How do I deploy using MSDeploy and TeamCity with Integrated Windows Authentication?

3

9

I had a MSDeploy deployment working beautifully with TeamCity when I passed in the user credentials. The command line parameters (using env. variables for some values) were:

    MSBuild.exe Web.csproj
    /P:Configuration=%env.Configuration%
    /P:DeployOnBuild=True
    /P:DeployTarget=MSDeployPublish
    /P:MsDeployServiceUrl=https://%env.TargetServer%/MsDeploy.axd
    /P:AllowUntrustedCertificate=True
    /P:MSDeployPublishMethod=WMsvc
    /P:CreatePackageOnPublish=True
    /P:UserName=%env.AdminUser%
    /P:Password=%env.AdminPassword%

Worked great. But now I want to use integrated auth. I tried following Troy's suggestions over from "Can MSBuild deploy using integrated authentication or only basic?" but it's not doing the trick. I've tried various combinations of passing in a blank username and specifying

    /p:AuthType=NTLM

The closest I get is by specifying /p:AuthType=NTLM and passing in a blank username. But that still results in this error:

Connected to the destination computer ("[my destination server name]") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. The remote server returned an error: (401) Unauthorized

I have the Web Management Service running on both the local and remote servers. I changed both instances to run as a user I know has proper access to the site - the same user that works if I manually pass in credentials.

I also tried manually giving that user IIS Manager Permissions on the destination site (though not sure why that would be necessary since the user can publish to the site when their credentials are manually passed).

One thing I am noticing is that in the WMsvc log it's not logging any username for the attempts made with NTLM auth.

Any idea what's going on here? I really don't want to have to store user credentials in my TeamCity configuration.

Thanks.

Platter answered 8/11, 2011 at 16:7 Comment(0)
12

I know I'm a little late submitting an answer on this, but for the benefit of anyone else chasing this type of problem, I've just managed to get this working.

Similar to the OP, I was trying to get TeamCity on Windows Server 2008R2 to publish a web site on a remote IIS 7.5 server using WMsvc.

I was struggling with the 401 error until I completed all of these steps:

  • Ensure AuthType=NTLM parameter set.

  • Ensure Username parameter supplied, but set to a blank value.

  • Ensure NTLM authentication enabled on the remote web server, this involved adding a registry entry:

    HKLM\Software\Microsoft\WebManagement\Server
    DWORD WindowsAuthenticationEnabled = 1
    
  • Ensure user context under which the build agent runs on the build server can successfully do a Windows integrated auth connection to the WMsvc. I actually had to log on to the build server as this user, then open up IE, and add the target website to the Local Intranet Zone. Basically, I kept hitting this URL and altering settings in IE until I could get straight to it without authentication prompts or 401 errors:

    https://[the server]:8172/MsDeploy.axd?site=[the site]
    

Incidentally, when I got the auth working, the remote WMSvc started giving me 404 errors in the browser instead, which turned out to be a good sign. During this process, I also set up an SSL cert on the remote WMsvc which was trusted by the build server - possibly not a necessity but it helped my testing.

Once I had completed the above, TeamCity deployments started reporting this error:

An error occurred when the request was processed on the remote computer.
The server experienced an issue processing the request. Contact the server administrator for more information.

I couldn't find anything useful in the Event Log, but the fix here was just to ensure that the authenticated user had the necessary filesystem permissions on the target folder. You may want to be more selective, but I just gave them Full Control over Inetpub.

Setser answered 25/2, 2013 at 3:46 Comment(2)
Just a note for anyone adding the reg key WindowsAuthenticationEnabled manually - learn from the 3 hours I've just wasted troubleshooting a deployment and make sure you don't accidentally paste a trailing space into the key name! Gah. - Setser
+1 for pointing out the Local Intranet Zone issue. I got it working when I tried to use computerName='192.168....:8172' instead of a hostname. However specifying a blank username seems useless to get it working. - Assassinate
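
A check for the registry and integrated-auth steps in the answer above, as an added PowerShell example that is not part of the original answer or its comments. The function names and the sample server and site in the usage comments are hypothetical, and the probe assumes the WMSvc certificate is trusted by the build server, so certificate validation stays on.

```powershell
# Added example: function names and the sample host/site below are hypothetical.
$WmsvcKey  = 'HKLM:\Software\Microsoft\WebManagement\Server'
$ValueName = 'WindowsAuthenticationEnabled'

# Run on the destination IIS server: inspects the registry value from the answer.
function Test-WmsvcWindowsAuthKey {
    $key   = Get-Item -Path $WmsvcKey -ErrorAction Stop
    $names = @($key.GetValueNames())
    # Names that match only after trimming, e.g. a pasted trailing space.
    $padded  = @($names | Where-Object { $_ -ne $_.Trim() -and $_.Trim() -eq $ValueName })
    $present = $names -contains $ValueName
    $isDword = $present -and ($key.GetValueKind($ValueName) -eq 'DWord')
    [pscustomobject]@{
        ValuePresent = $present
        IsDword      = $isDword
        Enabled      = $isDword -and ($key.GetValue($ValueName) -eq 1)
        PaddedNames  = $padded | ForEach-Object { "'$_'" }   # quoted so the space is visible
    }
}

# Run on the build server as the build agent account: probes WMSvc with the
# current Windows identity, supplying no user name or password.
function Test-WmsvcIntegratedAuth {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Site
    )
    $uri = "https://${Server}:8172/MsDeploy.axd?site=$([uri]::EscapeDataString($Site))"
    try {
        $resp   = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing
        $status = [int]$resp.StatusCode
    } catch {
        $failed = $_.Exception.Response
        if ($null -eq $failed) { throw }   # TLS or network failure, not an auth result
        $status = [int]$failed.StatusCode
    }
    $meaning = switch ($status) {
        401     { 'Integrated authentication was not accepted for this account' }
        404     { 'Authenticated: the answer reports 404 in the browser once auth worked' }
        default { "HTTP $status" }
    }
    [pscustomobject]@{ User = [Environment]::UserName; Uri = $uri; Status = $status; Meaning = $meaning }
}

# Usage (constructed values):
# Test-WmsvcWindowsAuthKey
# Test-WmsvcIntegratedAuth -Server 'iis01.example.test' -Site 'Default Web Site'
```

A non-empty `PaddedNames` means the value exists under a name with stray whitespace, which is the mistake described in the first comment on the answer.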
1

Is the build agent service running under the account you want to use? You mention the web management service, but remember it's the build agent which is actually doing the work and needs the rights.

Paulettapaulette answered 9/11, 2011 at 2:59 Comment(2)
Sorry I should have pointed that out. Yes, the TeamCity Build Agent Service is also running under the account with proper permissions. That was always the case, I just updated the Web Management Service since the error indicated "using the Web Management Service." - Platter
@Troy have you successfully connected to the WMSvc using NTLM? A simple test like msdeploy.exe -verb:dump -source:apphostconfig,wmsvc=SERVER123,username=,authType=ntlm -allowUntrusted where I am an admin on SERVER123, yields 401 errors. - Benzoic
0

I assume that the deployment is executed with the account of the TeamCity-Agent. This would explain your error. Make sure that this account has the appropriate rights for the deployment.

Mossy answered 8/11, 2011 at 18:29 Comment(1)
See comment above. Short answer, it has. - Platter
