如何使用带有集成 Windows 身份验证的 MSDeploy 和 TeamCity 进行部署? [英] How do I deploy using MSDeploy and TeamCity with Integrated Windows Authentication?

问题描述

当我传入用户凭据时，我的 MSDeploy 部署与 TeamCity 完美配合.命令行参数(对某些值使用环境变量)是:

I had a MSDeploy deployment working beautifully with TeamCity when I passed in the user credentials. The command line parameters (using env. variables for some values) were:

MSBuild.exe Web.csproj
/P:Configuration=%env.Configuration%
/P:DeployOnBuild=True
/P:DeployTarget=MSDeployPublish
/P:MsDeployServiceUrl=https://%env.TargetServer%/MsDeploy.axd
/P:AllowUntrustedCertificate=True
/P:MSDeployPublishMethod=WMsvc
/P:CreatePackageOnPublish=True
/P:UserName=%env.AdminUser%
/P:Password=%env.AdminPassword%

MSBuild.exe Web.csproj
/P:Configuration=%env.Configuration%
/P:DeployOnBuild=True
/P:DeployTarget=MSDeployPublish
/P:MsDeployServiceUrl=https://%env.TargetServer%/MsDeploy.axd
/P:AllowUntrustedCertificate=True
/P:MSDeployPublishMethod=WMsvc
/P:CreatePackageOnPublish=True
/P:UserName=%env.AdminUser%
/P:Password=%env.AdminPassword%

工作得很好.但现在我想使用集成身份验证.我尝试从 MSBuild 部署使用集成身份验证或只有基本的? 但它没有起到作用.我已经尝试了各种组合传入一个空白用户名并指定

Worked great. But now I want to use integrated auth. I tried following Troy's suggestions over from Can MSBuild deploy using integrated authentication or only basic? but it's not doing the trick. I've tried various combinations of passing in a blank username and specifying

/p:AuthType=NTLM

/p:AuthType=NTLM

我得到的最接近的方法是指定/p:AuthType=NTLM 并传入一个空白用户名.但这仍然会导致此错误:

The closest I get is by specifying /p:AuthType=NTLM and passing in a blank username. But that still results in this error:

使用 Web 管理服务连接到目标计算机([我的目标服务器名称]")，但无法授权.确保您使用正确的用户名和密码，您要连接的站点存在，并且凭据代表有权访问该站点的用户.远程服务器返回错误:(401) Unauthorized

Connected to the destination computer ("[my destination server name]") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. The remote server returned an error: (401) Unauthorized

我在本地和远程服务器上都运行了 Web 管理服务.我将两个实例都更改为以我知道对站点具有适当访问权限的用户身份运行 - 如果我手动传递凭据，则该用户可以工作.

I have the Web Management Service running on both the local and remote servers. I changed both instances to run as a user I know has proper access to the site - the same user that works if I manually pass in credentials.

我还尝试在目标站点上手动授予该用户 IIS 管理器权限(尽管不确定为什么需要这样做，因为当手动传递其凭据时用户可以发布到该站点).

I also tried manually giving that user IIS Manager Permissions on the destination site (though not sure why that would be necessary since the user can publish to the site when their credentials are manually passed).

我注意到的一件事是，在 WMsvc 日志中，它没有为使用 NTLM 身份验证所做的尝试记录任何用户名.

One thing I am noticing is that in the WMsvc log it's not logging any username for the attempts made with NTLM auth.

知道这里发生了什么.我真的不想在我的 TeamCity 配置中存储用户凭据.

Any idea what's going on here. I really don't want to have to store user credentials in my TeamCity configuration.

谢谢.

推荐答案

我知道我提交和回答这个问题有点晚了，但是为了其他人的利益，我刚刚设法解决了这个问题让这个工作.

I know I'm a little late submitting and answer on this, but for the benefit of anyone else chasing this type of problem, I've just managed to get this working.

与 OP 类似，我试图让 Windows Server 2008R2 上的 TeamCity 使用 WMsvc 在远程 IIS 7.5 服务器上发布网站.

Similar to the OP, I was trying to get TeamCity on Windows Server 2008R2 to publish a web site on a remote IIS 7.5 server using WMsvc.

在完成所有这些步骤之前，我一直在处理 401 错误:

I was struggling with the 401 error until I completed all of these steps:

• 确保 AuthType=NTLM 参数集.

• Ensure AuthType=NTLM parameter set.

确保提供了用户名参数，但设置为空白值.

Ensure Username parameter supplied, but set to a blank value.

确保在远程 Web 服务器上启用 NTLM 身份验证，这涉及添加注册表项:

Ensure NTLM authentication enabled on the remote web server, this involved adding a registry entry:

HKLMSoftwareMicrosoftWebManagementServer
DWORD WindowsAuthenticationEnabled = 1

确保构建代理在构建服务器上运行的用户上下文可以成功地与 WMsvc 建立 Windows 集成身份验证连接.我实际上必须以该用户身份登录到构建服务器，然后打开 IE，并将目标网站添加到本地 Intranet 区域.基本上，我一直在点击这个 URL 并更改 IE 中的设置，直到我可以直接访问它而不会出现身份验证提示或 401 错误:

Ensure user context under which the build agent runs on the build server can successfully do a windows integrated auth connection to the WMsvc. I actually had to logon to the build server as this user, then open up IE, and add the target website to the Local Intranet Zone. Basically, I kept hitting this URL and altering settings in IE until I could get straight to it without authentication prompts or 401 errors:

https://[the server]:8172/MsDeploy.axd?site=[the site]

顺便说一句，当我让身份验证工作时，远程 WMSvc 开始在browser 中给我 404 错误，结果证明这是一个好兆头.在此过程中，我还在构建服务器信任的远程 WMsvc 上设置了 SSL 证书 - 可能不是必需品，但它有助于我的测试.

Incidentally, when I got the auth working, the remote WMSvc started giving me 404 errors in the brownser instead, which turned out to be a good sign. During this process, I also set up an SSL cert on the remote WMsvc which was trusted by the build server - possibly not a necessity but it helped my testing.

完成上述操作后，TeamCity 部署开始报告此错误:

Once I got completed the above, TeamCity deployments started reporting this error:

An error occurred when the request was processed on the remote computer.
The server experienced an issue processing the request. Contact the server administrator for more information.

我在事件日志中找不到任何有用的东西，但这里的修复只是为了确保经过身份验证的用户对目标文件夹具有必要的文件系统权限.您可能想要更有选择性，但我只是让他们完全控制 Inetpub.

I couldn't find anything useful in the Event Log, but the fix here was just to ensure that the authenticated user had the necessary filesystem permissions on the target folder. You may want to be more selective, but I just gave them Full Control over Inetpub.

这篇关于如何使用带有集成 Windows 身份验证的 MSDeploy 和 TeamCity 进行部署?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！