Question: How do I properly setup the database connection when using the File System method to publish an ASP .NET Core 3.1 Web-Api to IIS running on Windows 10? I believe I have added all of the correct Windows features for IIS because it runs and I am running VS 2019 Community in Admin mode.
This is my first time deploying a .NET Core 3.1 Web-API to IIS via the Publish method. I am able to successfully publish the web application to IIS. But it appears that something is wrong with the database configuration because when I try submit a login POST via Postman, I am getting an error message from the API error handling middleware that the credentials are invalid, which effectively means that the Web-API cannot connect to the database. As a test, when I try running in debug with IIS Express and change the connection string, I get the same error. Note: the IIS server logs do not contain any relevant output to confirm this, but I am pretty sure this is the problem.
In searching online, I am struggling to find a simple and direct walk through on how to publish a Web-API with a database connection. I suspect the problem is in the Connected Services section of the publish profile. I had to battle through some build errors that related to missing packages, and this item:
https://obscureproblemsandgotchas.com/development/c/dotnet-core-ef-migration-not-working/
Once I applied this change, the database data context strings could be read from the Publish Settings section of the publish profile, which reads the connection strings from the appsettings.json file. Though, I had to modify that string to remove an escape '' from the actual json value so that the test connection would succeed.
Any help is greatly appreciated.
You could set the connection string at the time of deploy from the visual studio as shown below :
Make sure you installed the .NET Core Hosting Bundle and .NET Core Runtime.
after doing all these things set the application pool identity to the administrator:
Open iis manager, select your application pool.
Click on advance setting from the action pane.
Under Process Model, click on the “Identity” value and select “Custom account”.
enter your domain user name and password which user has to access to the database and click ok to apply the changes.
after applying changes select the application pool and click on the “Recycle”.
restart your site.
Please refer below link for more detail:
https://forums.iis.net/post/2159167.aspx
I created a simple ASP.Net Core application with user authentication (so all the Entity Framework has been preloaded into the web app template). It is connecting to my database with the connectionString that is located in my appsettings.json file, with "data source = {computerName}\\{serverName}" setup.
The database instance and Visual Studio are located on the same machine. This works fine in returning data to the web api while within development and debugging mode. When I publish it and try to go to the site from a domain name it does allow me to view the webpages that are not needing database connection but the rest that need data from the database returns pages like this:
Error.
An error occurred while processing your request.
Development Mode
Swapping to Development environment will display more detailed information about the error that occurred.
Development environment should not be enabled in deployed
applications, as it can result in sensitive information from
exceptions being displayed to end users. For local debugging,
development environment can be enabled by setting the
ASPNETCORE_ENVIRONMENT environment variable to Development, and
restarting the application.
I have tried to change the Environment Variables for ASPNETCORE_ENVIRONMENT from Development to Production to no success.
I have tried adding appsettings.Production.json to publishOptions in my project.json file, even though there is no file appsettings.Production.json, and this did not help. dotnet publish
Adding the evironment variable in the web.config file did not work Deployment
I need help getting the published web api to connect to my SQL Server database from outside the development Visual Studio setup.
The last thing I can think of is that maybe I am incorrect in how I understand the connection string. If the web api uses the connection string to connect to the database from the server-side then it should work just fine like it does when in development calling to http://localhost:port# since it's all on the same machine. But, if the database string needs to be based on a client-side call then it would have to be with domain names and IP addresses.
Can someone tell me which one it is?
The only thing else that comes to mind is that there is something I am not doing, and need to do, inside of IIS Manager. I see connect string there as well but unsure what that is for our does since the connection string is inside the application. Also maybe I am suppose to give the app some kind of authorization to communicate with the database server even though they are on the same machine???
After much research, finally googling "how to deploy a web api in iis" I was able to learn from Host ASP.NET Web API in IIS using Visual Studio Publish that I needed to add the security entity BUILTIN\IIS_IUSRS. Then placing a mapping to my database tables and giving db_datareader (and possibly db_datawriter) for the database to the IUSER to allow access from my self hosted IIS web api. This from the above mentioned link with the part stating
Accessing Database under IIS APPPOOL\ASP.NET v4.0
As we are using ASP.NET v4.0 App Pool make sure IIS APPPOOL\ASP.NET v4.0 is added to your Database Server -> Security -> Logins.
I am using TFS to Build and Deploy using MSBuild Arguments. I have the following arguments
/P:AllowUntrustedCertificate=True
/p:DeployOnBuild=True
/p:DeployTarget=MsDeployPublish
/p:CreatePackageOnPublish=True
/p:MSDeployPublishMethod=WMSVC
/p:MSDeployServiceUrl=https://myserver.com
/p:DeployIisAppPath="Site1"
/p:UserName=domain\username
/p:Password=password
This works fine when I use my domain account (which is an Admin on the Destination Server), but I want to use a Service Account that has the barebones permissions to get this to work.
