问题
I've configured the deployment to a web server using a service account. On the target machine remote powershell is enabled and the account has been added to the Remote Management Users group.
I initiate a release and the following error occurs. If I add the service account to the local Administrators group on the web server then it succeeds. I can reproduce the same error by remoting into the web server, under the service account, and attempting to call get-service
.
System.AggregateException:
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
CategoryInfo :NotSpecified: (:) [Get-Service], InvalidOperationException
FullyQualifiedErrorId :System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
---> System.Management.Automation.RemoteException: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
--- End of inner exception stack trace ---
at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.Invoke(String errorContextMessage, Boolean writeResultToLog, Boolean isCancellable)
at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.RemoteDeploymentHelper.AcquireMutexOwnerShip(String serviceName, String destinationPath, Int64 deploymentHeartbeatTimeoutSec)
at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.DeploymentClient.<RunAsync>d__14.MoveNext()
Does anyone know the minimum permissions required for a service account to get this working? I want to avoid adding the account to the Administrators group.
回答1:
Some background information:
Rather than just executing your Powershell deployment script against the target server using PSRemoting, it uses PSRemoting to install a Windows Service (VisualStudioRemoteDeployer.exe
) on the target server. This service then runs your deployment script locally, and the MSRM server regularly polls this Windows service (see here) to see if it is finished deploying.
I suspect this strange setup has something to do with avoiding the double-hop issue - so that it allows your script to make a 2nd hop from the target server to another server, e.g. for a webservice call.
So you'll need enough permissions to install that Windows service, and according to this post, that means administrative permissions.
来源:https://stackoverflow.com/questions/33962104/what-permissions-are-required-for-a-release-management-2013-vnext-release-using