SQL Server DACPAC Deployment Dropping Users/Roles/Permissions - sql-server

I'm deploying an (Azure) SQL Server Database using a DACPAC. Every time I deploy it's dropping my users, roles, and permissions even though I'm explicitly telling it not to in the publishing profile I'm using.
The publishing profile is defined as
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<IncludeCompositeObjects>True</IncludeCompositeObjects>
<TargetDatabaseName>neonbliss</TargetDatabaseName>
<DeployScriptFileName>Neon Bliss Storefront Database.sql</DeployScriptFileName>
<BlockOnPossibleDataLoss>True</BlockOnPossibleDataLoss>
<DropObjectsNotInSource>True</DropObjectsNotInSource>
<ProfileVersionNumber>1</ProfileVersionNumber>
<DatabaseEdition>Basic</DatabaseEdition>
<DatabaseServiceObjective>Basic</DatabaseServiceObjective>
<DatabaseMaximumSize>2</DatabaseMaximumSize>
<DoNotDropRoleMembership>True</DoNotDropRoleMembership>
<DoNotDropUsers>True</DoNotDropUsers>
<DoNotDropPermissions>True</DoNotDropPermissions>
<DoNotDropSecurityPolicies>True</DoNotDropSecurityPolicies>
<ExcludeUsers>True</ExcludeUsers>
<ExcludeSecurityPolicies>True</ExcludeSecurityPolicies>
<ExcludeDatabaseRoles>True</ExcludeDatabaseRoles>
<IgnorePermissions>True</IgnorePermissions>
<TreatVerificationErrorsAsWarnings>True</TreatVerificationErrorsAsWarnings>
</PropertyGroup>
</Project>
Has anyone seen this?

This has been an ongoing DACPAC issue, presumably with the DropObjectsNotInSource overriding all other flags indiscriminately.
If you don't want to specifically add the security objects into your SSDT package, then since the publishing profile isn't sticking like you need, you'll need to adjust the arguments of SQLPackage.exe with...
/p:ExcludeObjectTypes=Users;Logins;RoleMembership;Permissions

Related

Windows 10 Kiosk Mode (MultiAppAssignedAccess Provisioning package) won't install

For my Project at work i want to install a provisioning Package, that contains a xml configuration for Kiosk Mode (Assigned Access).
I used the exact code from the xml reference page and inserted my Apps, as an account i used a local account that i created for testing.
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
<Profiles>
<Profile Id="{786df454-09d0-492f-9ef0-c07731d1606f}">
<AllAppsList>
<AllowedApps>
<App DesktopAppPath="C:\Program Files\Google\Chrome\Application\chrome.exe"/>
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" DesktopAppPath="C:\Program Files\Google\Chrome\Application\chrome.exe" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<Taskbar ShowTaskbar="true"/>
<Taskbar/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>.\Kiosk-test</Account>
<DefaultProfile Id="{786df454-09d0-492f-9ef0-c07731d1606f}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
When i try to install it, it either wont install at all with Error code 0x8007000b on one computer or on my private computer the installation will fail.
The Settings say that i has to Lock the user interface and make changes to the device.
then the EventLogs say that it failed due to follwing error: "Error during verification because the document does not contain exactly one root node. (0xC00CE223)" (translated with deepl, so might be a bit different in reality)
I could not find a matching solution on the internet.
I also tried using the configuration Wizard for single app Kiosk, and there the same error occured.
Does anyone of you know a solution to that or can tell me what the problem is at all?
I tried to change every part of the code, so that every aspect (App, User, e.g.) is tested seperately.
I moved my computer out the group policies, so that there are no GPOs that vreate an error.
The error messages didn't change at all
Thanks and best Regards!

It is possible to use new csproj format to build for .NET Framework Client Profile?

