nuget feeds page, without any further mention of how to set up authentication.

我想设置一个可以通过 https 从 Internet 访问的 NuGet 服务器，但只允许成功通过身份验证的人查看或下载服务器上的包.

I would like to set up a NuGet server that is accessible via https from the internet, but only allows people who can successfully authenticate to view or download the packages on the server.

我确实创建了一个没有身份验证的应用程序，如 文档，它在 Intranet 上运行良好.我需要做什么才能在这个 repo 上启用身份验证?

I did create an application without auth as described in the Creating Remote Feeds section in the documentation, and it works nicely on the intranet. What do I have to do to enable authentication on this repo?

另外一个要求是解决方案不应花费数百美元(前两个答案宣传可能解决问题但成本很高的产品).

An additional requirement would be that solution should not cost hundreds of dollars (the first two answers promote products that might solve the problem but cost a lot).

推荐答案

这可以通过在网站上启用 Windows 身份验证并通过 Sources 命令行选项，默认情况下，凭据使用限制为的 DPAPI 密钥存储当前机器上的当前用户(因此，对于构建服务器，您需要在使用服务帐户登录时添加凭据.)

This can be done by enabling Windows Authentication on the Web Site and adding credentials on the build server via the Sources command-line option, by default the credentials are stored using a DPAPI key restricted to the current user on the current machine (thus, for a build server, you would need to add credentials while logged in under the service account.)

对于开发人员工作站，您只需在 NuGet 包管理器中添加提要，然后在刷新提要时输入/存储凭据(应该会提示您.)

For Developer workstations you only need to add the feed in NuGet Package Manager and then input/store credentials when refreshing the feed (you should be prompted.)

第 1 步 - 要求在 NuGet 服务器上进行身份验证(IIS 配置)

您需要确保为 IIS 安装了您希望使用的身份验证模块，对于 NTLM 身份验证，您将需要 Windows 身份验证模块.安装后，您可以打开 IIS 管理器并深入了解您的网站，打开身份验证设置并启用 Windows 身份验证，请务必禁用您不想支持的任何身份验证模块(例如匿名、基本等)

You need to make sure the authentication module you wish to use is installed for IIS, for NTLM auth you will need the Windows Authentication module. Once installed you can open IIS Manager and drill down to your website, open the Authentication settings and Enable Windows Authentication, be sure to disable any authentication modules you do not want to support (such as Anonymous, Basic, etc.)

要确保使用用户凭据，请右键单击站点并选择高级设置"，然后单击物理路径凭据"按钮.在对话框中确保Application User (pass-through authentication)"被选中.

To ensure that user credentials are used, right-click on the Site and select "Advanced Settings", then click on the button for "Physical Path Credentials". In the dialog ensure that "Application User (pass-through authentication)" is selected.

有关 Windows 身份验证的标准 IIS 配置的更多详细信息，请参见 在 TechNet 上，包括从命令行配置和启用协商(如果那是您的目标.)

More detailed information about standard IIS configuration for Windows Authentication can be found on TechNet including configuring from a command-line and enabling Negotiate (if that was your goal.)

第 2 步 - 将源添加到 NuGet 配置(构建服务器、发布者)

nuget.exe sources add -Name "Fabrikam Feed" -Source "https://nuget.fabrikam.com:443/nuget/"
nuget.exe sources add -Name "Fabirkam Publish" -Source "https://nuget.fabirkam.com:443/"

这里我们添加了两个条目，一个将用作正常的、经过身份验证的 Feed URL(用于从服务器获取包.)第二个将用于发布到服务器(添加或更新 nupkg 文件.)

Here we are adding two entries, one which will be used as the normal, authenticated Feed URL (for fetching packages from the server.) The second will be used for publishing to the server (adding or updating nupkg files.)

第 3 步 - 更新添加源的凭据(构建服务器、发布者)

nuget.exe sources update -Name "Fabrikam Feed" -Source "https://nuget.fabrikam.com:443/nuget/" -UserName "Developer" -Password "g0d"
nuget.exe sources update -Name "Fabrikam Publish" -Source "https://nuget.fabrikam.com:443/" -UserName "Developer" -Password "g0d"

我们在此处为配置添加了凭据，如果您查看 %APPDATA%NuGetNuGet.config，您应该会看到您添加的提要以及加密的凭据.

