And the answer is…
Following my edit above about the current identity’s username persisting to the MSDeploy command even when not passed in the original MSBuild call, I tried reconstructing the parameters to pass an empty username as follows:
MSBuild.exe Web.csproj
/p:Configuration=Debug
/p:DeployOnBuild=True
/p:DeployTarget=MSDeployPublish
/p:MsDeployServiceUrl=http://[server name]/MsDeployAgentService
/p:DeployIisAppPath=DeploymentTestProject
/p:MSDeployPublishMethod=RemoteAgent
/p:CreatePackageOnPublish=True
/p:username=
Which then generates the following MSDeploy command:
msdeploy.exe
-source:package="[project path]\obj\Debug\Package\Web.zip"
-dest:auto,ComputerName="http://[server name]/MsDeployAgentService",IncludeAcls="False",AuthType="NTLM"
-verb:sync
-disableLink:AppPoolExtension
-disableLink:ContentExtension
-disableLink:CertificateExtension
-retryAttempts=2
This call no longer includes the UserName attribute. So in short, if you do not add a username parameter to the MSBuild call it will insert the current identity anyway and defer to basic auth which will fail because there’s no password. If you include the username parameter but don’t give it a value, it doesn’t include it at all in the MSDeploy command.