30
votes

I am trying to deploy using Team Build 2010 to a Windows Server 2008 R2 web server. My build server agent is set up to run under a Windows domain account. I have successfully given this domain account permissions on my web server for the deployment using the IIS Manager permissions. This account is not an Administrator on the web server. I can get the build deploying just fine using the following parameters:

/p:DeployOnBuild=True 
/p:DeployTarget=MsDeployPublish 
/p:CreatePackageOnPublish=False 
/p:MSDeployPublishMethod=WMSVC 
/p:AllowUntrustedCertificate=True 
/p:MSDeployServiceUrl=webservername
/p:DeployIisAppPath="Web Site Name"
/p:UserName=DOMAIN\BUILDID
/p:Password=buildidpassword

Because other developers are going to be setting up their builds, and I would rather not publish the password for the domain account, I need to use NTLM authentication to deploy. I would like to continue using the Web Management service method (WMSVC) for deployment so the BUILDID doesn't have to be an administrator.

I have dug deep into the "Microsoft.Web.Publishing.targets" and it appears that I should be able to pass an AuthType parameter to control the authorization type, but it appears to not have any effect. I have tried:

/p:DeployOnBuild=True 
/p:DeployTarget=MsDeployPublish 
/p:CreatePackageOnPublish=False 
/p:MSDeployPublishMethod=WMSVC 
/p:AllowUntrustedCertificate=True 
/p:MSDeployServiceUrl=webservername
/p:DeployIisAppPath="Web Site Name"
/p:AuthType=NTLM

And I have also tried putting a blank username (as seen elsewhere on StackOverflow), to no avail. I continue to get the error:

C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v10.0\Web\Microsoft.Web.Publishing.targets(3847,5): error : Web deployment task failed.(Connected to the destination computer ("webservername") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site.)

I have also tried the UseMsdeployexe parameter as mentioned in the previous link, but I then get other errors related to the web.config transformation. It looks like the issue is already on Microsoft Connect and is listed as being fixed in the next issue.

2
Hey @Michael McGuire - Did you ever get this issue solved? I'm in the same boat as you right now! :-( Trying to use Atlassian Bamboo to use msdeploy to release to IIS 7 on Windows Server 2008 R2, can't seem to get it to work using NTLM. Both machines are on the domain. - Pandincus
I would look in the event logs on the target computer, especially the Security logs. I would also try the MSDEPLOY command from the command line, first on your own workstation, then, if at all possible, from the build machine. - John Saunders
Sorry, I have yet to get this working. For now, I have the password for our build ID in my builds. - Michael McGuire
Seems no one wants to address this at all... that's a bummer. Even with a modest bounty, it's received 6 new Ups and no answers. - one.beat.consumer
Can you use a tool like Wireshark or Fiddler to verify your requests look OK? We don't use Team Build, but on our build server it does use MSDeploy (through our own custom code in .NET) to deploy to our web servers. - kamranicus

2 Answers

10
votes

There is an additional step, which I never picked up on:

Source

You can optionally enable users to authenticate with the Web Management Service using NTLM. To do this, update the registry on the server by adding a DWORD key named "WindowsAuthenticationEnabled" under HKEY_LOCAL_MACHINE\Software\Microsoft\WebManagement\Server, and set it to 1. If the Web Management Service is already started, the setting will take effect after the service is restarted.
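The registry change quoted in this answer, as an added PowerShell example that is not part of the original answer or of Microsoft's documentation. It assumes the Web Management Service is registered under the service name WMSVC and that the script runs in an elevated session on the web server.

```powershell
# Added example: enable Windows (NTLM) authentication for the Web Management Service
# by setting the DWORD described in the answer, then restarting the service if needed.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
$valueName = 'WindowsAuthenticationEnabled'
$service   = 'WMSVC'   # assumption: service name of the Web Management Service

# Writing under HKLM and restarting a service both require administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

if (-not (Test-Path $keyPath)) {
    throw "Registry key $keyPath not found; is the Management Service installed?"
}

# Read the current value; it may not exist yet, in which case $current is $null.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($current -eq 1) {
    Write-Output "$valueName is already 1; no change made."
} else {
    $before = if ($null -eq $current) { 'not present' } else { $current }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "$valueName set to 1 (was: $before)."

    # The setting is only read at service start, so restart a running service.
    $svc = Get-Service -Name $service
    if ($svc.Status -eq 'Running') {
        Restart-Service -Name $service
        Write-Output "$service restarted; the setting is now in effect."
    } else {
        Write-Output "$service is not running; the setting applies when it next starts."
    }
}

# Confirm what is actually stored after the change.
Get-ItemProperty -Path $keyPath -Name $valueName | Select-Object $valueName
```

Record the previous value the script prints so the change can be reverted and audited; the script is safe to re-run because it only writes and restarts when the value is not already 1.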

5
votes

If it is failing using NTLM then the team build service agent needs to be given permission to your site to allow non-administrators to connect to the site or application deployment server access. You can configure this under Management Service.

You might want to also take a look at configuring the web deployment provider settings. Web Deploy Provider Settings

If the wmsvc provider setting is specified, the default authentication type is Basic; otherwise, the default authentication type is NTLM.

You could also encrypt your password using the encryptPassword parameter and configure the setup on the hosted server if you want to use the basic authentication type.

Hope this helps.

This error code can surface for a number of different reasons. It typically indicates an authentication or authorization problem, and can happen because of any of the following reasons:

If connecting using the Web Management Service:

  • Verify that the username and password are correct
  • Verify that the site exists
  • Verify that the user has IIS Manager Permissions to the site's scope

If connecting using the Remote Agent Service:

  • Verify that the username and password are correct
  • Verify that the user account you specified is a member of the Administrators group on the remote computer. NOTE: Because of a bug in Web Deploy 2.0, the user must be either the built-in Administrator or a member of the Domain Administrators security group. Attempts to sync with any other user account, even if it is an administrator, will see this error code.
  • Verify that the site exists