Windows Azure Web Sites: Reset your deployment credentials v/s Reset your Publish Profile Credentials.

You might have seen this links on the DASHBOARD management page of the website hosted on WAWS, under the quick glance section:

• Reset your publish profile credentials
• Reset your deployment credentials

There is both similarity and difference in what these 2 options provide and can be confusing at times. The similarity is that both operate on the deployment credentials. But before we understand the difference lets download the publish profile for a website hosted on WAWS.

Once you download the file (.publishsettings file), open it in a notepad and review the section. The file contains the configuration needed to deploy a web application on to WAWS. It contains 2 sections, one for Web Deploy and another for FTP. Both the sections make use of the same deployment credentials (username and password). The format of specifying the username differs while the password remains the same.

The userPWD keyword contains the hash of the password of the deployment account. Make a note of the this keyword called userPWD.

I created a test site and downloaded the publish profile for it. Here is how it looks like:

<publishData> <publishProfile profileName="testkaushalp - Web Deploy" publishMethod="MSDeploy" publishUrl="***************.publish.azurewebsites.windows.net:443" msdeploySite="testkaushalp" userName="$testkaushalp" userPWD="ENc4CTp6auXrk5bZrfQn8a9EavClE1vPLNeJAj51t9aQGzk8uCk07nh0F0zk" destinationAppUrl="https://testkaushalp.azurewebsites.net" SQLServerDBConnectionString="" mySQLDBConnectionString="" hostingProviderForumLink="" controlPanelLink=""> <databases/> </publishProfile> <publishProfile profileName="testkaushalp - FTP" publishMethod="FTP" publishUrl=“ftp://*****************.azurewebsites.windows.net/site/wwwroot” ftpPassiveMode="True" userName="testkaushalp\$testkaushalp" userPWD="ENc4CTp6auXrk5bZrfQn8a9EavClE1vPLNeJAj51t9aQGzk8uCk07nh0F0zk" destinationAppUrl="https://testkaushalp.azurewebsites.net" SQLServerDBConnectionString="" mySQLDBConnectionString="" hostingProviderForumLink="" controlPanelLink=""> <databases/> </publishProfile> < /publishData>

 

NOTE: The original publish profile for the website is not formatted. For the simplicity of the reader, I formatted the .publishsettings file and indented as required to explain the topic better. Please refrain from formatting the files.

 

Reset your publish profile credentials:

Now lets click on the option “Reset your publish profile credentials”. This will prompt you with the following warning:

The above message implies that when we chose the above option, it will invalidate all the previously downloaded publish profiles for this site. Now what causes the file to be invalidated is discussed next.

Click on YES when the warning message is prompted and the below message is displayed upon successful reset of the publish profile credentials as shown below:

Here is what happens; clicking the above option changes the hash of the password for account used for the deployment for this site. As the hash of the password has been changed, the previous file contains a different hash altogether and when the user tries to use that file for deployment, it is bound to fail due to password hash mismatch. Below is a snapshot of the userPWD section after resetting of the password.

<publishData> < publishProfile profileName="testkaushalp - Web Deploy" publishMethod="MSDeploy" publishUrl="*****************.publish.azurewebsites.windows.net:443" msdeploySite="testkaushalp" userName="$testkaushalp" userPWD="ubJ4P7qd984mgmLrkxLcwLxu41QsZi6qnJds1mg4lei734BmBRB4dj3oHhpe" destinationAppUrl="https://testkaushalp.azurewebsites.net" SQLServerDBConnectionString="" mySQLDBConnectionString="" hostingProviderForumLink="" controlPanelLink="https://windows.azure.com"> <databases/> </publishProfile> < publishProfile profileName="testkaushalp - FTP" publishMethod="FTP" publishUrl=“ftp://****************.ftp.azurewebsites.windows.net/site/wwwroot” ftpPassiveMode="True" userName="testkaushalp\$testkaushalp" userPWD="ubJ4P7qd984mgmLrkxLcwLxu41QsZi6qnJds1mg4lei734BmBRB4dj3oHhpe" destinationAppUrl="https://testkaushalp.azurewebsites.net" SQLServerDBConnectionString="" mySQLDBConnectionString="" hostingProviderForumLink="" controlPanelLink="https://windows.azure.com"> <databases/> </publishProfile> < /publishData>

The deployment credentials are website specific and will affect only the current website on which the action has been performed.

NOTE: Reset your publish profile credentials option doesn’t change the password. It only changes the hash which is created using the same password. If you were to compare the files before and after selecting the option, you would notice that the value of userPWD is the only thing that changed.

Reset your deployment credentials:

Now lets click on the option “Reset your deployment credentials”. This will prompt the user with the following pop-up:

Now, this option is self explanatory. It allows the user to change the deployment credentials i.e., the username and password. However this option is not specific to a website, as the user is changing the password for the deployment account, it will affect all the web sites. These credentials are directly tied to the Microsoft account (Outlook.com or Live.com). So changing these credentials will be changing it for all the subscriptions tied to the Microsoft account. Thanks to one of my peers in the escalation team (Jim Cheshire) for clarifying this out to me. He is one of the most active members on the Windows Azure Web Sites Forum.

David Ebbo has explained it here: https://github.com/projectkudu/kudu/wiki/Deployment-credentials

This will in turn change the hash of the password, which makes it similar to the previous option. But with a major difference that the user changes the actual deployment credentials (username or password or both) which affects all the sites and invalidates the publish profile for all the sites.

Hopefully, this should clear the confusion on this topic.