Develop Reference

Force TFS to use CredSSP when accessing network resources

I am using TFS 2017 Update 2 Release processing. I have a functioning deploy process that works within a domain (it runs successfully against 10 different deployment environments)... and now I need to deploy into a different environment, which lives in a different A/D domain.
Unfortunately, the domain trust is one way between the domains - and the destination domain ("Production") does not trust the domain I am installing from ("Dev")
The problem I'm seeing seems to be the infamous "double hop" credential problem.
My TFS app tier can see (and trigger activity on) the release server running TFS vNext Agent 2.117.2 Futher, I can execute inline PowerShell, and locally hosted PowerShell scripts on the release server just fine.
Howerver, as soon as I try to access a PowerShell script not on the release server (be it in the Production domain with the release server, or in the Dev domain) I get an error:
2018-02-13T19:03:32.6611149Z ##[error]. : AuthorizationManager check failed.
At line:1 char:3
+ . '\\unc\path\to\share\TFSScripts\Emit-Variables2. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
The account running the TFS release service has been confirmed to have access to the script file when running from the desktop of the release server, so access should not be an issue.
Further testing of the issue has identified that if we manually create a PSSession using -Authorization CredSSP and pass a credentials object we can successfully access the off server resources.
However, I can see no way to configure TFS to use CredSSP as the authorization mechanism.
The servers involved are W2K8R2 - so we cant use the constrained delegation functionality that W2K12 introduced. We have also tried SPNs with similar unsuccessful results. Kerberos has been forced to use TCP by setting the max packet size to 0 (thus also preventing fragmented UDP packets and related problems). Our max Kerberos packet size is set to 48000.
In the ultimate end state, The TFS App server, and all the TFS artifacts and release scripts will sit in the "dev" domain on one side of a firewall... and the production release server, and a set of servers to release to will exist in the "production" domain, on the other side of a firewall
CredSSP seems to be the only way to make this work - but I see no way for TFS to be configured for it.
This can't be a unique problem. Can someone provide some insight on how to get around this?

Sorry it's not able to force TFS to use CredSSP when accessing network resources. And on configuration of TFS to use CredSSP as the authorization mechanism
You must manually enable CredSSP in powershell.
Another way take a look at this solution, which may do the trick: TFS2015 Release Management: Deploying to an untrusted domain by having the deployment agent run under a shadow account.

Visual Studio 2017 - Giving remote users access to website in IIS Express

Been looking through and trying all guides i found on this topic but no luck. I am running and MVC project with HTTPS and want to access the debug site with some remote mobile devices to test out the website. I followed a guide that almost work and i think I am pretty close to getting it to work. Here are the steps I have done:
Turn off Firewall
Open projectfolder of website go to \vs\config\ and open applicationhost.config
Find your site and line that contains your mapped port like this:
-edit it to get this result:
Tried to run Visual Studio as Admin at this point, Got regular error 400: Bad Request - Invalid Hostname when trying to access site from other computer
Opened CMD as Admin and ran the following command:
netsh http add urlacl url=http://*:44363/ user=everyone
- URL reservation successfully added
-Tried to start Visual studio as admin and non admin. Gets the following error message
"Unable to launch the IIS Express Web Server.
Failed to reister URL "https://localhost:44363" for site "x" Application. Error description: Cannot create file when that file already exists"
-I then have to run cmd again and remove the url with the command:
netsh http delete urlacl url=http://*:44363/
How do i get this to work with Visual Studio 2017 ? I cant be many steps from getting it to work. I have read many guides but none of them works

Amazing how such a simple common need can be so painful to fulfill out of the box in 2017!
Anyway https://github.com/icflorescu/iisexpress-proxy worked nicely for me.
Install it with node:
npm install -g iisexpress-proxy
Then its just something like:
iisexpress-proxy 51123 to 3000
Under 2 mins to get running.

