Home / server / Questions / 888632
In Process
Florian
Asked: 2017-12-19 02:08:10 +0800 CST

Impossible to deploy a website using Web IIS Deploy Task with a non-admin account

  • 772

I want to deploy a website using the TFS Release Manager and the Web IIS deployt Task. It works perfectly when the account used is a local admin account. But with another non-admin account, I encountered this error :

##[error]Microsoft.PowerShell.Commands.WriteErrorException: System.AggregateException: Failed to install 'VisualStudioRemoteDeployer1fed642b-3699-404d-be6c-f8edb0a59e0a' from service executable path VisualStudioRemoteDeployer.exe . Consult the logs below:
Exception calling "SetRight" with "2" argument(s): "OpenPolicy failed: 5"
 CategoryInfo :NotSpecified: (:) [], MethodInvocationException
 FullyQualifiedErrorId :Exception
 ---> System.Management.Automation.RemoteException: Exception calling "SetRight" with "2" argument(s): "OpenPolicy failed: 5"
   --- End of inner exception stack trace ---
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.Invoke(String errorContextMessage, Boolean writeResultToLog, Boolean isCancellable)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.RemoteDeploymentHelper.InstallServiceInternal(String serviceSourcePath, String serviceName, String destinationFileName)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.RemoteDeploymentHelper.InstallService(String serviceSourcePath, String serviceName, String destinationFileName)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.DeploymentClient.<RunAsync>d__24.MoveNext()
---> (Inner Exception #0) System.Management.Automation.RemoteException: Exception calling "SetRight" with "2" argument(s): "OpenPolicy failed: 5"<---

I want to know why / which permission this account needs. Browsing the web, I find this post :

https://social.msdn.microsoft.com/Forums/vstudio/en-US/1fecfb5b-8fe5-4e66-80ac-d908a43c8984/winrm-iis-web-app-deployment-privileges-to-target-server?forum=tfsbuild

But the answer is not sufficient. What is the technical reason/needs that this task should be runned with a local admin account.

Thank you very much for your help.

iis

2 Answers

  1. I think I figured it out. I followed the tutorial here https://technet.microsoft.com/en-us/library/ff700227.aspx

    I think most importantly, this command fixed the problem winrm quickconfig.

    PS C:\Windows\system32> winrm quickconfig
WinRM service is already running on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
    • 1

  2. That Task, , uses WinRM to communicate with the target machine and WinRM is restricted to Administrators.

    If you want to use pure MSDeploy, talking to IIS Management Service through the HTTPS protocol, you can use a different task like MSDeployAllTheThings.

    • 0