You receive an error when you use the Web Deployment Tool (Web Deploy) as a non-administrative user

Article translations Article translations
Close Close
Article ID: 2023852 - View products that this article applies to.
Expand all | Collapse all

Symptoms

When you perform a Web Deploy operation that requires administrative permissions, you receive an error message similar to the following:

 

An error occurred when committing changes to the IIS Configuration System
The identity performing the operation was ‘<domain\username>’.
Error: Filename:
\\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Error: Cannot write configuration file due to insufficient permissions

 

Cause

The user executing the operation does not have sufficient rights to access the ApplicationHost.config file and perform changes. For example, the error may occur in a Hosted scenario when the person executing the command is not the Administrator of the target hosting machine. By default, IIS requires administrative privileges to make configuration changes to the ApplicationHost.config file.  

 

Resolution

To resolve this problem, use one of the following methods depending on how the Web Deploy operation is being run:

 

Scenario 1: Web Deploy operation run from a command line using Msdeploy.exe:

Verify that the account performing the operation has the following permissions: 

  • Read permission to %windir%\system32\inetsrv\config
  • Modify permission to %windir%\system32\inetsrv\config\applicationHost.config.

WarningGranting these permissions to a non-administrator user will allow the user to access any IIS setting. This may not be secure for some environments. Microsoft recommends using the Web Deployment handler and delegation for non-admin scenarios.

 

Scenario 2: Web Deploy operation performed using delegation via the Web Management Service (WMSVC):


Verify that the account configured in the delegation rule has the following permissions:

  • Read permission to %windir%\system32\inetsrv\config 
  • Modify permission to %windir%\system32\inetsrv\config\applicationHost.config.

 

NOTE: The identity of the account will depend on how the Delegation Rule was configured and will be one of the following: 

  • CurrentUser: The user account that was used to make the remote connection in IIS. 
  • ProcessIdentity: The configured identity of the WMSVC service on the target server. 
  • SpecificUser: User defined in the Specify Credentials dialog of the delegation rule.


More Information

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2023852 - Last Review: April 20, 2010 - Revision: 5.0
APPLIES TO
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 7.5
Keywords: 
KB2023852

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com