MSDeploy.exe can connect as Administrator, but not any other Windows account
Asked Answered
I

6

15

I'm integrating MSDeploy into my build process, and having problems authenticating. The following command works fine:

msdeploy -verb:sync -source:appHostConfig="KitchenPC",computerName=192.168.0.3,userName=Administrator,password=secret -dest:package=c:\DeployTest\KPC.zip

However, this does NOT work:

msdeploy -verb:sync -source:appHostConfig="KitchenPC",computerName=192.168.0.3,userName=kpcpublish,password=secret -dest:package=c:\DeployTest\KPC.zip

And yields the error:

Error Code: ERROR_USER_NOT_ADMIN
More Information: Connected to '192.168.0.11' using the Web Deployment Agent Service, but could not authorize. Make sure you are an administ
rator on '192.168.0.11'.  Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_NOT_ADMIN.
Error: The remote server returned an error: (401) Unauthorized.
Error count: 1.

I've followed the instructions in the link above, and any other docs I could find, which pretty much all say the same thing:

  1. I created an account called kpcpublish
  2. I added this account to a group called MSDepSvcUsers - Heck, I even added the account to Administrators
  3. I right clicked on the site and selected Deploy->Configure Web Deploy Publishing and added kpcpublish to the list. It says the following:

.

Publish enabled for 'SERVER\kpcpublish' Granted 'SERVER\kpcpublish'
full control on 'C:\Website' Successfully created settings file
'C:\Users\Administrator\Desktop\SERVER_kpcpublish_KitchenPC.PublishSettings'

There must be some step I'm missing, but I just can't figure out what could be.

UPDATE:

Using the full HTTP path for the computerName property, I get the error:

Error Code: ERROR_DESTINATION_NOT_REACHABLE More Information: Could not connect to the remote computer ("192.168.0.3"). On the remote computer, make sure that Web Deploy is installed and that the required process ("Web Management Service") is started. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_DES TINATION_NOT_REACHABLE. Error: Unable to connect to the remote server Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection fa iled because connected host has failed to respond 192.168.0.3:8192 Error count: 1.

I've checked and the Web Management Service is indeed running.

Another Update:

I've completely paved the system and set it up again from scratch. I've done nothing out of the ordinary, just installed the IIS role and made sure to check "Management Service" under Management Tools, which is required for WMSVC to run. I then installed Web PI, and installed "Recommended Configuration for Hosting Providers", which will install Web Deploy 3.0. However, I did notice there was an error while installing this (I believe I got this error the last time as well). It looks like:

enter image description here

I've also attached the log files here.

I then tried to install Web Deploy 3.0 manually, however it says it's already installed. Next, I downloaded the MSI directly from http://www.iis.net/download/webdeploy and ran it in "Repair" mode. That seems to have worked. I also noticed that the WMSVC service is up and running. So this looks good.

Still, MSDeploy will not connect. I thought it might be some sort of firewall issue, so I ran it locally. I've tried using both HTTPS and HTTP to connect. HTTPS gives me an error, HTTP just times out after 2-3 minutes.

HTTPS:

msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=https://STAGING:8172/msdeploy.axd,userName=Administrator,password=Khorf123 -dest:package=c:\DeleteMe.zip
Info: Using ID 'f3a54096-adc4-4f54-9e4f-ad8fde12edb6' for connections to the remote server.
Error Code: ERROR_CERTIFICATE_VALIDATION_FAILED
More Information: Connected to the remote computer ("staging") using the specified process ("Web Management Service"), but could not verify the server's certifi
cate. If you trust the server, connect again and allow untrusted certificates.
Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_CERTIFICATE_VALIDATION_FAILED.
Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Error: The remote certificate is invalid according to the validation procedure.
Error count: 1.

