MSDeploy.exe can connect as Administrator, but not any other Windows account

I'm integrating MSDeploy into my build process, and having problems authenticating. The following command works fine:

msdeploy -verb:sync -source:appHostConfig="KitchenPC",computerName=192.168.0.3,userName=Administrator,password=secret -dest:package=c:\DeployTest\KPC.zip

However, this does NOT work:

msdeploy -verb:sync -source:appHostConfig="KitchenPC",computerName=192.168.0.3,userName=kpcpublish,password=secret -dest:package=c:\DeployTest\KPC.zip

And yields the error:

Error Code: ERROR_USER_NOT_ADMIN
More Information: Connected to '192.168.0.11' using the Web Deployment Agent Service, but could not authorize. Make sure you are an administ
rator on '192.168.0.11'.  Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_NOT_ADMIN.
Error: The remote server returned an error: (401) Unauthorized.
Error count: 1.

I've followed the instructions in the link above, and any other docs I could find, which pretty much all say the same thing:

1. I created an account called kpcpublish
2. I added this account to a group called MSDepSvcUsers - Heck, I even added the account to Administrators
3. I right clicked on the site and selected Deploy->Configure Web Deploy Publishing and added kpcpublish to the list. It says the following:

.

Publish enabled for 'SERVER\kpcpublish' Granted 'SERVER\kpcpublish'
full control on 'C:\Website' Successfully created settings file
'C:\Users\Administrator\Desktop\SERVER_kpcpublish_KitchenPC.PublishSettings'

There must be some step I'm missing, but I just can't figure out what could be.

UPDATE:

Using the full HTTP path for the computerName property, I get the error:

Error Code: ERROR_DESTINATION_NOT_REACHABLE More Information: Could not connect to the remote computer ("192.168.0.3"). On the remote computer, make sure that Web Deploy is installed and that the required process ("Web Management Service") is started. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_DES TINATION_NOT_REACHABLE. Error: Unable to connect to the remote server Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection fa iled because connected host has failed to respond 192.168.0.3:8192 Error count: 1.

I've checked and the Web Management Service is indeed running.

Another Update:

I've completely paved the system and set it up again from scratch. I've done nothing out of the ordinary, just installed the IIS role and made sure to check "Management Service" under Management Tools, which is required for WMSVC to run. I then installed Web PI, and installed "Recommended Configuration for Hosting Providers", which will install Web Deploy 3.0. However, I did notice there was an error while installing this (I believe I got this error the last time as well). It looks like:

I've also attached the log files here.

I then tried to install Web Deploy 3.0 manually, however it says it's already installed. Next, I downloaded the MSI directly from http://www.iis.net/download/webdeploy and ran it in "Repair" mode. That seems to have worked. I also noticed that the WMSVC service is up and running. So this looks good.

Still, MSDeploy will not connect. I thought it might be some sort of firewall issue, so I ran it locally. I've tried using both HTTPS and HTTP to connect. HTTPS gives me an error, HTTP just times out after 2-3 minutes.

HTTPS:

msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=https://STAGING:8172/msdeploy.axd,userName=Administrator,password=Khorf123 -dest:package=c:\DeleteMe.zip
Info: Using ID 'f3a54096-adc4-4f54-9e4f-ad8fde12edb6' for connections to the remote server.
Error Code: ERROR_CERTIFICATE_VALIDATION_FAILED
More Information: Connected to the remote computer ("staging") using the specified process ("Web Management Service"), but could not verify the server's certifi
cate. If you trust the server, connect again and allow untrusted certificates.
Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_CERTIFICATE_VALIDATION_FAILED.
Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Error: The remote certificate is invalid according to the validation procedure.
Error count: 1.

