3

I'm doing a spike to test out msdeploy to run a remote command as part of our custom installer process, but no matter how I configure it, I can't get it to allow me to use runCommand with a normal user.

The call I'm using is (wrapped for clarity):

"C:\program Files\IIS\Microsoft Web Deploy\msdeploy.exe" 
    -verb:sync 
    -source:runCommand="testcommand.bat" 
    -dest:auto,wmsvc="https://server:8172/msdeploy.axd?site=Default Web Site",authType=basic,userName=server\username,password=xxxxxx 
    -allowUntrusted

The user is a local user on the server, and has been added to "IIS Manager Permissions" for "Default Web Site". The testcommand.bat is just a normal batch file that contains "dir".

I've set up the runCommand provider under Management Service Delegation (Actions = "*", Path Type = "Path Prefix", Path = "{userScope}", Identity Type = "Specific User").

If I add the user to the local administrators group, it works fine.

Due to some of the logging that has been enabled, I'm getting the following in the event log:

Tracing deployment agent exception. Request ID '97beb70b-33da-4445-b3be-d3cf3e6db8b7'. 
Request Timestamp: '08/31/2012 18:05:25'. 
Error Details:
    Microsoft.Web.Deployment.DeploymentUnauthorizedAccessException: Attempted to perform an unauthorized operation. runCommand http://go.microsoft.com/fwlink/?LinkId=178034
    at Microsoft.Web.Deployment.DelegationHelper.ImpersonateForOperation(String deploymentAction, String deploymentProvider, String deploymentPath, DelegationContextCache cache)
    at Microsoft.Web.Deployment.DelegationHelper.ImpersonateForOperation(String deploymentAction, DeploymentObject deploymentObject)
    at Microsoft.Web.Deployment.DeploymentAgent.HandleRequest(DeploymentAgentAsyncData asyncData)

I've had a go at the two permissions-based fixes in http://technet.microsoft.com/en-us/library/ee619740(WS.10).aspx, but they haven't made any difference.

Would really appreciate any suggestions - I'm pretty close to tearing my hair out here!

2
  • 1
    I'm REALLY struggling with this. I can get it to work if I use userName and password of an admin, but not with an IIS Manager user. The answer below just doesn't work for me! Please can you help? In your command above where is testcommand.bat located? Also, I know this was posted months ago, but anything you can remember would be a massive help. Thanks! Commented May 31, 2013 at 12:07
  • Hey @WheretheresaWill - open a new question with as much detail as you can, and I'll take a look. Commented Jun 3, 2013 at 16:21

1 Answer

7

Spent two days on the same thing. If you enable 'Web Management Service Failed Request Tracing', you will see messages like this:

Uri="/msdeploy.axd", eventData="Not authorized. Details: No rule was found that could authorize user 'WebDeploy', provider 'runCommand', operation 'Read', path 'echo HI!'."

As you can see, msdeploy uses the command as the path to match rules, so you just need to replace Path = "{userScope}" in the delegation rule with Path = "testcommand.bat".

Not sure why this is not specified in any articles on the web; maybe this is something new for WebDeployV3.
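
The check described in the answer, as an added example that is not part of the original post or of Web Deploy itself: it parses a denial message of the shape quoted above and reports which delegation rules would authorize the request. The rule dictionaries, the sample message, the `user_scope` value and the simplified prefix-matching model are all assumptions made for illustration.

```python
import re

# Shape of the Failed Request Tracing message quoted in the answer above.
DENIED = re.compile(
    r"No rule was found that could authorize user '(?P<user>[^']*)', "
    r"provider '(?P<provider>[^']*)', operation '(?P<operation>[^']*)', "
    r"path '(?P<path>.*)'\."
)

def parse_denial(event_data):
    """Return user/provider/operation/path from a denial message, or None."""
    m = DENIED.search(event_data)
    return m.groupdict() if m else None

def rule_matches(rule, request, user_scope):
    """Simplified model (assumption): the provider must be listed and the rule
    path, with {userScope} expanded, must be a case-insensitive prefix of the
    path the service reports, which for runCommand is the command text."""
    providers = [p.lower() for p in rule["providers"]]
    if request["provider"].lower() not in providers:
        return False
    rule_path = rule["path"].replace("{userScope}", user_scope).lower()
    return request["path"].lower().startswith(rule_path)

def explain(event_data, rules, user_scope):
    """Return the parsed request and the names of rules that would allow it."""
    request = parse_denial(event_data)
    if request is None:
        raise ValueError("not a delegation denial message")
    hits = [r["name"] for r in rules if rule_matches(r, request, user_scope)]
    return request, hits

# Constructed sample: the question's user and command in the answer's format.
SAMPLE = ("Not authorized. Details: No rule was found that could authorize "
          "user 'server\\username', provider 'runCommand', operation 'Read', "
          "path 'testcommand.bat'.")

# Hypothetical rule records mirroring the two Path settings discussed above.
RULES = [
    {"name": "scope-rule", "providers": ["runCommand"], "path": "{userScope}"},
    {"name": "command-rule", "providers": ["runCommand"], "path": "testcommand.bat"},
]

if __name__ == "__main__":
    req, hits = explain(SAMPLE, RULES, user_scope="Default Web Site")
    print(req["path"], "->", hits or "no rule matches")
```

Under this prefix model, a rule path shorter than the full command also authorizes any other command that starts with the same text, so the rule path is best kept as specific as the command it is meant to allow.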
