Deploy to none domain machines with Visual Studio Release Management vNext

There is a lot of documentation on how to deploy to machines outside your domain using agent based deployment ( i.e. on msdn) using shadow accounts. But I couldn’t find any documentation if and how this is done using vNext / agent-less deployment.

If you deploy to server outside your domain you get the following error messge:

Connecting to remote server <name> failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request. 

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---&gt; System.AggregateException: One or more errors occurred. ---&gt; Microsoft.TeamFoundation.Release.Common.Helpers.OperationFailedException: Failed to establish remote power shell session to the deployment machine L&lt;name&gt; on the port:5985 due to unexpected exception. Error Message:
System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server &lt;name&gt; failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at System.Management.Automation.RemoteRunspace.Open()
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.GetOpenedRunspace()
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.EstablishRemoteSession()System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server L&lt;name&gt; failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at System.Management.Automation.RemoteRunspace.Open()
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.GetOpenedRunspace()
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.EstablishRemoteSession()
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.RetryExecutor.Execute(Action action)
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.&lt;Initialize&gt;d__d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.&lt;Initialize&gt;d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.RemoteDeploymentHelper.&lt;Initialize&gt;d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.DeploymentClient.&lt;RunAsync&gt;d__11.MoveNext() ---&gt; System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server L&lt;name&gt; failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: There are currently no logon servers available to service the logon request.  
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
 Note that computers in the TrustedHosts list might not be authenticated.
   -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at System.Management.Automation.RemoteRunspace.Open()
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.GetOpenedRunspace()
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.EstablishRemoteSession()
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.RetryExecutor.Execute(Action action)
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.&lt;Initialize&gt;d__d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.PowershellExecutor.&lt;Initialize&gt;d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.RemoteDeploymentHelper.&lt;Initialize&gt;d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.DevTestLabs.Deployment.Deployment.DeploymentClient.&lt;RunAsync&gt;d__11.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.TeamFoundation.Release.EnvironmentProvider.OnPrem.Implementation.OnPremDeploymentProvider.ReadDeploymentResponse(DeploymentResponse response)
   at Microsoft.TeamFoundation.Release.EnvironmentProvider.OnPrem.Implementation.OnPremDeploymentProvider.&lt;CopyBuildsLocally&gt;d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.TeamFoundation.Release.EnvironmentProvider.OnPrem.Implementation.OnPremDeploymentProvider.&lt;RunScript&gt;d__0.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Microsoft.TeamFoundation.Release.MonitorServices.Dsc.OnPrem.OnPremDeploymentActions.InvokePlatform(String activityId, MachineSpecification machineSpecification, StorageSpecification storageSpecification, String scriptPath, String configurationPath, Dictionary`2 configurationVariables)
   at Microsoft.TeamFoundation.Release.MonitorServices.Dsc.OnPrem.OnPremDeploymentActions.RunScript(DscComponent dscComponentParameters, String serverName, String userName, String password, String componentName, String scriptPath, String configurationPath, String useCredSecuritySupportProvider, String useHttps, String skipCACheck)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.TeamFoundation.Release.DeploymentAgent.Services.Deployer.Dsc.DscComponentInstaller.InvokeMethodByReflection(String methodArguments)

So this is not a release management problem. The release management server connects to the servers using remote PowerShell. The remote PowerShell only sends Credentials to machines inside the domain or to trusted hosts. So what we need to do is to add the target machine to the trusted hosts on the release management server. Thanks to Donovan Brown for helping me to figure this out! You can add an asterisk to the trusted hosts so that you don’t have to add every new machine to your RM server.

cd WSMan::localhost\Client
Set-Item TrustedHosts * -Force
Restart-Service WinRm

Here are some other considerations if you deploy to machines outside your domain:

  • Specify local acounts on the target server prefixed with a dot in the release management template (i.e. .\userXYZ)
  • Make sure the Port 5985 or 5986 or opened on your firewall(HTTP = 5985, HTTPS = 5986)
  • Make sure your target machine has access to you drop folder.

UPDATE: I finally found a good documentation when I was tracking another error:

http://social.technet.microsoft.com/wiki/contents/articles/30920.vnext-release-management-template-for-on-premise-target-server-in-un-trusted-domain.aspx

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s