
401 Unauthorized error with WebDeploy using non-administrator user

<TLDR>
Is it at all possible to use MS Web Deploy to deploy a web application to a remote host from the command line with a non-administrator user?
</TLDR>

I have followed every point in Microsoft's guide for Installing and Configuring Web Deploy. My goal is to be able to do a remote web deploy with an IIS user/non-administrator user.

After doing all the steps as described under Install and configure web deploy for non-administrator deployments, I get the following log messages (indicating that everything is OK):

Publish enabled for 'deploy_user'
Granted 'deploy_user' full control on 'C:\inetpub\wwwroot'
Successfully created settings file 'C:\Users\...\Desktop\deploy_user_Default Web Site.PublishSettings'

Next, when I from my local machine try to run the following command:

.\my_deploy_package.cmd /M:https://machine_name:8172/msdeploy.axd -allowUntrusted /U:deploy_user /P:deploy_password /A:Basic /T

I get an error message saying: Error: The remote server returned an error: (401) Unauthorized.

If I on the target machine go into the Event Viewer > Custom Views > Administrative Events, I see a "matching" error with this message:

IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED

Only Windows Administrators are allowed to connect using a server connection. Other users should use the 'Connect To Site or Application' task to be able to connect.

Process:WMSvc User=deploy_user

This error is the exact same as described in this question. And the accepted answer suggests that what I've already done is the correct approach.

I have tried several workarounds suggested, like this, but nothing seems to be helping. Management Service is set to allow remote connections (both Windows and IIS Manager), and I have run the configuration for both a built-in Windows user (non-administrator) and an IIS Manager User, and still get the same error. As soon as I run the deploy command with an administrator user, however, it succeeds.

I am allowed to connect remotely through the IIS GUI with my non-administrator deploy_user user (in IIS: Connect to Site > [server url]/[site name] > deploy_user/deploy_password), indicating that the necessary rights and rules are configured. It is, however, when I try to run the deploy script from the command line - with the same user - that it fails.

And if it actually is as the error message indicates, that any non-admin user can only use Connect To Site or Application through IIS Manager, what is then the recommended way to do deploys like this from the command line/a build server? I don't really want to enter the username/password of an admin user in clear-text in the config at the build server...

One option I've found that's working is that if your build server and the machine you try to deploy to have a common Active Directory (or other means of sharing users), you can skip the /A:Basic flag and leave out the username and password altogether. You must only make sure that the user running the deploy also has administrator rights on the deploy target. However, in one case for us the build server and deploy target don't have a common user base, so this isn't an option and we're back to username/password in clear-text - which isn't desirable at all.

Julian asked Mar 26 '14 15:03


3 Answers

Since the user has Admin rights only on the site level and not the IIS root level, you need to add the site name.

Instead of https://machine_name:8172/msdeploy.axd you need to have https://machine_name:8172/msdeploy.axd?site=[MySiteName].

When this is not added, msdeploy tries to access the site through the root of IIS. With the added parameter the site is accessed directly, and admin rights on the specific website are sufficient.

Elad Lachmi answered Oct 30 '22 22:10


Try running this directly from the command line:

msdeploy.exe ^
  -source:package='…\DemoProject.zip' ^
  -dest:auto,computerName='https://TESTWEB1:8172/MSDeploy.axd?site=DemoSite',userName='FABRIKAM\User',password='Pa$$w0rd',authtype='Basic' ^
  -verb:sync ^
  -setParamFile:"…\DemoProject.SetParameters.xml" ^
  -allowUntrusted

Replace DemoProject.zip with your package, TESTWEB1 with your server. Also change username, password, DemoSite and DemoProject.SetParameters.xml accordingly.

Quoted from here

Vishnuraj V answered Oct 30 '22 23:10
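An added example (not code from either answer or from Microsoft): a build-server wrapper that always targets the site-scoped endpoint from the first answer, assembles the msdeploy.exe arguments from the second, and keeps the password out of the build config and log. The DEPLOY_PASSWORD variable name, the sample paths, and msdeploy.exe being on PATH are assumptions, and the site name is percent-encoded like any URL query value.

```python
import os
import re
import subprocess
from urllib.parse import quote

MSDEPLOY = "msdeploy.exe"           # assumption: on the build agent's PATH
PASSWORD_ENV = "DEPLOY_PASSWORD"    # hypothetical name of a CI-injected secret


def site_endpoint(server, site, port=8172):
    """WMSvc URL scoped to one site; without ?site= the connection is
    server-level and WMSvc rejects non-administrators with 401."""
    if not site or not site.strip():
        raise ValueError("site name is required for a non-administrator deploy")
    return f"https://{server}:{port}/msdeploy.axd?site={quote(site, safe='')}"


def build_args(package, server, site, user, password,
               whatif=True, allow_untrusted=False):
    """Argument list for msdeploy.exe, mirroring the command in the answer."""
    for value in (package, user, password):
        if "'" in value:
            raise ValueError("single quotes would break msdeploy's quoting")
    dest = ",".join([
        "auto",
        f"computerName='{site_endpoint(server, site)}'",
        f"userName='{user}'",
        f"password='{password}'",
        "authtype='Basic'",
    ])
    args = [MSDEPLOY, f"-source:package='{package}'", f"-dest:{dest}", "-verb:sync"]
    if whatif:
        args.append("-whatif")          # trial run, like /T on the .cmd wrapper
    if allow_untrusted:
        args.append("-allowUntrusted")  # skips TLS certificate validation; test hosts only
    return args


def redact(args):
    """Copy of args that is safe to write to the build log."""
    return [re.sub(r"password='[^']*'", "password='***'", a) for a in args]


def deploy(package, server, site, user, **options):
    password = os.environ[PASSWORD_ENV]   # never stored in the build config
    args = build_args(package, server, site, user, password, **options)
    print("running:", " ".join(redact(args)))
    return subprocess.run(args, check=True)   # list form: no shell parsing


if __name__ == "__main__":
    # Constructed sample values, not taken from a real environment.
    print(redact(build_args(r"C:\drop\site.zip", "machine_name",
                            "Default Web Site", "deploy_user", "s3cret")))
```

The password still appears on the msdeploy.exe process command line while the deploy runs, so the account should stay a site-level, non-administrator one as in the question.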


Assuming you did not use the MSI to install and you have got these steps cited below correctly installed and configured, make sure WMSvc is configured correctly on the server. See if this accepted answer helps you with that: https://stackoverflow.com/a/4834248/463478

2. The MSI will not install the Web Management Service handler component if the Web Management Service is not installed; the handler component is necessary for non-administrator deployments. Windows component IIS, including Management Service, should be installed first to enable the handler component to install.

3. The MSI will not configure Web Management Service to allow non-administrator deployments if PowerShell v2 is not installed. This setup step includes creating delegation rules in the IIS server Administration.config file that allow non-administrator users to use Web Deploy. PowerShell v2 is built-in on Windows Server 2008 R2 but may require a Windows Update for Windows Server 2008. Alternatively the delegation rules may be added manually after install.

Only You answered Oct 31 '22 00:10