This post was originally published on Marcel de Vries' blog at How to fix “Error: This access control list is not in canonical form and therefore cannot be modified. Error count: 1”.

In my previous post about Deploying ASP.NET 4.5 to Docker on Windows I forgot to mention that you might run into an issue when running webdeploy.

Julian Perrott, commented on my post and asked if this is an issue. I think it is an issue and that the install does not complete correctly. But there is an easy fix for this as well. What you can do is add a small PowerShell script to your Docker image and run that after the first attempt to deploy the website. Then the next step is to run the script to fix the ACL’s and then again run web deploy. I have not yet tried this on the latest Windows server 2016 bits, but on the Technical preview 5 this worked like a charm.

You need the following script to fix the ACL’s:

$path = "C:inetpubwwwrootMvcMusicStore_deploy"
$acl = Get-Acl $path
Set-Acl $path $acl

This script doe nothing more then getting the ACL on the path and then re-apply it. this will make windows fix the ACL and make them in canonical form again.

You can add this to your dockerfile and make it part of your standard install of a website in your release pipeline.

FROM windowsserveriisaspnetwebdeploy 
RUN mkdir c:webapplication
WORKDIR /webapplication
ADD fixAcls.ps1 /MvcMusicStore/fixAcls.ps1
ADD dockerdeploydemo.zip  /webapplication/dockerdeploydemo.zip
ADD dockerdeploydemo.deploy.cmd /webapplication/dockerdeploydemo.deploy.cmd
ADD dockerdeploydemo.SetParameters.xml /webapplication/dockerdeploydemo.SetParameters.xml
RUN dockerdeploydemo.deploy.cmd, /Y
RUN powershell.exe -executionpolicy bypass .fixAcls.ps1
RUN dockerdeploydemo.deploy.cmd, /Y

So this does nothing more then adding the little PowerShell script to the container and then using that in the step after deploying your website

Hope this helps!