如何使用带有集成Windows身份验证的MSDeploy和TeamCity进行部署? [英] How do I deploy using MSDeploy and TeamCity with Integrated Windows Authentication?

问题描述

当我传递用户凭据时，我的MSDeploy部署与TeamCity配合良好.命令行参数(对某些值使用env.变量)为:

I had a MSDeploy deployment working beautifully with TeamCity when I passed in the user credentials. The command line parameters (using env. variables for some values) were:

MSBuild.exe Web.csproj
/P:Configuration=%env.Configuration%
/P:DeployOnBuild = True
/P:DeployTarget = MSDeployPublish
/P:MsDeployServiceUrl = https://%env.TargetServer%/MsDeploy.axd
/P:AllowUntrustedCertificate = True
/P:MSDeployPublishMethod = WMsvc
/P:CreatePackageOnPublish = True
/P:UserName=%env.AdminUser%
/P:Password=%env.AdminPassword％

MSBuild.exe Web.csproj
/P:Configuration=%env.Configuration%
/P:DeployOnBuild=True
/P:DeployTarget=MSDeployPublish
/P:MsDeployServiceUrl=https://%env.TargetServer%/MsDeploy.axd
/P:AllowUntrustedCertificate=True
/P:MSDeployPublishMethod=WMsvc
/P:CreatePackageOnPublish=True
/P:UserName=%env.AdminUser%
/P:Password=%env.AdminPassword%

工作出色.但是现在我想使用集成身份验证.我尝试从按照Troy的建议进行操作，MSBuild是否可以使用集成身份验证或只是基本的?，但是并不能解决问题.我尝试了传递空白用户名和指定

Worked great. But now I want to use integrated auth. I tried following Troy's suggestions over from Can MSBuild deploy using integrated authentication or only basic? but it's not doing the trick. I've tried various combinations of passing in a blank username and specifying

/p:AuthType = NTLM

/p:AuthType=NTLM

我得到的最接近的是通过指定/p:AuthType = NTLM并传入一个空白的用户名.但这仍然会导致此错误:

The closest I get is by specifying /p:AuthType=NTLM and passing in a blank username. But that still results in this error:

使用Web管理服务连接到目标计算机("[我的目标服务器名称]")，但无法授权.确保您使用正确的用户名和密码，要连接的站点存在，并且凭据代表有权访问该站点的用户.远程服务器返回错误:(401)未经授权

Connected to the destination computer ("[my destination server name]") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. The remote server returned an error: (401) Unauthorized

我在本地和远程服务器上都运行了Web管理服务.我将两个实例都更改为以我知道对站点具有适当访问权限的用户身份运行-如果我手动传递凭据，则该用户可以正常工作.

I have the Web Management Service running on both the local and remote servers. I changed both instances to run as a user I know has proper access to the site - the same user that works if I manually pass in credentials.

我还尝试了在目标站点上手动授予该用户IIS管理器权限(尽管不确定为什么这样做是必要的，因为当用户手动传递其凭据时，该用户可以发布到该站点).

I also tried manually giving that user IIS Manager Permissions on the destination site (though not sure why that would be necessary since the user can publish to the site when their credentials are manually passed).

我要注意的一件事是，在WMsvc日志中，对于使用NTLM身份验证进行的尝试，它没有记录任何用户名.

One thing I am noticing is that in the WMsvc log it's not logging any username for the attempts made with NTLM auth.

任何想法，这是怎么回事.我真的不想在TeamCity配置中存储用户凭据.

Any idea what's going on here. I really don't want to have to store user credentials in my TeamCity configuration.

谢谢.

推荐答案

我知道我对此提交和回答有点晚了，但是为了其他人追求这种类型的问题，我设法进行这项工作.

I know I'm a little late submitting and answer on this, but for the benefit of anyone else chasing this type of problem, I've just managed to get this working.

类似于OP，我试图让Windows Server 2008R2上的TeamCity通过WMsvc在远程IIS 7.5服务器上发布网站.

Similar to the OP, I was trying to get TeamCity on Windows Server 2008R2 to publish a web site on a remote IIS 7.5 server using WMsvc.

在完成所有这些步骤之前，我一直在处理401错误:

I was struggling with the 401 error until I completed all of these steps:

• 确保AuthType = NTLM参数集.

• Ensure AuthType=NTLM parameter set.

确保提供了用户名"参数，但将其设置为空白值.

Ensure Username parameter supplied, but set to a blank value.

确保在远程Web服务器上启用NTLM身份验证，这涉及添加注册表项:

Ensure NTLM authentication enabled on the remote web server, this involved adding a registry entry:

HKLM\Software\Microsoft\WebManagement\Server
DWORD WindowsAuthenticationEnabled = 1

确保在构建服务器上运行构建代理的用户上下文可以成功地建立与WMsvc的Windows集成身份验证连接.实际上，我必须以该用户身份登录到构建服务器，然后打开IE，然后将目标网站添加到本地Intranet区域.基本上，我一直点击该URL并更改IE中的设置，直到我可以直接获得它而没有身份验证提示或401错误:

Ensure user context under which the build agent runs on the build server can successfully do a windows integrated auth connection to the WMsvc. I actually had to logon to the build server as this user, then open up IE, and add the target website to the Local Intranet Zone. Basically, I kept hitting this URL and altering settings in IE until I could get straight to it without authentication prompts or 401 errors:

https://[the server]:8172/MsDeploy.axd?site=[the site]

顺便说一句，当我开始进行身份验证时，远程WMSvc开始在Brownser中给我404错误，事实证明这是一个好兆头.在此过程中，我还在构建服务器信任的远程WMsvc上设置了SSL证书-可能不是必需的，但这对我的测试有所帮助.

Incidentally, when I got the auth working, the remote WMSvc started giving me 404 errors in the brownser instead, which turned out to be a good sign. During this process, I also set up an SSL cert on the remote WMsvc which was trusted by the build server - possibly not a necessity but it helped my testing.

完成上述操作后，TeamCity部署开始报告此错误:

Once I got completed the above, TeamCity deployments started reporting this error:

An error occurred when the request was processed on the remote computer.
The server experienced an issue processing the request. Contact the server administrator for more information.

我在事件日志中找不到任何有用的东西，但是这里的解决方法只是为了确保经过身份验证的用户对目标文件夹具有必要的文件系统权限.您可能希望更具选择性，但我只是让他们对Inetpub拥有完全控制权.

I couldn't find anything useful in the Event Log, but the fix here was just to ensure that the authenticated user had the necessary filesystem permissions on the target folder. You may want to be more selective, but I just gave them Full Control over Inetpub.

这篇关于如何使用带有集成Windows身份验证的MSDeploy和TeamCity进行部署?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！