401 Unauthorized error with WebDeploy using non-administrator user

Julian · Mar 26, 2014 · Viewed 8.5k times

TL;DR: Is it at all possible to use MS Web Deploy to deploy a web application to a remote host from the command line with a non-administrator user?

I have followed every point in Microsoft's guide for Installing and Configuring Web Deploy. My goal is to be able to do a remote web deploy with an IIS user/non-administrator user.

After doing all the steps as described under Install and configure web deploy for non-administrator deployments, I get the following log messages (indicating that everything is OK):

Publish enabled for 'deploy_user'
Granted 'deploy_user' full control on 'C:\inetpub\wwwroot'
Successfully created settings file 'C:\Users\...\Desktop\deploy_user_Default Web Site.PublishSettings'

Next, when I from my local machine try to run the following command:

.\my_deploy_package.cmd /M:https://machine_name:8172/msdeploy.axd -allowUntrusted /U:deploy_user /P:deploy_password /A:Basic /T

I get an error message saying: Error: The remote server returned an error: (401) Unauthorized.

If I go into Event Viewer > Custom Views > Administrative Events on the target machine, I see a "matching" error with this message:

IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED

Only Windows Administrators are allowed to connect using a server connection. Other users should use the 'Connect To Site or Application' task to be able to connect.

Process:WMSvc User=deploy_user

This error is the exact same as described in this question. And the accepted answer suggests that what I've already done is the correct approach.

I have tried several suggested workarounds, like this, but nothing seems to help. Management Service is set to allow remote connections (both Windows and IIS Manager credentials), and I have run the configuration for both a built-in Windows user (non-administrator) and an IIS Manager user, and still get the same error. As soon as I run the deploy command with an administrator user, however, it succeeds.

I am allowed to connect remotely through the IIS gui with my non-administrator deploy_user user (in IIS: Connect to Site > [server url]/[site name] > deploy_user/deploy_password), indicating that the necessary rights and rules are configured. It is however when I try to run the deploy script command line - with the same user - that it fails.

And if it actually is as the error message indicates, that a non-admin user can only use Connect To Site or Application through IIS Manager, what is then the recommended way to do deploys like this from the command line/a build server? I don't really want to enter the username/password of an admin user in clear text in the config on the build server...

One option I've found that works is that if your build server and the machine you deploy to share a common Active Directory (or other means of sharing users), you can skip the /A:Basic flag and leave out the username and password altogether. You only have to make sure that the user running the deploy also has administrator rights on the deploy target. However, in one case for us the build server and deploy target don't have a common user base, so this isn't an option and we're back to username/password in clear text, which isn't desirable at all.

Answer

Elad Lachmi · Apr 29, 2014

Since the user has admin rights only at the site level and not at the IIS root level, you need to add the site name.

Instead of https://machine_name:8172/msdeploy.axd you need to have https://machine_name:8172/msdeploy.axd?site=[MySiteName].

When this is not added, msdeploy tries to access the site through the root of IIS. With the added parameter the site is accessed directly, and admin rights on the specific website are sufficient.
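The site-scoped invocation from the answer, wrapped in a build-server script as an added example (not code from either post). It assumes the Visual Studio-generated `my_deploy_package.cmd` from the question, a hypothetical `DEPLOY_PASSWORD` environment variable injected by the build server's secret store, and the `/Y` switch of the generated package script, which performs the deploy that `/T` only previews.

```powershell
# Added example, not from the original Q&A. Deploys a Web Deploy package as a
# site-level (non-administrator) user by scoping the WMSvc endpoint with ?site=.
param(
    [Parameter(Mandatory)] [string] $PackageCmd,   # e.g. .\my_deploy_package.cmd
    [Parameter(Mandatory)] [string] $Server,       # e.g. machine_name
    [Parameter(Mandatory)] [string] $SiteName,     # e.g. 'Default Web Site'
    [string] $User = 'deploy_user',
    [switch] $Trial,                               # /T = what-if run; otherwise /Y deploys
    [switch] $AllowUntrusted                       # only when WMSvc uses a self-signed cert
)

# Assumption: the build server injects the secret as DEPLOY_PASSWORD instead of
# storing it in a config file. Refuse to run if it is missing.
$password = $env:DEPLOY_PASSWORD
if (-not $password) { throw 'DEPLOY_PASSWORD is not set; refusing to run.' }

# A non-administrator may only open a *site* connection, so the ?site= query
# string is what avoids IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED (the 401).
# Percent-encode the name so 'Default Web Site' becomes Default%20Web%20Site.
$encodedSite = [uri]::EscapeDataString($SiteName)
$endpoint    = "https://${Server}:8172/msdeploy.axd?site=$encodedSite"

$deployArgs = @(
    "/M:$endpoint",
    "/U:$User",
    "/P:$password",
    '/A:Basic',
    $(if ($Trial) { '/T' } else { '/Y' })
)
if ($AllowUntrusted) { $deployArgs += '-allowUntrusted' }

# Log the endpoint and user, never the password. Note that /P still places the
# password on the child process command line, so rely on the build server's
# secret masking and keep the agent host locked down.
Write-Host "Deploying to $endpoint as $User (trial run: $Trial)"
& $PackageCmd @deployArgs
if ($LASTEXITCODE -ne 0) {
    throw "Web Deploy failed with exit code $LASTEXITCODE"
}
```

Run it first with `-Trial` to confirm the site-scoped connection authenticates before performing a real deploy.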