Question

I'm trying to run the following Web Deploy command:

msdeploy.exe -verb:dump -source:dirPath="C:\Deploy",wmsvc=localhost,username=<user>,password=<pass>

I have tried to run this with two users, John and Mary. John is a member of the Administrator group on the box, Mary isn't; the command works for John, but fails with a 401 for Mary.

I have the following set up:

  • Mary has full access to C:\Deploy via the ACLs (as does the Administrators group)
  • Both John and Mary have been granted access to the C:\Deploy dirPath in IIS using the delegation functionality (see below)

My administration.config entry:

<rule enabled="true" providers="dirPath" actions="*" path=".*" pathType="RegularExpression">
    <runAs identityType="SpecificUser" userName="AnAdministrator" password="..." />
    <permissions>
        <user name="PC\John" isRole="false" accessType="Allow" />
        <user name="PC\Mary" isRole="false" accessType="Allow" />
    </permissions>
</rule>

When I add Mary to the Administrators group, the command works. But the whole point of delegation is to be able to run deployment commands as non-administrators. I'm able to run other commands (e.g. -verb:dump -source:appHostConfig="Default Web Site") fine for Mary - it's just dirPath that's not working.

WMSvc.log doesn't seem to contain any errors for the failing command - I can see the successful ones fine though. I do see the 401 for the HEAD request in the failed requests trace, but no indication as to why it's occurring...

Any pointers appreciated.

Solution

zcrar70, you are right: delegation only kicks in once a user has access to a site's scope. In your example, if you had given PC\Mary access to the site (via IIS Manager Permissions), then this would just work.

Can you explain your scenario a bit further? Are you trying to give a non-admin user permission to run specific providers on ALL sites?
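The check described in the answer above, as an added example that is not part of the original answer or of Web Deploy itself: it lists users who are allowed by a delegation rule but have no IIS Manager Permissions site scope, which is the condition under which the rule never applies. The sample is constructed; the `authorization/authorizationRules/scope/add` layout is an assumption about how administration.config stores IIS Manager Permissions, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: the delegation rule from the question plus an assumed
# IIS Manager Permissions section in which Mary has no site scope.
SAMPLE_CONFIG = r"""
<management>
  <authorization>
    <authorizationRules>
      <scope path="/Default Web Site">
        <add name="PC\John" />
      </scope>
    </authorizationRules>
  </authorization>
  <delegation>
    <rule enabled="true" providers="dirPath" actions="*" path=".*" pathType="RegularExpression">
      <runAs identityType="SpecificUser" userName="AnAdministrator" password="..." />
      <permissions>
        <user name="PC\John" isRole="false" accessType="Allow" />
        <user name="PC\Mary" isRole="false" accessType="Allow" />
      </permissions>
    </rule>
  </delegation>
</management>
"""

def site_scopes(root):
    """Map lower-cased user name -> set of site scopes the user was granted."""
    scopes = {}
    for scope in root.iter("scope"):
        for add in scope.findall("add"):
            scopes.setdefault(add.get("name", "").lower(), set()).add(scope.get("path"))
    return scopes

def users_without_scope(config_xml):
    """Return (user, providers) pairs allowed by an enabled rule but lacking any site scope."""
    root = ET.fromstring(config_xml)
    scopes = site_scopes(root)
    missing = []
    for rule in root.iter("rule"):
        if rule.get("enabled", "true").lower() != "true":
            continue
        for user in rule.iter("user"):
            if user.get("isRole", "false").lower() == "true" or user.get("accessType") != "Allow":
                continue  # roles and Deny entries are not covered by this check
            if not scopes.get(user.get("name", "").lower()):
                missing.append((user.get("name"), rule.get("providers")))
    return missing
```

On the constructed sample, `users_without_scope(SAMPLE_CONFIG)` reports only `PC\Mary` for the `dirPath` rule.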

OTHER TIPS

Your RunAs identity "AnAdministrator" needs to have permissions to access c:\Deploy, since both Mary and John will be impersonated (if the original identity fails, which it doesn't for John) as this user. ACL C:\Deploy for the AnAdministrator user and try again.

You can also use the ServerValidator tool to check whether your environment is ready for delegated deployment.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow