IIS MSDeploy doesn't work with appgateway v2 and self-signed certificate

Yehor Sereda 0 Reputation points
2025-09-03T14:08:45.8+00:00

I migrated from Azure AppGateway v1 to v2 and configured a self-signed SSL certificate for the configuration of the backend setting with msdeploy.axd on port 8172, and an SSL root certificate for WMSVC, according to this doc: https://free.blessedness.top/en-us/azure/application-gateway/self-signed-certificates

Currently IIS is configured to use this certificate and to authenticate only the Windows Management Service with Windows credentials or IIS Manager creds. The backend health probe shows healthy status and its response code is 401, and that's OK. The problem is that when I try to run msbuild with the deploy parameter and AllowUntrustedCertificate, it fails each time with the error below:

C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\MSBuild\Microsoft\VisualStudio\v17.0\Web\Microsoft.Web.Publishing.targets(4455,5): error : Web deployment task failed. ((9/3/2025 1:52:14 PM) An error occurred when the request was processed on the remote computer.)

When I try to search any info in Event Viewer for WebDeploy it shows this error:

    Content-Type:
    Version: 9.0.0.0
    MSDeploy.VersionMin:
    MSDeploy.VersionMax:
    MSDeploy.Method:
    MSDeploy.RequestId:
    MSDeploy.RequestCulture:
    MSDeploy.RequestUICulture:
    ServerVersion: 9.0.1973.0
    A tracing deployment agent exception occurred that was propagated to the client. Request ID ''. Request Timestamp: '9/3/2025 1:52:14 PM'. Error Details:
    System.ArgumentNullException: Value cannot be null.
    Parameter name: input
    at System.Version.Parse(String input)
    at System.Version..ctor(String version)
    at Microsoft.Web.Deployment.DeploymentAgentWorkerRequest.get_MaximumSupportedVersion()
    at Microsoft.Web.Deployment.DeploymentAgent.HandleClientServerVersionMismatch(DeploymentAgentWorkerRequest workerRequest)
    at Microsoft.Web.Deployment.DeploymentAgent.HandleRequestWorker(DeploymentAgentAsyncData asyncData)
    at Microsoft.Web.Deployment.DeploymentAgent.HandleRequest(DeploymentAgentAsyncData asyncData)

I have checked the configuration of IIS, the gateway and the SSL certs multiple times, and everything looks correct, but the problem occurs either on the gateway side or in auth with SSL. Can you please provide any info on how to resolve this issue and what this error means?

Azure Application Gateway

1 answer

  1. Thanmayi Godithi 1,635 Reputation points Microsoft External Staff Moderator
    2025-09-03T18:21:12.4366667+00:00

    Hi @Yehor Sereda,

    Thank you for reaching out on the Microsoft Q&A forum.

    I understand that after migrating from Application Gateway v1 to v2, you configured IIS with a self-signed SSL certificate for Web Deploy (msdeploy.axd over port 8172). You mentioned that the backend health probe shows as healthy (401), but when deploying through MSBuild with AllowUntrustedCertificate, the deployment fails with the error:

    System.ArgumentNullException: Value cannot be null.  
    Parameter name: input  
    at System.Version.Parse(String input)  
    at System.Version..ctor(String version)  
    at Microsoft.Web.Deployment.DeploymentAgentWorkerRequest.get_MaximumSupportedVersion()
    

    In Application Gateway v2 SKU, the certificate handling model is different from v1. Application Gateway v2 only accepts trusted root certificates for backend authentication. Unlike v1, where you could upload a self-signed certificate, in v2 this is not supported. If your IIS server is using a self-signed certificate, Application Gateway will fail to trust it unless its root certificate is uploaded to the backend HTTP settings. This stricter validation ensures that the TLS handshake between the gateway and the backend can complete successfully. Without trust, the handshake can fail silently, causing Web Deploy requests to break and resulting in incomplete metadata being sent to IIS, which explains why the deployment agent throws parsing errors.

    You can find the relevant documentation here:

    Certificates required for backend authentication in Application Gateway v2

    Using self-signed certificates with Application Gateway

    If you would like to continue using a self-signed certificate, you will need to:

    1. Export the root certificate (Base-64 encoded .cer file) - Export a root certificate.
    2. Upload the root certificate in Application Gateway > Backend HTTP Settings > Trusted root certificates.

    Once the root certificate is registered, Application Gateway will be able to establish a trusted TLS connection to IIS, and your Web Deploy traffic should flow correctly.

    Could you please confirm whether you have already uploaded the root certificate into the Application Gateway backend HTTP settings?

    If not, please try the steps above and let us know if this resolves the issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
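
The two steps in the answer above (export the root as a Base-64 .cer, then register it as a trusted root on the backend settings), written out as an added PowerShell example that is not from the thread or from Microsoft's documentation. It assumes it runs on the IIS server with the Azure CLI installed and signed in; every value in angle brackets and the name `wmsvc-root` are placeholders.

```powershell
# Added example. Values in <...> are placeholders, not values from the thread.
$thumbprint = '<thumbprint-of-the-certificate-bound-to-WMSVC-on-8172>'
$rg         = '<resource-group>'
$gwName     = '<application-gateway-name>'
$settings   = '<backend-settings-name>'
$rootName   = 'wmsvc-root'                      # hypothetical name for the uploaded root
$rootFile   = Join-Path $env:TEMP 'wmsvc-root.cer'

# Step 1: walk the chain of the certificate IIS serves and take its last element,
# so the exported root is the one that actually issued the server certificate.
$server = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null   = $chain.Build($server)                 # only the chain elements are needed here
$root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# A root is self-issued. If the last element is not, the issuer is missing from the
# local stores and exporting this certificate would upload the wrong trust anchor.
if ($root.Subject -ne $root.Issuer) {
    throw "Chain stops at '$($root.Subject)'; issuer '$($root.Issuer)' is not in a local store."
}

# Write the public certificate only (no private key) as Base-64 with PEM markers.
$b64 = [Convert]::ToBase64String(
    $root.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path $rootFile -Encoding Ascii -Value @(
    '-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')

# Step 2: upload the root to the gateway and reference it from the backend settings.
az network application-gateway root-cert create `
    --resource-group $rg --gateway-name $gwName `
    --name $rootName --cert-file $rootFile

az network application-gateway http-settings update `
    --resource-group $rg --gateway-name $gwName `
    --name $settings --root-certs $rootName

# Check: the backend on 8172 should still be reported as healthy after the change.
az network application-gateway show-backend-health `
    --resource-group $rg --name $gwName
```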