HTTP:

msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=http://STAGING:8172/msdeploy.axd,userName=Administrator,password=Khorf123 -dest:package=c:\DeleteMe.zip
Info: Using ID 'ebee66f0-08e5-4d9d-98ea-0c2e59784895' for connections to the remote server.
Error: Could not complete the request to remote agent URL 'http://staging:8172/msdeploy.axd'.
Error: The operation has timed out
Error count: 1.
Investment answered 20/10, 2012 at 3:21 Comment(3)
just a thought : should not the file 'SERVER_kpcpublish_KitchenPC.PublishSettings' file be stored somewhere in the deploy folder, and not in your desktop ?Disqualification
@Disqualification - Not following. For the time being, I'm just trying to sync from the web server to a local zip archive to make sure things work. I'm actually not sure what to do with the PublishSettings file, I thought it was just so you didn't have to type in all the connection info on the command line.Investment
The settings file is only relevant if you're using it to inject values into your config files at the time of deployment.Designer
S
18

(Updated 2016-03-07 - NOTE: non-Administrator deployments also require ?site=IIS_SITE_NAME after msdeploy.axd, otherwise the connection is treated as global and requires Administrator access)

Not sure how missed this originally, but your problem is the computerName parameter. Non-administrator deployments are only supported when using WMSVC, for which you need to specify the full URL.

Try the following

msdeploy -verb:sync ^
  -source:appHostConfig="KitchenPC",computerName=https://192.168.0.3:8172/MsDeploy.axd,userName=kpcpublish,password=secret,authType=Basic ^ 
  -dest:package=c:\DeployTest\KPC.zip 

From the docs:

The computer name will be translated to the default Web Deploy URL. For example, computerName=Server1 will become http://Server1/MsDeployAgentService. If the remote service is running with a custom port or URL, you must specify the full URL

And from the install instructions:

The MSI will not install the Web Management Service handler component if the Web Management Service is not installed; the handler component is necessary for non-administrator deployments

(I couldn't find a more explicit canonical source that describes WMSVC as a requirement for non-admin deployments)

Sechrist answered 20/10, 2012 at 3:42 Comment(13)
Same error with setting the authType. By machine name, you mean the DNS name? Same error with that. And remember, it does connect and it works with the admin credentials.Investment
Hrm, is MSDeploy v3 installed on both the client and server?Sechrist
Yes. As I said, it works perfectly if I use the Administrator username and password.Investment
I believe you :) I'd take a look at the MSDeploy event log (in Applications and Services Logs) and see what information that yields. And I wouldn't rule out configuring deployments for the user in IIS again, either.Sechrist
Absolutely nothing in the event log.. I just deleted kpcpublish, created a brand new account called Publish with a new password, added that to the Administrators group, and configured it in IIS Mgr. Still, same error. I'm starting to think WebDeploy doesn't actually support this.Investment
Yea, something must not be setup right on this server (or I broke it messing with all the settings, though it still works with the Administrator account).. I've tried every combination and just no go..Investment
@MikeChristensen - Even with the full /msdeploy.exe path as your computer name? You're right, something must be messed up. Non-admin deployments definitely work, though (I use them on a daily basis)Sechrist
What do you mean full /msdeploy.exe path? Also, the URL http://192.168.0.3:8172/msdeploy.axd doesn't appear to even load in a browser. It justs sits there for several minutes and times out..Investment
Apologies, I meant msdeploy.axd. I'm not sure how the handler is designed to act when accessed from a browser, so I don't know if that's the expected behavior or not.Sechrist
I'm actually just re-paving this machine and starting from scratch. I must have messed stuff up royally somewhere, but I can't figure out what's going on. Hopefully everything will work better this time around.Investment
With a completely new setup, I'm still running into the same problems as last time. I updated the question with more information. I'm pretty close to just giving up on this.Investment
This is 95% the answer. Keep in mind, HTTP won't work (at least, by default - there's probably some way to change that) and you must refer to the computerName using HTTPS. If you're using a self-signed certificate, you'll have to add the -allowUnsigned command line parameter too. Thanks for all your help! Hopefully this will save someone else the hours I spent on this. Yeesh!Investment
Bah, sorry about that! Not sure why I typed http.Sechrist
I
17

Figured It Out!

So, it seems that (at least by default), WMSVC only listens on HTTPS, and HTTP will just time out. However, since my certificate was self-signed, I had to use the -allowUntrusted command line option.

