Cannot restore packages from secured feed without write permissions on global nuget.config


Example scenario which is currently unsupported:
NuGet package restore from a secured package source during deployments to Windows Azure Web Sites is impossible.


  • Encrypted package source credentials are machine bound / non-portable
  • Kudu process does not have write permissions on %appdata%\nuget\nuget.config (likely because of shared environment)
  • Kudu process is running impersonated or without user profile loaded, which makes nuget.exe throw a CryptographicException during password encryption
  • No support for passing in -Username / -Password to nuget.exe install command
  • My pull request to support clear-text credentials in local nuget.config is still under review :-)
Edit, the following is no longer applicable as the new -ConfigFile command option fixed this:
  • <strikethrough>Storing encrypted package source credentials only supports %appdata%\nuget\nuget.config (no way to target a local config for on-the-fly encrypting & storing of credentials)</strikethrough> (just fell in love with the codeplex rich editor here...)
I can't find any working approach to support this scenario with the current version of NuGet.
Closed Apr 12, 2013 at 7:26 AM by JeffHandley


XavierDecoster wrote Mar 24, 2013 at 2:01 PM

Just noticed the new -ConfigFile command option, works great on NuGet side :)
I'm adding the package src + credentials on-the-fly during pre-package-restore in the local nuget.config (and remove them after pkg install).

But... now I think the issue turns into a Windows Azure Web Sites issue, because of this:
C:\DWASFiles\Sites\securedpackagerestore\VirtualDirectory0\site\repository\.nuget\nuget.targets(92,7): error : System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating. 
This exception is thrown during the following command in my nuget.targets:
$(NuGetCommand) sources update -name MySecureFeed -User xavierdecoster -Password somepassword -verbosity detailed -ConfigFile nuget.config

dotnetjunky wrote Mar 24, 2013 at 4:44 PM

Fixed in changeset 26f2e70d610f

dotnetjunky wrote Mar 28, 2013 at 5:07 PM

Fixed in changeset 26f2e70d610f9549916399be77842ef278aed8c8

danliu wrote Apr 10, 2013 at 11:25 PM

** Closed by danliu 04/10/2013 4:25PM