Deploy from a Team Foundation Server build to a Web Site without specifying a password in the build

In a previous article I explained how to deploy an ASP.NET Web Site from a TFS Build thanks to the MSDeploy engine. One of the main complaints about this solution is the need to specify UserName and Password in the build configuration, and the need to use AllowUntrustedCertificate=true.

The certificate problem is the simpler of the two to solve: you just need to use a certificate that is trusted inside your organization, or a certificate issued by a trusted certificate authority (e.g. GoDaddy), instead of the default self-signed one generated by the MSDeploy configuration in IIS. This is mostly administrative work and I'm not going to cover it in this post.

The most annoying part is getting rid of the password. You should start by configuring the deploy user in IIS to be the same user that runs TFS Build; this gives the build user permission to execute the deploy.

Figure 1: Give the build user publish permission.

This is not enough: if you fire your build you will probably receive an authorization error.

C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v12.0\Web\Microsoft.Web.Publishing.targets (4255): Web deployment task failed. (Connected to the remote computer (“webtest1.cyberpunk.local”) using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site.  Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.)

The dreaded ERROR_USER_UNAUTHORIZED can frustrate you for a long time, because it is not so easy to solve. First of all you should check that Windows Authentication is enabled in the IIS configuration. Just go to the Web Server and verify the settings of the Management Service.

Figure 2: You should configure the Management Service to use Windows Authentication.

Figure 3: You should make sure that Windows Credentials is enabled.

This is usually not enough; you should also add a value in the registry. Locate the HKLM\SOFTWARE\Microsoft\WebManagement\Server key and add a DWORD value named WindowsAuthenticationEnabled with the value 1. Finally, restart the management service (net stop wmsvc and then net start wmsvc), because the setting is read at service start.

If you run the build you will probably still get the ERROR_USER_UNAUTHORIZED error; this is caused by the parameters passed to MSBuild. There are two parameters you need to pass to MSBuild for integrated security to work:

  1. /p:UserName=""

  2. /p:AuthType=NTLM

An empty UserName parameter is needed for it to work: if you forget to specify it, you will get ERROR_USER_UNAUTHORIZED even if the user running the script (tfsbuild) has all the rights needed to deploy the site. The AuthType parameter tells the server to use Windows Authentication.
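The two halves of the procedure above (the registry switch and service restart on the web server, and the integrated-security MSBuild parameters on the build agent), as an added PowerShell example that is not part of the original post. The function names, the MSBuild install path, `$ProjectPath` and `$ExtraArgs` are assumptions or placeholders; the registry key, value name, service name and MSBuild properties are the ones the post describes.

```powershell
# Run on the web server that hosts WMSvc (elevated): make sure the
# Windows Authentication switch is on, restarting the service only if
# the value had to be changed, since it is read at service start.
function Enable-WmsvcWindowsAuth {
    $regPath   = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
    $valueName = 'WindowsAuthenticationEnabled'

    # Get-ItemProperty fails when the value is absent; treat "missing" as "disabled".
    $current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($current -eq 1) {
        Write-Host "$valueName already set to 1; nothing to do."
        return $false
    }

    Write-Host "$valueName is '$current'; setting DWORD value to 1."
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

    # Equivalent to 'net stop wmsvc' followed by 'net start wmsvc'.
    Restart-Service -Name WMSvc
    $svc = Get-Service -Name WMSvc
    if ($svc.Status -ne 'Running') {
        throw "WMSvc is $($svc.Status) after restart; deployment would fail."
    }
    return $true
}

# Run on the build agent, under the same account that was granted publish
# permission in IIS. No credential is passed: the empty UserName plus
# AuthType=NTLM makes MSDeploy use the account running the build.
function Invoke-IntegratedDeploy {
    param(
        [Parameter(Mandatory)] [string] $ProjectPath,   # placeholder: your web project
        [string[]] $ExtraArgs = @()                    # placeholder: the publish properties your build already passes
    )
    # Assumed install path for the MSBuild that ships with Visual Studio 2013 (v12.0).
    $msbuild = Join-Path ${env:ProgramFiles(x86)} 'MSBuild\12.0\Bin\MSBuild.exe'
    if (-not (Test-Path $msbuild)) { throw "MSBuild not found at $msbuild" }

    & $msbuild $ProjectPath '/p:UserName=""' '/p:AuthType=NTLM' @ExtraArgs
    if ($LASTEXITCODE -ne 0) { throw "MSBuild failed with exit code $LASTEXITCODE" }
}
```

Both steps remain necessary: with the registry value set but without the two properties, or the other way round, the build still fails with ERROR_USER_UNAUTHORIZED, exactly as the post describes.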

Now your build should be green, no credential is stored inside the build definition, and you are not breaking any security good practice.

Gian Maria.