Background / Goal
The moving parts:
- I have a service account, let's call it MyDomain\svcMyService.
- I have a remote server, let's call it MyDomain\MyServer.
- I have a Jenkins server, let's call it MyDomain\MyJenkins.
In Jenkins, I have a deployment task. It grabs some artifacts and then calls msdeploy to push them to MyServer.
This deployment step fails, and I'd like to figure out why.
The MSDeploy command I'm using
The command is auto-generated by Jenkins and ends up being the following (sensitive data omitted):
"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe" -verb:sync -source:iisApp="E:\Jenkins\jobs\NotARealJobName\workspace" -dest:iisApp="MyWebSite/MyWebApp",ComputerName="https://MyServer:8172/MsDeploy.axd",UserName=MyDomain\svcMyService,Password="NotARealPassword" -allowUntrusted
The Error
The error message I see from msdeploy output is:
Error Code: ERROR_USER_UNAUTHORIZED More Information: Connected to the remote computer ("MyServer") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.
Error: The remote server returned an error: (401) Unauthorized.
My Understanding of What I have to Do
This may be an incomplete or incorrect list. Please tell me if this is where the problem could be.
I think I have to:
- Install WebDeploy on IIS (3.6 is the latest in this case).
- Enable the management service in IIS.
- Create an application pool that runs as MyDomain\svcMyService. Yeah, the same username that deploys is running it too. Not the best, I know. Out of my hands at the moment.
- Create the directory for my IIS Web application.
- Grant permissions on this directory:
  - Full permissions to svcMyService
  - Full permissions to WDeployAdmin
  - Full permissions to NetworkService (since that's what WMSvc runs as)
- Create the Web Site with the appropriate port.
  - The web site should be run under the application pool of the service account.
  - The web site should connect to the folder using the svcMyService account.
- Create a web application under the web site.
  - The web site should connect to the folder using the svcMyService account.
- Add the svcMyService account as a deployment manager at both the site and the application level.
- Ensure that the local WDeployConfigWriter and WDeployAdmin accounts aren't expired and that their passwords cannot be changed.
- Ensure that IIS management delegation is using the WDeployConfigWriter and WDeployAdmin accounts, and update those credentials for each delegation if you changed the password for those local accounts.
Troubleshooting so far
I'll keep this list updated as I try to troubleshoot.
Check WMSvc IIS Logs -- looks like my user doesn't have the rights to publish
- Sample of the log is below:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-09-14 17:10:06 [Server IP] HEAD /MsDeploy.axd - 8172 - [Jenkins IP] - - 401 2 5 15
I see that all the statuses are 401.2 with a win32 code of 5.
According to this troubleshooting link, "If the user is authenticated, but does not have the rights needed to publish, the log entry will look like" that (401 2 5).
I found the answer on this old forum post from 2011 -- it seems really obscure.
The solution found on that forum post was to set WindowsAuthenticationEnabled to a value of 1 under:
HKEY_LOCAL_MACHINE\Software\Microsoft\WebManagement\Server
After performing those steps, it appears to have worked for me the first time.
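As an added example (this is not code from the original post, and not a Microsoft-provided script), the following PowerShell script, run in an elevated session on MyServer, does three things that the post describes in prose: it parses WMSvc log lines and flags the 401.2 / win32 5 signature, it applies the registry fix from the 2011 forum post and restarts WMSvc, and it grants the deploy account IIS Manager permission on the site and application paths (the "deployment manager" step). It assumes the default WMSvc log directory under inetpub\logs\wmsvc, that WindowsAuthenticationEnabled is a DWORD, that Microsoft.Web.Management.dll is in the inetsrv folder, and uses a constructed log sample modelled on the excerpt above. One caveat worth stating: with WindowsAuthenticationEnabled set, the domain account's password is sent to whatever answers on port 8172, and the -allowUntrusted switch in the msdeploy command above disables certificate validation on the Jenkins side, so once publishing works, give WMSvc a certificate Jenkins trusts and drop that switch.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on MyServer (the IIS host). Values marked "assumed" are illustrative.

$DeployAccount = 'MyDomain\svcMyService'
$SitePath      = 'MyWebSite/MyWebApp'                             # the -dest:iisApp path from the msdeploy command
$WmsvcLogDir   = "$env:SystemDrive\inetpub\logs\wmsvc\W3SVC1"     # assumed default WMSvc log location
$RegKey        = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'  # key named in the 2011 forum fix

# 1. Parse W3C-format WMSvc log lines and report every 401, flagging the
#    401.2 / win32 5 signature (authenticated, but not authorized to publish).
function Get-WmsvcAuthFailures {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # the #Fields header defines the column order for the lines that follow
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -ne '401') { continue }
        $note = if ($row['sc-substatus'] -eq '2' -and $row['sc-win32-status'] -eq '5') {
            'authenticated but not authorized: check IIS Manager permissions and WindowsAuthenticationEnabled'
        } else {
            'credentials rejected: check username/password and the authentication type WMSvc accepts'
        }
        [pscustomobject]@{
            Time   = "$($row['date']) $($row['time'])"
            Client = $row['c-ip']
            User   = $row['cs-username']
            Status = "$($row['sc-status']).$($row['sc-substatus'])"
            Win32  = $row['sc-win32-status']
            Note   = $note
        }
    }
}

# Constructed sample in the same format as the log excerpt in the post (not a real capture).
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-09-14 17:10:06 10.0.0.5 HEAD /MsDeploy.axd - 8172 - 10.0.0.9 - - 401 2 5 15
2015-09-14 17:10:07 10.0.0.5 HEAD /MsDeploy.axd - 8172 - 10.0.0.9 - - 401 1 1326 0
'@ -split "`r?`n"

Get-WmsvcAuthFailures -Lines $sampleLog | Format-Table -AutoSize
# Against the real logs on MyServer:
# Get-WmsvcAuthFailures -Lines (Get-ChildItem $WmsvcLogDir -Filter *.log | Get-Content) | Format-Table -AutoSize

# 2. The fix from the forum post: let WMSvc accept Windows (domain) credentials.
#    The value type is assumed to be DWORD; WMSvc is restarted so it picks up the change.
function Enable-WmsvcWindowsAuth {
    if (-not (Test-Path $RegKey)) { throw 'WMSvc registry key not found; is the Management Service installed?' }
    $current = (Get-ItemProperty -Path $RegKey -Name WindowsAuthenticationEnabled -ErrorAction SilentlyContinue).WindowsAuthenticationEnabled
    if ($current -eq 1) { Write-Host 'WindowsAuthenticationEnabled is already 1'; return }
    Set-ItemProperty -Path $RegKey -Name WindowsAuthenticationEnabled -Value 1 -Type DWord
    Restart-Service -Name WMSvc
    Write-Host 'WindowsAuthenticationEnabled set to 1 and WMSvc restarted'
}

# 3. Give the deploy account IIS Manager permission on the site and the application
#    (the "deployment manager" step in the list above), using the ManagementAuthorization
#    class from Microsoft.Web.Management.dll (assumed to live in inetsrv).
function Grant-IisManagerPermission {
    param([string]$Account, [string]$ConfigPath)
    Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Management.dll"
    try {
        [Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($Account, $ConfigPath, $false) | Out-Null
        Write-Host "Granted $Account IIS Manager permission on $ConfigPath"
    } catch {
        # report and carry on with the remaining paths rather than aborting the script
        Write-Warning "Grant on $ConfigPath failed: $($_.Exception.Message)"
    }
}

Enable-WmsvcWindowsAuth
Grant-IisManagerPermission -Account $DeployAccount -ConfigPath ($SitePath -split '/')[0]   # site level
Grant-IisManagerPermission -Account $DeployAccount -ConfigPath $SitePath                   # application level
```

Run section 1 first and confirm the 401.2 / win32 5 rows are what the log actually shows before changing anything; a 401.1 row points at the credentials or the authentication type rather than at permissions, and the registry change will not help there. Restarting WMSvc interrupts any deployment in flight, so do it outside a build window.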