Delegate Application Creation for Non-Administrator Accounts

The Web Deployment Tool (MSDeploy) provides a way to delegate application creation to non-Administrator Windows users or IIS Manager users. This post covers how to configure this particular delegated setting. If you have not yet set up any users, or are not familiar with remote administration, I highly recommend going through this walkthrough first: http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/

Server Admin Steps

1. Install the Web Deployment Tool (MSDeploy)

[Screenshot: 01_WebPI]

NOTE: This might take a while if you are missing a lot of dependencies (particularly Windows Installer 4.5, which may require a restart).

2. Launch Inetmgr

  • Click Start and type inetmgr. Press Enter.

3. Open Management Service Delegation feature UI

  • Select the server node and double-click the Management Service Delegation icon (in the Management group)

[Screenshot: 03_selectFeature]

NOTE: if you see these warnings:

[Screenshot: 03.5_alerts]

This means you need to do 2 things (but they may be done after setting up rules, if you prefer):

  1. Start WMSvc with remote connections allowed
  2. Set up some IIS Manager Permissions.

There is information about doing this here: http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/

4. Make a rule to allow marking folders as applications

  • Click the Add Rule… task in the Actions pane

[Screenshot: 04_AddRule]

  • Choose the Mark Folders as Applications template and click OK

[Screenshot: 05_pickTemplate]

  • Set the Run-As identity to an account that has write permission to applicationHost.config (such as an Administrator account). The rule needs its own identity because marking a folder as an application writes to %windir%\System32\inetsrv\config\applicationHost.config, which your non-administrator users cannot (and should not) write to. WMSvc stores the password encrypted in administration.config, and every user you add to the rule acts with this account's authority for the createApp provider, so leave the rule's path at the {userScope} default and use an account with no more rights than the job needs.
  • Click the Set button under Specify credentials:

[Screenshot: 06_clickSetButton]

    • Enter user credentials

[Screenshot: 07_setCredentialsDialog]

    • Click OK
  • Click OK to finish creation of the rule

5. Add a user to the rule

Note: this dialog will pop up automatically when you create the rule, but you can add users at any time by selecting the rule and clicking the “Add User to Rule…” task

[Screenshot: 08_addUser]

  • Click OK

6. Add additional rules if you want to allow additional user actions (such as the ability to add content, set ACLs, or access databases) - see last section on this page.

Note – this rule ONLY allows the users to right-click an existing folder and mark it as an application – other rules are probably desired. See the bottom of this article for some common rules.

Client (non-Admin) steps

1. Launch inetmgr

Note: this may be done either from a remote computer or locally. If remote, the remote computer must also have MSDeploy installed in order to use the MSDeploy UI features.

2. Connect to the user’s site (or app)

  • Right-click on Start Page and choose the Connect to a Site… option

[Screenshot: 09.1_connectToSite]

  • Type in the server name and site name – click Next

[Screenshot: 10_serverSiteNames]

  • Type in user credentials and click Next

[Screenshot: 11_enterCredentials]

  • You should get to a “Created a new connection successfully.” screen. Click Finish.

3. Expand the site node

4. Right-click a folder

[Screenshot: 13.1_rightClickOptions]

Note: if you do NOT see the Deploy option, the most likely causes are:

  1. MSDeploy UI component is not installed on the computer
  2. There are no Management Service Delegation rules
  3. This user has not been added to any Management Service Delegation rules

5. Select the Deploy > Convert to Application option

[Screenshot: 14_convertToApp]

Note: other options would appear under Deploy if other rules were specified, such as Delete Folder and Content or Recycle. See the Common Rules section below for a few basic rules to try out.

6. Notice that the folder has now been marked as an application (you can tell by the updated icon in the tree view)

[Screenshot: 15_nowAnApp]
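The same Convert to Application step issued from the command line, as an added example that is not part of the original post. It runs msdeploy.exe against the Web Management Service as the delegated user, so it exercises exactly the createApp rule created in the server admin steps and is what a scripted deployment would do. The server, site, folder and account names are assumed placeholders (IISSBA149 and An_IIS_User are taken from the config samples further down), and the msdeploy.exe location is the Web Deploy 1.x default, which differs in later versions.

```powershell
# Added example (not from the original post): convert an existing folder under a
# site into an application through WMSvc, as the delegated non-admin user, using
# msdeploy.exe instead of the IIS Manager UI.
# Assumed: the server/site/folder/account values below and the msdeploy.exe path.
$msdeploy = "${env:ProgramFiles}\IIS\Microsoft Web Deploy\msdeploy.exe"
$server   = 'IISSBA149'           # WMSvc listens on https://<server>:8172/msdeploy.axd by default
$site     = 'Default Web Site'    # site the user has IIS Manager Permissions for ({userScope})
$folder   = 'MyFolder'            # existing folder under the site; it becomes the application
$user     = 'An_IIS_User'         # IIS Manager user -> authType=Basic (Windows accounts can use NTLM)
$password = Read-Host -Prompt "Password for $user"

if (-not (Test-Path -Path $msdeploy)) { throw "msdeploy.exe not found at $msdeploy" }

# Site-scoped connection, the command-line equivalent of "Connect to a Site..." in
# the UI. The site name is URL-encoded so the argument contains no spaces.
$connect = "https://${server}:8172/msdeploy.axd?site=$([uri]::EscapeDataString($site))"

$msdeployArgs = @(
    '-verb:sync',
    "-source:createApp=$site/$folder",   # PowerShell quotes this for the native call because of the space
    "-dest:auto,computerName=$connect,userName=$user,password=$password,authType=Basic",
    '-allowUntrusted'   # WMSvc's default certificate is self-signed; drop this once a trusted cert is installed
)

# Dry run first: WMSvc still authorizes the request against the delegation rules,
# so a missing rule or a folder outside {userScope} fails here without touching
# applicationHost.config.
& $msdeploy @msdeployArgs -whatif
if ($LASTEXITCODE -ne 0) {
    throw "Dry run failed (exit $LASTEXITCODE): check the createApp rule and the user's IIS Manager Permissions"
}

& $msdeploy @msdeployArgs
if ($LASTEXITCODE -ne 0) { throw "createApp failed (exit $LASTEXITCODE)" }
Write-Host "$site/$folder is now an application"
```

The password is passed on the msdeploy command line, so it is visible to anyone who can list processes on the client while the command runs; run it from a session you trust and rotate the IIS Manager user's password if in doubt.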

Some Common Rules to Get Started

This shows the values for some common rules as they would appear in the administration.config file (%windir%\System32\inetsrv\config\administration.config). The rule created in the walkthrough above (the createApp rule) is the third one in the block. Its runAs password is stored encrypted by the RsaProtectedConfigurationProvider, so the blob shown is tied to the key on the machine that wrote it and is not something to copy to another server; set the credentials through the UI on each server instead.

<system.webServer>
            <management>
                <delegation>
                    <!--This is the "Deploy Applications with Content" rule, with all the template defaults. It allows users to add/delete files to locations they have IIS Manager Permissions for AND appropriate ACLs on the physical directories-->
                    <rule enabled="true" providers="contentPath, iisApp" actions="*" path="{userScope}" pathType="PathPrefix">
                        <runAs identityType="CurrentUser" />
                        <permissions>
                            <user name="*" isRole="false" accessType="Allow" />
                        </permissions>
                    </rule>
                    <!--This is the “Set Permissions for Applications” rule, with all the template defaults. It allows users to set ACLs on locations they have IIS Manager Permissions for AND appropriate ACLs on the parent physical directories-->
                    <rule enabled="true" providers="setAcl" actions="*" path="{userScope}" pathType="PathPrefix">
                        <runAs identityType="CurrentUser" />
                        <permissions>
                            <user name="*" isRole="false" accessType="Allow" />
                        </permissions>
                    </rule>           
                    <!--This is the “Mark Folders as Applications” rule, using the template defaults. The runAs identity was set to a local Administrator account to allow non-administrators to mark folders as applications if they are in a path the user has IIS Manager Permissions for. This rule was the focus of the walkthrough above. -->
                    <rule enabled="true" providers="createApp" actions="*" path="{userScope}" pathType="PathPrefix">
                        <runAs identityType="SpecificUser" userName="Administrator" password="[enc:RsaProtectedConfigurationProvider:jAAAAAECAAADZgAAAKQAAKv+vnsskEdvc7c3Q2tcaJGVbvKW0urtCC8QayxZfYyGVjKrxQKQTob7T5z7ESM/3Zm0mPhIut033tWpyNJ+As4N8H5Wh/w31327eaxe+C6NLK2zmHY978A0aHpqcafcZ7K7YIaGGEem/Up0xa2Jf/LXJt77vLJUkumwGOlO3Dw9NGYGIyj8zk6lHsFQPoU0SHykWhrnMCp12uzFCUN4fYw=:enc]" />
                        <permissions>
                            <user name="*" isRole="false" accessType="Allow" />
                        </permissions>
                    </rule>
                </delegation>
            </management>
</system.webServer>

Why do all these rules use {userScope} for the default path?

This makes your job easier by automatically limiting users to the areas you have already granted them through IIS Manager Permissions, which are stored in the same administration.config file. In the sample administration.config section below, both a Windows user (A_Windows_User) and an IIS Manager user (An_IIS_User) are authorized to access Default Web Site, so {userScope} in the rules above limits them to altering items under Default Web Site. (Note that for reading and writing content under Default Web Site these accounts also need ACLs on Default Web Site's physical directory. There is more information on how to do this here: http://blogs.iis.net/krolson/archive/2009/11/04/using-iis-manager-accounts-for-web-deployment-tool-msdeploy-delegation.aspx - for Windows users, grant the ACL to the user's own account instead of Local Service.)

<system.webServer>
        <management>

            <authorization defaultProvider="ConfigurationAuthorizationProvider">
                <authorizationRules>
                    <scope path="/Default Web Site">
                        <add name="IISSBA149\A_Windows_User" />
                        <add name="An_IIS_User" />
                    </scope>
                </authorizationRules>
            </authorization>
         </management>
    </system.webServer>
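An added example, not from the original post, that ties the last two sections together: a PowerShell audit of administration.config that lists each delegation rule (the rules you add in step 6 of the server admin steps) against the IIS Manager Permissions that {userScope} expands to, so you can see per user which providers they get, under which identity, and on which site path. It relies on the file layout shown above. The embedded sample is a constructed copy of the fragments on this page (with the encrypted password shortened) and is used when the real file is absent or -UseSample is passed; the warning texts and the script itself are mine, not part of IIS.

```powershell
# Added example (not from the original post): audit delegation rules and IIS
# Manager Permissions in administration.config and report, per authorized user,
# what each rule allows and where {userScope} confines it.
# Assumed: the administration.config layout shown in the article; run elevated on the server.
param(
    [string]$Path = "$env:windir\System32\inetsrv\config\administration.config",
    [switch]$UseSample   # audit the constructed sample below instead of the real file
)

# Constructed sample: the article's two administration.config fragments merged.
# The password blob is shortened; it is only an opaque encrypted string here.
$SampleXml = @'
<configuration>
  <system.webServer>
    <management>
      <authorization defaultProvider="ConfigurationAuthorizationProvider">
        <authorizationRules>
          <scope path="/Default Web Site">
            <add name="IISSBA149\A_Windows_User" />
            <add name="An_IIS_User" />
          </scope>
        </authorizationRules>
      </authorization>
      <delegation>
        <rule enabled="true" providers="contentPath, iisApp" actions="*" path="{userScope}" pathType="PathPrefix">
          <runAs identityType="CurrentUser" />
          <permissions><user name="*" isRole="false" accessType="Allow" /></permissions>
        </rule>
        <rule enabled="true" providers="setAcl" actions="*" path="{userScope}" pathType="PathPrefix">
          <runAs identityType="CurrentUser" />
          <permissions><user name="*" isRole="false" accessType="Allow" /></permissions>
        </rule>
        <rule enabled="true" providers="createApp" actions="*" path="{userScope}" pathType="PathPrefix">
          <runAs identityType="SpecificUser" userName="Administrator" password="[enc:RsaProtectedConfigurationProvider:...:enc]" />
          <permissions><user name="*" isRole="false" accessType="Allow" /></permissions>
        </rule>
      </delegation>
    </management>
  </system.webServer>
</configuration>
'@

if ($UseSample -or -not (Test-Path -Path $Path)) { $raw = $SampleXml }
else { $raw = Get-Content -Path $Path -Raw }
[xml]$config = $raw

# IIS Manager Permissions: which accounts may connect to which site/app paths.
# These paths are what {userScope} expands to for each account.
$userScopes = @{}
foreach ($scope in $config.SelectNodes('/configuration/system.webServer/management/authorization/authorizationRules/scope')) {
    foreach ($entry in $scope.SelectNodes('add')) {
        $name = $entry.GetAttribute('name')
        if (-not $userScopes.ContainsKey($name)) { $userScopes[$name] = @() }
        $userScopes[$name] += $scope.GetAttribute('path')
    }
}

$report = foreach ($rule in $config.SelectNodes('/configuration/system.webServer/management/delegation/rule')) {
    if ($rule.GetAttribute('enabled') -ne 'true') { continue }
    $runAs = $rule.SelectSingleNode('runAs')
    $identity = if ($runAs) { $runAs.GetAttribute('identityType') } else { '(not set)' }
    $specific = ($runAs -and $runAs.GetAttribute('identityType') -eq 'SpecificUser')
    if ($specific) { $identity += ' (' + $runAs.GetAttribute('userName') + ')' }

    # Grantees: "*" means every account that has IIS Manager Permissions. Role
    # entries (isRole="true") are listed by name; group membership is not expanded.
    $grantees = @($rule.SelectNodes('permissions/user[@accessType="Allow"]') | ForEach-Object { $_.GetAttribute('name') })
    if ($grantees -contains '*') { $grantees = @($userScopes.Keys) }

    $warnings = @()
    if ($rule.GetAttribute('path') -ne '{userScope}' -or $rule.GetAttribute('pathType') -ne 'PathPrefix') {
        $warnings += 'not confined to the user''s IIS Manager Permissions'
    }
    if ($specific) { $warnings += 'runs with the stored account''s privileges, not the caller''s' }

    foreach ($user in $grantees) {
        $effective = if ($rule.GetAttribute('path') -eq '{userScope}') { $userScopes[$user] } else { @($rule.GetAttribute('path')) }
        if (-not $effective) { $effective = @('(no IIS Manager Permissions granted)') }
        [pscustomobject]@{
            User      = $user
            Providers = $rule.GetAttribute('providers')
            Actions   = $rule.GetAttribute('actions')
            RunAs     = $identity
            Scope     = ($effective -join '; ')
            Warnings  = ($warnings -join '; ')
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it after every change to the Management Service Delegation UI; a rule whose path has been changed away from {userScope}, or one that runs as a stored privileged account for more providers than createApp, shows up in the Warnings column for every account it reaches.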

4 Comments

  • Kristina,

    You state that one must do the following as part of enabling non-administrators to create applications: "Set the Run-As identity to an account that has write permission to applicationHost.config (such as an Administrator account)"

    Must it run as an administrator account? If it can run as someone else, what other permissions are required? We'd like to keep permissions as minimal as possible and still let developers get their job done.

    Also, is there a more comprehensive source of info on all the capabilities of MS Deploy and what permissions are required to run various rules? As someone not very familiar with IIS 7, the rules seem a bit cryptic to me (function names?). Looking for a good reference to rule-building--e.g. what each rule option means in terms of what it allows, and what the least permissions one must grant to enable non-administrators to execute these functions.

    Thanks very much.

    Dana

  • Kristina,
    This is a great post and I am using it to design our deployment strategy to our new web farm. Your screen shot above shows the Management Service Delegation Feature at the server node. Am I missing something? I don't have this feature in IIS. We are on Windows Server 2008 R2. Do I need to install the IIS Management Scripts and Tools role feature for IIS?

    Thanks in advance,
    Alan Levine

  • Kristina,
    I found this on the forum. Got it now!
    https://forums.iis.net/p/1171432/1956059.aspx

    Alan Levine

  • Everything is working from this article.

    I have one question. The same user that is used to connect to IIS Manager on the local machine (as described under "Client (non-Admin) steps") is not able to publish when I try from Visual Studio 2010 --> right-click the application in "Solution Explorer" --> "Publish Web" interface.

    Why is this the case? Am I missing anything else?
