How to deploy with MSDeploy and TeamCity using integrated Windows authentication?

Posted on 2024-12-14 17:26:07

I had a MSDeploy deployment working beautifully with TeamCity when I passed in the user credentials. The command line parameters (using env. variables for some values) were:

    MSBuild.exe Web.csproj
    /P:Configuration=%env.Configuration%
    /P:DeployOnBuild=True
    /P:DeployTarget=MSDeployPublish
    /P:MsDeployServiceUrl=https://%env.TargetServer%/MsDeploy.axd
    /P:AllowUntrustedCertificate=True
    /P:MSDeployPublishMethod=WMsvc
    /P:CreatePackageOnPublish=True
    /P:UserName=%env.AdminUser%
    /P:Password=%env.AdminPassword%

Worked great. But now I want to use integrated auth. I tried following Troy's suggestions over from "Can MSBuild deploy using integrated authentication or only basic?" but it's not doing the trick. I've tried various combinations of passing in a blank username and specifying

    /p:AuthType=NTLM

The closest I get is by specifying /p:AuthType=NTLM and passing in a blank username. But that still results in this error:

Connected to the destination computer ("[my destination server name]") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. The remote server returned an error: (401) Unauthorized

I have the Web Management Service running on both the local and remote servers. I changed both instances to run as a user I know has proper access to the site - the same user that works if I manually pass in credentials.

I also tried manually giving that user IIS Manager Permissions on the destination site (though not sure why that would be necessary since the user can publish to the site when their credentials are manually passed).

One thing I am noticing is that in the WMsvc log it's not logging any username for the attempts made with NTLM auth.

Any idea what's going on here? I really don't want to have to store user credentials in my TeamCity configuration.

Thanks.


Comments (3)

软的没边 2024-12-21 17:26:21

I assume that the deployment is executed with the account of the TeamCity-Agent. This would explain your error. Make sure that this account has the appropriate rights for the deployment.

-黛色若梦 2024-12-21 17:26:19

Is the build agent service running under the account you want to use? You mention the web management service, but remember it's the build agent which is actually doing the work and needs the rights.

旧夏天 2024-12-21 17:26:16

I know I'm a little late submitting an answer on this, but for the benefit of anyone else chasing this type of problem, I've just managed to get this working.

Similar to the OP, I was trying to get TeamCity on Windows Server 2008R2 to publish a web site on a remote IIS 7.5 server using WMsvc.

I was struggling with the 401 error until I completed all of these steps:

  • Ensure AuthType=NTLM parameter set.

  • Ensure Username parameter supplied, but set to a blank value.

  • Ensure NTLM authentication enabled on the remote web server, this involved adding a registry entry:

    HKLM\Software\Microsoft\WebManagement\Server
    DWORD WindowsAuthenticationEnabled = 1
    
  • Ensure user context under which the build agent runs on the build server can successfully do a windows integrated auth connection to the WMsvc. I actually had to logon to the build server as this user, then open up IE, and add the target website to the Local Intranet Zone. Basically, I kept hitting this URL and altering settings in IE until I could get straight to it without authentication prompts or 401 errors:

    https://[the server]:8172/MsDeploy.axd?site=[the site]
    

Incidentally, when I got the auth working, the remote WMSvc started giving me 404 errors in the browser instead, which turned out to be a good sign. During this process, I also set up an SSL cert on the remote WMsvc which was trusted by the build server - possibly not a necessity but it helped my testing.

Once I had completed the above, TeamCity deployments started reporting this error:

An error occurred when the request was processed on the remote computer.
The server experienced an issue processing the request. Contact the server administrator for more information.

I couldn't find anything useful in the Event Log, but the fix here was just to ensure that the authenticated user had the necessary filesystem permissions on the target folder. You may want to be more selective, but I just gave them Full Control over Inetpub.
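
The checks described in the answer above can be scripted so they are repeatable; the following PowerShell is an added example, not part of the original answer. The server, site, folder and account names are placeholders, and `BuildAgent` is an assumed name for the TeamCity agent service. The last function grants Modify on one site folder only, as a narrower alternative to Full Control over Inetpub.

```powershell
# Added example: names and paths below are placeholders, not values from the thread.
param(
    [string]$Server     = 'web01.example.internal',    # placeholder target server
    [string]$Site       = 'Default Web Site',          # placeholder IIS site name
    [string]$AgentSvc   = 'BuildAgent',                # assumed TeamCity agent service name
    [string]$SiteFolder = 'C:\inetpub\wwwroot\MySite'  # placeholder content folder
)

# Run ON THE WEB SERVER: is the registry value from the answer present and set to 1?
function Test-WMSvcWindowsAuth {
    $key = 'HKLM:\Software\Microsoft\WebManagement\Server'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).WindowsAuthenticationEnabled
    return ($val -eq 1)
}

# Run ON THE BUILD SERVER: the account the agent service logs on as is the
# identity that integrated authentication will present to WMSvc.
function Get-AgentAccount {
    (Get-CimInstance Win32_Service -Filter "Name='$AgentSvc'").StartName
}

# Run ON THE BUILD SERVER, AS THE AGENT ACCOUNT: request the WMSvc endpoint with the
# current Windows identity and return the HTTP status code.
# Per the answer: 401 means authentication was not accepted; the author saw 404
# in the browser once authentication worked.
function Test-IntegratedAuth {
    $url = "https://${Server}:8172/MsDeploy.axd?site=$([uri]::EscapeDataString($Site))"
    $req = [System.Net.WebRequest]::Create($url)
    $req.UseDefaultCredentials = $true
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        $ex = $_.Exception.GetBaseException()
        if ($ex -is [System.Net.WebException] -and $ex.Response) {
            return [int]$ex.Response.StatusCode
        }
        throw   # no HTTP response at all, e.g. untrusted certificate or DNS failure
    }
}

# Run ON THE WEB SERVER: grant Modify, inherited by files and subfolders,
# on the one site folder instead of Full Control over all of Inetpub.
function Grant-SiteFolderModify([string]$Account) {
    icacls $SiteFolder /grant "${Account}:(OI)(CI)M"
}
```

Dot-source the script on the relevant machine and call the function that applies there. `Test-IntegratedAuth` validates the server certificate, so it throws instead of returning a status when the WMSvc certificate is not trusted by the build server.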
