Load balancing two App-V 5.0 servers - the publishing service is not able to contact the management service anymore

    Question

  • Hi all,

    I have two App-V 5.0 SP1 servers in a farm (connecting to a third machine dedicated to the SQL server role).

    These two machines are working fine: I can publish applications, and my App-V 5.0 clients can execute applications. Everything is fine.

    Now, I would like to add a load balancing mechanism for the management and publishing services.

    What I did:

    - created a DNS record with the name of a farm, let's call it "FARM". This record points to an IP address which is an F5 appliance. The F5 appliance has been properly configured and performs load balancing on the two App-V servers. No issues when resolving the farm name, whether via short or FQDN names

    - created a new AD user account called "ITM"

    - made the two setspn commands: "setspn -A http/FARM domain\ITM" and "setspn -A http/FARM.domain.local domain\ITM"

    - marked the ITM user account as trusted for delegation

    - changed identity of the "Management service" application pool in IIS to ITM

    - changed the authentication of the "Management Service" web site to useAppPoolCredentials="true"

    - made this ITM user a member of the IIS_IUSR group on the App-V server. In fact I even added this user account as a member of the App-V admins groups and the local admin group

    - made the ITM user a DBO of the App-V database in the SQL

    - configured the App-V client to point to the FARM name. Purged its cache so that there are no applications (unpublish followed by remove)

    Result:

    - the client can connect, it syncs fine with the App-V servers, gets the list of the existing applications, downloads them and executes them

    - BUT if I publish a new application, the application is never displayed by the App-V client. It's just as if it does not exist. If I revert the identity of the publishing application pool in IIS back to the "local service account" (the one by default), then the client gets the new application.

    Conclusion: it seems that after I changed the identity of the application pool, the publishing service is not able to contact the management service to refresh its list of published applications. The F5 is not to blame here: if I change the hosts file on the App-V client and point the FARM name directly to the IP address of one of the App-V servers, I have exactly the same symptoms. And I added all permissions I could think of (the ITM account is DBO of the App-V databases !!)

    I'm quite frustrated because the steps I performed are working fine in an App-V 4.x environment. There I do not even need to add ITM to the App-V admin groups, nor to the local admins groups, nor as a DBO of the App-V management database...

    I would really appreciate any idea. THANKS in advance.

    Tuesday, May 14, 2013 3:59 PM
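The SPN, delegation and IIS steps listed in the question, as an added PowerShell example (not code from the original post), with the checks an administrator would run around them. Assumed values: domain CONTOSO, account ITM, farm name FARM / FARM.domain.local, app pool AppVManagement and the IIS site name 'Microsoft App-V Management Service'; confirm the last two with Get-ChildItem IIS:\AppPools and Get-Website on your own server.

```powershell
# Added example, not from the original post: the SPN/Kerberos and IIS steps
# described above as a script, with pre- and post-checks. Assumed values:
# domain CONTOSO, account ITM, farm name FARM / FARM.domain.local, app pool
# AppVManagement and site 'Microsoft App-V Management Service'.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory
Import-Module WebAdministration

$Domain   = 'CONTOSO'
$Account  = 'ITM'
$FarmSpns = @('http/FARM', 'http/FARM.domain.local')
$PoolName = 'AppVManagement'
$SiteName = 'Microsoft App-V Management Service'
$WinAuth  = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Refuse to continue if another principal already owns one of the SPNs.
#    With a duplicate SPN the KDC issues service tickets for the wrong
#    account, the service cannot decrypt them, and authentication falls back
#    to NTLM or fails, which looks like "service A cannot reach service B".
foreach ($spn in $FarmSpns) {
    $found = setspn -Q $spn
    if ($found -match '^CN=') {
        throw "SPN $spn is already registered:`n$($found -join "`n")"
    }
}

# 2. Register the SPNs. -S (rather than the -A used in the post) adds the SPN
#    only after confirming it is not a duplicate; the result is otherwise the same.
foreach ($spn in $FarmSpns) { setspn -S $spn "$Domain\$Account" }

# 3. Mark the account as trusted for delegation, as in the post. This is
#    unconstrained delegation; if ITM only needs to reach a known set of
#    services, constrained delegation (msDS-AllowedToDelegateTo) is the
#    least-privilege alternative.
Set-ADUser -Identity $Account -TrustedForDelegation $true

# 4. Run the management application pool as the domain account
#    (identityType 3 = SpecificUser).
$cred = Get-Credential -UserName "$Domain\$Account" -Message 'App pool identity'
Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 5. useAppPoolCredentials="true": decrypt Kerberos tickets with the app pool
#    account (the SPN owner) instead of the machine account. Scoped to the
#    site so the server-wide default is untouched.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $WinAuth `
    -Name useAppPoolCredentials -Value $true

# 6. Verify what was actually applied.
setspn -L "$Domain\$Account"
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $WinAuth `
    -Name useAppPoolCredentials
```

Step 1 is the check most often skipped: a second account (typically a computer account from an earlier setup) holding http/FARM produces exactly the "connects but cannot refresh" behaviour described, with no error in IIS.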

Answers

  • Very late reply... sorry.  I just experienced this same problem.  The key point is that when you change the service identity of the management or publishing IIS application pool, you need to update this info in the management configuration.  I removed the registered publishing servers from the management console, and replaced them with a single entry for the IIS pool identity.  This updates a table in the database with the SID of the publishing service, thus authorizing that service account to read the publishing data from the management server.

    The next piece that needed to be fixed was to grant the application pool identity "modify" rights to C:\ProgramData\Microsoft\App-V\Server.  Procmon showed that both the management and publishing metadata could not be updated because the app pool identity did not have "write" access to the metadata files.

    Finally, I had to ensure that the URLs for the management and publishing services were set correctly in the registry of each App-V server.  I had added SSL to the services after initial setup, and this broke publishing server connectivity to the management server.  The registry settings were in HKLM\Microsoft\AppV\Server\PublishingService.

    Your post above was of great help to me as I was not previously aware of the need to set useAppPoolCredentials="true" in order to get Kerberos working on IIS 7 and later.  Thanks for that tidbit!

    -J. Greg Mackinnon | Systems Administrator | University of Vermont

    Phone: 802-656-8251 | Web: http://www.uvm.edu/~jgm

    Friday, September 27, 2013 3:36 PM

All replies

  • I am interested in finding out what folks reply with, as we may have to fall back to this type of solution if SCCM 2012 can't deliver App-V 5.0 apps to our non-persistent VDI world
    Tuesday, May 14, 2013 7:42 PM
  • hello,

    Is there any reason you made all the configuration with the ITM account for the load-balancing solution, or is that a security implementation your company makes you do regardless of the load balancing?


    Nicke Källén | The Knack| Twitter: @Znackattack

    Tuesday, May 14, 2013 8:58 PM
  • Hi,

    I just followed what I thought were the best practices. Am I wrong?

    What I mean is: if I want the publishing service to answer to Kerberos requests with the name of "FARM", I do have to register the service principal name with SPN. And If I want to do so, I need to have an AD user account, I can't do it using the local service accounts of the app-v servers. Right ?

    Thanks,

    Lionel

    Wednesday, May 15, 2013 11:29 AM
  • Hello,

    There has been no official recommendation on how to configure the technical parts of load balancing, apart from this article;

    http://support.microsoft.com/kb/2780309

    Have you perhaps tested to avoid all of the above steps and instead performed a default installation and attempted to balance it like a normal website?


    Nicke Källén | The Knack| Twitter: @Znackattack

    Wednesday, May 15, 2013 11:42 AM
  • Hey J. Greg,

    You mentioned above that you "removed the registered publishing servers from the management console, and replaced them with a single entry for the IIS pool identity". How did you do this? Did you do this by editing the Management Database directly, or did you do it through the Management console? I believe I have a similar issue as the gentleman above, but this step that you mention I am unable to replicate.

    Thanks in advance,

    JD

    Tuesday, January 21, 2014 6:30 AM
  • Hi J. Greg,

    Could you please explain what you meant by below?

     I removed the registered publishing servers from the management console, and replaced them with a single entry for the IIS pool identity.

    On the Mgmt Console, you can only register/unregister servers and I couldn't understand how you replaced publishing servers with a single entry. Did you mean you registered just one server that has a custom app pool identity?

    Thank You

    • Proposed as answer by Raj Yarlagadda Friday, January 31, 2014 3:39 PM
    • Unproposed as answer by Raj Yarlagadda Friday, January 31, 2014 3:40 PM
    Friday, January 24, 2014 4:42 AM
  • Ok, we tested successfully in our environment and here are the details:

    Scenario:

    1) One Management Server and two Publishing Servers

    2) Publishing Servers are load balanced in F5 (VIP Address)

    3) Publishing Servers use Custom App pool identity (Application Pools-->AppVPublishing)

    4) App-V 5 Clients use the VIP address in the registry for Publishing Server name and URL

    Steps on SQL Side:

    1) Obtain the Object SID of the Custom App Pool Identity (ADSI Edit)

    2) Login to SQL Server as Admin and launch SQL Mgmt Studio

    3) Select App-V 5 DB and expand tables and select 'dbo.PublishingServers'

    4) Right click the above table-->'Edit Top 200 Rows'

    5) Replace 'Sid' with the one obtained in Step 1

    6) File-->Save All

    App-V Mgmt Console and Clients

    1) Add new packages

    2) From any App-V client-->Sync Publishing Server

    3) From any browser-->http://<VIP address>:889

    4) Make sure all changes on Mgmt Console are reflecting on the Clients

    Thanks to Greg who put us in the right direction even though the scenario is a bit different. Also thanks to Chuck Timon from the MS App-V team for testing with me.

    Now going back to see if we can test this using DSR method on F5 which we tested successfully with App-V 4.6 SP1 earlier. If anyone tested DSR (F5) in App-V 5, please let me know.

    Thanks

    Raj Yarlagadda




    • Proposed as answer by kirk_tnMVP Friday, January 31, 2014 3:56 PM
    • Edited by Raj Yarlagadda Friday, January 31, 2014 4:17 PM
    Friday, January 31, 2014 3:53 PM
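A read-only check covering the three failure points raised in this thread: the SID stored in dbo.PublishingServers (Raj's SQL steps above), the NTFS rights on the metadata folder and the service URLs in the registry (J. Greg's answer). This is an added PowerShell example, not code from the thread or from the App-V product. Assumed values: app pool AppVPublishing, SQL instance SQL01 with database AppVManagement, and the registry key placed under HKLM\SOFTWARE (the answer gives the key without that prefix). The column name Sid is taken from the steps above; whether it holds a string or a binary SID is not stated, so both forms are handled.

```powershell
# Added example, not from the original thread: read-only checks for the
# three things the replies above identified. Assumed values: app pool
# AppVPublishing, SQL instance SQL01 / database AppVManagement, and the
# registry key under HKLM\SOFTWARE.
#Requires -RunAsAdministrator
Import-Module WebAdministration
Import-Module SqlServer      # provides Invoke-Sqlcmd (SQLPS on older hosts)

$PoolName = 'AppVPublishing'
$MetaDir  = 'C:\ProgramData\Microsoft\App-V\Server'
$SqlInst  = 'SQL01'
$Database = 'AppVManagement'
$RegKey   = 'HKLM:\SOFTWARE\Microsoft\AppV\Server\PublishingService'
$SidType  = [System.Security.Principal.SecurityIdentifier]

# 1. The identity the publishing pool really runs as, resolved to its SID.
$pm = Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel
if ("$($pm.identityType)" -ne 'SpecificUser') {
    throw "$PoolName runs as built-in identity '$($pm.identityType)'; this check is for a custom account."
}
$account = New-Object System.Security.Principal.NTAccount($pm.userName)
$poolSid = $account.Translate($SidType).Value

# 2. What the management service has authorised: the Sid column of
#    dbo.PublishingServers. The column is normalised before comparing,
#    whether it holds a string SID or a binary one (assumption: one of the two).
$rows = Invoke-Sqlcmd -ServerInstance $SqlInst -Database $Database `
    -Query 'SELECT * FROM dbo.PublishingServers'
foreach ($row in $rows) {
    if ($row.Sid -is [byte[]]) {
        $dbSid = (New-Object -TypeName $SidType.FullName `
                    -ArgumentList ([byte[]]$row.Sid), 0).Value
    } else {
        $dbSid = "$($row.Sid)"
    }
    [pscustomobject]@{
        State   = if ($dbSid -eq $poolSid) { 'MATCH' } else { 'MISMATCH' }
        DbSid   = $dbSid
        PoolSid = $poolSid
    }
}

# 3. Direct ACEs on the metadata folder for the pool SID. The answer above
#    traced the failure with Procmon to missing write access here. Rights
#    obtained through group membership are not expanded by this check.
$acl    = Get-Acl -Path $MetaDir
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$rules  = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
    $_.IdentityReference.Value -eq $poolSid -and $_.AccessControlType -eq 'Allow'
}
$hasModify = @($rules | Where-Object { ($_.FileSystemRights -band $modify) -eq $modify }).Count -gt 0
"Modify on $MetaDir for $($pm.userName): $hasModify"

# 4. URLs the publishing service uses to reach the management service.
#    Compare these with the host names/ports the management site actually
#    listens on, especially after adding SSL as described above.
Get-ItemProperty -Path $RegKey | Select-Object -Property * -ExcludeProperty PS*
```

Run it on each publishing server. A MISMATCH in step 2 reproduces the situation Raj's steps fix; a False in step 3 is corrected with icacls "C:\ProgramData\Microsoft\App-V\Server" /grant "CONTOSO\ITM:(OI)(CI)M" (account name assumed), which grants Modify with inheritance to files and subfolders.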
  • I have documented the steps to change an App-V 5.0 environment into a load balanced one.  See the instructions at http://www.thinclient.net/blog/?p=344

    This will work for new environments or existing environments and does not entail any database editing.

    • Edited by Hal Lange Tuesday, February 04, 2014 7:46 PM
    • Proposed as answer by znackMVP Tuesday, February 04, 2014 7:52 PM
    Tuesday, February 04, 2014 7:45 PM
  • hi

    do you need to do the SPN work if all you are load balancing are the Publishing servers and the Content share (HTTP) via F5s?

    Reason I ask is our F5 / App-V solution hasn't required us to make any additional IIS changes.


    Friday, February 07, 2014 10:38 AM
  • I have 2 publishing servers listed under this "edit top 200 rows". You want to modify the SID of the publishing servers' computer accounts to the custom app pool identity's SID? You can't have the same SID listed for both?
    Thursday, February 27, 2014 9:37 PM