When using msdeploy and the msdeploy.axd handler, any attempt to deploy to my remote server is met with a 401 not authorized error and the server logs:
IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED
Only Windows Administrators are allowed to connect using a server
connection. Other users should use the 'Connect To Site or
Application' task to be able to connect.
Process:WMSvc
What is the correct way to target the axd for the site level?
This might depend on how you're specifying the connection on the client side as well - if you're using msdeploy.exe you would specify the computername argument including a "?site=" query so that you connect at that site level rather than the server level, for example:
msdeploy.exe -verb:dump -source:iisapp="siteName",computername=https://servername:8172/msdeploy.axd?site=siteName,username=user,password=pass,authType=basic [-allowUntrusted]
If you use Web Deploy Tool 2.0, you can use the IIS Manager UI to enable non-admin users to deploy a website:
Start IIS Manager
Right-click the site you want to publish to, click Deploy and then click “Configure Web Deploy Publishing...”
When you click the Setup button, Web Deploy grants the necessary permissions to the selected user. You can discard the generated file.
See Announcing Web Deploy 2.0 Refresh!
If you're using WMSvc, I'm assuming this is IIS7 ...
If so, then you can deploy with a normal account but you have to make sure these 3 criteria are met:
Your account needs to have:
1 IIS Manager permission for the site/app you are trying to connect with.
2 A delegation rule for msdeploy, that states that you are allowed to do ContentPath operations.
3 Actual filesystem/ACL access to the files.
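The point of the first answer above (connect at site scope with `?site=` rather than at server scope) can be checked before a deployment runs. The following is an added example, not code from the original posts: a small lint for msdeploy.exe command lines, in which the finding codes and the sample commands are made up for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')   # whitespace split that keeps "quoted text"
FIELD = re.compile(r'(?:[^,"]|"[^"]*")+')    # comma split that keeps "quoted text"

def endpoint_settings(arg):
    """'-dest:prov=path,key=value,...' -> {key: value} with lower-cased keys."""
    body = arg.partition(":")[2]
    settings = {}
    for field in FIELD.findall(body)[1:]:      # field 0 is provider=path
        key, _, value = field.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def lint(cmdline):
    """Return a list of finding codes for one msdeploy.exe command line."""
    tokens = TOKEN.findall(cmdline)
    findings = []
    if any(t.lower() == "-allowuntrusted" for t in tokens):
        findings.append("cert-not-validated")      # -allowUntrusted skips certificate checks
    for tok in tokens:
        if not tok.lower().startswith(("-source:", "-dest:")):
            continue
        s = endpoint_settings(tok)
        url = urlsplit(s.get("computername", ""))
        if url.path.lower().endswith("/msdeploy.axd"):
            if not any(parse_qs(url.query).get("site", [])):
                # WMSvc treats this as a server connection: Windows Administrators only,
                # anyone else gets 401 and IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED.
                findings.append("server-scope")
        if s.get("authtype", "").lower() == "basic" and url.scheme.lower() == "http":
            findings.append("basic-over-http")     # credentials cross the wire unencrypted
        if "password" in s:
            findings.append("inline-password")     # visible in history and process listings
    return findings

# Constructed sample command lines (host, site and account names are placeholders).
SITE_SCOPED = ('msdeploy.exe -verb:dump -source:iisapp="Default Web Site",'
               'computername=https://servername:8172/msdeploy.axd?site=Default%20Web%20Site,'
               'username=user,authType=basic')
SERVER_SCOPED = ('msdeploy.exe -verb:dump -source:iisapp="siteName",'
                 'computername=https://servername:8172/msdeploy.axd,'
                 'username=user,password=pass,authType=basic -allowUntrusted')

if __name__ == "__main__":
    for cmd in (SITE_SCOPED, SERVER_SCOPED):
        print(lint(cmd) or "ok", "<-", cmd)
```

An empty result means the command connects at site scope over HTTPS without an inline password or disabled certificate validation; it says nothing about whether the account has the IIS Manager permission, delegation rule and ACLs listed above.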
Deploying an ASP.NET project on a local IIS server as a release version. Getting a 401 unauthorized error on an API call (allow anonymous enabled). The server runs with an administrator user principal. This principal has all the permissions. And the project is declared as an application with the correct .NET library. The only thing I can't change is the read-only flag on the project directory. Can anyone help? Nothing in Google resources worked...
Update: After a lot of searching and digging, I found a solution:
IIS Application basic settings - The default setting is to run the application with the Application pool user, which is usually limited in its file access permissions. So the idea is to run the application with an administrator user.
Run as - enter administrator user name and password
Application pool type - The default application pool type is 2 and sometimes new .NET libraries are not accessible. So you have to add all the missing ASP.NET types to IIS.
Usually the ASP.NET version is supposed to be classic; in this case the application works fast. Otherwise application refresh time may take a long period.
Local folder permission - add the local administrator that you defined in the IIS settings, and grant him all permissions to the folder recursively
SQL Server Management - the default server authentication is Windows Authentication, make it SQL Server and Windows Authentication mode
Add a new user to the server and grant him all the permissions to the database
Add this user to the database Users and change the SQL connection string in the project accordingly. This way you prevent the application pool from trying to connect to the database with its user
Just posting this here as I went around in circles trying to diagnose an intermittent 401 error.
I had a virtual sub directory within the web application that referenced an external folder which was out of the directory tree so had different folder permissions.
Any scripts that referenced this folder failed - while others ran completely fine.
We have a web farm environment running IIS 7.5 on Windows 2008R2. We use shared configuration and web storage replication.
We tried to install Web Deploy (v3.5) on one of the servers but receive an error message saying that Web Deploy is not supported with Shared Configuration.
Is it possible to run Web Deploy in a shared configuration environment? If so how?
NOTE: We have figured this out so I am posting the answer here. There is little to no documentation that we could find on this topic so I thought it best to host the info here so the rest of the world can easily find it.
Yes, Web Deploy can be installed on an IIS server using Shared Configuration. Here are the steps we used to get it to work. Any comments, improvements or considerations are welcome.
Open IIS and select the server node in the tree.
Open the Shared Configuration in the Management section.
Uncheck Shared Configuration and select Yes to copy the configuration to the local storage.
Do this to ALL servers that have been sharing configuration as you need to rebuild the configuration once Web Deploy is installed and reattach each server.
Install Web Deploy 3.5 (or newer) via the Web Platform Installer found here:
http://www.microsoft.com/web/gallery/install.aspx?appid=WDeploy
Installing Web Deploy will modify the authentication rules which will cause issues in a Shared Configuration environment so these rules need to be manually updated.
Open IIS and select the server node in the tree.
Open the Management Service Delegation module in the Management section (this module appears once Web Deploy is installed).
Edit the following rules and set the credentials to a user that has access to the Shared Configuration. Typically a new account can be made that can be granted access to the Shared Configuration storage, or use the IIS service account. This will enable the web deployment agent to access the shared configuration with a domain account instead of the default local account.
createApp
recycleAPP
appPoolPipeline,appPoolNetFx
backupSettings
Restart the Web Deployment Agent service.
Restart the Web Management service.
Restart the IIS service.
Make sure you have disabled shared configuration on all servers.
Now to re-enable shared configuration, open IIS and select the server node in the tree.
Open the Shared Configuration in the Management section.
If this is the first server you need to export the configuration using the following steps (if not skip to next step):
Click Export Configuration...
Set the Physical Path to the shared configuration location and enter the appropriate encryption key.
You should see a success dialog if the export was successful.
Check Enable shared configuration.
Set the Physical Path to the shared configuration location and click Apply.
Enter the appropriate encryption key and click Ok.
Restart the IIS service.
You will then need to perform these steps again for each server using the shared configuration except you can skip step #14.
Every time the ASP.NET application in question throws an error, the Global.asax writes to an error file: logs\error.log. The ASP.NET application works using Windows authentication.
I am able to write to the log file when debugging using Visual Studio, however it does not work when the application is deployed in the live environment. How do I find out what user account I need to give access to: logs/error.log?
The application is deployed on a Windows 2003 Server with IIS6. Microsoft.NET 3.5.
You would have to give the required permissions to the network service account. This link might be able to help you out.
Windows Server 2003 defaults to the "Network Service" account.
This can be verified by opening IIS (expand the computer if needed), expand the "Application Pools" folder, right click on the pool used by your web app, and go to the Identity tab.
FYI: Windows Server 2008 uses the IIS_IUSER instead of Network Services.
I hope that logs folder is a virtual directory setup outside the web site directory.
Otherwise every time you deploy the entire solution you will overwrite the logs folder and its content.
Microsoft has a tool for monitoring file access that can be useful for troubleshooting permission issues.
Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645
You will also want to check if your application is using windows authentication & identity impersonation since that can change the identity the application is executing with when enabled.
I am in the process of deploying a web application on IIS5 on my server, which runs Windows XP. When I run my application in Visual Studio it's perfect. But when I deployed it into IIS it throws me an error saying that access is denied to a particular file.
My app reads an XML file based on the input (which is nothing but the other system in the network). I browsed to the properties of that file manually and unchecked the read-only attribute, but it still didn't work out. Can anyone guide me to the proper solution?
You might have to give read/write (if needed) to the following users:
iis_wpg
network service
aspnet
In IIS, your site runs under the credentials of the application pool assigned to it. You can either change the credentials of your application pool to an account that has permission to access that file, or else grant access to the default account that the application pool is currently using.
You mention that you are using basic auth...
Generally, the web application will then impersonate the user logged in.
So, if your file isn't accessible by the user that logged in, then it won't be accessible to the web application impersonating them on the system either. You will need to check the permissions of those files and set them accordingly.
Hi: I'm reading up on ASP.NET, and just came to a chapter that explains how to upload a file to your website. It says that in order to save a file to your file system, in the case of every OS except Win Server '03, an ASP.NET page executes in the security context of the ASPNET account. I don't have an ASPNET account running on my machine (win xp pro sp3; .NET 3.5). The program runs fine, by the way, I'm just trying to understand what an ASPNET account is exactly, and why it doesn't seem to show up on my list of user accounts. Thanks.
ASPNET is only used if you use IIS. This was the norm in ASP.NET 1.1.
However, in new versions of Visual Studio IIS is not needed, so it uses an internal web server.
If ASPNET exists, in a command window (Start -> Run, cmd, click OK) type the following and press Enter:
net user ASPNET
you should see the details of the account and in Task Manager you will see a process asp_wp.exe
File Access
The Network Service account has Read and Execute permissions on the IIS server root folder by default. The IIS server root folder is named Wwwroot. This means that an ASP.NET application deployed inside the root folder already has Read and Execute permissions to its application folders. However, if your ASP.NET application needs to use files or folders in other locations, you must specifically enable access.
http://msdn.microsoft.com/en-us/library/ff647402.aspx