I have already setup IIS Manager Permissions for the site, gave Full Control to the folder that the application sits in, and created setAcl, createApp, and contentPath and iisApp Delegation rules for the user.
I have granted read rights to the inetsrv/config folder, and full control to the applicationHost.config file.
I am able to publish my site using the Visual Studio publish process with that user, but am unable to get the deployment to occur using a TFS Build. When I run the build, I get the following error.
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v11.0\Web\Microsoft.Web.Publishing.targets (4193): Web deployment task failed. (Connected to the remote computer ("myservercom") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.)
I have looked online and followed all the steps I have seen, but still have the issue. Please let me know if you have any questions.
Thank you in advance
Try changing your MsDeployServiceUrl to:
https://myserver.com:8172/msdeploy.axd
Failing that, take a look at the Microsoft Web Deploy event log (in Applications and Services Logs)
I'm integrating MSDeploy into my build process, and having problems authenticating. The following command works fine:
msdeploy -verb:sync -source:appHostConfig="KitchenPC",computerName=192.168.0.3,userName=Administrator,password=secret -dest:package=c:\DeployTest\KPC.zip
However, this does NOT work:
msdeploy -verb:sync -source:appHostConfig="KitchenPC",computerName=192.168.0.3,userName=kpcpublish,password=secret -dest:package=c:\DeployTest\KPC.zip
And yields the error:
Error Code: ERROR_USER_NOT_ADMIN
More Information: Connected to '192.168.0.11' using the Web Deployment Agent Service, but could not authorize. Make sure you are an administ
rator on '192.168.0.11'. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_NOT_ADMIN.
Error: The remote server returned an error: (401) Unauthorized.
Error count: 1.
I've followed the instructions in the link above, and any other docs I could find, which pretty much all say the same thing:
I created an account called kpcpublish
I added this account to a group called MSDepSvcUsers - Heck, I even added the account to Administrators
I right clicked on the site and selected Deploy->Configure Web Deploy Publishing and added kpcpublish to the list. It says the following:
.
Publish enabled for 'SERVER\kpcpublish' Granted 'SERVER\kpcpublish'
full control on 'C:\Website' Successfully created settings file
'C:\Users\Administrator\Desktop\SERVER_kpcpublish_KitchenPC.PublishSettings'
There must be some step I'm missing, but I just can't figure out what could be.
UPDATE:
Using the full HTTP path for the computerName property, I get the error:
Error Code: ERROR_DESTINATION_NOT_REACHABLE More Information: Could
not connect to the remote computer ("192.168.0.3"). On the remote
computer, make sure that Web Deploy is installed and that the required
process ("Web Management Service") is started. Learn more at:
http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_DES
TINATION_NOT_REACHABLE. Error: Unable to connect to the remote server
Error: A connection attempt failed because the connected party did not
properly respond after a period of time, or established connection fa
iled because connected host has failed to respond 192.168.0.3:8192
Error count: 1.
I've checked and the Web Management Service is indeed running.
Another Update:
I've completely paved the system and set it up again from scratch. I've done nothing out of the ordinary, just installed the IIS role and made sure to check "Management Service" under Management Tools, which is required for WMSVC to run. I then installed Web PI, and installed "Recommended Configuration for Hosting Providers", which will install Web Deploy 3.0. However, I did notice there was an error while installing this (I believe I got this error the last time as well). It looks like:
I've also attached the log files here.
I then tried to install Web Deploy 3.0 manually, however it says it's already installed. Next, I downloaded the MSI directly from http://www.iis.net/download/webdeploy and ran it in "Repair" mode. That seems to have worked. I also noticed that the WMSVC service is up and running. So this looks good.
Still, MSDeploy will not connect. I thought it might be some sort of firewall issue, so I ran it locally. I've tried using both HTTPS and HTTP to connect. HTTPS gives me an error, HTTP just times out after 2-3 minutes.
HTTPS:
msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=https://STAGING:8172/msdeploy.axd,userName=Administrator,password=Khorf123 -dest:package=c:\DeleteMe.zip
Info: Using ID 'f3a54096-adc4-4f54-9e4f-ad8fde12edb6' for connections to the remote server.
Error Code: ERROR_CERTIFICATE_VALIDATION_FAILED
More Information: Connected to the remote computer ("staging") using the specified process ("Web Management Service"), but could not verify the server's certifi
cate. If you trust the server, connect again and allow untrusted certificates.
Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_CERTIFICATE_VALIDATION_FAILED.
Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Error: The remote certificate is invalid according to the validation procedure.
Error count: 1.
HTTP:
msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=http://STAGING:8172/msdeploy.axd,userName=Administrator,password=Khorf123 -dest:package=c:\DeleteMe.zip
Info: Using ID 'ebee66f0-08e5-4d9d-98ea-0c2e59784895' for connections to the remote server.
