locked
App-V 5 Package AD Access Issues RRS feed

  • Question

  • Hi everyone,

    I'm having some issues targeting applications to specific users. 

    A bit of background: This is a POC lab environment, running a Windows 2008 R2 domain controller, a single App-V server running both the Management service and Publishing service, and a couple of Windows 7 clients for testing. The Publishing service is set to update every 5 seconds (rather than the default 10 minutes) for the sake of testing.

    I have a couple of groups in AD designed for targeting applications to users. Currently I have a group for FileZilla and Google Chrome, which my user account is a member of. If I publish FileZilla and use the FileZilla AD group as its "AD Access", it never gets published for me, even though I am in the AD group. I see this when I navigate to the publishing server URL:

    - <Publishing Protocol="1.0">
      <Packages /> 
      </Publishing>

    However, if I add the group Domain Users to the AD Access for FileZilla, it publishes fine, and I see this:

    - <Publishing Protocol="1.0">
    - <Packages>
      <Package PackageId="8a77e6b3-6288-41f3-bed0-df2a229ffb2e" VersionId="1ffc7c2d-c7f2-4d13-ad5c-a90a9d0e457d" PackageUrl="\\localhost\AppVShare\FileZilla 3.6.0.2\FileZilla 3.6.0.2.appv" /> 
      </Packages>
    - <NoGroup>
      <Package PackageId="8a77e6b3-6288-41f3-bed0-df2a229ffb2e" /> 
      </NoGroup>
      </Publishing>

    So my question is, what am I missing with the application specific AD group that is stopping the applications publishing for people who are a member of it? I have tried a few things such as changing the group from Domain Local to Global, and I have tried a couple of other applications and groups with the same result.

    Thanks in advance for any assistance.

    Thursday, March 7, 2013 10:33 AM

Answers

  • hi everyone,

    I've opened a support request to Microsoft for a similar issue, the virtual application were not published when the user's membership is modified.

    they have confirmed this as a bug and the hotfix will be released for Spring/Summer 13. Unfortunally I don' know if some KB has been wrote.

    as workaround, you can logoff/logon or use the klist purge - klist tgt to renew the Kerberos token.

    Friday, March 8, 2013 4:20 PM

All replies

  • Just to be sure: you did log off and on again, so that your user's Kerberos ticket contains the new Firefox group membership, didn't you?



    Falko

    Twitter @kirk_tn   |  Blog kirxblog   |  Web kirx.org

    Thursday, March 7, 2013 11:58 AM
    Moderator
  • Hey kirk_tn,

    I have indeed yeah, thanks for checking though!

    Thursday, March 7, 2013 12:01 PM
  • Has it got anything to do with the scope of the groups (i.e. Local, Global, Universal etc)

    Your package URL won't work to well either - you've got \\localhost listed, which will prevent the app from streaming.



    Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually answer your question). This can be beneficial to other community members reading the thread.


    This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.

    Twitter: @stealthpuppy | Blog: stealthpuppy.com | The Definitive Guide to Delivering Microsoft Office with App-V

    Thursday, March 7, 2013 12:11 PM
    Moderator
  • Hm,

    it doesn't matter if wheter the groups are domain local, global or universal (as long as all happens in the same domain). I suppose that you used the 'search' feature of the Managemend console to add the group ('domain\gro' -> Search -> 'domain\groupname123'). For tests you should make sure that the app only has one group assigned in the App-V Management console (just incase).

    When you open the publishing server url in a browser: do you need to authenticate? (probably not.. I'm just guessing). Is there anything in the event log (client, publishing server)?

    BTW in the above example you're passing '\\localhost\...' to the clients... and unless all you clients have local copies of the app-v files or you use PackageSourceRoot this potentially would fail on the clients.



    Falko

    Twitter @kirk_tn   |  Blog kirxblog   |  Web kirx.org

    Thursday, March 7, 2013 12:17 PM
    Moderator
  • Yeah I realised the //localhost/ path was a problem about 10 minutes after I posted this, and I corrected it thinking it might be the cause of this problem. Sadly it still isn't working (I have corrected that path to point to the server now).

    I have also tried changing the security group between being Domain Local, Global, etc.

    When I browse to the publishing server URL I do not have to authenticate. And yes, I did use the search function (searched for POC/FileZilla) and it appears, I then select it and click Grant Acess.

    I am going to create a separate set of servers to do the App-V installation again to see if I have just missed something silly, and to check if it's just this installation, or all.

    Thursday, March 7, 2013 12:29 PM
  • hi everyone,

    I've opened a support request to Microsoft for a similar issue, the virtual application were not published when the user's membership is modified.

    they have confirmed this as a bug and the hotfix will be released for Spring/Summer 13. Unfortunally I don' know if some KB has been wrote.

    as workaround, you can logoff/logon or use the klist purge - klist tgt to renew the Kerberos token.

    Friday, March 8, 2013 4:20 PM