I've verified that Web Deploy works (using NTLM authorization) when I fire it from Visual Studio on my local machine. Now I want my build server to auto-deploy (if appropriate) every night. I'm using Jenkins on the build server, and I've granted the account access in IIS on the remote machine. My parameters to MSBuild are as follows:
/p:DeployOnBuild=true
/p:Configuration=Debug
/p:Platform=x86
/p:PublishProfile=DEV
/p:AuthType=NTLM
/p:AllowUntrustedCertificate=True
/p:Username=
The DEV publish profile specifies my DEV server which uses a self-signed certificate thus necessitating an untrusted certificate. The NTLM and blank username should use the current user/account to connect.
However, the Jenkins' job's MSBuild step fails with this error
msdeploy error ERROR_USER_UNAUTHORIZED: Web deployment task failed. (Connected to the remote computer ("DEV-SERVER") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.)
When I look at the IIS logs on DEV-SERVER, I see the following:
2016-01-06 23:55:10 159.212.19.186 HEAD /msdeploy.axd site=MySite 8172 - 159.212.19.123 - 401 2 5 0
2016-01-06 23:55:10 159.212.19.186 HEAD /msdeploy.axd site=MySite 8172 CO\BUILD-SERVER$ 159.212.19.123 - 401 2 64 78
I was expecting to see CO\jenkins, the account Jenkins is running under, instead of CO\BUILD-SERVER$. (And what's with the $ on the end?) Am I correct in thinking the wrong account is being used? What do I need to do to get this working?
CO\BUILD-SERVER$ is the machine account of your build server.
If you have a slave running on that machine, is it running as a Windows service? If so, it's probably running as "System".
Also re Selenium tests: if the tests are running on the build server, then the service may need to be set to run interactively so that the tests can run against a UI.
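The IIS log lines in the question are where the wrong identity first becomes visible, so here is a small audit script for them. This is an added example, not code from the question or the answer: it parses W3C-format IIS log lines, keeps only requests to msdeploy.axd, and reports 401 responses where credentials were actually presented, flagging callers whose name ends in `$` (a computer account, which means the deploying process is running as a service identity rather than the user you granted access to). The sample log is constructed: the first two lines mirror the ones quoted above, the third is an invented successful request, and the `#Fields:` header is assumed to match that column layout (a real IIS log carries its own).

```python
"""Audit IIS W3C log lines for Web Deploy (msdeploy.axd) authentication failures.

Added example, not code from the question or answer above. The sample log
is constructed: the first two lines mirror the ones quoted in the question,
the third is an invented successful request, and the #Fields header is
assumed to match that column layout (IIS writes the real one itself).
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-01-06 23:55:10 159.212.19.186 HEAD /msdeploy.axd site=MySite 8172 - 159.212.19.123 - 401 2 5 0
2016-01-06 23:55:10 159.212.19.186 HEAD /msdeploy.axd site=MySite 8172 CO\\BUILD-SERVER$ 159.212.19.123 - 401 2 64 78
2016-01-06 23:57:42 159.212.19.186 HEAD /msdeploy.axd site=MySite 8172 CO\\jenkins 159.212.19.123 - 200 0 0 31
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    user: str
    status: str          # "sc-status.sc-substatus", e.g. "401.2"
    machine_account: bool
    note: str


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # header missing or column count mismatch: skip, don't guess
        yield dict(zip(fields, values))


def is_machine_account(user: str) -> bool:
    """AD computer accounts are named HOST$; seeing one here means the client
    process runs as LocalSystem/NetworkService rather than a named user."""
    return user.endswith("$")


def audit_msdeploy(text: str) -> List[Finding]:
    """Report 401s on msdeploy.axd where an identity was actually presented."""
    findings: List[Finding] = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != "/msdeploy.axd":
            continue
        user = rec["cs-username"]
        if rec["sc-status"] != "401" or user == "-":
            # 200 = success; a 401 with user "-" is the anonymous first leg of
            # the NTLM handshake and carries no identity worth reporting.
            continue
        machine = is_machine_account(user)
        if machine:
            note = ("caller is a computer account, so the deploying process runs "
                    "as a service identity (e.g. LocalSystem), not as the user "
                    "granted access in IIS")
        else:
            note = "credentials rejected; check this user has access to the site"
        findings.append(Finding(
            timestamp=f'{rec["date"]} {rec["time"]}',
            client_ip=rec["c-ip"],
            user=user,
            status=f'{rec["sc-status"]}.{rec["sc-substatus"]}',
            machine_account=machine,
            note=note,
        ))
    return findings


if __name__ == "__main__":
    for f in audit_msdeploy(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} {f.user} HTTP {f.status}: {f.note}")
```

Run it against a real `u_ex*.log` by reading the file into `audit_msdeploy`; the `#Fields:` line IIS writes at the top of each log drives the column mapping, so the script copes with sites logging a different field set as long as the fields it uses are present.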
I am using TFS 2017 Update 2 Release processing. I have a functioning deploy process that works within a domain (it runs successfully against 10 different deployment environments)... and now I need to deploy into a different environment, which lives in a different A/D domain.
Unfortunately, the domain trust is one way between the domains - and the destination domain ("Production") does not trust the domain I am installing from ("Dev")
The problem I'm seeing seems to be the infamous "double hop" credential problem.
My TFS app tier can see (and trigger activity on) the release server running TFS vNext Agent 2.117.2. Further, I can execute inline PowerShell, and locally hosted PowerShell scripts on the release server just fine.
However, as soon as I try to access a PowerShell script not on the release server (be it in the Production domain with the release server, or in the Dev domain) I get an error:
2018-02-13T19:03:32.6611149Z ##[error]. : AuthorizationManager check failed.
At line:1 char:3
+ . '\\unc\path\to\share\TFSScripts\Emit-Variables2. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
The account running the TFS release service has been confirmed to have access to the script file when running from the desktop of the release server, so access should not be an issue.
Further testing of the issue has identified that if we manually create a PSSession using -Authorization CredSSP and pass a credentials object we can successfully access the off server resources.
However, I can see no way to configure TFS to use CredSSP as the authorization mechanism.
The servers involved are W2K8R2 - so we can't use the constrained delegation functionality that W2K12 introduced. We have also tried SPNs with similar unsuccessful results. Kerberos has been forced to use TCP by setting the max packet size to 0 (thus also preventing fragmented UDP packets and related problems). Our max Kerberos packet size is set to 48000.
In the ultimate end state, the TFS App server, and all the TFS artifacts and release scripts will sit in the "dev" domain on one side of a firewall... and the production release server, and a set of servers to release to will exist in the "production" domain, on the other side of a firewall.
CredSSP seems to be the only way to make this work - but I see no way for TFS to be configured for it.
This can't be a unique problem. Can someone provide some insight on how to get around this?
Sorry, it's not possible to force TFS to use CredSSP when accessing network resources. As for configuring TFS to use CredSSP as the authorization mechanism:
You must manually enable CredSSP in PowerShell.
Another way: take a look at this solution, which may do the trick: TFS2015 Release Management: Deploying to an untrusted domain by having the deployment agent run under a shadow account.
I'm having issues deploying an asp.net mvc 4 project from the buildserver to Azure.
We have one azure web site (strictly with nothing deployed to it directly), with a number of Apps deployed in virtual directories underneath. It is with these apps / virtual directories I'm having problems deploying to.
I can deploy direct to Azure from within VS using publish profiles, and also from a batch file which uses publish profiles locally, but it sounds like you cannot use publish profiles on a build server, so I'm using the same settings to fire MSBuild with parameters instead.
The error being returned is:
error : Web deployment task failed.(Could not complete the request to remote agent URL 'http://[site].scm.azurewebsites.net:443/MSDEPLOYAGENTSERVICE'.)
Note this first error lists the main site, not the virtual directory, though this is the value from the .pubxml file that works through VS.
Other errors listed after the first (above) are..
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v11.0\Web\Microsoft.Web.Publishing.targets(3847,5): error : This error indicates that you cannot connect to the server. Make sure the service URL is correct, firewall and network settings on this computer and on the server computer are configured properly, and the appropriate services have been started on the server.
error : Could not complete the request to remote agent URL 'http://[site].scm.azurewebsites.net:443/MSDEPLOYAGENTSERVICE'.
error : The underlying connection was closed: An unexpected error occurred on a receive.
error : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
...and the batch file including the msbuild commands & parameters is:
msbuild projectname.csproj
/P:Configuration=DevDeployMyApp
/p:DeployTarget=MSDeployPublish
/p:DeployOnBuild=True
/p:MsDeployServiceUrl=[Site].scm.azurewebsites.net:443
/p:AllowUntrustedCertificate=True
/p:VisualStudioVersion=11.0
/P:CreatePackageOnPublish=True
/p:username=[user]
/p:Password=[password]
/p:DeployIisAppPath=[site]/[VirtualDirectoryName]
/p:MSDeployPublishMethod=RemoteAgent
/p:IgnoreDeployManagedRuntimeVersion=True
Any ideas?
If your service is already running, try going into the Azure portal and stopping it before publishing. That sometimes helps get it unstuck.
I have a build/test server which is currently running Jenkins for my continuous integration, and it also is acting as my test server where code will be deployed to once built (I hope to rectify this and separate these at a later date when budget allows).
I have a .NET web solution (nothing complex, just Umbraco essentially) that I have in SVN and Jenkins is now building correctly. I now want to deploy it onto the same server using MSDeploy. After the build completes the package is generated but the deploy fails with the error
ERROR_DESTINATION_NOT_REACHABLE: Web deployment task failed. (Could not connect to the remote computer ("xxxxx.xxxxxxx.xxx.xxxx"). On the remote computer, make sure that Web Deploy is installed and that the required process ("Web Management Service") is started.)
Here are my MSBuild parameters that Jenkins uses:
/P:Configuration=Release
/P:DeployOnBuild=True
/P:MSDeployPublishMethod=WMSVC
/P:DeployTarget=MSDeployPublish
/P:PublishProfile=GetSomePixels
/P:MsDeployServiceUrl=https://build.########
/P:AllowUntrustedCertificate=True
/P:CreatePackageOnPublish=True
/P:UserName=#######
/P:Password=########
I've checked the server and the Web Management Service is running and starts up when started manually.
I've also gone into IIS 8 Manager (Server 2012) and checked the "Allow Remote Connections" box under "Management Service". Restarted IIS and the WMSVC and it's still not working.
If I go to https://myserver.co.uk:8172/MsDeploy.axd in a browser it resolves (gives you the warning about an untrusted cert) and then displays a blank page.
Anyone got any ideas as to what I can do? I thought that it may be firewall related, and even though it had added an exception to Windows Firewall for 8172, I have turned the entire firewall off to completely rule that out and still no luck.
Have run this on the server to check it's listening on the correct port:
C:\Users\Administrator>netstat -a | findstr 8172
TCP 0.0.0.0:8172 GSP-BUILD:0 LISTENING
TCP [::]:8172 GSP-BUILD:0 LISTENING
OK, I've resolved this. It appears you have to activate the Web Management Service first and then install Web Deploy, and I'd done it the other way round. I uninstalled Web Deploy and re-installed it, restarted the server and it's working.
Agree with comment.
We had a similar issue. Initial installation even post Web Management Service activation appeared to be incomplete. In our case, even though the service said it was started we couldn't achieve the "green tick" when testing the connection from the Publish dialog when defining a profile.
Reinstalling WebDeploy 3.6 made it function properly.
I have a Jenkins installation on a machine running Windows Server 2008. The Jenkins installation is secured using Jenkins own user database with matrix-based security authorization. Anonymous users don't have any access, except to register an account. I have set up an account and gave this account full access.
Now I'd like to trigger a build remotely from a different machine that hosts the repository. I believe this should be possible by accessing the following URL:
https://[username]:[user_api_token]#[address.of.jenkins]:8080/job/[project]/build?token=[project_api_token]
However, this does not seem to be working for me. When I access this site in a browser, Jenkins forwards to the login-page, and does not start the build.
What am I doing wrong? It seems to be an authentication problem, as I'm not logged in after opening the URL above. Furthermore, if I give anonymous users full access, the URL works.
Try invoking the build from a command-line program like curl:
curl http://[userid]:[user_token]#localhost:8080/job/[project]/build?token=[proj_token]
or
curl --user [userid]:[user_token] http://localhost:8080/job/[project]/build?token=[proj_token]
I think your issue could be browser-related, embedding credentials within the URL (Firefox pops up a warning in my case telling me I'm about to log in to Jenkins).
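The answer above moves the trigger out of the browser; the cleanest way to do that from a script is to keep the user's API token out of the URL altogether and send it as an HTTP Basic `Authorization` header, which is what `curl --user` does under the hood. The following is an added example, not code from the question or the answer: it builds the request for Jenkins' standard `/job/<name>/build?token=` endpoint with urllib only. The host, job name and both tokens are constructed placeholders.

```python
"""Trigger a Jenkins build remotely with credentials in an Authorization
header instead of embedded in the URL.

Added example, not code from the question or answer above. Host, job name
and both tokens are constructed placeholders; the /job/<name>/build?token=
endpoint and API-token Basic auth are standard Jenkins behaviour.
"""
import base64
import urllib.parse
import urllib.request


def basic_auth_header(user: str, api_token: str) -> str:
    """RFC 7617 Basic credentials: base64("user:token")."""
    raw = f"{user}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_trigger_request(base_url: str, job: str, user: str,
                          api_token: str, job_token: str) -> urllib.request.Request:
    """Return a POST request for Jenkins' remote-trigger endpoint.

    The job name is percent-encoded (spaces are common), the job token goes
    in the query string as Jenkins expects, and the user's API token travels
    only in the Authorization header, so it never ends up in browser history,
    proxy logs or the Jenkins access log the way a user:token@host URL does.
    """
    path = "/job/" + urllib.parse.quote(job, safe="") + "/build"
    query = urllib.parse.urlencode({"token": job_token})
    url = base_url.rstrip("/") + path + "?" + query
    req = urllib.request.Request(url, data=b"", method="POST")
    req.add_header("Authorization", basic_auth_header(user, api_token))
    return req


def trigger_build(req: urllib.request.Request, timeout: float = 10.0) -> int:
    """Send the request; Jenkins answers 201 Created once the build is queued."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    request = build_trigger_request(
        "https://jenkins.example.test:8080", "my project",
        "ci-trigger", "<user-api-token>", "<job-token>")
    print(request.get_method(), request.full_url)
    # trigger_build(request)  # uncomment to run against a real Jenkins host
```

Use HTTPS for the base URL so the header is not sent in clear, and give the triggering user only the Job/Build permission it needs in the matrix rather than full access. In current Jenkins releases, API-token authentication also exempts the call from the CSRF crumb check, so no extra crumb request is needed.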
Is anyone successfully using MsDeploy for deploying windows services with a preSync runCommand? I've got it working using an Administrator account, but can't for the life of me get it working on a standard user account. Unfortunately I can't use integrated authentication (we're deploying to an external box), and the thought of our Administrator password sitting in plaintext in logs on our build server doesn't exactly make me feel too comfortable. For that matter, neither does any user credentials - but I can't see a way around that.
The command I'm using is this:
"tools/deploy/msdeploy.exe" -verb:sync
-preSync:runCommand="tools\Deploy\PreSyncCommand.cmd",waitInterval=30000
-source:dirPath="C:\BuiltSourcePath"
-dest:computerName=https://server:8172/msdeploy.axd?site=dummysitename,userName=service-deploy,password=service-deploy-pass,authType=basic,dirPath="C:\DeployPath\"
-allowUntrusted
with rules set up in IIS for the dummy site to allow the authentication for the service-deploy windows account, with contentPath and runCommand permissions (for the moment set to C:\ as it's not entirely clear whether this needs to be set to the temporary path that MsDeploy streams to, or the deployment path?). The service-deploy account also has full control of the target directory. I get the following back:
Performing '-preSync'...
Info: Using ID '7a7d34a1-b5d8-49f1-960a-31c9cf825868' for connections to the remote server.
Info: Using ID '4d0b910c-aca4-4640-84bd-3597d22d99d1' for connections to the remote server.
Info: Updating runCommand (C:\TeamCity\buildAgent\work\aec989676b349656\tools\Deploy\PreSyncCommand.cmd).
Warning: Access is denied.
Warning: The process 'C:\Windows\system32\cmd.exe' (command line '/c "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\giz2t0kb.0ay.cmd"') exited with code '0x1'.
This happens even if the contents of PreSyncCommand.cmd are blank. The same command runs fine if I pass in Administrator credentials. I've tried using Process Monitor to check if anything's being denied access but can't see any - so I'm guessing it's still an MsDeploy authentication rule. There's nothing in WmSvc.log (debugging is enabled), nor in the event log.
Any ideas? Thanks!
Since you're using Web Deploy via WmSvc, you need to set up appropriate delegation rules on the destination server:
Within IIS Manager, open the "Management Service Delegation" feature. Add a new rule which at least specifies the runCommand provider. In the Run As section, choose Specific User and provide credentials for a local administrator account on that machine. This is the identity under which your runCommand scripts will be executed. Finally, the user which you're specifying for the destination dirPath provider needs to be added to the delegation rule.
That allows you to invoke a deployment using a non-privileged account, and yet have it executed on the target machine under administrative credentials.
More information on IIS feature delegation: http://learn.iis.net/page.aspx/516/configure-the-web-deployment-handler/