Scenario:
The TFS build/release agent is configured to run as a service under the built-in Network Service account (or a domain account that is not a member of the local admin group). A file permission error occurs when the release attempts to update the website's files in IIS using Web Deploy while the agent service runs under the security context of Network Service.
This example uses the following syntax for the update:
msdeploy -verb:sync -source:Package=C:_AgentLatestDeploymentsFarmDemoLatestPackageDemoWebFormsApp.zip -dest:Auto
Problem Encountered:
Upon execution of the batch file, the following error occurs:
- Skipping backup because it failed due to the following error 'System.UnauthorizedAccessException: Filename: redirection.config
- Error: Cannot read configuration file due to insufficient permissions
- Info: Adding sitemanifest (sitemanifest).
- Info: Creating application (Default Web site/FarmDemo)
- Error: An error occurred when reading the IIS Configuration File 'MACHINE/REDIRECTION'. The identity performing the operation was 'NT AUTHORITY\NETWORK SERVICE'.
- Error: Filename: \\?\C:\Windows\system32\inetsrv\config\redirection.config
- Error: Cannot read configuration file due to insufficient permissions
Resolution:
The account performing the deployment lacks read permission on the redirection.config file. Use one of the following options:
- Change the identity of the account the agent is using to a local account with membership in the Local Admin group on the server
- Change the identity of the account the agent is using to a Domain account with membership in the Local Admin group on the server
- Grant the NT AUTHORITY\NETWORK SERVICE account Read and List folder contents permissions on the Windows\System32\Inetsrv\Config directory
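
The third option scripted, as an added example that is not part of the original article. Unlike the first two options, it leaves the agent account outside the Local Admin group. It assumes an elevated PowerShell session on the IIS server and the default IIS configuration directory; the backup file name is chosen here for illustration.

```powershell
# Added example: grant NETWORK SERVICE Read + List folder contents on the
# IIS configuration directory. Assumes the default location under %windir%.
$configDir = Join-Path $env:windir 'System32\inetsrv\config'
$account   = 'NT AUTHORITY\NETWORK SERVICE'

if (-not (Test-Path -LiteralPath $configDir -PathType Container)) {
    throw "IIS configuration directory not found: $configDir"
}

# Save the current ACL first (illustrative file name). To roll back, run
# icacls against the PARENT directory:  icacls <parent> /restore <file>
$backup = Join-Path $env:TEMP 'inetsrv-config-acl.bak'
& icacls.exe $configDir /save $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /save failed (exit code $LASTEXITCODE)" }

# (OI)(CI)(R) : Read, inherited by subfolders and files
# (CI)(RX)    : List folder contents, inherited by subfolders only
$grants = @('(OI)(CI)(R)', '(CI)(RX)')
foreach ($perm in $grants) {
    & icacls.exe $configDir /grant "${account}:$perm"
    if ($LASTEXITCODE -ne 0) {
        throw "icacls /grant $perm failed (exit code $LASTEXITCODE)"
    }
}

# Confirm the file named in the Web Deploy error now carries an ACE for the account.
$target = Join-Path $configDir 'redirection.config'
$aces = (Get-Acl -LiteralPath $target).Access |
    Where-Object { $_.IdentityReference.Value -eq $account }

if (-not $aces) {
    Write-Warning "No ACE for $account on $target; check whether the file inherits from its parent."
} else {
    $aces | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Re-run the release after the grant; the 'MACHINE/REDIRECTION' read error should no longer appear if the ACE is listed for redirection.config.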