401使用非管理员用户的WebDeploy未经授权的错误 [英] 401 Unauthorized error with WebDeploy using non-administrator user

问题描述

< TLDR>

是否可以使用ms web deploy从命令行将Web应用程序部署到远程主机 >使用非管理员用户？

< / TLDR>

<TLDR>
Is it at all possible to use ms web deploy to deploy a web application to a remote host from the command line with a non-administrator user?
</TLDR>

我已遵循Microsoft指南中的每一点for 安装和配置Web部署。我的目标是能够与IIS用户/非管理员用户进行远程Web部署。

I have followed every point in Microsoft's guide for Installing and Configuring Web Deploy. My goal is to be able to do a remote web deploy with an IIS user/non-administrator user.

执行安装和中所述的所有步骤后为非管理员部署配置Web部署，我收到以下日志消息（表示一切正常）：

After doing all the steps as described under Install and configure web deploy for non-administrator deployments, I get the following log messages (indicating that everything is OK):

Publish enabled for 'deploy_user'
Granted 'deploy_user' full control on 'C:\inetpub\wwwroot'
Successfully created settings file 'C:\Users\...\Desktop\deploy_user_Default Web Site.PublishSettings'

接下来，当我从本地机器尝试运行以下内容时命令：

Next, when I from my local machine try to run the following command:

.\my_deploy_package.cmd /M:https://machine_name:8172/msdeploy.axd -allowUntrusted /U:deploy_user /P:deploy_password /A:Basic /T

我收到一条错误消息：错误：远程服务器返回错误：（401）未经授权。

I get an error message saying: Error: The remote server returned an error: (401) Unauthorized.

如果我在目标计算机上进入事件查看器>自定义视图> Administratove事件，我看到此消息出现匹配错误：

If I on the target machine go into the Event Viewer > Custom Views > Administratove Events, I see a "matching" error with this message:

IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED

IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED

只允许Windows管理员使用服务器
连接进行连接。其他用户应该使用连接到站点或
应用程序任务才能连接。

Only Windows Administrators are allowed to connect using a server connection. Other users should use the 'Connect To Site or Application' task to be able to connect.

进程：WMSvc User = deploy_user

Process:WMSvc User=deploy_user

此错误与这个问题。并且接受的答案表明我已经完成的是正确的方法。

This error is the exact same as described in this question. And the accepted answer suggests that what I've already done is the correct approach.

我尝试了几种解决方法，比如这个，但似乎没有帮助。管理服务设置为允许远程连接（Windows和IIS管理器），我已经为内置Windows用户（非管理员）和IIS管理员用户运行配置，但仍然是相同的错误。然后，只要我与管理员用户一起运行deploy命令，它就会成功。

I have tried several workarounds suggested, like this, but nothing seems to be helping. Management Service is set to allow remote connections (both Windows and IIS Manager), and I have run the configuration for both a build-in windows user (non-administrator) and an IIS Manager User, and still the same error. As soon as I run the deploy command with an administrator user however, it succeeds.

我 am 允许通过IIS gui远程连接我的非管理员deploy_user用户（在IIS中：连接到站点> [服务器URL] / [站点名称]> deploy_user / deploy_password ），表示已配置必要的权限和规则。但是，当我尝试运行部署脚本命令行时 - 使用相同的用户 - 它失败。

I am allowed to connect remotely through the IIS gui with my non-administrator deploy_user user (in IIS: Connect to Site > [server url]/[site name] > deploy_user/deploy_password), indicating that the necessary rights and rules are configured. It is however when I try to run the deploy script command line - with the same user - that it fails.

如果实际是如错误消息所示，任何非管理员用户只能通过IIS管理器 使用连接到站点或应用程序，那么建议的方法是从命令行/构建服务器？我真的不想在构建服务器的配置中以明文形式输入管理员用户的用户名/密码...

And if it actually is as the error message indicates, that any non-admin user can only use Connect To Site or Application through IIS Manager, what is then the recommended way to do deploys like this from the command line/a build server? I don't really wan't to enter the username/password of an admin user in clear-text in the config at the build server...

一个选项我已经发现，如果你的构建服务器和你尝试部署的机器有一个共同的Active Directory（或其他共享用户的方式），你可以跳过 / A：Basic 标记并完全省略用户名和密码。您必须确保运行部署的用户也具有部署目标的管理员权限。但是，在我们的一个案例中，构建服务器和部署目标没有具有共同的用户群，因此这不是一个选项，我们将以明文形式返回用户名/密码 - 完全不可取。

One option I've found that's working, is that if your build server and the machine you try to deploy to have a common Active Directory (or other means of sharing users), you can skip the /A:Basic flag and leave out the username and password altogether. You must only make sure that the user running the deploy also have administrator rights on the deploy target. However, in one case for us the build server and deploy target doesn't have a common user base, so this isn't an option and we're back to username/password in clear-text - which isn't desirable at all.

推荐答案

由于用户仅在站点级别而不是IIS根级别具有管理员权限，您需要添加网站名称。

Since the user has Admin right only on the site level and not the IIS root level, you need to add the site name.

而不是 https：// machine_name：8172 / msdeploy.axd 你需要 https：// machine_name：8172 / msdeploy.axd？site = [MySiteName] 。

如果未添加， msdeploy 将尝试通过IIS的根目录访问该站点。使用添加的参数，可以直接访问站点，并且特定网站上的管理员权限就足够了。

When this is not added, msdeploy tries to access the site through the root of IIS. With the added parameter the site is accessed directly, and admin rights on the specific website are sufficient.

这篇关于401使用非管理员用户的WebDeploy未经授权的错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！