Configuring the Web Deployment Handler
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2
This topic shows you how to configure the Web Deployment handler on a hosting server and confirm that you can use the handler to deploy an application to a Web site. You will install the Web Deployment Tool onto a new server, configure recommended settings, and validate the rules created.
Prerequisites
The following components are required before you can configure the Web Deployment handler.
.NET Framework 2.0 SP1 or later. For information about installing .NET Framework 2.0 SP1, see Requirements and Limitations.
IIS 7. For information about installing Web Server (IIS) on Windows Server® 2008, see Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2.
The Web Management Service (WMSvc). In Windows Server® 2008 Server Manager, expand Roles and select the Web Server (IIS) node. Look on the pane on the right for the Role Services section. Under Management Tools, WMSvc will appear as Management Service. If the status is Not Installed, click Add Role Services at the top of the Role Services section and follow the wizard to add Management Service.
Warning
You can configure the Web Management Service only in Windows Server 2008 or Windows Server 2008 R2. The IIS Manager Management Service and Management Service Delegation features are not present in Windows Vista® or Windows® 7.
- The Web Deployment Tool (Web Deploy). For more information about installing the Web Deployment Tool, see Web Deployment Tool Installation.
Configure and test the Web Deployment Handler
In order to configure and test the Web Deployment Handler, perform the following steps.
Create an IIS Manager user account for the customer.
Give the WMSvc account access to the customer’s directory.
Configure delegation for the customer.
Add delegation rules for the customer.
Create a specific user account and grant it permissions to configuration. This identity will create applications on the customer’s behalf.
Optionally enable Web Management Service tracing.
Optionally enable NTLM authentication.
Restart the Web Management Service.
Test the Web Deployment Handler.
Each of these steps is described in the following sections.
1. Create an IIS Manager User account for the customer.
In IIS Manager, at the server level, use the IIS Manager Users feature to create an IIS Manager user account for the customer. For information about opening IIS Manager, see Open IIS Manager (IIS 7).
Note
If you had IIS Manager open when you installed the WMSvc by following the information in the Prerequisites section, the IIS Manager Users feature might not be visible until you close and reopen IIS Manager. After you have installed WMSvc, if you have Group by set to Area, IIS Manager Users and Management Service will appear at the server level under Management. If you have Group by set to Category, they will appear under Security.
For information about creating IIS Manager users, see the "Add an IIS Manager User" section in Configuring Remote Administration and Feature Delegation in IIS 7.
2. Give the WMSvc account access to the customer’s directory.
Give the account under which WMSvc is running (for example, Local Service) access permissions to the customer's directory. For more information about this step, see Using IIS Manager Accounts for Web Deployment Tool Delegation.
Warning
If WMSvc does not have access to the customer directory, the customer will not be able to access his or her content even if you have created a delegation rule for the customer.
3. Configure delegation for the customer.
In IIS Manager, at the level of the customer’s site or application, use the IIS Manager Permissions feature to give the customer’s IIS Manager user account access to the site or application.
Note
This setting is called the user scope and can be referenced in the Administration.config file by using the {userScope} variable.
Open IIS Manager. For information about opening IIS Manager, see Open IIS Manager (IIS 7).
In the Connections pane, expand the Sites node and select the site or application for which you want to grant permission to an IIS Manager user.
In Features View, double-click IIS Manager Permissions.
On the IIS Manager Permissions page, in the Actions pane, click Allow User.
In the Allow User dialog box, select IIS Manager to select a user account that is valid within IIS Manager but that is not a Windows account. Then click Select to open the Users dialog box.
Note
If the IIS Manager option is disabled, the management service is not configured to accept connections from IIS Manager users. For more information, see Enable Remote Management (IIS 7).
On the Users dialog box, select a user and then click OK.
Click OK to dismiss the Allow User dialog box.
4. Add delegation rules for the customer.
To allow customers to deploy content, applications and databases, you can create delegation rules either by using the Management Service Delegation feature in IIS Manager, or by adding a set of rules directly to the Administration.config file.
To add rules by using IIS Manager
Open IIS Manager. For information about opening IIS Manager, see Open IIS Manager (IIS 7).
In IIS Manager, at the server level, use the Management Service Delegation feature to give the customer contentPath access to the customer’s path.
