Issue with Accessing IIS Redirection.config file during Deployment
Scenario:
The TFS build/release agent runs as a service under the built-in Network Service account (or a domain account that is not a member of the local admin group). When a release uses Web Deploy to update the website's files in IIS under that security context, a file permission error occurs.
This example uses the following syntax for the update:
msdeploy -verb:sync -source:Package=C:\_Agent\LatestDeployments\FarmDemo\LatestPackage\DemoWebFormsApp.zip -dest:Auto
Problem Encountered:
Upon execution of the batch file, the following error occurs:
- Skipping backup because it failed due to the following error 'System.UnauthorizedAccessException: Filename: redirection.config
- Error: Cannot read configuration file due to insufficient permissions
- Info: Adding sitemanifest (sitemanifest).
- Info: Creating application (Default Web site/FarmDemo)
- Error: An error occurred when reading the IIS Configuration File 'MACHINE/REDIRECTION'. The identity performing the operation was 'NT AUTHORITY\NETWORK SERVICE'.
- Error: Filename: \\?\C:\Windows\system32\inetsrv\config\redirection.config
- Error: Cannot read configuration file due to insufficient permissions
Resolution:
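The account performing the deployment lacks read permission on redirection.config. Any one of the following resolves the error; the first two give the agent full administrative rights on the server, while the third grants read access to the IIS configuration directory only: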
- Change the identity of the account the agent is using to a local account with membership in the Local Admin group on the server
- Change the identity of the account the agent is using to a Domain account with membership in the Local Admin group on the server
- Grant the NT AUTHORITY\NETWORK SERVICE account Read and List folder contents permissions on the Windows\System32\Inetsrv\Config directory
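The third option can be scripted. The following is an added example, not part of the original article: it checks whether the identity already has a Read rule on the directory, grants Read and List folder contents with icacls if not, and confirms the result. The helper name Test-ReadRule is hypothetical, and the script assumes an elevated PowerShell session on the IIS server.

```powershell
#Requires -RunAsAdministrator
# Added example: give the agent identity read access to the IIS config directory.
$ConfigDir = Join-Path $env:windir 'System32\inetsrv\config'
$Identity  = 'NT AUTHORITY\NETWORK SERVICE'   # identity named in the Web Deploy error

# Hypothetical helper: true if an Allow rule naming $Account includes Read.
# It only looks at rules for that exact account, not at group membership.
function Test-ReadRule {
    param([string]$Path, [string]$Account)
    $read  = [int][System.Security.AccessControl.FileSystemRights]::Read
    $rules = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $read) -eq $read
    }
    return [bool]$rules
}

if (Test-ReadRule -Path $ConfigDir -Account $Identity) {
    Write-Output "$Identity already has Read on $ConfigDir; no change made."
}
else {
    # (OI)(CI)(R): Read on this folder, its subfolders and files.
    # (CI)(RX):    List folder contents on this folder and its subfolders.
    foreach ($perm in '(OI)(CI)(R)', '(CI)(RX)') {
        & icacls.exe $ConfigDir /grant "${Identity}:$perm"
        if ($LASTEXITCODE -ne 0) {
            throw "icacls failed with exit code $LASTEXITCODE"
        }
    }

    if (-not (Test-ReadRule -Path $ConfigDir -Account $Identity)) {
        throw "Grant did not take effect for $Identity on $ConfigDir"
    }
    Write-Output "Granted Read and List folder contents to $Identity on $ConfigDir."
}

# Show the resulting rules for review.
(Get-Acl -Path $ConfigDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
```

If the agent runs under a domain account instead, set $Identity to that account before running the script.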