Here we have added credentials to the config, if you view %APPDATA%NuGetNuGet.config you should see the feeds you have added as well as encrypted credentials.

如果您无法以服务器身份登录，则可以使用 StorePasswordInClearText 选项以明文形式存储凭据，但不建议在共享环境中这样做.

If you do not have the ability to log in as the server it is possible to store credentials in clear text by utilizing the StorePasswordInClearText option, but this is not advised in a shared environment.

第 4 步 -(可选)在 Visual Studio(开发人员)中禁用发布 URL

打开 Visual Studio 并导航到 NuGet 包管理器设置对话框，取消选中Fabrikam Publish".喂养.这不会影响您发布的能力，但是，如果您不禁用此提要，您将在尝试刷新所有"的包时收到错误消息.来源(因为它是发布 URL，而不是提要 URL.)

Open Visual Studio and navigate to the NuGet Package Manager Settings Dialog, untick the "Fabrikam Publish" feed. This will not affect your ability to publish, however, if you do not disable this feed you will receive errors when you try and refresh packages for "All" sources (as it is a publish URL, not a feed URL.)

第 5 步 -(可选)在 Visual Studio 中存储 Windows 凭据(开发人员)

打开 Visual Studio 并导航到 NuGet 包管理器，单击Fabrikam Feed".应提示您输入凭据.您可以在此处输入凭据并勾选保存/记住选项.这可确保尝试在 Visual Studio 中刷新提要不会不断要求提供凭据.在最新版本的 NuGet 包管理器中，提要是使用标准 HTTP 请求获取的，并且不会使用您存储到 nuget.config 的凭据.

Open Visual Studio and navigate to the NuGet Package Manager, click on "Fabrikam Feed". You should be prompted for credentials. You can enter credentials here and tick the save/remember options. This ensures that attempting to refresh the feed in Visual Studio doesn't constantly ask for credentials. In the latest releases of NuGet Package Manager the feed is fetched using a standard HTTP request and the credentials you've stored to nuget.config are NOT used.

注意事项:

1. 您不需要第三方解决方案来托管私密、安全的订阅源.NuGet 服务器免费提供，并且 IIS 和 NuGet 工具都支持 NTLM/AD/Windows 安全性.

1. You do not need a third party solution to host private, secure feeds. NuGet server is freely available and NTLM/AD/Windows security is supported by both IIS and NuGet tooling.

不需要发布到提要的开发人员不需要在他们的配置中存储凭据.他们也不需要配置发布"提要.这仅对构建服务器或其他发布者是必需的(参考:步骤 2 和 3.)

Developers who do not need to publish to the feed do not need to store credentials in their config. They also do not need a 'Publish' feed configured. This is only necessary for build servers or other publishers (re: Steps 2 and 3.)

所有将使用软件包提要的开发人员都会对第 5 步感兴趣，这应该是大多数开发人员所需的全部内容.他们可以简单地从 Visual Studio 中添加提要，然后在出现提示时输入他们的凭据.

All developers who will use the package feed will be interested in Step 5, this should be all that is required for most developers. They can simply add the feed from within Visual Studio, then enter their credentials when prompted.

如果凭据发生更改，您可以导航至开始 ->管理 Windows 凭据并删除VSCredentials_nuget.fabrikam.com".

If credentials change you can navigate to Start -> Manage Windows Credentials and delete "VSCredentials_nuget.fabrikam.com".

第 2 步可以在 Visual Studio 中执行，但为了清楚起见，我在这里给出了命令行.但是，第 3 步必须通过命令行(或使用 NuGet API)执行.

Step 2 can be performed in visual studio, but for clarity I've given the command-line here. Step 3, however, must be performed via command-line (or using the NuGet APIs.)

在 NuGet 的未来版本中，有传言称凭据信息可以存储在解决方案或项目级别(细节尚不清楚)，这可能只对多租户构建环境中的人们感兴趣，而他们不这样做可以访问构建服务器.

In a future release of NuGet rumor is credential information can be stored at the solution or project level (details are unclear), this is likely only of interest to people in a multi-tenant build environment where they do not have access to the build server.

希望这对其他人有帮助！

Hope this helps someone else out there!

这篇关于配置 NuGet 服务器以使用身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！