This quick guide provides a basic overview of the steps to configure the Web Deployment handler on your hosted server and test that you can deploy to a Web site. This setup will be using the information in this document to install the Web Deployment Tool onto a new server, configure recommended settings and validate the rules created.

Prerequisites

This guide requires the following prerequisites:

• .NET Framework 2.0 SP1 or greater
• Web Deployment Tool 1.0
• IIS 7.0 with the Web Management Service installed

Note: If you have not already installed the Web Deployment Tool, see Installing the Web Deployment Tool. 

Understanding the Web Deployment Handler

Part 1 - Configuring the Web Management Service (WMSVC)

1. Install IIS 7.0 and the Web Management Service on your Windows Server 2008 server.
2. Configure WMSVC so that remote connections are allowed.
   a. Open IIS Manager.
   b. Select the Server node.
   c. In Features View of the Server, double-click the Management Service icon.
   d. Ensure that the Allow remote connections checkbox is selected.
   e. On the right-hand Actions pane, click Start.
3. After provisioning a Website, allow a user access to their Website.
   a. Open IIS Manager.
   b. Select the Website that will allow remote management.
   c. In Features View of the Website, double-click IIS Manager Permissions icon.
   d. On the IIS Manager Permissions page, in the Actions pane, click Allow User.
   e. In the Allow User dialog box, choose a user account to grant access.
   f. Click OK to dismiss the Allow User dialog box.

For additional info: http://technet.microsoft.com/en-us/library/cc770968.aspx 
  

Part 2 – Enabling Deployment Rules and Tracing

1. Download and install Web Deploy on the Web server.
2. Enable delegation rules for the providers that you want to allow.
   NOTE: If you want to perform admin-only synchronization, you can go into Feature Settings and enable "Allow administrators to bypass rules".
   
3. Allow a user to deploy applications and content to their Website:
   a. Open IIS Manager.
   b. Select the Server node.
   c. In Features View of the Server, double-click the Management Service Delegation icon.
    
   d. In the right-hand Actions pane, click Select Rule Template… 
    
   e. Select the Deploy Applications with Content rule template. This template allows any WMSVC authorized users to deploy applications to their userScope (as shown in the diagram).
    
   f. Click OK to open the template.
   g. Click OK to create the rule.
4. Allow a user to create an application within their Website:
   a. Click Select Rule Template…
   b. Select the Mark Folders as Applications rule template. This template allows any WMSVC authorixed users to create applications within their userScope. The applications inherit all settings from the parent including application pool.
   c. Click OK to open the template.
   d. Under the RunAs section, click the Set… button to set a specific user to perform this operation. In order for this rule to work, the rule must run as a user that has access to write to applicationHost.config. It is recommended that you create an account that is not in the Administrators group and only grant it the minimum required permissions. To do this:
• Create a user account.
• Grant read permission to %windir%\system32\inetsrv\config.
• Grant modify permission to %windir%\system32\inetsrv\config\applicationHost.config.
  
5. Allow a user to deploy databases to their Website:
   a. Click Select Rule Template…
   b. Select the Deploy Databases rule template. This template allows any WMSVC authorized users (as set in Part 1) to deploy databases to SQL database servers.
   c. Click OK to open the template.
   d. Add a path to authorize, such as Server=Server1 to allow anyone to deploy to this server using their SQL credentials, or Server=Server1;Database={username}_db1 to restrict to specific databases matching their username.
   e. Click OK to create the rule.
6. Allow a user to deploy applications and content to their Website:
   a. Click Select Rule Template…
   b. Select the Set Permissions rule template. This template allows any WMSVC authorized users to set ACLs on the file system.
   c. Click OK to open the template.
   d. Click OK to create the rule.

Tracing logs are stored in %systemdrive%\inetpub\logs\wmsvc\tracinglogfiles\w3svc1

Part 3 - Testing the Server using IIS Manager

1. Download and install the Web Deployment Tool on a client machine that has IIS Remote Manager installed, or use the local server. It is recommended that you test the local server first to isolate any issues that may be caused by networking, firewall or proxy settings.
2. Connect to the website:
   a. Open IIS Manager.
   b. Right-click on the Start Page node.
   c. Select Connect to a Site…
   d. In the Server name text box, enter localhost.
   e. In the Site name text box, enter the name of the website you enabled for remote management.
   f. Click Next.
   g. In the User name text box, enter the user you authorized for the website.
   h. In the Password text box, enter the password.
   i. Click Next to complete the connection. You may be prompted to trust the certificate if you’re using an untrusted or self-signed certificate.
3. Create a quick application package to verify that the authorization rules are working:
   a. On the right-hand Actions pane, click Export Application…
   b. This will launch the Export Application wizard, click Next through all of the screens to accept the defaults and create a package.
4. Now that you have created a package, verify that you can install it:
   a. On the right-hand Actions pane, click Import Application…
   b. Click Next.
   c. On the Parameters page, change the application name to something that doesn’t already exist in the website to verify creating applications.
   d. Complete the wizard.
5. Finally, you should download an application package or using the Web Platform Installer to install an application to this website to verify database and another options are working.
   

Troubleshooting

There are some common issues that can occur during deployments:

User receives 401 unauthorized error while trying to connect to a website.
o Cause(s): This error comes from WMSVC and is usually an error with username/password, or because the user does not have access to the website.
o Resolution(s): Verify the username/password and that the user has access to the website.

User receives a server error while trying to import or export an application.
o Cause(s): This error comes from the Web Deployment Handler and is usually a problem with the deployment rules. Since the user has connected successfully, it is not an issue with WMSVC. A deployment rule may have a typo, the user performing deployment may not be authorized or the runAs identity may not have access.
o Resolution(s): Open the tracing logs at %systemdrive%\inetpub\logs\wmsvc\tracinglogfiles\w3svc1 and see what rule is failing to authorize.

• Look for logs that contain failures, such as “Details: No rule was found that could authorize user 'server1\siteowner', provider 'appPoolConfig', operation 'Read', path 'DefaultAppPool'”. In this case, the provider appPoolConfig is not authorized and the user tried to add a provider they are not allowed to add.
• Another common error is if the RunAs user that is being used to create apps does not have proper access to configuration. In this case, Procmon is a useful tool for determining where an access denied error may be coming from.
  

Summary

In this guide, we covered how to configure the WMSVC and the deployment handler to enable common applications to be installed, as well as verify creating and installing a package using IIS Manager.

Comments

This deployment handler was written based on iis7 server. Can I use it for iis 6 instead?

Apr 02 2009 by EdHsiao

This deployment delegation is only available for IIS7. You can use the Web Deployment tool to deploy content on IIS6, but the delegation is not as rich.

Dave

Nov 24 2009 by davcox

You must Log In to comment.