Allowing non-admin users to deploy web applications on IIS 7 using web deploy 2.0


One of the main features of web deploy is integration with the IIS 7.0 Web Management Service (WMSVC) for remote deployment by non-administrators. Lets see how to do that.

1. Installing Web Management Service (WMSVC)

Click Server Manager in the Start menu, select the Roles node in the left-hand tree view, and scan down to find the Web Server (IIS) role.  Click Add Role Services and select the Management Service component.

2. Installing WebDeploy 2.0.

Following link lists down steps to install web Deploy: http://learn.iis.net/page.aspx/421/installing-web-deploy/

3. Configure WMSvc Settings

  • Open IIS Manager.
  • In the Connections pane, click the server node in the tree.
  • In Features View, double-click Management Service.
  • On the Management Service page, in the Actions pane, click Stop to stop the service.
  • Select Enable remote connections. This enables server administrators to connect remotely to the server, sites, and applications.
  • Optionally, if you want to allow non-administrators to connect to sites and applications by using IIS Manager, configure the options under Identity Credentials:
  • Select Windows credentials only if you want to limit connections to users who have Windows credentials.
  • Select Windows credentials or IIS Manager credentials if you want to accept connections from users who have Windows credentials and users who have IIS Manager credentials.
  • In the Actions pane, click Apply and then click Start.

 

 

4. Configure Management Service Delegation rule

  • Open IIS Manager.
  • In the Connections pane, click the server node in the tree.
  • In Features View, double-click Management Service Delegation.
  • On the Management Service page, in the Actions pane, click  “Add rule”.
  • Select Blank Rule template.
  • Configure the rule as per below mentioned settings:
  • Providers: setAcl, createApp, contentPath, iisApp
  • Actions: *
  • Path Type: Path Prefix
  • Identity type: ProcessIdentity
  • Click ok.
  • Add the non-admin user to this rule.

 

 

 

 5. Adding permissions for non-admin user on the website. 

 

  • Open IIS Manager.
  • In the Connections pane, click the desired Website in Sites tree.
  • In Features View, double-click IIS Manager Permissions.
  • On the IIS Manager Permissions page, in the Actions pane, click  “Allow User”.
  • Add non-admin user here.

6. Verify if remote delegation has been set correctly for the user.

–  Open IIS Manager.

– In the Connections pane,  select Connect to Site.

  

–  Enter the Server and Site names and press next.

–  Enter the User Credentials and press next.

–  Enter a name for your Connection.

–  Right Click on Website connection, and you would get “Deploy Option”. 

 

 –  We will get options under Deploy Section based on the Providers added to management service delegation rule.

Try adding different providers and explore more options that are available with Web Deploy. 

Fig1.jpg

Comments (3)

  1. Amol Mehrotra says:

    Easier setup for non-administrator deployments on IIS7 released in Web Deploy 2.0 Refresh.

    blogs.iis.net/…/announcing-web-deploy-2-0-refresh.aspx

  2. mephi says:

    Thanks, this helped me!

  3. Romulo says:

    Hi friend, thanks a lot! I had much trouble to understand what happened "inside" IIS and WMSVC. One thing that you didn't say is that the WMSVC Service Account needs to have Full Control on your websites directory. I followed a best practice from Microsoft Workshop, to change the "Web Management Service" service to, instead of running as Network Service (less secure), to running as "NT ServiceWMSVC". (When a service is created, Windows create a "virtual service account" to it, under "NT Service". So you just need to put the Web Deploy to run as "NT ServiceWMSVC", and then, on your websites account, give Full Control to this account.

    One very important thing: To work with least permissions, you have to change "Run As: Identity Type" to ProcessIdentity, as you told inside the article, instead of "CurrentUser". With that, you can put any Domain, Local and/or IIS Accounts to manage the websites, and only need to set Full Control to NT ServiceWMSvc. Hope i can help someone as this article helped me to understand overall