Michael Hancock

Reputation: 2855

Azure Artifacts Private npm Feed Authentication Failed

A few months ago I created a private npm feed in Azure Artifacts. Authentication with this feed worked fine.

Recently others have started using this feed, and authentication is not working for them using the tokens they have generated from Azure Artifacts. When running npm install they get the following error:

npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR! npm login

In the npm debug log there is this error:

verbose stack Error: Unable to authenticate, need: Bearer, Basic realm="{{redacted url}}", NTLM


It appears that the structure of the authentication token which we put in the global .npmrc file has changed in Azure Artifacts.

From:

; Treat this auth token like a password. Do not share it with anyone, including Microsoft support. This token expires on or before 27/02/2020.
; begin auth token
//{{redacted URL}}/_packaging/{{redacted user name}}/npm/registry/:_authToken={{redacted token string}}
//{{redacted URL}}/_packaging/{{redacted user name}}/npm/:_authToken={{redacted token string}}
; end auth token

To:

; Treat this auth token like a password. Do not share it with anyone, including Microsoft support. This token expires on or before 14/04/2020.
; begin auth token
//{{redacted url}}/npm/registry/:username={{redacted username}}
//{{redacted url}}/npm/registry/:_password={{redacted password}}
//{{redacted url}}/npm/registry/:email=npm requires email to be set but doesn't use the value
//{{redacted url}}/_packaging/{{redacted username}}/npm/:username={{redacted user name}}
//{{redacted url}}/_packaging/{{redacted username}}/npm/:_password={{redacted password}}
//{{redacted url}}/_packaging/{{redacted username}}/npm/:email=npm requires email to be set but doesn't use the value
; end auth token

When the second token is used (or indeed any of the tokens I now generate from Azure Artifacts), we cannot npm install, we get the error shown above. If other people use the same token (in the old format) as I have, this works fine. But this token will expire soon.

I have tried providing an email address instead of the strings "npm requires email to be set but doesn't use the value" but this also did not work.

This may be unrelated, but we recently upgraded from TFS version 16.131.28507.4 to Azure DevOps Server version Dev17.M153.3.

Does anyone know why the authentication token format has changed? And/or how I can make the new tokens work with my private feed?


npm version: 6.13.0

node version: 10.12.0

Azure Devops Server version: Dev17.M153.3

Upvotes: 7

Views: 2882

Answers (2)

Michael Hancock

Reputation: 2855

After further investigation and a conversation with Microsoft Azure support we determined what was causing the issue for us.

The new format of tokens which has been rolled out for Azure Artifacts no longer works if your instance of TFS (Azure DevOps) is hosted on a machine which is running IIS Basic Authentication. This probably then only applies to people hosting their TFS instance themselves on premises.

The only workaround available is to modify this new token and put a TFS user’s username and Base64-encoded password into the token string after the registry/:username= and registry/:_password= strings in the two places that these appear. This is not ideal as you effectively have to store a password in almost plain text on your build server. But it seems that is now your only choice if you do need IIS Basic Authentication enabled. Disabling this and using a different authentication scheme does fix the token authentication and you can avoid having to do the above.

Upvotes: 1
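
The workaround in the answer above leaves a Base64-encoded password in .npmrc. As an added example (not part of the original post and not Azure's or npm's own tooling), this Node.js function audits .npmrc text in the two layouts shown in the question and flags `_password` entries as reversible without printing them. The host, feed names and credentials are constructed placeholders, and the dd/mm/yyyy expiry format is an assumption taken from the question's dates.

```javascript
// Constructed sample: placeholder host, feeds and credentials in the layouts from the question.
const SAMPLE_NPMRC = `
; This token expires on or before 14/04/2020.
//tfs.example.test/_packaging/feed/npm/registry/:username=builduser
//tfs.example.test/_packaging/feed/npm/registry/:_password=${Buffer.from('not-a-real-secret').toString('base64')}
//tfs.example.test/_packaging/feed/npm/registry/:email=unused
//tfs.example.test/_packaging/other/npm/registry/:_authToken=placeholder-token
//tfs.example.test/_packaging/broken/npm/registry/:_password=abc
`;

// Returns one finding per credential found, plus whether the expiry comment is in the past.
function auditNpmrc(text, now = new Date()) {
  const scopes = new Map();
  let expires = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    // Assumption: the expiry comment is dd/mm/yyyy, as the question's dates suggest.
    const exp = line.match(/^;.*expires on or before (\d{2})\/(\d{2})\/(\d{4})/);
    if (exp) expires = new Date(Date.UTC(+exp[3], +exp[2] - 1, +exp[1]));
    // Credential lines look like //host/path/:key=value
    const m = line.match(/^(\/\/\S+?\/):(_authToken|_password|username|email)=(.*)$/);
    if (!m) continue;
    if (!scopes.has(m[1])) scopes.set(m[1], {});
    scopes.get(m[1])[m[2]] = m[3];
  }
  const findings = [];
  for (const [scope, f] of scopes) {
    // _authToken is sent as a Bearer token; username/_password as Basic credentials.
    if (f._authToken !== undefined) findings.push({ scope, kind: 'bearer-token', issue: null });
    if (f._password !== undefined) {
      const b64 = /^[A-Za-z0-9+\/]+={0,2}$/.test(f._password) && f._password.length % 4 === 0;
      const issue = f.username === undefined ? 'password-without-username'
        : !b64 ? 'password-not-base64'
        : 'reversible-secret'; // Base64 is an encoding, not encryption
      // Report only the decoded length, never the secret itself.
      const decodedLength = b64 ? Buffer.from(f._password, 'base64').length : 0;
      findings.push({ scope, kind: 'basic', issue, decodedLength });
    }
  }
  return { findings, expired: expires !== null && expires < now };
}

console.log(JSON.stringify(auditNpmrc(SAMPLE_NPMRC), null, 2));
```

A `reversible-secret` finding on a build server is a reason to restrict read access to that .npmrc and to use a dedicated low-privilege account for the feed.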

David

Reputation: 11

I'm not sure if this causes your problem - on our Azure DevOps instance, we recently had conditional access enabled, which can disable a lot of the PAT/token based authentication streams without a clear error message - e.g. if you are using the token outside of your normal machine/access route (we were passing a token to a build service that we couldn't use 2FA to authenticate from, and it just stopped working overnight).

Upvotes: 0
