Deploy to IIS permission

I’m trying to deploy to IIS but get the following error

Set application pool identity: SpecificUser

Attempt 1 of 5 failed: Keyset does not exist (Exception from HRESULT: 0x80090016)

My tentacle is running under a system account that is not part of the administrators group.
Is there a specific set of permissions needed to achive this?

Good afternoon @thordur.vilmundarson,

Thank you for contacting Octopus Support and welcome to the forums! I am sorry you are getting errors in your deployment process.

The error you posted up:

Keyset does not exist (Exception from HRESULT: 0x80090016)

Seems to be coming from IIS not Octopus, I am not familiar with that error but I did some googling and there are a few websites that mentions this is to do with corrupted IIS keys or user permissions:

Since I do not know anything about your configuration I would not like to recommend a specific fix for this issue but we did have a user a long time ago on our forums mention he was getting this issue and granted access for the tentacle service account to the keys folder -c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Whilst it does not look like this fixed the issue it might be something you need to do to get this working.

Hopefully one of those websites will point you to the right place in order to fix this and I am sorry I could not provide a more specific fix. I would try granting access to that machinekeys folder first for that user account. If that does not work I would temporarily give the tentacle service account administrative access on that machine and see if that fixes it (you then know its a permission issue somewhere). It looks like you do need to configure specific permissions from this answer on the stack overflow post:

If none of my suggestions works it looks like you may have to start playing with IIS itself or trying one of the other fixes on the websites I linked.

Let me know if one of those helps but I would hazard a guess this is machine specific.
Kind Regards,

Hi Clare, thank you for responding,

I have already given my service account permission to c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

and the deployment works fine when the tentacle has administrative access but I’m hoping this can be achived without granting full admin rights.

Hey @thordur.vilmundarson,

Thanks for letting us know you gave the account permissions to the Machine Keys on the C drive and that the only way you can get this to work so far is giving admin rights to the tentacle service account.

It does look like this is a Windows permissions issue so it might be worth trying what the user Jorge Mauricio mentioned in the last comment on the permissions picture I posted up.

We are not IIS experts I am afraid so are unable to advice further but since you have confirmed giving admin rights to that account means you can deploy another google might lead you to a workaround.

Hopefully you get this sorted, if you do and you have the time it would be great if you could post up what you did to get this working so anyone else who comes across this can try your fix and see if that works for them.

Kind Regards,