MSDeploy.exe can connect as Administrator, but not any other Windows account
Solution 1
(Updated 2016-03-07 - NOTE: non-Administrator deployments also require ?site=IIS_SITE_NAME after msdeploy.axd, otherwise the connection is treated as global and requires Administrator access)
Not sure how I missed this originally, but your problem is the computerName parameter. Non-administrator deployments are only supported when using WMSVC, for which you need to specify the full URL.
Try the following
msdeploy -verb:sync ^
-source:appHostConfig="KitchenPC",computerName=https://192.168.0.3:8172/MsDeploy.axd,userName=kpcpublish,password=secret,authType=Basic ^
-dest:package=c:\DeployTest\KPC.zip
The computer name will be translated to the default Web Deploy URL. For example, computerName=Server1 will become http://Server1/MsDeployAgentService. If the remote service is running with a custom port or URL, you must specify the full URL
And from the install instructions:
The MSI will not install the Web Management Service handler component if the Web Management Service is not installed; the handler component is necessary for non-administrator deployments
(I couldn't find a more explicit canonical source that describes WMSVC as a requirement for non-admin deployments)
Solution 2
Figured It Out!
So, it seems that (at least by default), WMSVC only listens on HTTPS, and HTTP will just time out. However, since my certificate was self-signed, I had to use the -allowUntrusted command line option.
That was almost enough. I also had to specify authType=Basic like Richard originally suggested. So, to put it all together, this is the MSDeploy command line that will actually work:
msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=https://192.168.0.3:8172/msdeploy.axd,authType=Basic,userName=Publish,password=secret -dest:package=c:\DeployTest\KPC.zip -allowUntrusted
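An added example, not part of the original answers: a PowerShell wrapper that combines the points from Solution 1 and Solution 2 (full HTTPS WMSVC URL, ?site=, authType=Basic) but checks the self-signed certificate against a recorded thumbprint and imports it, instead of passing -allowUntrusted, which turns off certificate validation for the connection. The host name, thumbprint placeholder, site name and package path are assumptions to replace with your own values.

```powershell
# Added example (not from the answers). All values below are placeholders.
$DeployHost  = 'staging.example.test'   # must match the name in the WMSVC certificate
$Site        = 'KitchenPC'              # IIS site the deployment user was granted
$PinnedThumb = '<THUMBPRINT-READ-ON-THE-SERVER>'
$Package     = 'C:\DeployTest\KPC.zip'

function Get-WmsvcCertificate {
    param([string]$HostName, [int]$Port = 8172)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate for this probe only, so it can be inspected.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    }
    finally { $tcp.Close() }
}

# 1. Compare the presented certificate with the thumbprint recorded out of band.
$cert = Get-WmsvcCertificate -HostName $DeployHost
if ($cert.Thumbprint -ne $PinnedThumb) {
    throw "Unexpected WMSVC certificate $($cert.Thumbprint); refusing to trust it."
}

# 2. Trust that one certificate (elevated prompt) so -allowUntrusted is not needed.
$cer = Join-Path $env:TEMP 'wmsvc.cer'
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cer, $bytes)
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Prompt for the non-administrator account; nothing is stored in the script.
$net = (Get-Credential -Message 'IIS deployment user').GetNetworkCredential()

# 4. Full WMSVC URL over HTTPS, scoped to the site with ?site=.
$url = "https://${DeployHost}:8172/msdeploy.axd?site=$([uri]::EscapeDataString($Site))"
$source = "-source:appHostConfig=$Site,computerName=$url,authType=Basic," +
          "userName=$($net.UserName),password=$($net.Password)"
& msdeploy.exe '-verb:sync' $source "-dest:package=$Package"
if ($LASTEXITCODE -ne 0) { throw "msdeploy exited with code $LASTEXITCODE" }
```

The password still appears on the msdeploy command line while the process runs, so run this from an account and host where other users cannot list processes.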
Solution 3
After configuring Web Deploy on my server as follows, I continued to get HTTP 404 connection failures. In may what worked for me was the following additional efforts...
- Uninstall all previous versions of Web Deploy that existed. I was not even aware they existed; however, previous versions appear to conflict with completing a connection to the latest Web Deploy service. Newer versions don't uninstall their predecessors. In the last part, I was getting HTTP 401.7 - File Extension Denied.
- For good measure, performed a repair of the current version of Web Deploy, currently Microsoft Web Deploy 3.6
- For good measure, recreate and import my Visual Studio 2013 deployment profile...
  - recreate the publish settings file using the Configure Web Deploy Publishing dialogue available from the Deploy context menu option of the target website in IIS Manager's Connections panel. (Note, the publish settings file will be recreated when you press Setup as the file whose full path is specified in the dialogue entry, Specify a location to save the publish settings file)
  - Copy or otherwise make the publish settings file available to Visual Studio and selecting Publish from your project's context menu, create a Visual Studio publish profile by importing the publish settings file.
Solution 4
Try restarting the wmsvc service on the target machine
Mike Christensen
Founder and Chief Architect of KitchenPC.com, the world's most powerful recipe search engine. The technology behind KitchenPC is open-source, and available on GitHub.
Updated on April 14, 2020
Comments
-
Mike Christensen about 4 years
I'm integrating MSDeploy into my build process, and having problems authenticating. The following command works fine:
msdeploy -verb:sync -source:appHostConfig="KitchenPC",computerName=192.168.0.3,userName=Administrator,password=secret -dest:package=c:\DeployTest\KPC.zip
However, this does NOT work:
msdeploy -verb:sync -source:appHostConfig="KitchenPC",computerName=192.168.0.3,userName=kpcpublish,password=secret -dest:package=c:\DeployTest\KPC.zip
And yields the error:
Error Code: ERROR_USER_NOT_ADMIN
More Information: Connected to '192.168.0.11' using the Web Deployment Agent Service, but could not authorize. Make sure you are an administrator on '192.168.0.11'. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_NOT_ADMIN.
Error: The remote server returned an error: (401) Unauthorized.
Error count: 1.
I've followed the instructions in the link above, and any other docs I could find, which pretty much all say the same thing:
- I created an account called kpcpublish
- I added this account to a group called MSDepSvcUsers
- Heck, I even added the account to Administrators
- I right clicked on the site and selected Deploy->Configure Web Deploy Publishing and added kpcpublish to the list. It says the following:
Publish enabled for 'SERVER\kpcpublish'
Granted 'SERVER\kpcpublish' full control on 'C:\Website'
Successfully created settings file 'C:\Users\Administrator\Desktop\SERVER_kpcpublish_KitchenPC.PublishSettings'
There must be some step I'm missing, but I just can't figure out what could be.
UPDATE:
Using the full HTTP path for the computerName property, I get the error:
Error Code: ERROR_DESTINATION_NOT_REACHABLE
More Information: Could not connect to the remote computer ("192.168.0.3"). On the remote computer, make sure that Web Deploy is installed and that the required process ("Web Management Service") is started. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_DESTINATION_NOT_REACHABLE.
Error: Unable to connect to the remote server
Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 192.168.0.3:8192
Error count: 1.
I've checked and the Web Management Service is indeed running.
Another Update:
I've completely paved the system and set it up again from scratch. I've done nothing out of the ordinary, just installed the IIS role and made sure to check "Management Service" under Management Tools, which is required for WMSVC to run. I then installed Web PI, and installed "Recommended Configuration for Hosting Providers", which will install Web Deploy 3.0. However, I did notice there was an error while installing this (I believe I got this error the last time as well). It looks like:
I've also attached the log files here.
I then tried to install Web Deploy 3.0 manually, however it says it's already installed. Next, I downloaded the MSI directly from http://www.iis.net/download/webdeploy and ran it in "Repair" mode. That seems to have worked. I also noticed that the WMSVC service is up and running. So this looks good.
Still, MSDeploy will not connect. I thought it might be some sort of firewall issue, so I ran it locally. I've tried using both HTTPS and HTTP to connect. HTTPS gives me an error, HTTP just times out after 2-3 minutes.
HTTPS:
msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=https://STAGING:8172/msdeploy.axd,userName=Administrator,password=Khorf123 -dest:package=c:\DeleteMe.zip
Info: Using ID 'f3a54096-adc4-4f54-9e4f-ad8fde12edb6' for connections to the remote server.
Error Code: ERROR_CERTIFICATE_VALIDATION_FAILED
More Information: Connected to the remote computer ("staging") using the specified process ("Web Management Service"), but could not verify the server's certificate. If you trust the server, connect again and allow untrusted certificates. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_CERTIFICATE_VALIDATION_FAILED.
Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Error: The remote certificate is invalid according to the validation procedure.
Error count: 1.
HTTP:
msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=http://STAGING:8172/msdeploy.axd,userName=Administrator,password=Khorf123 -dest:package=c:\DeleteMe.zip
Info: Using ID 'ebee66f0-08e5-4d9d-98ea-0c2e59784895' for connections to the remote server.
Error: Could not complete the request to remote agent URL 'http://staging:8172/msdeploy.axd'.
Error: The operation has timed out
Error count: 1.
-
Mike Christensen over 11 years
Same error with setting the authType. By machine name, you mean the DNS name? Same error with that. And remember, it does connect and it works with the admin credentials.
-
binarydreams over 11 years
Hrm, is MSDeploy v3 installed on both the client and server?
-
Mike Christensen over 11 years
Yes. As I said, it works perfectly if I use the Administrator username and password.
-
binarydreams over 11 years
I believe you :) I'd take a look at the MSDeploy event log (in Applications and Services Logs) and see what information that yields. And I wouldn't rule out configuring deployments for the user in IIS again, either.
-
Mike Christensen over 11 years
Absolutely nothing in the event log.. I just deleted kpcpublish, created a brand new account called Publish with a new password, added that to the Administrators group, and configured it in IIS Mgr. Still, same error. I'm starting to think WebDeploy doesn't actually support this.
-
Mike Christensen over 11 years
Yea, something must not be set up right on this server (or I broke it messing with all the settings, though it still works with the Administrator account).. I've tried every combination and just no go..
-
binarydreams over 11 years
@MikeChristensen - Even with the full /msdeploy.exe path as your computer name? You're right, something must be messed up. Non-admin deployments definitely work, though (I use them on a daily basis)
-
Mike Christensen over 11 years
What do you mean full /msdeploy.exe path? Also, the URL http://192.168.0.3:8172/msdeploy.axd doesn't appear to even load in a browser. It just sits there for several minutes and times out..
-
binarydreams over 11 years
Apologies, I meant msdeploy.axd. I'm not sure how the handler is designed to act when accessed from a browser, so I don't know if that's the expected behavior or not.
-
Mike Christensen over 11 years
I'm actually just re-paving this machine and starting from scratch. I must have messed stuff up royally somewhere, but I can't figure out what's going on. Hopefully everything will work better this time around.
-
Mike Christensen over 11 years
With a completely new setup, I'm still running into the same problems as last time. I updated the question with more information. I'm pretty close to just giving up on this.
-
Mike Christensen over 11 years
This is 95% the answer. Keep in mind, HTTP won't work (at least, by default - there's probably some way to change that) and you must refer to the computerName using HTTPS. If you're using a self-signed certificate, you'll have to add the -allowUnsigned command line parameter too. Thanks for all your help! Hopefully this will save someone else the hours I spent on this. Yeesh!
-
binarydreams over 11 years
Bah, sorry about that! Not sure why I typed http.
-
Luke Puplett over 11 years
Thanks for your updates etc. Getting suicidal over a 404 from msdeploy.exe, remote IIS which uses 8172 works.
-
Mike Christensen over 11 years
@LukePuplett - Yea it's usually an evening of frustration getting this to work, however it's pretty slick when it does! Way better than FTP'ing files around. I eventually wrapped it all up in PowerShell scripts so I can just say publish stage or publish prod
-
Luke Puplett over 11 years
I can't understand why this isn't a bunch of PowerShell CmdLets anyway - there's a load of new CmdLets for Web Management so I might even skip MsDeploy in future. It's always a PITA. I've got my own question running on my 404 stackoverflow.com/questions/13870561/…
-
Mike Christensen over 11 years
@LukePuplett - I actually wrote a blog post about getting this all working on my site. Maybe it'll help you..
-
jkoreska about 11 years
+1 Thank you! I almost gave up on web deploy.. again. Works great with https and that switch tho! Funny, I was inspired to give it (yet) another shot after reading your blog post which, hours and hours later, landed me here. I owe you 2 beers now.
-
Luke Puplett over 10 years
Hi Mike - me again, if you get a mo, can you clarify what fixed your original problem with the rights? I get an unauthorized error using an account I added to the Administrators group, which should work.
-
Mike Christensen over 10 years
@LukePuplett - Are you using https:// to connect? I think I had to use that, as well as the -allowUntrusted option before it worked..
-
Luke Puplett over 10 years
@MikeChristensen Thanks Mike, yes to all of that. I think I'm going to just add my deploy account specifically as a remote manager to the sites in IIS and be done with it.
-
Mike Christensen over 10 years
@LukePuplett - Yea, I'm also not an expert. I just tinkered around with things until they happened to work. Now I don't touch anything!
-
fejese over 9 years
This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient reputation you will be able to comment on any post.
-
Siva Vaddadi over 9 years
I do not know why you would say that. I answered this because that was the exact action that resolved the issue for me. I was having the same issue as mentioned in this post and none of the answers here helped me but the one I posted. And my intention is to help anyone who might face similar issue in future