Issue with Accessing IIS Redirection.config file during Deployment


Scenario:

The TFS build/release agent is configured to use the built in account Network Service (or a domain account that is not a member of the local admin group) when running as service. A file permission error occurs when the release is attempting to update files in the IIS for the website using Web Deploy and the TFS agent is configured as a service to run under the security context of Network Service.

This example uses the following syntax for the update:

msdeploy -verb:sync -source:Package=C:\_Agent\LatestDeployments\FarmDemo\LatestPackage\DemoWebFormsApp.zip -dest:Auto

Problem Encountered:

Upon execution of the batch file, the following error occurs:

  • Skipping backup because it failed due to the following error 'System.UnauthorizedAccessException: Filename: redirection.config
  • Error: Cannot read configuration file due to insufficient permissions
  • Info: Adding sitemanifest (sitemanifest).
  • Info: Creating application (Default Web site/FarmDemo)
  • Error: An error occurred when reading the IIS Configuration File 'MACHINE/REDIRECTION'. The identity performing the operation was 'NT AUTHORITY\NETWORK SERVICE'.
  • Error: Filename: \\?\C:\Windows\system32\inetsrv\config\redirection.config
  • Error: Cannot read configuration file due to insufficient permissions

Resolution:

The account conducting the deployment lacks read permissions on the redirection file:

  1. Change the identity of the account the agent is using to a local account with membership in the Local Admin group on the server
  2. Change the identity of the account the agent is using to a Domain account with membership in the Local Admin group on the server
  3. Add the NT AUTHORITY\NETWORK SERVICE account to the Windows\System32\Inetsrv\Config directory with Read and List folder contents permissions

Comments (0)

Skip to main content