Azure DevOps: pipeline can't use NuGet package from artifact

Question

I'm trying to use a Azure DevOps Server 2019 (née TFS) project in multiple ways:

• the Repos feature to keep the code,
• the Artifacts feature to add some private packages,
• the Pipelines feature to do CI (mainly just pull the packages, build from the code, publish to a staging server)

(Presumably, this sort of integration is the entire point.)

My pipeline has a .NET Core Restore step, which has Path to NuGet.config set to a custom config inside the repo. So far, so good.

The config looks like:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />

    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="(some private server)" value="http://nuget.example/NuGet" /> <!-- (this one works fine!) -->
    <add key="(the actual private feed in question)" value="https://azure-devops.example/MyCollection/_packaging/MyProject/nuget/v3/index.json" />
  </packageSources>
</configuration>

In the build log, I do see that that config is respected, in that all three above sources are being used. However, the third fails with an error:

         NuGet.Protocol.Core.Types.FatalProtocolException: Unable to load the service index for source https://azure-devops.example/MyCollection/_packaging/MyProject/nuget/v3/index.json.
          ---> System.ComponentModel.Win32Exception (0x8009030E): No credentials are available in the security package.
            at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatusPal& statusCode)
            at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
            at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean isProxyAuth, HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
            at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync(HttpConnection connection, HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
            at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
            at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
            at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
            at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
            at NuGet.Protocol.ServerWarningLogHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
            at NuGet.Protocol.HttpSourceAuthenticationHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
            at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
            at NuGet.Protocol.TimeoutUtility.StartWithTimeout[T](Func`2 getTask, TimeSpan timeout, String timeoutMessage, CancellationToken token)
            at NuGet.Protocol.HttpRetryHandler.SendAsync(HttpRetryHandlerRequest request, ILogger log, CancellationToken cancellationToken)
            at NuGet.Protocol.HttpSource.GetThrottledResponse(Func`1 requestFactory, TimeSpan requestTimeout, TimeSpan downloadTimeout, Int32 maxTries, Guid sessionId, ILogger log, CancellationToken cancellationToken)
            at NuGet.Protocol.HttpSource.<>c__DisplayClass14_0`1.<<GetAsync>b__0>d.MoveNext()

This looks like some authentication problem, but it really sounds like it doesn't actually try to authenticate.

I've run out of possible causes:

• The build agent runs at its own user tfsbuildagent. I've explicitly added that the feed permissions as a contributor (even though reader is presumably enough).
• I've changed it from a local user to one in the Active Directory domain, in case local users don't work properly.
• I've upgraded from 2019 to 2019.1.1, lest it is a bug.
• I've tried adding a service connection to the Credentials for feeds outside this organization/collection field. But this feed isn't outside. It's the very same project!

My guess is I need to tell it how to authenticate (just use current Windows credentials), but I can't make out from the exception what it's even trying and failing at.

Answer 1

It looks like something wrong with dotnet restore task in Azure DevOps Server 2019. It's still one open issue in github/azure-pipelines-tasks.

As a workaround: You can use a command-line task to call dotnet/nuget(latest nuget.exe) cli directly to restore nuget packages for your solution. (In your build server, restore those packages successfully before do that in Azure Devops Server)

More details and more available workarounds you can refer to this Microsoft engineer's suggestions.