Web Deploy to IIS 7 with Pass-through authentication

After much trial and error configuration, I'm currently able to script msdeploy.exe to deploy a package built in Visual Studio 2010 to a remote server running IIS 7.5 with a command line like:

Basic authentication command:

msdeploy -source:package="project.zip" -dest:auto,computerName='https://webserver:8172/MsDeploy.axd',authtype='Basic',username='DOMAIN\myuser',password='xxx',includeAcls='False' -verb:sync -setParamFile:"SetParameters.xml" -allowUntrusted

Can I eliminate the need to provide a password in the command line by enabling pass-through authentication? The Web Deploy docs mention the authType parameter that can specify 'NTLM', instead of Basic. However, whenever I try this (see example below), I get an error indicating a 401. The WMSvc web log shows a 401.2 and no userid is populated in that log entry, unlike previous attempts using Basic authentication do actually show the DOMAIN\myuser in the web log. No other useful information is found in event viewer of either client or server.

Note: The target webserver is on another domain, so I do a net use \\webserver /u:DOMAIN\myuser to establish a token.

Pass-through authentication command attempt:

msdeploy -source:package="project.zip" -dest:auto,computerName='https://webserver:8172/MsDeploy.axd',authtype='NTLM',includeAcls='False' -verb:sync -setParamFile:"SetParameters.xml" -allowUntrusted

It seems msdeploy.exe is not properly authenticating with IIS at the HTTP level. What could be wrong?

Client is Windows XP, Server is Win2008R2. Both are running msdeploy.exe version 7.1.618.0. Both have .NET 2.0, 3.5, and 4.0 installed.


I guess we can't use pass-through authentication if the client computer does not stay with same domain. If you use web deploy 1.1, you can try storeCredentials and getCredentials for avoiding put a username and password directly in a command line.


This is clearly a late answer and I'm sure you've solved this or worked around it, but in case this helps someone else:

You can definitely use MSDeploy to deploy a package using NTLM authentication even when the target webserver is on another domain. This is roughly the commandline we use:

msdeploy.exe -source:package='MyPackage.csproj.zip' -dest:auto,computerName='https://www.myserver.com:8172/MsDeploy.axd?site=mysitename',authtype='NTLM',includeAcls='False' -verb:sync -disableLink:AppPoolExtension -disableLink:ContentExtension -disableLink:CertificateExtension -setParamFile:"MyPackage.csproj.SetParameters.xml"

For this to work, we run this command from the source machine in the security context of a username + password that identically matches a username + password on the target domain.

The param file probably has no bearing on authentication but I was just including it for completeness. This is the method we use to apply differing connectionstrings for the application depending on where it is deployed.

We don't use the "net use" approach to establish a token, I'm not sure that this translates easily into NTLM authentication via HTTP.