Can MSBuild deploy using integrated authentication or only basic?

I'm deploying a web app package from the MSBuild command line to MSDepSvc on IIS6 which is working fine with the following command using basic authentication:

MSBuild.exe Web.csproj
  /p:Configuration=Debug
  /p:DeployOnBuild=True
  /p:DeployTarget=MSDeployPublish
  /p:MsDeployServiceUrl=http://[server name]/MsDeployAgentService
  /p:DeployIisAppPath=DeploymentTestProject
  /p:MSDeployPublishMethod=RemoteAgent
  /p:CreatePackageOnPublish=True
  /p:username=***
  /p:password=***

However, what I'd really like to do is drop the username and password parameters and fall back to integrated auth under the identity of the current user. This command is going into a build server and I'd prefer not to have the plain text credentials of an account with admin rights on the target environment (required for MsDepSvc) visible. I can't locate any documentation on how to do this and dropping off the credentials returns 401 unauthorised when I attempt to publish.

What makes it particularly frustrating is that I can happily run the deploy command in the package with integrated auth (just don't include credentials), I just can't seem to run it from the MSBuild command line. I'm trying to encapsulate the package and deploy processes into a single command without editing build files and this is the only thing in the way at present.

Any ideas out there?

Edit: After some discussions with Sayed and looking a bit deeper into the command line output, after executing the MSBuild command above (without username and password parameters), the following MSDeploy command is being invoked:

msdeploy.exe
  -source:package='[project path]\Web\obj\Debug\Package\Web.zip' 
  -dest:auto,ComputerName='http://[server]/MsDeployAgentService',UserName='***',IncludeAcls='False',AuthType='NTLM'
  -verb:sync
  -disableLink:AppPoolExtension
  -disableLink:ContentExtension
  -disableLink:CertificateExtension
  -retryAttempts=2

You can see the UserName attribute is being set and the value is the username of the current logged on user. If I take this out and run the above command directly, the deployment goes through just fine.

So on that basis, why is the original MSBuild command inserting a UserName attribute when it calls MSDeploy? This appears to be the only barrier now.

And the answer is...

Following my edit above about the current identity's username persisting to the MSDeploy command even when not passed in the original MSBuild call, I tried reconstructing the parameters to pass an empty username as follows:

MSBuild.exe Web.csproj
  /p:Configuration=Debug
  /p:DeployOnBuild=True
  /p:DeployTarget=MSDeployPublish
  /p:MsDeployServiceUrl=http://[server name]/MsDeployAgentService
  /p:DeployIisAppPath=DeploymentTestProject
  /p:MSDeployPublishMethod=RemoteAgent
  /p:CreatePackageOnPublish=True
  /p:username=

Which then generates the following MSDeploy command:

msdeploy.exe 
  -source:package='[project path]\obj\Debug\Package\Web.zip' 
  -dest:auto,ComputerName='http://[server name]/MsDeployAgentService',IncludeAcls='False',AuthType='NTLM' 
  -verb:sync 
  -disableLink:AppPoolExtension 
  -disableLink:ContentExtension 
  -disableLink:CertificateExtension 
  -retryAttempts=2

This call no longer includes the UserName attribute. So in short, if you do not add a username parameter to the MSBuild call it will insert the current identity anyway and defer to basic auth which will fail because there's no password. If you include the username parameter but don't give it a value, it doesn't include it at all in the MSDeploy command.
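The difference between the generated commands above can be checked mechanically in a build log, so a job that falls back to explicit credentials is caught. This is an added example, not part of the original post or of MSBuild/Web Deploy; the function names, finding labels and sample log lines are constructed for illustration.

```python
import re

# -dest:<provider>,Name='value',...  Quoted values may contain spaces.
_DEST = re.compile(r"-dest:\w+((?:,\w+=(?:'[^']*'|[^,\s]*))*)", re.IGNORECASE)
_ATTR = re.compile(r",(\w+)=(?:'([^']*)'|([^,\s]*))")

# Constructed sample log (not from a real build); user and password are placeholders.
SAMPLE_LOG = "\n".join([
    "Build started.",
    r"msdeploy.exe -source:package='C:\build\Web.zip' -dest:auto,ComputerName='http://[server name]/MsDeployAgentService',UserName='builduser',IncludeAcls='False',AuthType='NTLM' -verb:sync",
    r"msdeploy.exe -source:package='C:\build\Web.zip' -dest:auto,ComputerName='http://[server name]/MsDeployAgentService',IncludeAcls='False',AuthType='NTLM' -verb:sync",
    r"msdeploy.exe -source:package='C:\build\Web.zip' -dest:auto,ComputerName='http://[server name]/MsDeployAgentService',UserName='builduser',Password='EXAMPLE-ONLY',AuthType='Basic' -verb:sync",
])


def dest_attrs(command):
    """Return the -dest: settings of one msdeploy command, keys lower-cased."""
    m = _DEST.search(command)
    if not m:
        return {}
    return {k.lower(): (q if q else u) for k, q, u in _ATTR.findall(m.group(1))}


def audit(command):
    """Classify how one generated msdeploy command authenticates."""
    a = dest_attrs(command)
    auth = a.get("authtype", "").lower()
    findings = []
    if a.get("password"):
        # A secret on the command line ends up in build logs and process listings.
        findings.append("password-in-command")
    if a.get("username") and not a.get("password"):
        # The shape the post reports as returning 401: a UserName with no password.
        findings.append("username-without-password")
    if auth == "basic" and a.get("computername", "").lower().startswith("http://"):
        # Basic sends credentials base64-encoded, so plain http exposes them in transit.
        findings.append("basic-over-http")
    if not findings and auth == "ntlm":
        findings.append("integrated-ntlm")
    return findings


def audit_log(text):
    """Audit every msdeploy.exe line in a build log; returns {line_no: findings}."""
    return {n: audit(line) for n, line in enumerate(text.splitlines(), 1)
            if "msdeploy.exe" in line.lower()}
```

A build step can fail the job when `audit_log` returns anything other than `integrated-ntlm` for a deployment line.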


I looked in the Microsoft.Web.Publishing.targets and saw this:

<PropertyGroup>
  <NormalizePublishSettings ...>
  <AuthType Condition="'$(AuthType)'==''" >Basic</AuthType>
  <!--Supported value for $(MSDeployPublishMethod): WMSVC, RemoteAgent, InProc-->
  <MSDeployPublishMethod ... >WMSVC</MSDeployPublishMethod>
  ...
</PropertyGroup>

So, it looks like the default is Basic authentication when running from MSBuild. Then I found this http://technet.microsoft.com/de-de/library/dd569001(WS.10).aspx

authenticationType specifies the type of authentication to be used. The possible values are NTLM and Basic. If the wmsvc provider setting is specified, the default authentication type is Basic; otherwise, the default authentication type is NTLM.

I haven't tried it yet, but maybe it's something like /p:AuthType=NTLM


I was able to get NTLM working as follows where the service is running under an account with admin privs on [server name].

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" app\Test.Web\Test.Web.csproj /T:Clean /T:Package /P:Configuration=Release

C:\hudson\jobs\Test\workspace\app\Test.Web\obj\Release\Package\Test.Web.deploy.cmd /Y "/M:http://[server name]/MSDEPLOYAGENTSERVICE" /A:ntlm -allowUntrusted

which generates:

"C:\Program Files\IIS\Microsoft Web Deploy\msdeploy.exe" -source:package='C:\hudson\jobs\Test\workspace\app\Test.Web\obj\Release\Package\Test.Web.zip' -dest:auto,computerName='http://[server name]/MSDEPLOYAGENTSERVICE',authtype='ntlm',includeAcls='False' -verb:sync -disableLink:AppPoolExtension -disableLink:ContentExtension -disableLink:CertificateExtension -setParamFile:"C:\hudson\jobs\Test\workspace\app\Test.Web\obj\Release\Package\RapidPrototypeRequestSystem.Web.SetParameters.xml" -allowUntrusted


Breaking the process into 2 steps worked for me -

  1. Build & Package

    msbuild.exe /p:DeployOnBuild=True /p:WebPublishMethod=Package /p:PackageAsASingleFile=true /p:AllowUntrustedCertificate=True /p:CreatePackageOnPublish=True /p:SkipExtraFilesOnServer=True /p:PublishProfile=DevProfile /p:Configuration=dev

  2. Deploy

    msdeploy.exe -source:package='C:\packagelocation\dev.zip' -dest:auto,ComputerName='http://destinationserver/MsDeployAgentService',IncludeAcls='False',AuthType='NTLM' -verb:sync -disableLink:AppPoolExtension -disableLink:ContentExtension -disableLink:CertificateExtension -retryAttempts=2


This worked, I initially was distracted by the targets file but realised my error was in the connection string, i.e. was trying to use https instead of http.

MSBuild.exe Web.csproj /p:Configuration=Debug /p:DeployOnBuild=True /p:DeployTarget=MSDeployPublish /p:MsDeployServiceUrl=http://[serverName]/MsDeployAgentService /p:DeployIisAppPath=DeploymentTestProject /p:MSDeployPublishMethod=RemoteAgent /p:CreatePackageOnPublish=True /p:username=


But I want to get the whole deployment running through msbuild using these arguments and not a separate call to msdeploy or running the package .cmd file. How can I do this? PS. Yes I do have the Web Deployment Agent Service running. I also have the management service running under IIS. I've tried using both.


I hope someone can help me. I am having a problem with deployment. So I have a solution which has two web projects and a Unit tests project. I have marked WebProject1 as the startup project, then created a build definition with an MSBuild argument to deploy to Web Server (IIS).

Comments
  • If you set UseMSDeployExe to true does the command not include AuthType=NTLM???
  • Actually, I get challenged when publishing from Visual Studio to another machine on the same domain. After entering the credentials I'm already logged on with, the publish goes through fine and the underlying MSBuild command DOES show AuthType='NTLM', but also includes my credentials. So I'm kind of back at the original command!
  • For Visual Studio 2012, you need to omit the /P:UserName property entirely.
  • Is there any way to get the Publish Web GUI dialog to do this? It seems adamant on prompting for credentials before even generating the msdeploy.exe command so it always sets AuthType to Basic.
  • There's a very easy way to solve that Yadyn - just hit "Enter" without typing any credentials when you get challenged. Easy :)
  • Hm, tried that, and when using UseMsDeployExe=true I can see that it is definitely leaving off the username/password parameters (finally!) but it's still setting AuthType to Basic. This is when using a WMSvc address (MsDeploy.axd)... Also, I gotta say clicking OK without entering anything is not intuitive at all.
  • This was part of the solution for us (on TFS2013,) we also had to modify the registry as described here
  • Good find, but what it explains is not consistent with what I'm observing. The way I read that statement is that deploying against MsDepSvc (i.e. not WMSvc), NTLM should occur by default. I've tried the AuthType switch with NTLM just to be sure, but no luck.
  • I was thinking the build target was overriding the default behavior of MSDeploy by specifying its own default for AuthType. It was just a guess.