401 Unauthorized error with WebDeploy using non-administrator user
N

4

14

<TLDR>
Is it at all possible to use ms web deploy to deploy a web application to a remote host from the command line with a non-administrator user?
</TLDR>

I have followed every point in Microsoft's guide for Installing and Configuring Web Deploy. My goal is to be able to do a remote web deploy with an IIS user/non-administrator user.

After doing all the steps as described under Install and configure web deploy for non-administrator deployments, I get the following log messages (indicating that everything is OK):

Publish enabled for 'deploy_user'
Granted 'deploy_user' full control on 'C:\inetpub\wwwroot'
Successfully created settings file 'C:\Users\...\Desktop\deploy_user_Default Web Site.PublishSettings'

Next, when I from my local machine try to run the following command:

.\my_deploy_package.cmd /M:https://machine_name:8172/msdeploy.axd -allowUntrusted /U:deploy_user /P:deploy_password /A:Basic /T

I get an error message saying: Error: The remote server returned an error: (401) Unauthorized.

If I on the target machine go into the Event Viewer > Custom Views > Administrative Events, I see a "matching" error with this message:

IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED

Only Windows Administrators are allowed to connect using a server connection. Other users should use the 'Connect To Site or Application' task to be able to connect.

Process:WMSvc User=deploy_user

This error is the exact same as described in this question. And the accepted answer suggests that what I've already done is the correct approach.

I have tried several workarounds suggested, like this, but nothing seems to be helping. Management Service is set to allow remote connections (both Windows and IIS Manager), and I have run the configuration for both a built-in Windows user (non-administrator) and an IIS Manager User, and still the same error. As soon as I run the deploy command with an administrator user however, it succeeds.

I am allowed to connect remotely through the IIS gui with my non-administrator deploy_user user (in IIS: Connect to Site > [server url]/[site name] > deploy_user/deploy_password), indicating that the necessary rights and rules are configured. It is however when I try to run the deploy script command line - with the same user - that it fails.

And if it actually is as the error message indicates, that any non-admin user can only use Connect To Site or Application through IIS Manager, what is then the recommended way to do deploys like this from the command line/a build server? I don't really want to enter the username/password of an admin user in clear-text in the config at the build server...

One option I've found that's working, is that if your build server and the machine you try to deploy to have a common Active Directory (or other means of sharing users), you can skip the /A:Basic flag and leave out the username and password altogether. You must only make sure that the user running the deploy also has administrator rights on the deploy target. However, in one case for us the build server and deploy target don't have a common user base, so this isn't an option and we're back to username/password in clear-text - which isn't desirable at all.

Nubia answered 26/3, 2014 at 15:46 Comment(5)
Maybe this can help? #2875439 - Crackdown
@EladLachmi: what is suggested in the post you've linked to is exactly what I've done (see the output after the third paragraph in my question "After doing all the steps as described under..."). - Nubia
Right, now I see. Sorry. - Crackdown
Can you try to add the site name after https://machine_name:8172/msdeploy.axd? Example: https://machine_name:8172/msdeploy.axd?site=[MySiteName] - Crackdown
@EladLachmi: oh my, that actually worked! It never occurred to me to specify the site name in the machine parameter - both because it is already specified in the parameters file, and I can't remember seeing it in any examples either. Post that as an answer, and I'll accept it and reward you the bounty! - Nubia
C
23

Since the user has Admin right only on the site level and not the IIS root level, you need to add the site name.

Instead of https://machine_name:8172/msdeploy.axd you need to have https://machine_name:8172/msdeploy.axd?site=[MySiteName].

When this is not added, msdeploy tries to access the site through the root of IIS. With the added parameter the site is accessed directly, and admin rights on the specific website are sufficient.

Crackdown answered 29/4, 2014 at 9:0 Comment(3)
To be specific remove '[' and ']'. It is not always clear as it is. - Effloresce
Also, make sure to include the machine name with the user for the username field. - Barsac
Having the same issue when publishing from VS2017. Is it possible to let Visual Studio specify the site as well? - Mycah
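
The site-scoped endpoint from this answer, wrapped in a PowerShell helper as an added example (not code from the thread or from Microsoft). It assumes msdeploy.exe is on PATH and that the build server supplies the password in an environment variable named DEPLOY_PASSWORD, a name chosen here; -allowUntrusted stays off unless requested, because it accepts an untrusted server certificate.

```powershell
# Added example (not from the thread). Assumptions: msdeploy.exe is on PATH and the
# build server injects the password as the DEPLOY_PASSWORD environment variable.
function Get-SiteScopedEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $SiteName,
        [int] $Port = 8172
    )
    # Without ?site=..., WMSvc sees a server connection, which only Windows
    # administrators may open; that is the 401 from the question.
    "https://${Server}:$Port/msdeploy.axd?site=" + [uri]::EscapeDataString($SiteName)
}

function Invoke-SiteDeploy {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $UserName,   # e.g. machine_name\deploy_user
        [Parameter(Mandatory)] [string] $Package,
        [Parameter(Mandatory)] [string] $ParamFile,
        [switch] $AllowUntrusted                     # accept an untrusted certificate
    )
    $password = $env:DEPLOY_PASSWORD
    if ([string]::IsNullOrEmpty($password)) {
        throw 'DEPLOY_PASSWORD is not set; refusing to deploy without a credential.'
    }
    # Guard: a single quote would break the quoted password value built below.
    if ($password.Contains("'")) { throw 'Password must not contain a single quote.' }

    $endpoint = Get-SiteScopedEndpoint -Server $Server -SiteName $SiteName
    $msdeployArgs = @(
        '-verb:sync'
        "-source:package='$Package'"
        "-dest:auto,computerName='$endpoint',userName='$UserName',password='$password',authType='Basic'"
        "-setParamFile:$ParamFile"
    )
    if ($AllowUntrusted) { $msdeployArgs += '-allowUntrusted' }

    # Print the command with the password masked so it stays out of build logs.
    Write-Host ('msdeploy.exe ' + ($msdeployArgs -join ' ').Replace($password, '********'))
    & msdeploy.exe @msdeployArgs
    if ($LASTEXITCODE -ne 0) { throw "msdeploy.exe exited with code $LASTEXITCODE" }
}

# Constructed sample values; replace with your own server, site and paths.
Invoke-SiteDeploy -Server 'machine_name' -SiteName 'MySiteName' `
    -UserName 'machine_name\deploy_user' -Package 'C:\build\my_package.zip' `
    -ParamFile 'C:\build\my_package.SetParameters.xml'
```

The account used here is the site-level deploy_user, so the credential held by the build server carries no administrator rights on the target.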
T
6

Try running this directly from command line

msdeploy.exe
  -source:package='…\DemoProject.zip'
  -dest:auto,
        computerName='https://TESTWEB1:8172/MSDeploy.axd?site=DemoSite',
        userName='FABRIKAM\User',
        password='Pa$$w0rd',
        authtype='Basic'
  -verb:sync
  -setParamFile:"…\DemoProject.SetParameters.xml"  
  -allowUntrusted

Replace DemoProject.zip with your package, TESTWEB1 with your server. Also change username, password, DemoSite and DemoProject.SetParameters.xml accordingly

Quoted from here

Tymothy answered 28/4, 2014 at 18:18 Comment(1)
This command is more or less exactly the same that is emitted when running the my_deploy_package.cmd script, and thus makes no difference. - Nubia
H
2

Assuming you did not use the MSI to install and you have got these steps cited below correctly installed and configured, make sure WMSvc is configured correctly on the server. See if this accepted answer helps you with that: https://mcmap.net/q/122209/-webdeploy-401-unauthorized-error

2. The MSI will not install the Web Management Service handler component if the Web Management Service is not installed; the handler component is necessary for non-administrator deployments. Windows component IIS, including Management Service, should be installed first to enable the handler component to install.

3. The MSI will not configure Web Management Service to allow non-administrator deployments if PowerShell v2 is not installed. This setup step includes creating delegation rules in the IIS server Administration.config file that allow non-administrator users to use Web Deploy. PowerShell v2 is built-in on Windows Server 2008 R2 but may require a Windows Update for Windows Server 2008. Alternatively the delegation rules may be added manually after install.

Hindquarter answered 28/4, 2014 at 18:36 Comment(1)
Everything was installed using Web Platform Installer. The WMSvc is in place and seemingly correctly configured. I've followed all steps as illustrated in the walk-through (iis.net/learn/install/installing-publishing-technologies/…) to set up delegation rules etc. to allow non-administrator deploy. And non-administrator deploy does work when I do it through a remote IIS connection (again, indicating that all the access rights are configured correctly), but it fails when done from the command line. - Nubia
U
2

Two things really helped me from this post.

  1. Specifying the site name
  2. Setting the authentication type to basic.

Also my web application name had spaces in it and I kept getting an error when I tried to specify the service url like this https://machine_name:8172/msdeploy.axd?site=my%20web%20app

I was able to resolve this by setting the site name using the additional msdeploy.exe flag "-setParam:name='IIS Web Application Name',value='my web app'"

My working command is:

my_deploy_package.cmd /M:https://machine_name:8172/msdeploy.axd /U:deploy_user /P:deploy_password /A:basic -allowUntrusted "-setParam:name='IIS Web Application Name',value='my web app'"

Unsubstantial answered 8/11, 2016 at 23:32 Comment(1)
Yes, specifying authentication method helped me a lot, but I also found it is necessary to write username with the domain name, such as: /U:domain\username - Cowes