Error: Could not complete the request to remote agent URL 'http://staging:8172/msdeploy.axd'.
Error: The operation has timed out
Error count: 1.
(Updated 2016-03-07 - NOTE: non-Administrator deployments also require ?site=IIS_SITE_NAME after msdeploy.axd, otherwise the connection is treated as global and requires Administrator access)
Not sure how missed this originally, but your problem is the computerName parameter. Non-administrator deployments are only supported when using WMSVC, for which you need to specify the full URL.
Try the following
msdeploy -verb:sync ^
-source:appHostConfig="KitchenPC",computerName=https://192.168.0.3:8172/MsDeploy.axd,userName=kpcpublish,password=secret,authType=Basic ^
-dest:package=c:\DeployTest\KPC.zip
From the docs:
The computer name will be translated to the default Web Deploy URL. For example, computerName=Server1 will become http://Server1/MsDeployAgentService. If the remote service is running with a custom port or URL, you must specify the full URL
And from the install instructions:
The MSI will not install the Web Management Service handler component if the Web Management Service is not installed; the handler component is necessary for non-administrator deployments
(I couldn't find a more explicit canonical source that describes WMSVC as a requirement for non-admin deployments)
Figured It Out!
So, it seems that (at least by default), WMSVC only listens on HTTPS, and HTTP will just time out. However, since my certificate was self-signed, I had to use the -allowUntrusted command line option.
That was almost enough. I also had to specify authType=Basic like Richard originally suggested. So, to put it all together, this is the MSDeploy command line that will actually work:
msdeploy -verb:sync -source:appHostConfig="Default Web Site",computerName=https://192.168.0.3:8172/msdeploy.axd,authType=Basic,userName=Publish,password=secret -dest:package=c:\DeployTest\KPC.zip -allowUntrusted
After configuring Web Deploy my server as follows. I continued to get HTTP 404 connection failures. In may what worked for me was the following additional efforts...
Uninstall all previous version of Web Deploy that existed. I was not even aware they existed; however, previous versions appear to conflict with completing a connection to the latest Web Deploy service. Newer version don't uninstall their predecessors. In the last part, I was getting HTTP 401.7 - File Extension Denied.
For good measure, performed a repair of the current version of Web Deploy, currently Microsoft Web Deploy 3.6
For good measure, recreate and import my Visual Studio 2013 deployment profile...
recreate the publish settings file using the Configure Web Deploy Publishing dialogue available from the Deploy context menu option of the target website in IIS Manager's Connections panel. (Note, the publish settings file will be recreated when you press Setup as the file whose full path is specified in the dialogue entry, Specify a location to save the publish settings file)
Copy or otherwise make the publish settings file available to Visual Studio and selecting Publish from your project's context menu, create a Visual Studio publish profile by importing the publish settings file.
Try restarting the wmsvc service on the target machine
As alluded to above, make sure that you are connecting over HTTPS. If you are attempting to connect as Admin, but not using SSL, you get the following error:
Error Code: ERROR_USER_NOT_ADMIN
More Information: Connected to 'host' using the Web Deployment Agent Service, but could not authorize. Make sure you are an administrator on 'host'.
(Where 'host' is your server name)
For me the problem was that my password expired... I've noticed it when loging out and then tried to login back trhough remote desktop.
When using msdeploy and the msdeploy.axd handler any attempts to deploy to my remote server is met with a 401 not authorized error and the server logs
IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED
Only Windows Administrators are allowed to connect using a server
connection. Other users should use the 'Connect To Site or
Application' task to be able to connect.
Process:WMSvc
What is the correct way to target the axd for the site level?
This might depend on how you're specifying the connection on the client side as well - if you're using msdeploy.exe you would specify the computername argument including a "?site=" query so that you connect at that site level rather than the server level, for example:
msdeploy.exe -verb:dump -source:iisapp="siteName",computername=https://servername:8172/msdeploy.axd?site=siteName,username=user,password=pass,authType=basic [-allowUntrusted]
If you use Web Deploy Tool 2.0 you can use IIS Manager UI to enable non-admin users to deploy website:
Start IIS Manager
Right-click the site you want to publish to, click Deploy and then click “Configure Web Deploy Publishing...”
When you click Setup button Web Deploy grants necessary permissions to selected user. You can discard generated file.
See Announcing Web Deploy 2.0 Refresh!
If you're using WMSvc, I'm assuming this is IIS7 ...
If so, then you can deploy with a normal account but you have to make sure these 3 criteria are met:
Your account needs to have:
1 IIS Manager permission for the site/app you are trying to connect with.
2 A delegation rule for msdeploy, that states that you are allowed to do ContentPath operations.
3 Actual filesystem/ACL access to the files.