3

Web deployment task failed. Error ERROR_USER_UNAUTHORIZED

We are using Tfs Build Automation and msdeploy for publishing an web application on remote machine.

On "Visual Studio Build" step we set this parameters on "MSBuild Arguments": /p:DeployOnBuild=true;PublishProfile=myProfile;AllowUntrustedCertificate=true;UserName=$(UserName);Password=$(Password)

After quing the build we get this error:

C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\Web\Microsoft.Web.Publishing.targets(4276,5): Error ERROR_USER_UNAUTHORIZED: Web deployment task failed. (Connected to the remote computer ("MySERVER") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.)

I am sure that username and password is correct, and the user isAdministrator on the server (MySERVER).

I checked the Management Service log on IIS and found something important: the build agent's username(tfsadmin) sent for deploy on IIS instead of the user/pass that I set in build variables.

Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

2018-01-03 09:29:02 MYSERVERIP HEAD /msdeploy.axd site=MySiteName 8172 - MyBuildServerIP - - 401 2 5 1322 2018-01-03 09:29:02 MYSERVERIP HEAD /msdeploy.axd site=MySiteName 8172 tfsadmin MyBuildServerIP - - 401 1 1326 86

Update 1: I add more information, as you see below in build log, in msBuildArgs the password is empty (instead of ********)!

WebDeploy Version : 3.6 TFS Version : 2015.1 Target Machine (MySERVER) : Windows 2012 R2 IIS Version : 8.5 The "tfsadmin" user has local administrator of target server (MyServer) and IIS Manager Permission on the target IIS Site.

Build log : 

2018-01-06T06:37:19.9298797Z Starting task: Build solution $/MyProject/MySolution.sln
2018-01-06T06:37:20.0529203Z Executing the powershell script: D:\Agents\Agent-01\tasks\VSBuild\1.0.16\VSBuild.ps1
2018-01-06T06:37:20.3760645Z ##[debug]Entering script VSBuild.ps1
2018-01-06T06:37:20.3790648Z ##[debug]vsLocation = 
2018-01-06T06:37:20.3800653Z ##[debug]vsVersion = 14.0
2018-01-06T06:37:20.3810663Z ##[debug]msBuildLocation = 
2018-01-06T06:37:20.3820668Z ##[debug]msBuildVersion = 
2018-01-06T06:37:20.3830692Z ##[debug]msBuildArchitecture = x64
2018-01-06T06:37:20.3840679Z ##[debug]msBuildArgs = /p:DeployOnBuild=true;PublishProfile=myProfile;AllowUntrustedCertificate=true;UserName=tfsadmin;Password=;Pass2=********
2018-01-06T06:37:20.3840679Z ##[debug]solution = D:\Agents\Agent-01\_work\2\s\MyProject\MySolution.sln
2018-01-06T06:37:20.3860721Z ##[debug]platform = 
2018-01-06T06:37:20.3870700Z ##[debug]configuration = 
2018-01-06T06:37:20.3880727Z ##[debug]clean = true
2018-01-06T06:37:20.3890697Z ##[debug]restoreNugetPackages = true
2018-01-06T06:37:20.3890697Z ##[debug]logProjectEvents = true
2018-01-06T06:37:20.4010877Z ##[debug]Loading module from path 'D:\Agents\Agent-01\agent\worker\Modules\Microsoft.TeamFoundation.DistributedTask.Task.Internal\Microsoft.TeamFoundation.DistributedTask.Task.Internal.dll'.
...

Can anybody help me ?

Omid Shariati
  • 1,904
  • 5
  • 22
  • 44

3 Answers3

0

You are correct that the wrong username and password were ultimately used to authenticate the request. Running the command net helpmsg 1326 (1326 is the sc-win32-status value from the log entry you provided) yields "The user name or password is incorrect."

Also interesting is the request/response logged before that. The substatus value 2 for a 401 means "Access is denied due to server configuration favoring an alternate authentication method." according to TechNet. And net helpmsg 1322 yields "This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon."

  1. Review (or re-review) the instructions at https://learn.microsoft.com/en-us/iis/publish/using-web-deploy/configure-the-web-deployment-handler
  2. If your deployment is still not working, take a look at Microsoft's Troubleshooting Common Problems with Web Deploy.
weir
  • 4,521
  • 2
  • 29
  • 42
  • Thanks weir, I khnow what the error said, but my problem is why it use the username/password of build-agent-service instead of the one that I set on build variable – Omid Shariati Jan 04 '18 at 05:17
0

Deploy from VS with the command line will use the user name and password you provided. However deploy from TFS will use the build agent. So, the first thing is that the service account of the build process should has the correct permission to access the remote server.

Just try to give the build service account local administrator permissions and IIS Manager Permissionson to the site's scope on the remote server ("MySERVER"). Then set the username parameter to "" (empty quotes) and the password field omitted.

Reference: Build only works with username and password in msbuild arguments

This error code can surface because of a number of different reasons. It typically indicates an authentication or authorization problem, and can happen because of any of hte following reasons:

If connecting using the Web Management Service:

  • Verify that the username and password are correct
  • Verify that the site exists
  • Verify that the user has IIS Manager Permissions to the site's scope

If connecting using the Remote Agent Service:

  • Verify that the username and password are correct
  • Verify that the user account you specified is a member of the Administrators group on the remote computer. NOTE: Because of a bug
    in Web Deploy 2.0, the user must be either the built-in Administrator or a member of the Domain Administrators security group. Attempts to
    sync with any other user account, even if it is an administrator,
    will see this error code. Verify that the site exists

Reference : ERROR_USER_UNAUTHORIZED

UPDATE:

By default, Web Deploy will connect using HTTP Basic Authentication. When using HTTP Basic Authentication, specific credentials must be supplied, e.g.

msdeploy.exe -verb:dump -source:apphostconfig,wmsvc=demo-host,authType:basic,username=someuser,password=somepassword

In your scenario, you can try set the AuthType as NTLM, then try it again.

Just try adding the line <AuthType>NTLM</AuthType> to the publish .pubxml file.

Andy Li-MSFT
  • 28,712
  • 2
  • 33
  • 55
  • Thanks Andy, the service account (tfsadmin) has local administrator permission on remote machine (MyServer) and IIS Manage Permission on target Site. I set the Username parameter to "" and the problem exists but with new error : Web deployment task failed. (The specified credentials cannot be used with the authentication scheme 'Basic'.) The specified credentials cannot be used with the authentication scheme 'Basic'. Default credentials cannot be supplied for the Basic authentication scheme. Parameter name: authType – Omid Shariati Jan 06 '18 at 09:38
  • 1
    @OmidShariati Just try adding the following line to .pubxml file. `NTLM`. See the updated answer. – Andy Li-MSFT Jan 08 '18 at 01:51
  • @OmidShariati Have you resolved the issue? any update? – Andy Li-MSFT Jan 24 '18 at 08:58
  • Thanks @andy-li-msft our target environments has changed during this das and I can't test this issue again.The target environment was not on the same domain as our build/tfs server that has this issue. in a few weeks later we can test it again. – Omid Shariati Jan 31 '18 at 05:58
0

Try this:

  • On your server go to Computer Management
  • From the left pan select Local Users and Groups
  • Go to users find the tfsadmin user
  • Right click on it and click on Set Password
  • Give your existing password (whatever it is)

This seems unnecessary but worked for me. I hope someone can explain the "why".

Mahdi
  • 3,199
  • 2
  • 25
  • 35