msdeploy via jenkins & service account: connected but "could not authorize"?

Background / Goal

The moving parts:

  • I have a service account, let's call it MyDomain\svcMyService.
  • I have a remote server, let's call it MyDomain\MyServer.
  • I have a Jenkins server, let's call it MyDomain\MyJenkins.

In Jenkins, I have a deployment task. It grabs some artifacts and then calls msdeploy to push them to MyServer.

This deployment step fails, and I'd like to figure out why.

The MSDeploy command I'm using

The command is auto-generated by Jenkins and ends up being the following (sensitive data omitted):

 "C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe" -verb:sync -source:iisApp="E:\Jenkins\jobs\NotARealJobName\workspace" -dest:iisApp="MyWebSite/MyWebApp",ComputerName="https://MyServer:8172/MsDeploy.axd",UserName=MyDomain\svcMyService,Password="NotARealPassword" -allowUntrusted 

The Error

The error message I see from msdeploy output is:

Error Code: ERROR_USER_UNAUTHORIZED
More Information: Connected to the remote computer ("MyServer") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.

Error: The remote server returned an error: (401) Unauthorized.

My Understanding of What I have to Do

This may be an incomplete or incorrect list. Please tell me if this is where the problem could be.

I think I have to:

  • Install WebDeploy on IIS (3.6 is the latest in this case).
  • Enable the management service in IIS.
  • Create an application pool that runs as MyDomain\svcMyService.
    • Yeah, the same username that deploys is running it too. Not the best, I know. Out of my hands at the moment.
  • Create the directory for my IIS Web application.
  • Grant permissions on this directory.
    • Full permissions to svcMyService
    • Full permissions to WDeployAdmin
    • Full permissions to NetworkService (since that's what WMSvc runs as)
  • Create the Web Site with the appropriate port
    • The web site should be run under the application pool of the service account
    • The web site should connect to the folder using the svcMyService account.
  • Create a web application under the web site.
    • The web site should connect to the folder using the svcMyService account.
    • Add the svcMyService account as a deployment manager at both the site and the application level.
  • Ensure that the local WDeployConfigWriter and WDeployAdmin accounts aren't expired and that their passwords cannot be changed.
  • Ensure that IIS management delegation is using WDeployConfigWriter and WDeployAdmin accounts and update those credentials for each delegation if you changed the password for those local accounts.

Troubleshooting so far

I'll keep this list updated as I try to troubleshoot.

Check WMSvc IIS Logs -- looks like my user doesn't have the rights to publish

  • Sample of the log is below:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-09-14 17:10:06 [Server IP] HEAD /MsDeploy.axd - 8172 - [Jenkins IP] - - 401 2 5 15

I see that all the statuses are 401.2 with a win32 code of 5.

According to this troubleshooting link, "If the user is authenticated, but does not have the rights needed to publish, the log entry will look like" that (401 2 5).

Articles Referenced

  • http://www.iis.net/learn/publish/troubleshooting-web-deploy/troubleshooting-common-problems-with-web-deploy
  • http://www.iis.net/learn/publish/using-web-deploy/configure-the-web-deployment-handler
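
The WMSvc log check from the troubleshooting section above, as an added example that is not part of the original post: a small parser that groups failed /MsDeploy.axd requests by status, Win32 code, logged user name and client. The sample log is constructed in the format the question shows (the IP addresses are documentation placeholders, and the function names are this example's own).

```python
from collections import Counter

# Constructed sample in the W3C format shown in the question; the addresses are
# documentation placeholders and the last entry is invented for contrast.
SAMPLE_LOG = r"""#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-09-14 17:10:06 192.0.2.10 HEAD /MsDeploy.axd - 8172 - 192.0.2.20 - - 401 2 5 15
2015-09-14 17:10:06 192.0.2.10 POST /MsDeploy.axd - 8172 - 192.0.2.20 - - 401 2 5 0
2015-09-14 17:12:41 192.0.2.10 POST /MsDeploy.axd - 8172 MyDomain\svcMyService 192.0.2.20 - - 200 0 0 431
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the column set can change mid-file
        elif line and not line.startswith("#"):
            values = line.split()              # IIS writes spaces inside a value as '+'
            if len(values) == len(fields):     # skip truncated or partial lines
                yield dict(zip(fields, values))


def failure_summary(text, uri="/MsDeploy.axd"):
    """Count non-2xx responses for the Web Deploy handler.

    Key: ("status.substatus", win32 status, logged user name, client IP).
    """
    counts = Counter()
    for entry in parse_w3c(text):
        if entry["cs-uri-stem"].lower() != uri.lower():
            continue
        if entry["sc-status"].startswith("2"):
            continue
        key = (entry["sc-status"] + "." + entry["sc-substatus"],
               int(entry["sc-win32-status"]),
               entry["cs-username"],
               entry["c-ip"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (status, win32, user, client), n in failure_summary(SAMPLE_LOG).most_common():
        print(f"{n:4d}  HTTP {status}  win32={win32}  user={user}  client={client}")
```

Win32 status 5 is ERROR_ACCESS_DENIED, and a cs-username of "-" means IIS recorded no user name for that request.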

Solution 1:

I found the answer on this old forum post from 2011 -- it seems really obscure.

The solution found on that forum post was to:

  • Open Regedit
  • Open the path HKEY_LOCAL_MACHINE\Software\Microsoft\WebManagement\Server
  • Add a DWORD named WindowsAuthenticationEnabled with a value of 1
  • Restart WMSvc and IIS

After performing those steps, it appears to have worked for me the first time.