I am trying to get automated deployment from TeamCity working for one of our new API endpoints. I have everything set up correctly, including the final step where TeamCity calls MSDeploy to send the package over to our server (we're talking our Integration / test server here).
Everything was working fine but, when creating the new site in IIS, we had borrowed a service user from another website for the app pool to run as.
When we created a new domain user and switched the app pool over our deployments started failing. The error MSDeploy gives is:
Error: (30/10/2014 15:00:56) An error occurred when the request was processed on the remote computer.
[15:00:56][Step 1/1] Error: The account 'XXX' does not appear to be valid. The account was obtained from this location: 'system.applicationHost/applicationPools/******.com'.
[15:00:56][Step 1/1] Error: Some or all identity references could not be translated.
[15:00:56][Step 1/1] at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
[15:00:56][Step 1/1] at System.Security.Principal.NTAccount.Translate(Type targetType)
[15:00:56][Step 1/1] at Microsoft.Web.Deployment.Impersonator.GetNTAccount(String userName, String source)
Where XXX is the new domain user we created. Let's call the old domain user that we borrowed 'YYY'. We are using a third account, 'ZZZ' to connect with web deploy. So, everything was fine with the app pool running as YYY, but when we switched to XXX this error occurs.
We have looked and looked, but we can't find any differences between XXX and YYY. They're both in the same AD groups and both seem to have the same permissions on the server. Logging in to the server through RDP using account XXX allows us to open the IIS GUI and browse / administer the sites.
I've been unable to find many other sites talking about this problem, but it's got us completely stumped.
FYI, we have already restarted the web server in question, to see if that helped. It didn't.
The error being returned here is just a general authentication failure error. In this particular scenario the authentication failure was being caused by a discrepancy between the User Principal Name and the SAM Account Name of the user the application pool was running as.
See the following question for an explanation of which name is used when authenticating an Active Directory user - https://serverfault.com/questions/371150/any-difference-between-domain-username-and-usernamedomain-local
In our particular example, the Active Directory user name of the application pool was longer than 20 characters. The SAM Account Name has a 20 character limit, which means all characters over 20 were not included.
As explained in the linked answer, the format you use when specifying the domain and user name will determine which version of the name is used for authentication. Therefore with an example user name of "username_longer_than_20_characters" the following formats would work:
domain\username_longer_than - authenticates using the SAM Account Name, or
username_longer_than_20_characters@domain - authenticates using the User Principal Name
The answer in the linked post also explains how to check the SAM account name for an Active Directory user.
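The check described in this answer, as an added PowerShell example that is not part of the question or the answer above: it reads the identity configured on the application pool, resolves it the same way the stack trace in the question shows MSDeploy doing (NTAccount.Translate), and then shows both names Active Directory holds for that user so a truncated SAM Account Name is visible before a deployment fails. It assumes it runs on the IIS server with the WebAdministration module and the RSAT ActiveDirectory module available; 'MyApiPool' is a placeholder for the real pool name, and the domain prefix is taken from $env:USERDOMAIN, which is an assumption that holds only when the pool user is in the same domain as the admin running the script.

```powershell
# Added example (not from the question or the answer): verify that the identity
# configured on an IIS application pool resolves on this server, and show the
# SamAccountName and UserPrincipalName that Active Directory holds for that user.
# Assumptions: run on the IIS server; WebAdministration and ActiveDirectory
# modules are installed. 'MyApiPool' is a placeholder.
Import-Module WebAdministration
Import-Module ActiveDirectory

$poolName = 'MyApiPool'   # placeholder: the app pool from the question
$pool = Get-Item "IIS:\AppPools\$poolName"
$configuredName = $pool.processModel.userName   # the name exactly as typed in IIS

# The same translation MSDeploy's Impersonator performs (see the stack trace):
# map the configured name to a SID. A name that cannot be mapped throws
# IdentityNotMappedException, which surfaces as "could not be translated".
function Test-AccountName {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Name = $Name; Resolves = $true;  Sid = $sid.Value }
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        [pscustomobject]@{ Name = $Name; Resolves = $false; Sid = $null }
    }
}

Write-Host "Identity configured on pool '$poolName': $configuredName"
Test-AccountName -Name $configuredName | Format-List

# Extract the user portion from either DOMAIN\user or user@domain.
if ($configuredName -like '*\*')     { $userPart = $configuredName.Split('\')[1] }
elseif ($configuredName -like '*@*') { $userPart = $configuredName.Split('@')[0] }
else                                 { $userPart = $configuredName }

# SamAccountName is capped at 20 characters; UserPrincipalName is not.
# When they differ, DOMAIN\<full name> fails while <upn>@domain works.
$adUser = Get-ADUser -Filter "SamAccountName -eq '$userPart' -or UserPrincipalName -like '$userPart@*'" `
                     -Properties UserPrincipalName
$adUser | Select-Object SamAccountName, UserPrincipalName | Format-List

# Try both spellings the answer describes, so the working one is obvious.
if ($adUser) {
    Test-AccountName -Name "$env:USERDOMAIN\$($adUser.SamAccountName)"   # SAM form (assumes same domain)
    Test-AccountName -Name $adUser.UserPrincipalName                      # UPN form
}
```

Run it as an account that can read the application pool configuration and query AD; if the first Test-AccountName reports Resolves = False while the UPN form resolves, the pool identity should be entered in IIS (and in any MSDeploy parameters that set it) in the form that resolves.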