I am trying to manually update a new csproj file to configure building for .NET Framework 4.0 Client Profile.
This works correctly
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFrameworks>NET40</TargetFrameworks>
</PropertyGroup>
</Project>
but this generates an error
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFrameworks>NET40</TargetFrameworks>
<TargetFrameworkProfile>Client</TargetFrameworkProfile>
</PropertyGroup>
</Project>
'project.assets.json' doesn't have a target for
'.NETFramework,Version=v4.0,Profile=Client'.
Ensure that restore has run and that you have included
'net40-client' in the TargetFrameworks for your project.
Is it possible to use new csproj format e.g. <Project Sdk="Microsoft.NET.Sdk"> to build for .NET Framework Client Profile?
This worked for me:
<TargetFramework>net40-client</TargetFramework>
<TargetFrameworkIdentifier>.NETFramework</TargetFrameworkIdentifier>
<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
<TargetFrameworkProfile>Client</TargetFrameworkProfile>
There is a package for this, all you have to do is to replace the first line of your csproj with:
<Project Sdk="MSBuild.Sdk.Extras/2.0.54">
Then you have some new target frameworks available such as net40-client, so
<TargetFrameworks>net40-client</TargetFrameworks>
will now work.
See the project page (https://github.com/novotnyllc/MSBuildSdkExtras) if you want more information.

DACPAC Deployment setting

I want to publish my dacpac file using VSTS. I will be giving only DACPAC file to Dev ops team. I want to ignore drop table that is not in source. If i Publish it from SSDT, I can change in advanced settings. How to do that for VSTS. I can see an option under debug menu, But I am unable to check that option, Screen shot is attached in below URL.
https://i.stack.imgur.com/TBQPe.png
You can give publish.xml along side your dacpac and include a similar setting in that xml as well such as mentioned below
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="14.0"
xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<IncludeCompositeObjects>True</IncludeCompositeObjects>
<TargetDatabaseName>dbname</TargetDatabaseName>
<DeployScriptFileName>dbname.sql</DeployScriptFileName>
<TargetConnectionString>Data Source=<name>;Integrated Security=True;Persist
Security Info=False;Pooling=False;MultipleActiveResultSets=False;Connect
Timeout=60;Encrypt=False;TrustServerCertificate=True</TargetConnectionString>
<BlockOnPossibleDataLoss>False</BlockOnPossibleDataLoss>
<DropObjectsNotInSource>False</DropObjectsNotInSource>
<ProfileVersionNumber>1</ProfileVersionNumber>
</PropertyGroup>
<ItemGroup>
</ItemGroup>
</Project>
and while deploying dacpac (using cmd or powershell) you need to pass this xml file path in /Profile: parameter to pick this xml for deployment settings

TeamCity SQL Deploy

I followed the guide at http://blogs.adatis.co.uk/jonathon%20eveoconnor/post/Using-TeamCity-to-Automate-Building-and-Deployment-of-Database-Projects to set up SQL build and publish from TeamCity.
The build step works great, but I'm stuck when it comes to publishing. I've set the step up as below, which matches what is in the guide, but I'm getting an error.
Step 2/2: Publish (MSBuild) (2s)
[Step 2/2] KAInternal\KAInternal.sqlproj.teamcity: Build target: Publish
[KAInternal\KAInternal.sqlproj.teamcity] SqlPublish
[SqlPublish] SqlPublishTask
[SqlPublishTask] C:\TeamCity\buildAgent\work\1472f1322571ddd\KAInternal\bin\Debug\KAInternal.sqlproj.publish.sql error Deploy72002: Unable to connect to master or target server 'KAInternal'. You must have a user with the same password in master or target server 'KAInternal'.
[Step 2/2] Step Publish (MSBuild) failed
I've searched a fair bit, but everyone seems to believe this is a permission issue on the source machine, well my publish profile is using the built in "sa" SQL Server account to publish (for now, mainly to disprove this theory).
Here is the publish profile XML:
<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<IncludeCompositeObjects>True</IncludeCompositeObjects>
<TargetDatabaseName>KAInternal</TargetDatabaseName>
<DeployScriptFileName>Staging_KAInternal.sql</DeployScriptFileName>
<TargetConnectionString>Data Source=192.168.194.6;Persist Security Info=False;User ID=sa;Pooling=False;MultipleActiveResultSets=False;Connect Timeout=60;Encrypt=False;TrustServerCertificate=True</TargetConnectionString>
<BlockOnPossibleDataLoss>True</BlockOnPossibleDataLoss>
<ExcludeLogins>True</ExcludeLogins>
<IgnoreRoleMembership>True</IgnoreRoleMembership>
<ExcludeUsers>True</ExcludeUsers>
<ProfileVersionNumber>1</ProfileVersionNumber>
</PropertyGroup>
And the publish step in TeamCity
Hopefully someone can point me in the right direction, thanks in advance.
The guide you're following describes creating a separate proj file for the deployment, but here you're using the sqlproj file instead. There actually is an msbuild publish target for sqlproj files, so I'm not sure whether this was an intentional deviation on your part.
It may be the case that the sqlproj build task doesn't accept the password as an msbuild property. You could test whether this is the problem by specifying the password in the connection string in the publish profile file.
Also, I would suggest ensuring that you're using the latest versions of SSDT and DACFx. See the SSDT team blog for information about the latest versions and download links: https://blogs.msdn.microsoft.com/ssdt/

