I am the IIS 7.5 server administrator. My clients are members of a Windows Active Directory Deployment group, which has been granted IIS Manager Permission at the Site level, on Test, Acceptance, and Production servers. My clients are permitted to deploy their applications using web deploy via IIS Manager. Usually they connect and deploy without any problems; however, since July 2016, they have intermittently encountered problems connecting to IIS 7.5 using WMSVC (Web Deploy).
A configuration question: should the Windows AD Deployment Group be granted IIS Manager Permissions only at the Site level, or do they need to have IIS Manager Permission also set for each web application (i.e. the VSE web app (see below))? So far they've managed to deploy successfully without needing this additional permission at the web application level.
The errors appears in the application log like this:
Description:IISWMSVC_LOGIN_UNKNOWN_ERROR
An unexpected error occurred while retrieving the login information.
Exception:System.UnauthorizedAccessException: Filename: MACHINE/WEBROOT/APPHOST/DefaultSite/VSE
Error: Cannot read configuration file due to insufficient permissions
I started the WMSVC Failed Request Tracing log, and found this:
ModuleName="IIS Web Core", Notification="AUTHENTICATE_REQUEST", HttpStatus="401", HttpReason="Unauthorized", HttpSubStatus="2", ErrorCode="Access is denied. (0x80070005)", ConfigExceptionInfo=""