A little info on our setup:
So this has worked for a few months now (the new piece being the package feed for our own-developed NuGet packages). On an MVC project utilizing our build servers, the NuGet Restore task fails when trying to connect to our package feed. On fail, the message is:
http://TFS_URL:8080/tfs/Development/_packaging/CustomNuGetFeed/nuget/v3/index.json: Unable to load the service index for source http://TFS_URL:8080/tfs/Development/_packaging/CustomNuGetFeed/nuget/v3/index.json.
Response status code does not indicate success: 401 (Unauthorized).
That's all the info that the build log spits out; I dove deeper and spun up WireShark and got the following:
Request
GET /tfs/Development/_packaging/CustomNuGetFeed/nuget/v3/index.json HTTP/1.1
user-agent: NuGet Command Line/4.4.1 (Microsoft Windows NT 6.2.9200.0)
X-NuGet-Client-Version: 4.4.1
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Authorization: Basic <base64_token>
Host: tfs:8080
Response
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-TFS-ProcessId: d9a45aba-cc82-4f2c-98a3-e4441bfa456f
ActivityId: e780f2d6-1216-46ac-8c66-cb89379c7811
X-TFS-Session: e780f2d6-1216-46ac-8c66-cb89379c7811
X-VSS-E2EID: e780f2d6-1216-46ac-8c66-cb89379c7811
X-FRAME-OPTIONS: SAMEORIGIN
WWW-Authenticate: Bearer
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="tfs"
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Lfs-Authenticate: NTLM
X-Content-Type-Options: nosniff
Date: Tue, 16 Oct 2018 19:57:17 GMT
Content-Length: 1293
Response page message
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
However, there's a .NET Core app that still restores packages fine as far as I can tell (unless it's only retrieving the packages from cache).
The credentials for the service account have not changed at all. I've made sure the service accounts have access to the feed, according to these docs: https://learn.microsoft.com/en-us/azure/devops/artifacts/feeds/feed-permissions?view=vsts&tabs=previous-nav
I've also tried disabling Basic Auth in IIS for the TFS site on the TFS server, and enabling Windows auth. Neither of which worked either.
So I'm at a loss at what the issue could be from all that I've tried/looked into.
Even after upgrading to Azure DevOps Server 2019.0.1, I was still receiving a 401 Unauthorized when attempting to authenticate to a package feed that was hosted in the same collection.
Workaround
The work around I had used was to place the package binaries inside the build server's package cache folder, located here: C:\Users\.nuget\packages
Working Solution
However a solution has been found with the help of Microsoft's VS Community. An updated cred provider needs to be used with the NuGet Restore task.
Nuget 4.8+ needs to be used for this to work, and then 2 build variables need to be added to the build definition: NuGet_ForceEnableCredentialProviderV2 = true NuGet.ForceEnableCredentialProvider = false
According to a Microsoft rep, this will be enabled by default on ADOS 2019.1 update.
You can view the full thread here: https://developercommunity.visualstudio.com/content/problem/360323/tfs-build-agent-cant-connect-to-package-feed.html