Publishing to DMZ Server using Web Deploy Agent Service


There are several options for configuring Web Deploy for deployments to servers located in a DMZ or in a non-trusted domain. The Web Deploy Agent service is the easiest to configure and troubleshoot, and it is the preferred method if you have login rights to the IIS server, meaning you can RDP into the server and open and configure IIS and other services on it. If you do not have those rights, work with your server admin to either configure the Web Deploy Agent service or use the Web Deploy handler to complete deployments.

The Web Deploy Agent service method synchronizes the IIS servers directly from the command line and avoids copying Web Deploy packages between servers. This speeds up the deployment process and also allows parameterization of the web.config and other elements for deployment into the different environments.

The Web Deploy Agent service (MsDepSvc) is not installed by default; it is an option when running the installer. By default the MsDepSvc service reserves the URL https://+:80/MSDEPLOYAGENTSERVICE/ and starts listening on it; this URL is called the ListenURL. If a custom port and URL are needed, run msiexec.exe from a command line and pass it a custom ListenURL parameter. The service can be made to listen for HTTPS requests by modifying the ListenURL appropriately and then binding a certificate to that port using netsh.

The remote service uses the part of the URL after "MSDEPLOYAGENTSERVICE" to execute provider-related commands. When troubleshooting any service-related issues, look in the log at %SystemDrive%\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\msdepsvc.log. As is evident from that path, the service runs as NetworkService.
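The following PowerShell script is an added example, not part of the original post, showing the custom ListenURL install, the netsh certificate binding and the checks described above in one place. It assumes placeholder values for the MSI path, the certificate thumbprint, the publishing server's IP and the app id GUID, and it assumes LISTENURL is the MSI property behind the ListenURL parameter mentioned above; the firewall rule is an extra step I add for a DMZ host and is not in the post.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): install the Web Deploy agent with a
# custom ListenURL, bind a certificate to that port with netsh, open the port only
# to the publishing server, and verify the listener and the service log.
# Placeholders (not values from the post): MSI path, thumbprint, publisher IP, app id.
# LISTENURL is assumed to be the MSI property behind the post's ListenURL parameter.

$Msi         = 'C:\installers\WebDeploy_amd64_en-US.msi'   # placeholder path
$Port        = 8172
$ListenUrl   = "https://+:$Port/MSDEPLOYAGENTSERVICE/"      # custom scheme and port
$Thumbprint  = '0000000000000000000000000000000000000000'    # placeholder thumbprint
$PublisherIp = '10.0.0.2'                                     # placeholder: pushing server
$AppId       = '{d2c4b6a8-0e1f-4a2b-9c3d-5e6f70819a2b}'       # constructed; any GUID works
$LogPath     = "$env:SystemDrive\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\msdepsvc.log"

function Install-WebDeployAgent {
    param([string]$MsiPath, [string]$Url)
    # ADDLOCAL=ALL includes the remote agent service, which is off by default;
    # LISTENURL replaces the default port-80 reservation with our own.
    $msiArgs = "/i `"$MsiPath`" /quiet /norestart ADDLOCAL=ALL LISTENURL=$Url"
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "msiexec failed with exit code $($p.ExitCode)" }
}

function Set-AgentTlsBinding {
    param([int]$Port, [string]$Thumbprint, [string]$AppId)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    # http.sys terminates TLS for the agent, so the binding is per port, not per service.
    # Replace any binding already on the port, then add ours.
    netsh http delete sslcert "ipport=0.0.0.0:$Port" | Out-Null
    netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$Thumbprint" "appid=$AppId" | Out-Null
}

function Enable-AgentFirewallRule {
    param([int]$Port, [string]$PublisherIp)
    # DMZ hygiene: allow the agent port only from the server that pushes deployments.
    New-NetFirewallRule -DisplayName "Web Deploy Agent ($Port)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -RemoteAddress $PublisherIp -Action Allow | Out-Null
}

function Test-WebDeployAgent {
    param([int]$Port, [string]$LogPath)
    $svc    = Get-Service -Name MsDepSvc
    $urlacl = netsh http show urlacl | Select-String -Pattern 'MSDEPLOYAGENTSERVICE'
    $ssl    = netsh http show sslcert "ipport=0.0.0.0:$Port" | Select-String -Pattern 'Certificate Hash'
    [pscustomobject]@{
        ServiceStatus     = $svc.Status
        ListenUrlReserved = [bool]$urlacl
        ReservedUrls      = @($urlacl | ForEach-Object { $_.Line.Trim() })
        TlsBound          = [bool]$ssl
        # The log named in the post is the first place to look when a publish fails.
        LogTail           = if (Test-Path $LogPath) { Get-Content $LogPath -Tail 10 } else { '(log not created yet)' }
    }
}

Install-WebDeployAgent  -MsiPath $Msi -Url $ListenUrl
Set-AgentTlsBinding     -Port $Port -Thumbprint $Thumbprint -AppId $AppId
Enable-AgentFirewallRule -Port $Port -PublisherIp $PublisherIp
Restart-Service -Name MsDepSvc
Test-WebDeployAgent -Port $Port -LogPath $LogPath | Format-List
```

Run it in an elevated PowerShell session on the DMZ server after replacing the placeholders. The final Test-WebDeployAgent output tells you whether the reservation took, whether a certificate is bound to the port, and shows the tail of msdepsvc.log, which is the same log the text above points to for troubleshooting.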

Here are the configuration steps to enable publishing to a remote server using the Web Deploy remote agent:

  • Create a local user group named MSDepSvcUsers on the remote server.
  • Create a local account with the same name on both the server pushing the Web Deploy command and the remote server. The key is that the username and password match on both servers.
  • Add the local account to the MSDepSvcUsers group on the remote server.
  • In the Web Deploy command, use the local account to authenticate to the remote server. For example, the following command publishes to a remote server using the local account (thedeployer) to authenticate:
    msdeploy -verb:sync -source:iisapp="Default Web Site/App1" -dest:iisapp="Default Web Site/App1",computername=10.0.0.1,username=.\thedeployer,password="P@ssword1" -verbose -whatif
  • Grant the Network Service account read permissions on the C:\Windows\System32\Inetsrv\Config folder.
  • Use the Configure Web Deploy Publishing utility to add the MSDepSvcUsers local group on the remote server to allow publishing to the site. This essentially gives the group read and write access to the web site so that it can publish.
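The configuration steps above as a script, added here as an example and not taken from the original post. Part 1 runs on the remote (DMZ) IIS server and creates the group, the account and the two folder permissions, with a check at the end; Part 2 runs on the pushing server and issues the same -whatif publish command as above. It assumes Windows Server 2016 or later (for the LocalAccounts cmdlets), Web Deploy 3 in its default install path, a placeholder site content folder, and that an icacls read/write grant on that folder is an acceptable stand-in for the Configure Web Deploy Publishing UI step.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Part 1: remote (DMZ) IIS server.
# Part 2: pushing server. Assumptions: Windows Server 2016+ LocalAccounts cmdlets,
# Web Deploy 3 default path, placeholder site folder, icacls grant on the site
# folder standing in for the "Configure Web Deploy Publishing" step.

$DeployUser = 'thedeployer'                  # same name and password on BOTH servers
$GroupName  = 'MSDepSvcUsers'
$ConfigDir  = "$env:windir\System32\inetsrv\config"
$SitePath   = 'C:\inetpub\wwwroot\App1'      # placeholder: the site's content folder
$Target     = '10.0.0.1'                     # remote server, from the post's command

# ---- Part 1: remote (DMZ) server ----------------------------------------------
function New-DeployPrincipal {
    param([string]$User, [string]$Group)
    # Prompt for the password instead of hard-coding the post's illustrative P@ssword1.
    $pw = Read-Host -Prompt "Password for $User (must match the pushing server)" -AsSecureString
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Group -Description 'Web Deploy agent publishers' | Out-Null
    }
    if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $User -Password $pw -PasswordNeverExpires `
            -Description 'Web Deploy publishing account' | Out-Null
    }
    # Group membership is all the agent needs; the account is not made a local admin.
    Add-LocalGroupMember -Group $Group -Member $User -ErrorAction SilentlyContinue
}

function Grant-PublishAccess {
    param([string]$Group, [string]$ConfigDir, [string]$SitePath)
    # The agent runs as NETWORK SERVICE and reads redirection.config from
    # inetsrv\config; (OI)(CI) inherits to files and subfolders, R = read only.
    icacls $ConfigDir /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)R' | Out-Null
    # Publishers need read/write (M = modify) on the site content, nothing wider.
    icacls $SitePath /grant "${Group}:(OI)(CI)M" | Out-Null
}

function Test-PublishPrereqs {
    param([string]$User, [string]$Group, [string]$ConfigDir, [string]$SitePath)
    $member  = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -like "*\$User" }
    $cfgAce  = (Get-Acl $ConfigDir).Access |
               Where-Object { $_.IdentityReference -like '*NETWORK SERVICE' -and
                              $_.FileSystemRights -match 'Read' }
    $siteAce = (Get-Acl $SitePath).Access |
               Where-Object { $_.IdentityReference -like "*\$Group" -and
                              $_.FileSystemRights -match 'Modify' }
    [pscustomobject]@{
        AgentRunning   = (Get-Service MsDepSvc).Status -eq 'Running'
        UserInGroup    = [bool]$member
        ConfigReadable = [bool]$cfgAce     # missing => ERROR_USER_NOT_ADMIN
        SiteWritable   = [bool]$siteAce    # missing => ERROR_INSUFFICIENT_ACCESS_TO_SITE_FOLDER
    }
}

# ---- Part 2: pushing server ---------------------------------------------------
function Invoke-AgentPublish {
    param([string]$Target, [string]$User, [string]$App = 'Default Web Site/App1')
    $msdeploy = "$env:ProgramFiles\IIS\Microsoft Web Deploy V3\msdeploy.exe"
    $cred = Get-Credential -UserName ".\$User" -Message 'Local deploy account (same on both servers)'
    # --% hands the rest of the line to msdeploy verbatim, which keeps the quotes
    # around the site name intact; only %NAME% environment references are expanded.
    $env:WD_APP    = $App
    $env:WD_TARGET = $Target
    $env:WD_USER   = $cred.UserName
    $env:WD_PASS   = $cred.GetNetworkCredential().Password   # still appears on msdeploy's command line
    try {
        & $msdeploy --% -verb:sync -source:iisapp="%WD_APP%" -dest:iisapp="%WD_APP%",computername=%WD_TARGET%,username=%WD_USER%,password="%WD_PASS%" -verbose -whatif
    } finally {
        Remove-Item Env:\WD_PASS -ErrorAction SilentlyContinue
    }
}

# On the remote server:
New-DeployPrincipal -User $DeployUser -Group $GroupName
Grant-PublishAccess -Group $GroupName -ConfigDir $ConfigDir -SitePath $SitePath
Test-PublishPrereqs -User $DeployUser -Group $GroupName -ConfigDir $ConfigDir -SitePath $SitePath
# On the pushing server, after creating the same local account there:
# Invoke-AgentPublish -Target $Target -User $DeployUser
```

Test-PublishPrereqs returns four booleans; the two ACL checks correspond to the two errors discussed in the Issues Encountered section below, so a false value points at the permission that is missing. Invoke-AgentPublish keeps -whatif so the first run only reports what would change; drop it for the real publish. Because the pushing server needs the same local account, New-DeployPrincipal can be run there too with a throwaway group name.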


Issues Encountered:

When I first walked through the steps, I did not add Network Service to the appropriate locations and encountered several errors. At first, I had added the created local account to the IIS web site content directory and Inetsrv directory and encountered the ERROR_USER_NOT_ADMIN permission issue. The error message had stated there was a permission issue reading the redirection.config file during the publish operation.


Using Process Monitor to capture a trace file, I set the filter for the process MsDepSvc.exe and found the ACCESS DENIED result in the trace.


After further review of the ProcMon trace, I found that Network Service required access to the Config folder.


I added Network Service to the C:\Windows\System32\Inetsrv\Config folder with Read attributes; the following message box appeared, I selected the Continue button, and the appropriate permissions were set for the Network Service account.


Once I attempted to publish, I encountered the ERROR_INSUFFICIENT_ACCESS_TO_SITE_FOLDER error.

Based on the information at https://www.iis.net/learn/publish/troubleshooting-web-deploy/web-deploy-error-codes, I followed the steps in the resolution section, added the MSDepSvcUsers local group through the Web Deploy Publishing utility from within IIS Manager, and was able to Publish!