How do I deploy using MSDeploy and TeamCity with Integrated Windows Authentication?


I had a MSDeploy deployment working beautifully with TeamCity when I passed in the user credentials. The command line parameters (using env. variables for some values) were:

MSBuild.exe Web.csproj
/P:Configuration=%env.Configuration%
/P:DeployOnBuild=True
/P:DeployTarget=MSDeployPublish
/P:MsDeployServiceUrl=https://%env.TargetServer%/MsDeploy.axd
/P:AllowUntrustedCertificate=True
/P:MSDeployPublishMethod=WMsvc
/P:CreatePackageOnPublish=True
/P:UserName=%env.AdminUser%
/P:Password=%env.AdminPassword%

Worked great. But now I want to use integrated auth. I tried following Troy's suggestions over from Can MSBuild deploy using integrated authentication or only basic? but it's not doing the trick. I've tried various combinations of passing in a blank username and specifying

/p:AuthType=NTLM

The closest I get is by specifying /p:AuthType=NTLM and passing in a blank username. But that still results in this error:

Connected to the destination computer ("[my destination server name]") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. The remote server returned an error: (401) Unauthorized

I have the Web Management Service running on both the local and remote servers. I changed both instances to run as a user I know has proper access to the site - the same user that works if I manually pass in credentials.

I also tried manually giving that user IIS Manager Permissions on the destination site (though not sure why that would be necessary since the user can publish to the site when their credentials are manually passed).

One thing I am noticing is that in the WMsvc log it's not logging any username for the attempts made with NTLM auth.

Any idea what's going on here? I really don't want to have to store user credentials in my TeamCity configuration.

Thanks.

3

There are 3 answers

1
ccellar On

I assume that the deployment is executed with the account of the TeamCity-Agent. This would explain your error. Make sure that this account has the appropriate rights for the deployment.

2
Troy Hunt On

Is the build agent service running under the account you want to use? You mention the web management service, but remember it's the build agent which is actually doing the work and needs the rights.

2
Michael12345 On

I know I'm a little late submitting an answer on this, but for the benefit of anyone else chasing this type of problem, I've just managed to get this working.

Similar to the OP, I was trying to get TeamCity on Windows Server 2008R2 to publish a web site on a remote IIS 7.5 server using WMsvc.

I was struggling with the 401 error until I completed all of these steps:

  • Ensure AuthType=NTLM parameter set.

  • Ensure Username parameter supplied, but set to a blank value.

  • Ensure NTLM authentication is enabled on the remote web server; this involved adding a registry entry:

    HKLM\Software\Microsoft\WebManagement\Server
    DWORD WindowsAuthenticationEnabled = 1
    
  • Ensure the user context under which the build agent runs on the build server can successfully do a Windows integrated auth connection to the WMsvc. I actually had to log on to the build server as this user, then open up IE, and add the target website to the Local Intranet Zone. Basically, I kept hitting this URL and altering settings in IE until I could get straight to it without authentication prompts or 401 errors:

    https://[the server]:8172/MsDeploy.axd?site=[the site]
    

Incidentally, when I got the auth working, the remote WMSvc started giving me 404 errors in the browser instead, which turned out to be a good sign. During this process, I also set up an SSL cert on the remote WMsvc which was trusted by the build server - possibly not a necessity but it helped my testing.

Once I completed the above, TeamCity deployments started reporting this error:

An error occurred when the request was processed on the remote computer.
The server experienced an issue processing the request. Contact the server administrator for more information.

I couldn't find anything useful in the Event Log, but the fix here was just to ensure that the authenticated user had the necessary filesystem permissions on the target folder. You may want to be more selective, but I just gave them Full Control over Inetpub.