使用非管理员用户的 WebDeploy 出现 401 未经授权的错误 [英] 401 Unauthorized error with WebDeploy using non-administrator user

查看:32
本文介绍了使用非管理员用户的 WebDeploy 出现 401 未经授权的错误的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述


是否有可能使用 ms web deploy 以 非管理员 用户从 命令行 将 Web 应用程序部署到 远程主机?
</TLDR>

<TLDR>
Is it at all possible to use ms web deploy to deploy a web application to a remote host from the command line with a non-administrator user?
</TLDR>

我已遵循 Microsoft 指南中的每一点 安装和配置 Web 部署.我的目标是能够使用 IIS 用户/非管理员用户进行远程 Web 部署.

I have followed every point in Microsoft's guide for Installing and Configuring Web Deploy. My goal is to be able to do a remote web deploy with an IIS user/non-administrator user.

按照为非管理员部署安装和配置 web 部署中所述的所有步骤完成后,我收到以下日志消息(表明一切正常):

After doing all the steps as described under Install and configure web deploy for non-administrator deployments, I get the following log messages (indicating that everything is OK):

Publish enabled for 'deploy_user'
Granted 'deploy_user' full control on 'C:inetpubwwwroot'
Successfully created settings file 'C:Users...Desktopdeploy_user_Default Web Site.PublishSettings'

接下来,当我从本地机器尝试运行以下命令时:

Next, when I from my local machine try to run the following command:

.my_deploy_package.cmd /M:https://machine_name:8172/msdeploy.axd -allowUntrusted /U:deploy_user /P:deploy_password /A:Basic /T

我收到一条错误消息:错误:远程服务器返回错误:(401)未授权.

如果我在目标计算机上进入事件查看器 > 自定义视图 > 管理事件,我会看到此消息出现匹配"错误:

If I on the target machine go into the Event Viewer > Custom Views > Administratove Events, I see a "matching" error with this message:

IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED

IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED

仅允许 Windows 管理员使用服务器进行连接联系.其他用户应使用连接到站点或应用程序的任务才能连接.

Only Windows Administrators are allowed to connect using a server connection. Other users should use the 'Connect To Site or Application' task to be able to connect.

进程:WMSvc 用户=deploy_user

Process:WMSvc User=deploy_user

此错误与 this question 中的描述完全相同.接受的答案表明我已经做的是正确的方法.

This error is the exact same as described in this question. And the accepted answer suggests that what I've already done is the correct approach.

我尝试了几种建议的解决方法,例如 this,但似乎没有任何帮助.管理服务设置为允许远程连接(Windows 和 IIS 管理器),并且我已经为内置 Windows 用户(非管理员)和 IIS 管理器用户运行了配置,但仍然出现相同的错误.但是,只要我使用管理员用户运行部署命令,它就会成功.

I have tried several workarounds suggested, like this, but nothing seems to be helping. Management Service is set to allow remote connections (both Windows and IIS Manager), and I have run the configuration for both a build-in windows user (non-administrator) and an IIS Manager User, and still the same error. As soon as I run the deploy command with an administrator user however, it succeeds.

am 允许通过 IIS gui 与我的非管理员 deploy_user 用户远程连接(在 IIS 中:Connect to Site > [server url]/[site name] > deploy_user/deploy_password),表示配置了必要的权限和规则.但是,当我尝试使用同一用户运行部署脚本命令行时,它会失败.

I am allowed to connect remotely through the IIS gui with my non-administrator deploy_user user (in IIS: Connect to Site > [server url]/[site name] > deploy_user/deploy_password), indicating that the necessary rights and rules are configured. It is however when I try to run the deploy script command line - with the same user - that it fails.

如果它实际上 如错误消息所示,则任何非管理员用户都可以使用连接到站点或应用程序通过IIS 管理器,那么从命令行/构建服务器进行这样的部署的推荐方法是什么?我真的不想在构建服务器的配置中以明文形式输入管理员用户的用户名/密码...

And if it actually is as the error message indicates, that any non-admin user can only use Connect To Site or Application through IIS Manager, what is then the recommended way to do deploys like this from the command line/a build server? I don't really wan't to enter the username/password of an admin user in clear-text in the config at the build server...

我发现一个可行的选项是,如果您的构建服务器和您尝试部署的机器具有共同的 Active Directory(或其他共享用户的方式),您可以跳过 /A:Basic 标记并完全省略用户名和密码.您只需确保运行部署的用户也对部署目标具有管理员权限.然而,在我们的一种情况下,构建服务器和部署目标没有有一个共同的用户群,所以这不是一个选择,我们回到明文的用户名/密码 -这根本不可取.

One option I've found that's working, is that if your build server and the machine you try to deploy to have a common Active Directory (or other means of sharing users), you can skip the /A:Basic flag and leave out the username and password altogether. You must only make sure that the user running the deploy also have administrator rights on the deploy target. However, in one case for us the build server and deploy target doesn't have a common user base, so this isn't an option and we're back to username/password in clear-text - which isn't desirable at all.

推荐答案

由于用户只有站点级别的管理员权限,而不是 IIS 根级别,您需要添加站点名称.

Since the user has Admin right only on the site level and not the IIS root level, you need to add the site name.

您需要 https://machine_name:8172/msdeploy.axd?site=[MySiteName]https://machine_name:8172/msdeploy.axd>.

Instead of https://machine_name:8172/msdeploy.axd you need to have https://machine_name:8172/msdeploy.axd?site=[MySiteName].

如果不添加此项,msdeploy 会尝试通过 IIS 的根目录访问该站点.加了参数可以直接访问网站,特定网站的管理员权限就足够了.

When this is not added, msdeploy tries to access the site through the root of IIS. With the added parameter the site is accessed directly, and admin rights on the specific website are sufficient.

这篇关于使用非管理员用户的 WebDeploy 出现 401 未经授权的错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