How do I force MSDeploy API to keep an existing Connectionstring?

We are deploying an ASP.Net application to IIS via MSDeploy API. We only want to update existing websites. In our ...pubxml we have defined following:
<ItemGroup>
<MSDeployParameterValue Include="$(DeployParameterPrefix)ConnectionstringA-Web.config Connection String">
<UpdateDestWebConfig>False</UpdateDestWebConfig>
</MSDeployParameterValue>
<MSDeployParameterValue Include="$(DeployParameterPrefix)ConnectionstringB-Web.config Connection String">
<UpdateDestWebConfig>False</UpdateDestWebConfig>
</MSDeployParameterValue>
</ItemGroup>
By default, the setParameters.xml created on publish, looks like this:
<setParameter name="ConnectionstringA-Web.config Connection String" value="metadata=res://*/itrDTO.csdl|res://*/itrDTO.ssdl|res://*/itrDTO.msl;provider=System.Data.SqlClient;provider connection string="data source=devServer;initial catalog=devDB;User Id=devUser;Password=devPW;MultipleActiveResultSets=True;App=EntityFramework"" />
<setParameter name="ConnectionstringB-Web.config Connection String" value="data source=devServer;initial catalog=devDB;integrated security=True" />
I also tried to create a "Projectname.wpp.targets" with this configuration inside my project:
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
<PropertyGroup>
<AutoParameterizationWebConfigConnectionStrings>false</AutoParameterizationWebConfigConnectionStrings>
</PropertyGroup>
</Project>
The result is that the connectionstrings are not created inside setparameters.xml.
However, all combinations of configurations here are changing the connectionstrings inside the web.config on the destinationserver. This happens if we import the package by the IIS-ManagementUI AND when we deploy the package by MSDeploy API.
All examples I've found for the "parameterization" - topic are for the IIS-Management process. As I understand parameterization, this is only usefull for manually installing updates, so that the admin has a UI to configure stuff. But we have no UI when we update the systems of our customers.
Update:
When I Publish with Visual Studio, here is the funny result:
I think this means "Hey WebDeploy, keep your hands off the connection strings!"
When I preview the changes, this is the result:
Parameterization is useful both through the IIS install UI and via the commandline. We use WebDeploy/Parameterization for the deployment of all our 40+ applications.
I just ran a test with a new blank ASP.NET application and found that by default the ConnectionString is parameterized but after setting the AutoParameterizationWebConfigConnectionStrings MSBUILD property to false it did not parameterize the ConnectionString. The parameter entry was removed from both the parameters.xml and SetParameters files.
I suggest you clear out your target website folder and republish with this property set.
Also double check that you don't have config transforms or something else that might be changing the config.

Resources