Can MSBuild deploy using integrated authentication or only basic?

Question

I'm deploying a web app package from the MSBuild command line to MSDepSvc on IIS6 which is working fine with the following command using basic authentication:

MSBuild.exe Web.csproj
  /p:Configuration=Debug
  /p:DeployOnBuild=True
  /p:DeployTarget=MSDeployPublish
  /p:MsDeployServiceUrl=http://[server name]/MsDeployAgentService
  /p:DeployIisAppPath=DeploymentTestProject
  /p:MSDeployPublishMethod=RemoteAgent
  /p:CreatePackageOnPublish=True
  /p:username=***
  /p:password=***

However, what I'd really like to do is drop the username and password parameters and fall back to integrated auth under the identity of the current user. This command is going into a build server and I'd prefer not to have the plain text credentials of an account with admin rights on the target environment (required for MsDepSvc) visible. I can't locate any documentation on how to do this and dropping off the credentials returns 401 unauthorised when I attempt to publish.

What makes it particularly frustrating is that I can happily run the deploy command in the package with integrated auth (just don't include credentials), I just can't seem to run it from the MSBuild command line. I'm trying to encapsulate the package and deploy processes into a single command without editing build files and this is the only thing in the way at present.

Any ideas out there?

Edit After some discussions with Sayed and looking a bit deeper into the command line output, after executing the MSBuild command above (without username and password parameters), the following MSDeploy command is being invoked:

msdeploy.exe
  -source:package='[project path]\Web\obj\Debug\Package\Web.zip' 
  -dest:auto,ComputerName='http://[server]/MsDeployAgentService',UserName='***',IncludeAcls='False',AuthType='NTLM'
  -verb:sync
  -disableLink:AppPoolExtension
  -disableLink:ContentExtension
  -disableLink:CertificateExtension
  -retryAttempts=2

You can see the UserName attribute is being set and the value is the username of the current logged on user. If I take this out and run the above command directly, the deployment goes through just fine.

So on that basis, why is the original MSBuild command inserting a UserName attribute when it calls MSDeploy? This appears to be the only barrier now.

Answer 1

And the answer is...

Following my edit above about the current identity's username persisting to the MSDeploy command even when not passed in the original MSBuild call, I tried reconstructing the parameters to pass an empty username as follows:

MSBuild.exe Web.csproj
  /p:Configuration=Debug
  /p:DeployOnBuild=True
  /p:DeployTarget=MSDeployPublish
  /p:MsDeployServiceUrl=http://[server name]/MsDeployAgentService
  /p:DeployIisAppPath=DeploymentTestProject
  /p:MSDeployPublishMethod=RemoteAgent
  /p:CreatePackageOnPublish=True
  /p:username=

Which then generates the following MSDeploy command:

msdeploy.exe 
  -source:package='[project path]\obj\Debug\Package\Web.zip' 
  -dest:auto,ComputerName='http://[server name]/MsDeployAgentService',IncludeAcls='False',AuthType='NTLM' 
  -verb:sync 
  -disableLink:AppPoolExtension 
  -disableLink:ContentExtension 
  -disableLink:CertificateExtension 
  -retryAttempts=2

This call no longer includes the UserName attribute. So in short, if you do not add a username parameter to the MSBuild call it will insert the current identity anyway and defer to basic auth which will fail because there's no password. If you include the username parameter but don't give it a value, it doesn't include it at all in the MSDeploy command.

Answer 2

I looked in the Microsoft.Web.Publishing.targets and saw this:

<PropertyGroup>
  <NormalizePublishSettings ...>
  <AuthType Condition="'$(AuthType)'==''" >Basic</AuthType>
  <!--Supported value for $(MSDeployPublishMethod): WMSVC, RemoteAgent, InProc-->
  <MSDeployPublishMethod ... >WMSVC</MSDeployPublishMethod>
  ...
</PropertyGroup>

So, it looks like the default is Basic authentication when running from MSBuild. Then I found this http://technet.microsoft.com/de-de/library/dd569001(WS.10).aspx

authenticationType specifies the type of authentication to be used. The possible values are NTLM and Basic. If the wmsvc provider setting is specified, the default authentication type is Basic; otherwise, the default authentication type is NTLM.

I haven't tried it yet, but maybe it's something like /p:AuthType=NTLM

Answer 3

I was able to get NTLM working as follows where the service is running under an account with admin privs on [server name].

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" app\Test.Web\Test.Web.csproj /T:Clean /T:Package /P:Configuration=Release

C:\hudson\jobs\Test\workspace\app\Test.Web\obj\Release\Package\Test.Web.deploy.cmd /Y "/M:http://[server name]/MSDEPLOYAGENTSERVICE" /A:ntlm -allowUntrusted

which generates:

"C:\Program Files\IIS\Microsoft Web Deploy\msdeploy.exe" -source:package='C:\hudson\jobs\Test\workspace\app\Test.Web\obj\Release\Package\Test.Web.zip' -dest:auto,computerName='http://[server name]/MSDEPLOYAGENTSERVICE',authtype='ntlm',includeAcls='False' -verb:sync -disableLink:AppPoolExtension -disableLink:ContentExtension -disableLink:CertificateExtension -setParamFile:"C:\hudson\jobs\Test\workspace\app\Test.Web\obj\Release\Package\RapidPrototypeRequestSystem.Web.SetParameters.xml" -allowUntrusted

Answer 4

This worked, I initially was distracted by the targets file but realised my error was in the connection string, i.e. was trying to use https instead of http.

MSBuild.exe Web.csproj /p:Configuration=Debug /p:DeployOnBuild=True /p:DeployTarget=MSDeployPublish /p:MsDeployServiceUrl=http://[serverName]/MsDeployAgentService /p:DeployIisAppPath=DeploymentTestProject /p:MSDeployPublishMethod=RemoteAgent /p:CreatePackageOnPublish=True /p:username=