Let me share my experience with Visual Studio and IIS Express that should help you. I am not using HTTPS and my project type is Web site with WCF but you should be able to accomplish your goal.
Here are prerequisites:
IIS Express installed
Visual Studio installed
Added url reservation for public port (netsh http add url=http://*:50001/ User=Everyone) from elevated command prompt.
Added firewall inbound rule for 50001 TCP port (Control Panel-->Windows Firewall-->Advances Settings-->Inbound Rules-->New Rule...)
Now let us setup a project in VS. I am using one of predefined templates with C#. Compile it and try to run it from VS. At that moment VS is starting developer instance of IISExpress that helps your site to run.
You should be able to see IIS Express icon in Notification area. With right click you will see that your site is running and a port (we will call it VSPORT) that is assigned by VS. This port must be different than reserved port (50001).
If you managed to accomplish this without problems then you have almost everything ready for running your site without VS.
Go to your project folder
Go to .vs folder
Go to config folder
Open applicationhost.config
Locate sites/your_site section
Copy everything between your_site and /your_site
Now we need to add this info in "global" IIS Express config.
Go to IIS Express folder (something like c:\Users\USERNAME\Documents\IISExpress)
Go to config folder
Open applicationhost.config
Locate sites section.
Paste information about your site.
Change binding from
binding protocol="http" bindingInformation="*:VSPORT:localhost"
to
binding protocol="http" bindingInformation=":50001:"
Save changes
With this change you may start IISExpress.exe directly and you can continue to use VS to work on you project at the same time.
If you want to access it from other computers do it as http://YOURIP:50001/.
Do have in mind that you need to ensure that your javascript code is NOT using address and port number directly.

You can solve the problem by downloading the 'conveyor' library from extensions and update in Visual Studio.
You can access it from other devices.
Open Visual Studio
Tools > Extensions and Updates
Online > Visual Studio Marketplace
Search 'Conveyor'
Download and install this extension
When you launch the API, you can access it from other devices. This plugin creates a link from your own ip address.
Example:
https://youripadress:5000/api/values

Deploy to Azure Virtual Directory - Web deployment task failed.(Could not complete the request to remote agent URL

I'm having issues deploying an asp.net mvc 4 project from the buildserver to Azure.
We have one azure web site (strictly with nothing deployed to it directly), with a number of Apps deployed in virtual directories underneath. It is with these apps / virtual directories I'm having problems deploying to.
I can deploy direct to Azure from within VS using publish profiles, and also from a batch file which uses publish profiles locally, but it sounds like you cannot use publish profiles on a build server, so I'm using the same settings to fire MSBuild with parameters instead.
The error being returned is:
error : Web deployment task failed.(Could not complete the request to remote agent URL 'http://[site].scm.azurewebsites.net:443/MSDEPLOYAGENTSERVICE'.)
Note this first error lists the main site, not the virtual directory, though this is the value from the .pubxml file that works through VS.
Other errors listed after the first (above) are..
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v11.0\Web\Microsoft.Web.Publishing.targets(3847,5): error : This error indicates that you cannot connect to the server. Make sure the service URL is correct, firewall and network settings on this computer and on the server computer are configured properly, and the appropriate services have been started on the server.
error : Could not complete the request to remote agent URL 'http://[site].scm.azurewebsites.net:443/MSDEPLOYAGENTSERVICE'.
error : The underlying connection was closed: An unexpected error occurred on a receive.
error : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
..and the batch file including the msbuild commands & paramaters is..
msbuild projectname.csproj
/P:Configuration=DevDeployMyApp
/p:DeployTarget=MSDeployPublish
/p:DeployOnBuild=True
/p:MsDeployServiceUrl=[Site].scm.azurewebsites.net:443
/p:AllowUntrustedCertificate=True
/p:VisualStudioVersion=11.0
/P:CreatePackageOnPublish=True
/p:username=[user]
/p:Password=[password]
/p:DeployIisAppPath=[site]/[VirtualDirectoryName]
/p:MSDeployPublishMethod=RemoteAgent
/p:IgnoreDeployManagedRuntimeVersion=True
Any ideas?

Is your service is already running, try going into the Azure portal and stopping it before publishing. That sometimes helps get it unstuck.

