MSDeploy.exe can connect as Administrator, but not any other Windows account

Mike Christensen picture Mike Christensen · Oct 20, 2012 · Viewed 22.6k times · Source

I'm integrating MSDeploy into my build process, and having problems authenticating. The following command works fine:

msdeploy -verb:sync -source:appHostConfig="KitchenPC",computerName=192.168.0.3,userName=Administrator,password=secret -dest:package=c:\DeployTest\KPC.zip

However, this does NOT work:

msdeploy -verb:sync -source:appHostConfig="KitchenPC",computerName=192.168.0.3,userName=kpcpublish,password=secret -dest:package=c:\DeployTest\KPC.zip

And yields the error:

Error Code: ERROR_USER_NOT_ADMIN
More Information: Connected to '192.168.0.11' using the Web Deployment Agent Service, but could not authorize. Make sure you are an administ
rator on '192.168.0.11'.  Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_NOT_ADMIN.
Error: The remote server returned an error: (401) Unauthorized.
Error count: 1.

I've followed the instructions in the link above, and any other docs I could find, which pretty much all say the same thing:

  1. I created an account called kpcpublish
  2. I added this account to a group called MSDepSvcUsers - Heck, I even added the account to Administrators
  3. I right clicked on the site and selected Deploy->Configure Web Deploy Publishing and added kpcpublish to the list. It says the following:

.

Publish enabled for 'SERVER\kpcpublish' Granted 'SERVER\kpcpublish'
full control on 'C:\Website' Successfully created settings file
'C:\Users\Administrator\Desktop\SERVER_kpcpublish_KitchenPC.PublishSettings'

There must be some step I'm missing, but I just can't figure out what could be.

UPDATE:

Using the full HTTP path for the computerName property, I get the error:

Error Code: ERROR_DESTINATION_NOT_REACHABLE More Information: Could not connect to the remote computer ("192.168.0.3"). On the remote computer, make sure that Web Deploy is installed and that the required process ("Web Management Service") is started. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_DES TINATION_NOT_REACHABLE. Error: Unable to connect to the remote server Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection fa iled because connected host has failed to respond 192.168.0.3:8192 Error count: 1.

I've checked and the Web Management Service is indeed running.

Another Update:

I've completely paved the system and set it up again from scratch. I've done nothing out of the ordinary, just installed the IIS role and made sure to check "Management Service" under Management Tools, which is required for WMSVC to run. I then installed Web PI, and installed "Recommended Configuration for Hosting Providers", which will install Web Deploy 3.0. However, I did notice there was an error while installing this (I believe I got this error the last time as well). It looks like:

enter image description here

I've also attached the log files here.

I then tried to install Web Deploy 3.0 manually, however it says it's already installed. Next, I downloaded the MSI directly from http://www.iis.net/download/webdeploy and ran it in "Repair" mode. That seems to have worked. I also noticed that the WMSVC service is up and running. So this looks good.

Still, MSDeploy will not connect. I thought it might be some sort of firewall issue, so I ran it locally. I've tried using both HTTPS and HTTP to connect. HTTPS gives me an error, HTTP just times out after 2-3 minutes.

HTTPS:

msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=https://STAGING:8172/msdeploy.axd,userName=Administrator,password=Khorf123 -dest:package=c:\DeleteMe.zip
Info: Using ID 'f3a54096-adc4-4f54-9e4f-ad8fde12edb6' for connections to the remote server.
Error Code: ERROR_CERTIFICATE_VALIDATION_FAILED
More Information: Connected to the remote computer ("staging") using the specified process ("Web Management Service"), but could not verify the server's certifi
cate. If you trust the server, connect again and allow untrusted certificates.
Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_CERTIFICATE_VALIDATION_FAILED.
Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Error: The remote certificate is invalid according to the validation procedure.
Error count: 1.

HTTP:

msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=http://STAGING:8172/msdeploy.axd,userName=Administrator,password=Khorf123 -dest:package=c:\DeleteMe.zip
Info: Using ID 'ebee66f0-08e5-4d9d-98ea-0c2e59784895' for connections to the remote server.
Error: Could not complete the request to remote agent URL 'http://staging:8172/msdeploy.axd'.
Error: The operation has timed out
Error count: 1.

Answer

Richard Szalay picture Richard Szalay · Oct 20, 2012

(Updated 2016-03-07 - NOTE: non-Administrator deployments also require ?site=IIS_SITE_NAME after msdeploy.axd, otherwise the connection is treated as global and requires Administrator access)

Not sure how missed this originally, but your problem is the computerName parameter. Non-administrator deployments are only supported when using WMSVC, for which you need to specify the full URL.

Try the following

msdeploy -verb:sync ^
  -source:appHostConfig="KitchenPC",computerName=https://192.168.0.3:8172/MsDeploy.axd,userName=kpcpublish,password=secret,authType=Basic ^ 
  -dest:package=c:\DeployTest\KPC.zip 

From the docs:

The computer name will be translated to the default Web Deploy URL. For example, computerName=Server1 will become http://Server1/MsDeployAgentService. If the remote service is running with a custom port or URL, you must specify the full URL

And from the install instructions:

The MSI will not install the Web Management Service handler component if the Web Management Service is not installed; the handler component is necessary for non-administrator deployments

(I couldn't find a more explicit canonical source that describes WMSVC as a requirement for non-admin deployments)