How to Configure Windows Server 2008 R2 to support Web Deploy (for Web Matrix)

January 8, 2011 at 12:21 PM

The following guide walks you through the steps to configure Windows Server 2008 R2 to support Web Deploy publishing from WebMatrix.

Summary of the steps that follow:

  • Start Web Management Service (wmsvc) and Enable Remote Connections
  • Give User Permission to Site’s Scope
  • Create Delegation Rules
    • Allow Users to Deploy Applications
    • Allow Users to Mark Folders as Applications
    • Allow Users to Set ACLs in Application Path
    • Allow Users to Deploy Microsoft SQL Server / MySQL databases
    • Allow Users to Change Application Pool .NET version and pipeline mode
    • Allow Users to Recycle the Application Pool

Start Web Management Service (wmsvc) and Enable Remote Connections

The Web Management Service (wmsvc) is an IIS7 feature which allows for authentication, authorization and remoting for IIS. Web Deploy uses wmsvc for authentication and authorization as well.

Before you start, you need to configure WMSVC if your server has not been configured yet.

Start your IIS Manager and navigate to Manage Service as shown below.

Double click it and configure the setting as shown below.

- Enable remote connections and tell the Management Service to accept Windows credentials and/or IIS Manager credentials.
- Microsoft recommends leaving the default wmsvc port at 8172, but you can change it here if you wish. If you change the wmsvc port, be sure to specify the same port in the Publish Profile.
- Enable logging by ticking the 'Log requests to' checkbox.
- Assigning a signed SSL certificate at this point is highly recommended. Otherwise, WebMatrix users will see a certificate warning when they try to publish to your server.
- Since the default startup type of WMSVC is not Automatic, also change the startup type of wmsvc so that the service starts on its own after a reboot. To do so, click Start and type "services.msc". In the Services snap-in, change the startup type of wmsvc to 'Automatic' as shown below.
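The same WMSVC settings can be applied and checked from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes the registry values under HKLM:\SOFTWARE\Microsoft\WebManagement\Server that IIS Manager writes (EnableRemoteManagement, Port, EnableLogging, RequiresWindowsCredentials) and reads them back afterwards, so a wrong assumption shows up as a missing value rather than a silent change.

```powershell
# Added example (not from the original post): configure and verify the Web Management
# Service (WMSVC) from an elevated PowerShell prompt instead of the IIS Manager UI.
# Assumed: the registry values below are the ones the Management Service page writes.
$key  = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
$port = 8172   # default wmsvc port; the publish profile must use the same value

# WMSVC reads its settings only at start-up, so stop it before changing them.
Stop-Service WMSVC -ErrorAction SilentlyContinue

Set-ItemProperty $key -Name EnableRemoteManagement   -Value 1     -Type DWord
Set-ItemProperty $key -Name Port                     -Value $port -Type DWord
Set-ItemProperty $key -Name EnableLogging            -Value 1     -Type DWord
# 0 = accept IIS Manager credentials as well as Windows accounts; 1 = Windows only
Set-ItemProperty $key -Name RequiresWindowsCredentials -Value 0   -Type DWord

# Default start type is Manual; make it Automatic so publishing survives a reboot.
Set-Service WMSVC -StartupType Automatic
Start-Service WMSVC

# Report what is actually in effect.
$cfg = Get-ItemProperty $key
"Remote management : $($cfg.EnableRemoteManagement)"
"Port              : $($cfg.Port)"
"Logging           : $($cfg.EnableLogging)"
"Start type        : $((Get-WmiObject Win32_Service -Filter "Name='WMSVC'").StartMode)"

# Show the SSL binding on the wmsvc port. The self-signed 'WMSvc-<hostname>'
# certificate is the default and is what triggers the WebMatrix warning above;
# a certificate issued by a trusted CA should be bound here instead.
netsh http show sslcert ipport=0.0.0.0:$port
```

Run it once after installing the Management Service role, then again after any port or certificate change; the final netsh line is the quickest way to confirm which certificate WebMatrix clients will actually be presented with.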

Give User (FTP User) Permission to Site’s Scope

Assuming you have already created the FTP account for your user, in this stage you will grant that FTP user permission under IIS Manager Permissions.

Navigate to IIS Manager Permissions -> Allow User -> Windows (click Select) -> type in the FTP username and click Check Names -> OK.

The following screen is shown once the user permission has been created.
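The same site-scoped permission can be granted and audited with the Microsoft.Web.Management API that IIS Manager itself uses. This is an added example rather than the post's own steps; it assumes the ManagementAuthorization.Grant(name, configurationPath, isRole) and GetAuthorizedUsers(configurationPath, includeChildren, start, count) methods of Microsoft.Web.Management.dll shipped with IIS 7.x, and the site name and account name are placeholders.

```powershell
# Added example (not from the original post): grant a Windows account IIS Manager
# permission on one site's scope, equivalent to the "IIS Manager Permissions" page.
# Assumed API: Microsoft.Web.Management.Server.ManagementAuthorization (IIS 7.x).
$siteName = 'Demo Site'                          # placeholder: the site from the post
$user     = "$env:COMPUTERNAME\ftpuser"          # placeholder: your FTP/Windows account

$dll = Join-Path $env:windir 'system32\inetsrv\Microsoft.Web.Management.dll'
[Reflection.Assembly]::LoadFrom($dll) | Out-Null

# Grant(name, configurationPath, isRole): configurationPath is the site name, so the
# account is limited to that site's scope and gets no server-level IIS Manager access.
[Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($user, $siteName, $false)

# Read back who is authorized on that scope (from index 0, up to 100 entries) and
# confirm the new account is present and nothing unexpected has been granted.
$users = [Microsoft.Web.Management.Server.ManagementAuthorization]::GetAuthorizedUsers($siteName, $false, 0, 100)
$users | ForEach-Object { "{0}  scope={1}  role={2}" -f $_.Name, $_.ConfigurationPath, $_.IsRole }
```

Granting at the site path rather than at the server root is the detail that matters: every delegation rule later in this guide uses {userScope}, which resolves to exactly this path.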

Create Delegation Rules

At this point the user has the necessary permission to access IIS; before continuing, you now need to set the delegation rules for that user.

Navigate to Management Service Delegation as shown below.

Click Add Rule.

Allow Users to Deploy Applications

Explanation:

  • Providers: a comma-separated list of Web Deploy providers, in this case contentPath and iisApp. Between these two providers, the user can deploy files and folders.
  • Actions: almost always *, so let’s leave it like that.
  • Path Type: set it to Path Prefix. In some cases, we want to allow Connection String or regular expression paths.
  • Path: set it to {userScope}. This is shorthand for saying that this delegation rule only allows the providers to operate over a path that is in the user’s scope, in this case the site Demo Site.
  • Identity type is Current User.

After you click OK, the following screen will appear; set the rule to apply to all users, represented by *.

Allow Users to Mark Folders as Applications

Since this provider requires touching applicationHost.config, it needs to run with the identity of a Windows user account that has permission to write to applicationHost.config (typically located in %windir%\system32\inetsrv\config). This account should not be the same as the end user's account, so we will create a new account solely for this purpose. This account needs Write access to %windir%\system32\inetsrv\config\applicationHost.config.

To do this, open an elevated command prompt (Start > All Programs > Accessories > Right-click Command Prompt > Run as Administrator) and run these commands:

net user <new_username_here> <new_password_here> /add

icacls %windir%\system32\inetsrv\config\applicationHost.config /grant <new_username_here>:(RX,W)

***Please REMEMBER the username and password you set as you will need it in the next stage.***
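The two commands above create the account and grant it the minimum rights; the added script below (not from the original post) does the same and then verifies that the account has nothing more than (RX,W) on applicationHost.config and is not a member of the local Administrators group. The account name and password are placeholders.

```powershell
# Added example (not from the original post): create the dedicated createApp identity,
# grant it the minimum rights on applicationHost.config, then verify least privilege.
# Placeholders: $svcUser and $svcPass must be replaced before running.
$svcUser  = 'webdeploy_createapp'
$svcPass  = 'REPLACE-WITH-STRONG-PASSWORD'
$ahConfig = Join-Path $env:windir 'system32\inetsrv\config\applicationHost.config'

# Same two commands as the post. The password is stored in the delegation rule, so
# prevent expiry, otherwise publishing silently breaks when the password ages out.
net user $svcUser $svcPass /add /passwordchg:no /expires:never
wmic useraccount where "name='$svcUser'" set PasswordExpires=false | Out-Null
icacls $ahConfig /grant "${svcUser}:(RX,W)"

# --- verification: the ACE exists and is no wider than (RX,W) ---
$acl   = Get-Acl $ahConfig
$entry = $acl.Access | Where-Object { $_.IdentityReference -like "*\$svcUser" }
if (-not $entry) { throw "no ACE for $svcUser on applicationHost.config" }
if ($entry.FileSystemRights -match 'FullControl') {
    Write-Warning "$svcUser has Full Control; (RX,W) is all createApp needs"
} else {
    "ACE for $svcUser : $($entry.FileSystemRights)"
}

# --- verification: the account exists only to edit applicationHost.config ---
$admins  = [ADSI]'WinNT://./Administrators,group'
$members = @($admins.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
if ($members -contains $svcUser) { Write-Warning "$svcUser is in local Administrators" }
else { "$svcUser is not a local administrator (expected)" }
```

Because the same identity is reused for the appPoolNetFx/appPoolPipeline rule later in this guide, keeping it out of Administrators limits what a compromised publishing credential could do to the rest of the server.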

Once you have created the user described above, go back to Management Service Delegation as shown below.

Set the Run As "Identity Type" to SpecificUser and click Set to enter the details of the user you just created in the step above.

After you click OK, the following screen will appear; set the rule to apply to all users, represented by *.

Allow Users to Set ACLs in Application Path

Many applications try to set ACLs on folders (and sometimes files) within their path. For example, the App_Data folder in ASP.NET applications is typically secured with ACLs. The setAcl Web Deploy provider does exactly this, so we need to create a delegation rule for it. The identity for this delegation rule works just like it did for contentPath and iisApp:

After you click OK, the following screen will appear; set the rule to apply to all users, represented by *.

Allow Users to Deploy Microsoft SQL Server / MySQL database

After you click OK, the following screen will appear; set the rule to apply to all users, represented by *.

Note:

MSSQL Server

  • You must install SQL Shared Management Objects (SMO) on the computer that is hosting SQL Server. This is required for Web Deploy to be able to deploy Microsoft SQL databases. Click here to install SMO using WebPI.
  • Microsoft recommends that you set Path Type to "Connection String" and Path to "Initial Catalog={userName}_db". For a user connecting with the Windows account some_user, wmsvc will then only allow connections whose connection string contains "Initial Catalog = some_user_db". For environments that allow users to name their own databases, this may not be feasible. In that case, you can set Path to "Server=", which lets all connections proceed to the database layer. This is less secure, since wmsvc passes every request through to the database server, which then becomes solely responsible for security.
  • Your users should be db_owner on the SQL database you create for them. This is required for several Web Application Gallery applications to publish and function correctly.

MySQL

  • Please read the associated article to make sure that MySQL is configured correctly.

Allow Users to Change Application Pool .NET version and pipeline mode

Some applications that can be published from WebMatrix require specific settings on the application pool. For example, ASP.NET Web Pages applications require an application pool with a .NET 4.0 framework. WebMatrix is capable of setting the remote application pool's .NET framework version and pipeline mode. To enable this, you need to configure another delegation rule:

These providers require an IdentityType of "SpecificUser". The identity must have Write access to %windir%\system32\inetsrv\config\applicationHost.config, so you can re-use the identity we created for the createApp delegation rule above.

Warning: If your server environment allows multiple sites to share one application pool, do NOT enable this delegation rule. Enabling it in such an environment could let one user change properties of the app pool, which would affect other users' sites.

Allow Users to Recycle the Application Pool

After you click OK, the following screen will appear; set the rule to apply to all users, represented by *.

Warning: Recycling an application pool can sometimes release locks on resources (such as a database file for an in-memory database), which would otherwise cause deployments to fail. Do NOT enable this delegation rule for an environment where multiple sites share the same application pool.

In summary, the following rules have been created in the steps above.

| Rule | Providers | Actions | Path Type | Path | Identity Type | Security Note |
|------|-----------|---------|-----------|------|---------------|---------------|
| Deploy applications with content | contentPath, iisApp | * | Path Prefix | {userScope} | Current User | Identity needs read/write access to physical root folder of site |
| Deploy Databases | dbFullSql, dbMySql | * | Connection String | Server= | Current User | Username in connection string needs database-level permissions |
| Create Applications | createApp | * | Path Prefix | {userScope} | Specific User | Identity needs Write access to applicationHost.config |
| Set permissions on folders | setAcl | * | Path Prefix | {userScope} | Current User | Identity needs inherited Full Control access to physical root folder of site |
| Change app pool properties | appPoolNetFx, appPoolPipeline | * | Path Prefix | {userScope} | Specific User | Identity must have write access to applicationHost.config |
| Recycle app pool | recycleApp | * | Path Prefix | {userScope} | Specific User | Identity must be an administrator |
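Delegation rules are stored in %windir%\system32\inetsrv\config\administration.config, so the table above can be checked against the live configuration. The added script below is not from the original post; it assumes the XML layout that the IIS Manager delegation UI writes (rule elements with providers/actions/path/pathType attributes, a runAs child and a permissions child under system.webServer/management/delegation) and runs over a constructed inline sample, flagging the three weak spots this guide calls out: a "Server=" connection-string path, pool-wide providers, and stored credentials used outside {userScope}.

```powershell
# Added example (not from the original post): audit Web Deploy delegation rules
# against the security notes in the summary table. The XML layout is assumed from what
# the IIS Manager delegation UI writes; the sample below is constructed for the demo.
$realPath = Join-Path $env:windir 'system32\inetsrv\config\administration.config'

$sample = [xml]@'
<configuration>
 <system.webServer>
  <management>
   <delegation>
    <rule providers="contentPath, iisApp" actions="*" path="{userScope}" pathType="PathPrefix" enabled="true">
     <runAs identityType="CurrentUser" />
     <permissions><user name="*" accessType="Allow" isRole="false" /></permissions>
    </rule>
    <rule providers="dbFullSql, dbMySql" actions="*" path="Server=" pathType="ConnectionString" enabled="true">
     <runAs identityType="CurrentUser" />
     <permissions><user name="*" accessType="Allow" isRole="false" /></permissions>
    </rule>
    <rule providers="createApp" actions="*" path="{userScope}" pathType="PathPrefix" enabled="true">
     <runAs identityType="SpecificUser" userName="webdeploy_createapp" />
     <permissions><user name="*" accessType="Allow" isRole="false" /></permissions>
    </rule>
    <rule providers="appPoolNetFx, appPoolPipeline" actions="*" path="{userScope}" pathType="PathPrefix" enabled="true">
     <runAs identityType="SpecificUser" userName="webdeploy_createapp" />
     <permissions><user name="*" accessType="Allow" isRole="false" /></permissions>
    </rule>
   </delegation>
  </management>
 </system.webServer>
</configuration>
'@

# Providers that act on a whole application pool: unsafe when several sites share one pool.
$poolWide = 'appPoolNetFx', 'appPoolPipeline', 'recycleApp'

function Audit-DelegationRules([xml]$doc) {
    foreach ($rule in $doc.configuration.'system.webServer'.management.delegation.rule) {
        $providers = $rule.providers -split '\s*,\s*'
        $who       = ($rule.permissions.user | ForEach-Object { $_.name }) -join ','
        $line      = "[{0,-30}] path={1,-12} type={2,-17} runAs={3,-12} users={4}" -f `
                     $rule.providers, $rule.path, $rule.pathType, $rule.runAs.identityType, $who
        $flags = @()
        if ($rule.pathType -eq 'ConnectionString' -and $rule.path -eq 'Server=') {
            $flags += 'every connection string reaches the DB server; DB-side permissions are the only control'
        }
        if ($providers | Where-Object { $poolWide -contains $_ }) {
            $flags += 'pool-wide provider; disable if several sites share one application pool'
        }
        if ($rule.runAs.identityType -eq 'SpecificUser' -and $rule.path -ne '{userScope}') {
            $flags += 'stored credentials are used outside the user scope'
        }
        $line
        foreach ($f in $flags) { "    ! $f" }
    }
}

Audit-DelegationRules $sample
# Against the live server instead:  Audit-DelegationRules ([xml](Get-Content $realPath))
```

On the sample, the database rule and the app-pool rule each get one flag, which matches the two warnings in this guide; running it against the real file after every rule change is a cheap way to notice when someone widens a path to * or adds a pool-wide provider on a shared host.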


Now go back to your WebMatrix publish settings, enter the FTP login details and click Validate Connection. You should get a "Connected Successfully" message.

In the Server field, because an SSL certificate was assigned to WMSVC in the first step, you need to enter https:// rather than http://.

You can also use the Server Validation tool from Microsoft to check the settings.

Download a version that works with both x86 and x64 server architectures: ServerValidator

Another link : http://learn.iis.net/page.aspx/984/configure-web-deploy/

*Update: if you cannot browse your pages without the file extension, see "Extensionless URLs do not find .cshtml/.vbhtml files on IIS 7 or IIS 7.5".

Posted in: MVP | Technical Stuff