In the Connections pane, select the name of the server for which you want to create delegation rules.
In Features View, select Management Service Delegation.
In the Actions pane, click Open Feature.
In the Actions pane, click Add Rule….
Use the Add Rule dialog to select a template and create a delegation rule. For further assistance, press F1 or click the question mark at the top right of the Add Rule dialog box.
To add rules to the Administration.config file
Using Notepad.exe, open the Administration.config file located in the %windir%\system32\inetsrv\config folder.
Navigate to the <management> section located under the <system.webServer> section.
Add rules as in the following example to the **<management>**section. Change the password as appropriate.
<!-- Web Deploy rules for delegation. Do not allow administrators to bypass these rules. --> <delegation allowAdministrators="false"> <!-- Allow a special account to create applications. --> <rule providers="createapp" actions="*" path="{userScope}"> <permissions> <user name="*" isRole="false" accessType="Allow" /> </permissions> <runAs identityType="SpecificUser" userName="iisAppUser" password=" /> </rule> <!-- Allow the connecting user to synchronize an application and set acls on the file system. --> <rule providers="iisapp,contentpath,setAcl" actions="*" path="{userScope}"> <permissions> <user name="*" isRole="false" accessType="Allow" /> </permissions> </rule> <!-- Allow databases on the current computer or on other computers to be synchronized. --> <rule providers="dbMySql,dbFullSql" actions="*" path="" pathType="ConnectionString"> <permissions> <user name="*" isRole="false" accessType="Allow" /> </permissions> </rule> </delegation>
Tip
To simplify delegation rule entries when you have multiple users, it is often convenient to specify {userScope} for the path and then add the specific users under <permissions>. This will allow each specified user to have access to his or her user scope (that is, path). To make the rule even more generic (as in the previous example), specify user name="*" in the <permissions> section. This will allow all users access to their delegated user scopes.
5. Create a special account and grant it permissions to configuration.
The createApp rule that you added in the previous step allows a folder to be marked as an application. The application will inherit all the properties of its parent Web site. In order to enable the createApp rule, you must create a special account that will run on behalf of the user and give the special account permissions to configuration.
Create a special user account (such as the "iisAppUser" in the previous step).
Grant the account Read permission to the %windir%\system32\inetsrv\config folder.
Grant the account Modify permission to the %windir%\system32\inetsrv\config\Applicationhost.config file.
6. Optionally enable Web Management Service logging and tracing.
You can optionally enable and tracing for the Web Management Service. For information about this step, see Configuring Web Management Service Logging and Tracing.
7. Optionally enable NTLM authentication.
You can optionally enable users to authenticate with the Web Management Service using NTLM. To do this, update the registry on the server by adding a DWORD key named "WindowsAuthenticationEnabled" under HKEY_LOCAL_MACHINE\Software\Microsoft\WebManagement\Server, and set it to 1. If the Web Management Service is already started, the setting will take effect after the service is restarted.
8. Start or restart the Web Management Service.
To enable the changes you have made, start or restart the Web Management Service. You can do this in the Services Management console or at an elevated command prompt.
Start or Restart WMSvc in Services
Click Start, Control Panel, Administrative Tools, and then Services.
Find the Web Management Service.
Right-click Web Management Service and select Start or Restart.
Start or Restart WMSvc at an elevated command prompt
Open an elevated command prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
Type cmd.
Type the following lines at the command prompt to stop and start the Web Management Service. If the service is already stopped, only the second command is needed.
net stop wmsvc
net start wmsvc
9. Test the Web Deployment Handler.
You can test the Web Deployment Handler by using the package export and import features of IIS Manager.
In IIS Manager, in the Connections pane, navigate to the Web site that contains the application that you want to deploy, and select the application.
Follow the instructions in Export a Package through IIS Manager to export the application to a .zip file.
Use the local server, or download and install the Web Deployment Tool on the client.
In IIS Manager, in the Connections pane, click the connection to the remote Web site, or click the Create New Connection icon and follow the wizard to create a new connection.
Follow the instructions in Import a Package through IIS Manager to deploy the package.
See Also
Other Resources
IIS 7.0: Allow an IIS Manager User Account to Connect to a Site or an Application