Msdeploy failed: The account 'xxx' does not appear to be valid

Problem description

I am trying to get automated deployment from TeamCity working for one of our new API endpoints. I have everything set up correctly, including the final step where TeamCity calls MSDeploy to send the package over to our server (we're talking our Integration / test server here).

Everything was working fine but, when creating the new site in IIS, we had borrowed a service user from another website for the app pool to run as.

When we created a new domain user and switched the app pool over, our deployments started failing. The error MSDeploy gives is:

    Error: (30/10/2014 15:00:56) An error occurred when the request was processed on the remote computer.
    [15:00:56][Step 1/1] Error: The account 'XXX' does not appear to be valid. The account was obtained from this location: 'system.applicationHost/applicationPools/******.com'.
    [15:00:56][Step 1/1] Error: Some or all identity references could not be translated.
    [15:00:56][Step 1/1] at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
    [15:00:56][Step 1/1] at System.Security.Principal.NTAccount.Translate(Type targetType)
    [15:00:56][Step 1/1] at Microsoft.Web.Deployment.Impersonator.GetNTAccount(String userName, String source)

Where XXX is the new domain user we created. Let's call the old domain user that we borrowed 'YYY'. We are using a third account, 'ZZZ' to connect with web deploy. So, everything was fine with the app pool running as YYY, but when we switched to XXX this error occurs.

We have looked and looked, but we can't find any differences between XXX and YYY. They're both in the same AD groups and both seem to have the same permissions on the server. Logging in to the server through RDP using account XXX allows us to open the IIS GUI and browse / administer the sites.

I've been unable to find many other sites talking about this problem, but it's got us completely stumped.

FYI, we have already restarted the web server in question, to see if that helped. It didn't.

Recommended answer

The error being returned here is just a general authentication failure error. In this particular scenario the authentication failure was being caused by a discrepancy between the User Principal Name and the SAM Account name of the user the application pool was running as.

See the following question for an explanation of which name is used when authenticating an Active Directory user - https://serverfault.com/questions/371150/any-difference-between-domain-username-and-usernamedomain-local

In our particular example, the Active Directory user name of the application pool was longer than 20 characters. The SAM account name has a 20 character limit, which means all characters over 20 were not included.

As explained in the linked answer, the format you use when specifying the domain and user name will determine which version of the name is used for authentication. Therefore with an example user name of "username_longer_than_20_characters" the following formats would work:

    domain\username_longer_than - authenticates using SAM account name

or

    username_longer_than_20_characters@domain - authenticates using User Principal name

The answer in the linked post also explains how to check the SAM account name for an Active Directory user.
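
The check described in the answer, as an added PowerShell example that is not part of the original post: for every app pool running as a specific user, it classifies the stored name as SAM or UPN format, flags SAM-style names over 20 characters, and runs the same `NTAccount.Translate` lookup that fails in the MSDeploy stack trace. `Test-PoolAccountName` is a hypothetical helper name, and the script assumes the WebAdministration module on the IIS server.

```powershell
# Added example, not from the original post. Run elevated on the IIS server.
Import-Module WebAdministration

function Test-PoolAccountName {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Name)

    # Classify the stored name: DOMAIN\name is resolved as a SAM account name,
    # name@domain as a User Principal Name.
    if ($Name -match '^[^\\]+\\(?<sam>.+)$') {
        $format = 'SAM (domain\user)'; $samPart = $Matches['sam']
    } elseif ($Name -match '@') {
        $format = 'UPN (user@domain)'; $samPart = $null
    } else {
        $format = 'bare name'; $samPart = $Name
    }

    # A SAM account name holds at most 20 characters (the limit the answer describes).
    $tooLong = ($null -ne $samPart) -and ($samPart.Length -gt 20)

    # Same lookup that appears in the MSDeploy stack trace: NTAccount.Translate.
    $sid = $null; $err = $null
    try {
        $account = New-Object System.Security.Principal.NTAccount($Name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $err = $_.Exception.Message
    }

    [pscustomobject]@{
        Name = $Name; Format = $format; Over20Chars = $tooLong; Sid = $sid; Error = $err
    }
}

# Check every application pool that runs as a specific (custom) account.
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
    ForEach-Object {
        $pool = $_.Name
        Test-PoolAccountName -Name $_.processModel.userName |
            Select-Object @{ n = 'AppPool'; e = { $pool } }, *
    } | Format-List
```

A pool whose row shows `Over20Chars` as True or an empty `Sid` is one whose stored identity will not resolve; re-enter it as the truncated SAM name or in UPN form.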
