Every time I need to set up a new server with Web Deploy/MSDeploy, I end up having to do a bunch of googling and tweaking and it never ends up being simple. The error messages are so arcane it's hard to know what the issue is when it doesn't work. There are several different ways to set up Web Deploy as well, from the IIS management service to a separate web deploy service. It’s fairly straightforward once you’ve got a good procedure to follow, but there are so many moving parts and the docs are horrible – fragmented blogs strewn everywhere each with a piece of the puzzle.

This most recent time I put together a comprehensive guide while I was working through the configuration.

First, set up IIS remote management services. You can do this through the UI:

  • Open role manager
    • Web Server -> Add Role Services
    • Management Tools -> Management Service
  • Open IIS Manager
    • <servername> -> Management Service
      • Check "Enable Remote Connections"
      • Check "Windows or IIS Manager"

Or batch file commands:

dism /online /enable-feature /featurename:IIS-WebServerRole
dism /online /enable-feature /featurename:IIS-WebServerManagementTools
dism /online /enable-feature /featurename:IIS-ManagementService

reg Add HKLM\Software\Microsoft\WebManagement\Server /V EnableRemoteManagement /T REG_DWORD /D 1

net start wmsvc
sc config wmsvc start= auto

Then, set up the Web Deploy service and connect it to IIS Manager:

  • Install Web Deploy from http://www.iis.net/downloads/microsoft/web-deploy
    • Make sure to install the deployment handler with delegation and non admin
  • Open IIS Manager
  • In the server configuration, add an IIS Manager user
  • Go to each website, IIS Manager Permissions and give user permissions
  • Add Web Management Service (wmsvc) permissions for each physical location where the site files will be located (Local Service, or whatever user wmsvc is running under)
  • Set WmSvc to start auto
  • (re)Start wmsvc
  • Open port 8172 on all relevant firewalls. If you're using Windows Firewall, you can use this:
    netsh firewall add portopening TCP 8172 WdeployAgent

Finally, set up a delegation rule to allow users to create applications. This is called a "Mark Folders as Applications" rule, using the createApp provider. If your applications already exist and won't be created during deploy, you still need this rule because it is required to verify that the application exists. You can skip granting modify permission on applicationHost.config if you'll never actually create an application during deploy.

  • Create a user account (I call it "CreateAppUser")
  • Grant read permission to %windir%\system32\inetsrv\config.
  • Grant modify permission to %windir%\system32\inetsrv\config\applicationHost.config. Skip this step if you won't be creating any applications during deploy
  • Open Management Service Delegation in IIS Manager
  • Add a Mark Folders as Applications Rule
  • Set the CreateAppUser as the Run As user, using a Specific User type
  • Click OK and an Add User To Rule dialog will come up
  • Enter * in the Name and click OK. This will allow all users to create applications.

And… done!
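
Before the first publish, it helps to confirm that each server-side piece from the steps above is actually in place, since the Web Deploy errors rarely say which one is missing. The script below is an added example, not part of the original procedure; it only reads state and assumes PowerShell 3+ on Windows Server 2012 or later, an elevated prompt, and the account name "CreateAppUser" from the delegation steps.

```powershell
# Added example: read-only check of the server-side setup described in this post.
# Assumptions: PowerShell 3+ on Windows Server 2012 or later, elevated prompt,
# and the delegation account is named "CreateAppUser" as in the steps above.
$appUser   = 'CreateAppUser'
$configDir = Join-Path $env:windir 'system32\inetsrv\config'
$hostFile  = Join-Path $configDir 'applicationHost.config'

function New-Check($Name, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Name; Pass = [bool]$Ok; Detail = "$Detail" }
}

function Test-Acl($Path, $User, $Right) {
    # True when an Allow ACE that names $User directly includes $Right.
    # Rights inherited through group membership are not expanded.
    $want = [System.Security.AccessControl.FileSystemRights]$Right
    $acl  = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    $hit  = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$User" -and
        ($_.FileSystemRights -band $want) -eq $want
    }
    [bool]$hit
}

# Service state, the registry flag set by the "reg Add" command, and the listener
$svc    = Get-CimInstance Win32_Service -Filter "Name='wmsvc'"
$reg    = Get-ItemProperty 'HKLM:\Software\Microsoft\WebManagement\Server' -ErrorAction SilentlyContinue
$listen = Get-NetTCPConnection -LocalPort 8172 -State Listen -ErrorAction SilentlyContinue

$checks = @(
    New-Check 'wmsvc is running'           ($svc.State -eq 'Running')          $svc.State
    New-Check 'wmsvc start mode is Auto'   ($svc.StartMode -eq 'Auto')         $svc.StartMode
    New-Check 'EnableRemoteManagement = 1' ($reg.EnableRemoteManagement -eq 1) $reg.EnableRemoteManagement
    New-Check 'TCP 8172 is listening'      ([bool]$listen)                     ($listen.LocalAddress -join ', ')
    New-Check "$appUser can read config dir" (Test-Acl $configDir $appUser 'Read') $configDir
    New-Check "$appUser can modify applicationHost.config" (Test-Acl $hostFile $appUser 'Modify') $hostFile
)

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Pass })
"{0} of {1} checks failed" -f $failed.Count, $checks.Count
```

The last check is expected to fail if you skipped the modify grant because no applications are created during deploy. A listening port on the server does not prove the firewall rule works, so test port 8172 from the publishing machine as well.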

The first time you open VS and try to publish, go through the whole wizard to make sure settings are correct. You'll likely get a popup about the untrusted certificate used by IIS Manager -- accept the certificate.

You also may need to add the following rules (templates are included in the Add Rule box) to do a full publish:

  • Deploy Applications with Content
  • Set Permissions for Applications

When you set those up, use the defaults, and * for the Name in the Add User To Rule dialog.