Home > Enterprise >  How to force the PS Find-Module command to use basic authentication (with PAT) in Windows Domain whe
How to force the PS Find-Module command to use basic authentication (with PAT) in Windows Domain whe

Time:09-09

I can invoke Find-Module without the -Credential argument and it works just fine. This is because:

  1. the module in question is found on an on-prem NuGet repo in the Windows Domain
  2. the default authentication is NTLM

Now I really want to use PAT, which forces me to pass the -Credential argument. However, in order to work the authentication must be switched to Basic. And this is where I am stuck.

I know how to configure the NuGet source with the PAT credentials (and ValidAuthenticationTypes = basic), so I am able to use nuget.exe with PAT. But I specifically need Find-Module (and Install-Module) to work.

This happens both on Windows Powershell and on PS Core. Here is Get-Module output on PS Core:

C:\Users\p11f70f> get-module

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Manifest   7.0.0.0               Microsoft.PowerShell.Management     {Add-Content, Clear-Content, Clear-Item, Clear-It…
Manifest   7.0.0.0               Microsoft.PowerShell.Security       {ConvertFrom-SecureString, ConvertTo-SecureString…
Manifest   7.0.0.0               Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Ob…
Script     1.4.8.1               PackageManagement                   {Find-Package, Find-PackageProvider, Get-Package,…
Script     1.0.0                 Posh-Git                            {Add-PoshGitToProfile, Expand-GitCommand, Format-…
Script     2.2.5                 PowerShellGet                       {Find-Command, Find-DscResource, Find-Module, Fin…
Script     2.1.0                 PSReadLine                          {Get-PSReadLineKeyHandler, Get-PSReadLineOption, …

C:\Users\p11f70f>

CodePudding user response:

Using ILSpy I traced the execution of the Find-Module and my conclusion is that it is impossible to make it work with PAT if the server prefers NTLM.

This is quite frastrating, because some PS flows use in-house logic to interact with the NuGet server (like Find-Module and Install-Module) yet other flows fallback to dotnet.exe nuget or nuget.exe (like Publish-Module)

The latter recognize the PAT credentials saved in the $env:APPData\NuGet\NuGet.config file and the most importantly respect the validAuthenticationTypes property which forces them to override NTLM with Basic authentication.

The in-house PS logic does nothing of the kind. Moreover, it gets poisoned by the saved PAT credentials, which would be used with NTLM, which is totally wrong.

What a mess.

  • Related