Scenario:
The TFS deploy Agent is setup to use built in account Network Service as the identity to conduct actions on server. Using Web Deploy to update the web site using a batch file and Web Deploy package to update a website folder.
Error Encountered:
Upon execution of the batch file, the following error occurs:
2018-05-09T00:24:30.2375370Z Info: Adding directory (Default Web Site/BIO_POCbin).
2018-05-09T00:24:30.2531618Z Error Code: ERROR_INSUFFICIENT_ACCESS_TO_SITE_FOLDER
2018-05-09T00:24:30.2531618Z More Information: Unable to perform the operation ("Create Directory") for the specified directory ("C:inetpubwwwrootBIO_POCbin"). This can occur if the server administrator has not authorized this operation for the user credentials you are using. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_INSUFFICIENT_ACCESS_TO_SITE_FOLDER.
Problem:
The TFS build/deploy agent is using the credential of the server's built-in Network Service account and the agent is setup to run as a server. The Network Service account did not have Full control permissions on the folder where the website is located to add/delete files and folders as needed.
Resolution:
One of the following
- Change the identity of the account the agent is using to a local account with membership in the Local Admin group on the server
- Change the identity of the account the agent is using to a Domain account with membership in the Local Admin group on the server
- Add the NT AUTHORITYNETWORK SERVICE account to the C:InetpubwwwrootDefaultWebSite<site> folder with FULL PERMISSIONS