Web Deploy dump dirPath not working with delegation and a non-Admin user

Question

I'm trying to run the following Web Deploy command:

msdeploy.exe -verb:dump -source:dirPath="C:\Deploy",wmsvc=localhost,username=<user>,password=<pass>

I have tried to run this with two users, John and Mary. John is a member of the Administrator group on the box, Mary isn't; the command works for John, but fails with a 401 for Mary.

I have the following set up:

• Mary has full access to C:\Deploy via the ACLs (as does the Administrators group)
• Both John and Mary have been granted access to the C:\Deploy dirPath in IIS using the delegation functionality (see below)

My administration.config entry:

<rule enabled="true" providers="dirPath" actions="*" path=".*" pathType="RegularExpression">
    <runAs identityType="SpecificUser" userName="AnAdministrator" password="..." />
    <permissions>
        <user name="PC\John" isRole="false" accessType="Allow" />
        <user name="PC\Mary" isRole="false" accessType="Allow" />
    </permissions>
</rule>

When I add Mary to the Administrators group, the command works. But the whole point of delegation is to be able to run deployment commands as non-administrators. I'm able to run other commands (e.g. -verb:dump -source:appHostConfig="Default Web Site") fine for Mary - it's just dirPath that's not working.

WMSvc.log doesn't seem to contain any errors for the failing command - I can see the successful ones fine though. I do see the 401 for the HEAD request in the failed requests trace, but no indication as to why it's occurring...

Any pointers appreciated.

Answer 1

zcrar70, you are right: delegation only kicks in once a user has access to a site's scope. In your example, if you had given PC\Mary access to the site (via IIS Manager Permissions), then this would just work.

Can you explain your scenario a bit further? Are you trying to give a non-admin user permission to run specific providers on ALL sites?