That was almost enough. I also had to specify authType=Basic like Richard originally suggested. So, to put it all together, this is the MSDeploy command line that will actually work:

msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=https://192.168.0.3:8172/msdeploy.axd,authType=Basic,userName=Publish,password=secret -dest:package=c:\DeployTest\KPC.zip -allowUntrusted
Investment answered 20/10, 2012 at 19:15 Comment(9)
Thanks for your updates etc. Getting suicidal over a 404 from msdeploy.exe, remote IIS which uses 8172 works.Gilder
@LukePuplett - Yea it's usually an evening of frustration getting this to work, however it's pretty slick when it does! Way better than FTP'ing files around. I eventually wrapped it all up in PowerShell scripts so I can just say publish stage or publish prodInvestment
I can't understand why this isn't a bunch of PowerShell CmdLets anyway - there's a load of new CmdLets for Web Management so I might even skip MsDeploy in future. It's always a PITA. I've got my own question running on my 404 #13871061Gilder
@LukePuplett - I actually wrote a blog post about getting this all working on my site. Maybe it'll help you..Investment
+1 Thank you! I almost gave up on web deploy.. again. Works great with https and that switch tho! Funny, I was inspired to give it (yet) another shot after reading your blog post which, hours and hours later, landed me here. I owe you 2 beers now.Pentothal
Hi Mike - me again, if you get a mo, can you clarify what fixed your original problem with the rights? I get an unauthorized error using an account I added to the Administrators group, which should work.Gilder
@LukePuplett - Are you using https:// to connect? I think I had to use that, as well as the -allowUntrusted option before it worked..Investment
@MikeChristensen Thanks Mike, yes to all of that. I think I'm going to just add my deploy account specifically as a remote manager to the sites in IIS and be done with it.Gilder
@LukePuplett - Yea, I'm also not an expert. I just tinkered around with things until they happened to work. Now I don't touch anything!Investment
C
2

After configuring Web Deploy my server as follows. I continued to get HTTP 404 connection failures. In may what worked for me was the following additional efforts...

  1. Uninstall all previous version of Web Deploy that existed. I was not even aware they existed; however, previous versions appear to conflict with completing a connection to the latest Web Deploy service. Newer version don't uninstall their predecessors. In the last part, I was getting HTTP 401.7 - File Extension Denied.
  2. For good measure, performed a repair of the current version of Web Deploy, currently Microsoft Web Deploy 3.6
  3. For good measure, recreate and import my Visual Studio 2013 deployment profile...
    1. recreate the publish settings file using the Configure Web Deploy Publishing dialogue available from the Deploy context menu option of the target website in IIS Manager's Connections panel. (Note, the publish settings file will be recreated when you press Setup as the file whose full path is specified in the dialogue entry, Specify a location to save the publish settings file)
    2. Copy or otherwise make the publish settings file available to Visual Studio and selecting Publish from your project's context menu, create a Visual Studio publish profile by importing the publish settings file.
Colonial answered 7/11, 2015 at 19:49 Comment(0)
M
1

Try restarting the wmsvc service on the target machine

Merth answered 24/10, 2014 at 10:16 Comment(2)
This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient reputation you will be able to comment on any post.Imparadise
I do not know why you would say that. I answered this because that was the exact action that resolved the issue for me. I was having the same issue as mentioned in this post and none of the answers here helped me but the one I posted. And my intention is to help anyone who might face similar issue in futureMerth
S
0

As alluded to above, make sure that you are connecting over HTTPS. If you are attempting to connect as Admin, but not using SSL, you get the following error:

Error Code: ERROR_USER_NOT_ADMIN

More Information: Connected to 'host' using the Web Deployment Agent Service, but could not authorize. Make sure you are an administrator on 'host'.

(Where 'host' is your server name)

Sporocarp answered 13/7, 2015 at 17:45 Comment(0)
M
0

For me the problem was that my password expired... I've noticed it when loging out and then tried to login back trhough remote desktop.

Mesolithic answered 13/4, 2016 at 22:59 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.