HTTP:

msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=http://STAGING:8172/msdeploy.axd,userName=Administrator,password=Khorf123 -dest:package=c:\DeleteMe.zip
Info: Using ID 'ebee66f0-08e5-4d9d-98ea-0c2e59784895' for connections to the remote server.
Error: Could not complete the request to remote agent URL 'http://staging:8172/msdeploy.axd'.
Error: The operation has timed out
Error count: 1.

Same error with setting the authType. By machine name, you mean the DNS name? Same error with that. And remember, it does connect and it works with the admin credentials.

Hrm, is MSDeploy v3 installed on both the client and server?

Yes. As I said, it works perfectly if I use the Administrator username and password.

I believe you :) I'd take a look at the MSDeploy event log (in Applications and Services Logs) and see what information that yields. And I wouldn't rule out configuring deployments for the user in IIS again, either.

Absolutely nothing in the event log.. I just deleted kpcpublish, created a brand new account called Publish with a new password, added that to the Administrators group, and configured it in IIS Mgr. Still, same error. I'm starting to think WebDeploy doesn't actually support this.

Yea, something must not be setup right on this server (or I broke it messing with all the settings, though it still works with the Administrator account).. I've tried every combination and just no go..

@MikeChristensen - Even with the full /msdeploy.exe path as your computer name? You're right, something must be messed up. Non-admin deployments definitely work, though (I use them on a daily basis)

What do you mean full /msdeploy.exe path? Also, the URL http://192.168.0.3:8172/msdeploy.axd doesn't appear to even load in a browser. It justs sits there for several minutes and times out..

Apologies, I meant msdeploy.axd. I'm not sure how the handler is designed to act when accessed from a browser, so I don't know if that's the expected behavior or not.

I'm actually just re-paving this machine and starting from scratch. I must have messed stuff up royally somewhere, but I can't figure out what's going on. Hopefully everything will work better this time around.

With a completely new setup, I'm still running into the same problems as last time. I updated the question with more information. I'm pretty close to just giving up on this.

This is 95% the answer. Keep in mind, HTTP won't work (at least, by default - there's probably some way to change that) and you must refer to the computerName using HTTPS. If you're using a self-signed certificate, you'll have to add the -allowUnsigned command line parameter too. Thanks for all your help! Hopefully this will save someone else the hours I spent on this. Yeesh!

Bah, sorry about that! Not sure why I typed http.

Thanks for your updates etc. Getting suicidal over a 404 from msdeploy.exe, remote IIS which uses 8172 works.

@LukePuplett - Yea it's usually an evening of frustration getting this to work, however it's pretty slick when it does! Way better than FTP'ing files around. I eventually wrapped it all up in PowerShell scripts so I can just say publish stage or publish prod

I can't understand why this isn't a bunch of PowerShell CmdLets anyway - there's a load of new CmdLets for Web Management so I might even skip MsDeploy in future. It's always a PITA. I've got my own question running on my 404 stackoverflow.com/questions/13870561/…

@LukePuplett - I actually wrote a blog post about getting this all working on my site. Maybe it'll help you..

+1 Thank you! I almost gave up on web deploy.. again. Works great with https and that switch tho! Funny, I was inspired to give it (yet) another shot after reading your blog post which, hours and hours later, landed me here. I owe you 2 beers now.

Hi Mike - me again, if you get a mo, can you clarify what fixed your original problem with the rights? I get an unauthorized error using an account I added to the Administrators group, which should work.

@LukePuplett - Are you using https:// to connect? I think I had to use that, as well as the -allowUntrusted option before it worked..

@MikeChristensen Thanks Mike, yes to all of that. I think I'm going to just add my deploy account specifically as a remote manager to the sites in IIS and be done with it.

@LukePuplett - Yea, I'm also not an expert. I just tinkered around with things until they happened to work. Now I don't touch anything!

This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient reputation you will be able to comment on any post.

I do not know why you would say that. I answered this because that was the exact action that resolved the issue for me. I was having the same issue as mentioned in this post and none of the answers here helped me but the one I posted. And my intention is to help anyone who might face similar issue in future