Web Deploy dump dirPath not working with delegation and a non-Admin user

I'm trying to run the following Web Deploy command:

msdeploy.exe -verb:dump -source:dirPath="C:\Deploy",wmsvc=localhost,username=<user>,password=<pass>

I have tried to run this with two users, John and Mary. John is a member of the Administrator group on the box, Mary isn't; the command works for John, but fails with a 401 for Mary.

I have the following set up:

• Mary has full access to C:\Deploy via the ACLs (as does the Administrators group)
• Both John and Mary have been granted access to the C:\Deploy dirPath in IIS using th开发者_运维知识库e delegation functionality (see below)

My administration.config entry:

<rule enabled="true" providers="dirPath" actions="*" path=".*" pathType="RegularExpression">
    <runAs identityType="SpecificUser" userName="AnAdministrator" password="..." />
    <permissions>
        <user name="PC\John" isRole="false" accessType="Allow" />
        <user name="PC\Mary" isRole="false" accessType="Allow" />
    </permissions>
</rule>

When I add Mary to the Administrators group, the command works. But the whole point of delegation is to be able to run deployment commands as non-administrators. I'm able to run other commands (e.g. -verb:dump -source:appHostConfig="Default Web Site") fine for Mary - it's just dirPath that's not working.

WMSvc.log doesn't seem to contain any errors for the failing command - I can see the successful ones fine though. I do see the 401 for the HEAD request in the failed requests trace, but no indication as to why it's occurring...

Any pointers appreciated.

zcrar70, you are right: delegation only kicks in once a user has access to a site's scope. In your example, if you had given PC\Mary access to the site (via IIS Manager Permissions), then this would just work.

Can you explain your scenario a bit further? Are you trying to give a non-admin user permission to run specific providers on ALL sites?

Your RunAs identity "AnAdministrator" needs to have permissions to access c:\Deploy, since both Mary and John will be impersonated (if the original identity fails, which doesn't for John) as this user. ACL C:\Deploy for AnAdministrator user and try again.

You can also use ServerValidator tool to check whether your environment is ready for delegated deployment.