MSDeploy WMSVC is not working in .net environment

I have a build/test server which is currently running Jenkins for my continuous integration and it also is acting as my test server where code will be deployed to once built (i hope to rectify this and seperate these at a later date when budget allows)
I have a .NET web solution (nothing complex just Umbraco essentially) that i have in SVN and Jenkins is now building correctly. I now want to deploy it onto the same server using MSDeploy. After the build completes the package is generated but the deploy fails with the error
ERROR_DESTINATION_NOT_REACHABLE: Web deployment task failed. (Could not connect to the remote computer ("xxxxx.xxxxxxx.xxx.xxxx"). On the remote computer, make sure that Web Deploy is installed and that the required process ("Web Management Service") is started
Here is my msbuild parameters that Jenkins uses
/P:Configuration=Release
/P:DeployOnBuild=True
/P:MSDeployPublishMethod=WMSVC
/P:DeployTarget=MSDeployPublish
/P:PublishProfile=GetSomePixels
/P:MsDeployServiceUrl=https://build.########
/P:AllowUntrustedCertificate=True
/P:CreatePackageOnPublish=True
/P:UserName=#######
/P:Password=########
I've checked the server and the Web Management Service is running and is starting up manually
I've also gone into IIS 8 manager (server 2012) and checked the "Allow Remote Connections" box under "Management Service". Restarted IIS and the WMSVC and still not working.
If i go to https://myserver.co.uk:8172/MsDeploy.axd in a browser it resolves (gives you the warning about an untrusted cert) and then displays a blank page.
Anyone got any ideas as to what i can do? I thought that it may be firewall related and even though it had added an exception to windows firewall for 8172 i have turned the entire firewall off to completely rulle that out and still no luck.
Have run this on the server to check its listening on the correct port
C:\Users\Administrator>netstat -a | findstr 8172
TCP 0.0.0.0:8172 GSP-BUILD:0 LISTENING
TCP [::]:8172 GSP-BUILD:0 LISTENING

Ok i've resolved this. It appears you have to activate the web management service first and then install web deploy and i'd done it the other way round. I uninstalled WebDeploy and re-installed it, restarted the server and its working

Agree with comment.
We had a similar issue. Initial installation even post Web Management Service activation appeared to be incomplete. In our case, even though the service said it was started we couldn't achieve the "green tick" when testing the connection from the Publish dialog when defining a profile.
Reinstalling WebDeploy 3.6 made it function properly.

Using MsDeploy to deploy Windows Services with preSync command

Is anyone successfully using MsDeploy for deploying windows services with a preSync runCommand? I've got it working using an Administrator account, but can't for the life of me get it working on a standard user account. Unfortunately I can't use integrated authentication (we're deploying to an external box), and the thought of our Administrator password sitting in plaintext in logs on our build server doesn't exactly make me feel too comfortable. For that matter, neither does any user credentials - but I can't see a way around that.
The command I'm using is this:
"tools/deploy/msdeploy.exe" -verb:sync
-preSync:runCommand="tools\Deploy\PreSyncCommand.cmd",waitInterval=30000
-source:dirPath="C:\BuiltSourcePath"
-dest:computerName=https://server:8172/msdeploy.axd?site=dummysitename,userName=service-deploy,password=service-deploy-pass,authType=basic,dirPath="C:\DeployPath\"
-allowUntrusted
with rules set up in IIS for the dummy site to allow the authentication for the service-deploy windows account, with contentPath and runCommand permissions (for the moment set to C:\ as it's not entirely clear whether this needs to be set to the temporary path that MsDeploy streams to, or the deployment path?). The service-deploy account also has full control of the target directory. I get the following back:
Performing '-preSync'...
Info: Using ID '7a7d34a1-b5d8-49f1-960a-31c9cf825868' for connections to the remote server.
Info: Using ID '4d0b910c-aca4-4640-84bd-3597d22d99d1' for connections to the remote server.
Info: Updating runCommand (C:\TeamCity\buildAgent\work\aec989676b349656\tools\De
ploy\PreSyncCommand.cmd).
Warning: Access is denied.
Warning: The process 'C:\Windows\system32\cmd.exe' (command line '/c "C:\Windows
\ServiceProfiles\LocalService\AppData\Local\Temp\giz2t0kb.0ay.cmd"') exited with
code '0x1'.
This happens even if the contents of PreSyncCommand.cmd is blank. The same command runs fine if I pass in Administrator credentials. I've tried using ProcessMonitor to check if anything's being denied access but can't see any - so I'm guessing it's still a MsDeploy authentication rule. There's nothing in WmSvc.log (debugging is enabled), nor in the event log.
Any ideas? Thanks!

Since you're using Web Deploy via WmSvc, you need to setup appropriate delegation rules on the destination server:
Within IIS Manager, open the "Management Service Delegation" feature. Add a new rule which at least specifies the runCommand provider. In the Run As section, choose Specific User and provide credentials for a local administrator account on that machine. This is the identity under which your runCommand scripts will be executed. Finally, the user which you're specifying for the destination dirPath provider needs to be added to the delegation rule.
That allows you to invoke a deployment using a non-privileged account, and yet have it executed on the target machine under administrative credentials.
More information on IIS feature delegation: http://learn.iis.net/page.aspx/516/configure-the-web-deployment-handler/