Can MSBuild deploy using integrated authentication or only basic?
And the answer is...
Following my edit above about the current identity's username persisting to the MSDeploy command even when not passed in the original MSBuild call, I tried reconstructing the parameters to pass an empty username as follows:
MSBuild.exe Web.csproj
/p:Configuration=Debug
/p:DeployOnBuild=True
/p:DeployTarget=MSDeployPublish
/p:MsDeployServiceUrl=http://[server name]/MsDeployAgentService
/p:DeployIisAppPath=DeploymentTestProject
/p:MSDeployPublishMethod=RemoteAgent
/p:CreatePackageOnPublish=True
/p:username=
Which then generates the following MSDeploy command:
msdeploy.exe
-source:package='[project path]\obj\Debug\Package\Web.zip'
-dest:auto,ComputerName='http://[server name]/MsDeployAgentService',IncludeAcls='False',AuthType='NTLM'
-verb:sync
-disableLink:AppPoolExtension
-disableLink:ContentExtension
-disableLink:CertificateExtension
-retryAttempts=2
This call no longer includes the UserName attribute. So in short, if you do not add a username parameter to the MSBuild call it will insert the current identity anyway and defer to basic auth which will fail because there's no password. If you include the username parameter but don't give it a value, it doesn't include it at all in the MSDeploy command.
I looked in the Microsoft.Web.Publishing.targets and saw this:
<PropertyGroup>
<NormalizePublishSettings ...>
<AuthType Condition="'$(AuthType)'==''" >Basic</AuthType>
<!--Supported value for $(MSDeployPublishMethod): WMSVC, RemoteAgent, InProc-->
<MSDeployPublishMethod ... >WMSVC</MSDeployPublishMethod>
...
</PropertyGroup>
So, it looks like the default is Basic
authentication when running from MSBuild. Then I found this http://technet.microsoft.com/de-de/library/dd569001(WS.10).aspx
authenticationType specifies the type of authentication to be used. The possible values are NTLM and Basic. If the wmsvc provider setting is specified, the default authentication type is Basic; otherwise, the default authentication type is NTLM.
I haven't tried it yet, but maybe it's something like /p:AuthType=NTLM
I was able to get NTLM working as follows where the service is running under an account with admin privs on [server name].
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" app\Test.Web\Test.Web.csproj /T:Clean /T:Package /P:Configuration=Release
C:\hudson\jobs\Test\workspace\app\Test.Web\obj\Release\Package\Test.Web.deploy.cmd /Y "/M:http://[server name]/MSDEPLOYAGENTSERVICE" /A:ntlm -allowUntrusted
which generates:
"C:\Program Files\IIS\Microsoft Web Deploy\msdeploy.exe" -source:package='C:\hudson\jobs\Test\workspace\app\Test.Web\obj\Release\Package\Test.Web.zip' -dest:auto,computerName='http://[server name]/MSDEPLOYAGENTSERVICE',authtype='ntlm',includeAcls='False' -verb:sync -disableLink:AppPoolExtension -disableLink:ContentExtension -disableLink:CertificateExtension -setParamFile:"C:\hudson\jobs\Test\workspace\app\Test.Web\obj\Release\Package\RapidPrototypeRequestSystem.Web.SetParameters.xml" -allowUntrusted