App-V 5.0 Management Server and Publishing Server using DNS and Domain account for App Pool identity

  • Question

  • Hey

    So this is my first Technet post so apologies if I am missing required information.

    I work in an IT shop that has some very specific security considerations for web apps and I am being forced to use certain technologies whilst configuring my App-V server infrastructure.

    I am installing the App-V 5.0 SP1 Management Server, Publishing Server, Reporting Server and associated databases on the same machine (Windows 2008 R2 and SQL 2008 R2). I have been asked to use a DNS-registered URL (xxx.xxx.xxx) to resolve the machine and I need to set the bindings of the Publishing and Management web sites to use this URL. I have also been asked to set up a service account (domain based) and I need to set the app pool identity of the Publishing and Management app pools to run as this domain-based account. I have given access to the management database for this service account. I have also given access to the publishing source for this service account. I am able to get the management console to work with this configuration but I am unable to get the publishing service to work with this configuration, and I was hoping that someone out there may have gone down the same track, as I am not sure if this is a configuration supported by Microsoft. These are websites so I don't see why not.

    Any help would be very much appreciated.

    Thanks.

    JD.

    Tuesday, January 21, 2014 6:24 AM

All replies

  • What do you mean by unable to get the Publishing Service to work? What's the result of going to the Publishing Server URL in a browser? Are there error messages in the event logs?




    This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.

    Twitter: @stealthpuppy | Blog: stealthpuppy.com | The Definitive Guide to Delivering Microsoft Office with App-V

    Tuesday, January 21, 2014 4:18 PM
    Moderator
  • Hey Aaron,

    Thanks for your response. I shall try to give you as much information as I can.
    During my investigation to get you as much detail as possible I have managed to figure out that it may (or may not) be an issue with packages.
    It seems that I have one application that does work and another that doesn't.

    So this is what has transpired. I have removed any naming that is specific to my organisation. I don't think my security guys would be keen to see me posting domain names on here :-)

    1. From my client machine. I launch Internet Explorer with an account that is a member of the group added as admin in the App-V console and I can reach the management console using the DNS entry http://app-vmanagement.xxx.xxx.xxx.xxx:8080/console.html.
    I can see packages, I can add packages and everything looks to be working ok.

    2. From my client machine. With the same Internet Explorer window I can access http://app-vpublishing.xxx.xxx.xxx.xxx:8081/ and I get..

    <Publishing Protocol="1.0">

    <Packages />

    </Publishing>

    This I believe means that I can see the publishing web site but there are no packages for the userID I am using to access it. Which is correct.

    3. From my client machine I launch IE as a standard user and I see the same XML as in step 2. Everything looks rosy at this point!

    4. Now I add the same standard user to an AD security group that has been set up with access to an App-V package (7-Zip) in the console. I jump back onto my client machine, launch a command prompt within the standard user context (our standard users don't have any form of admin - not power users) and run a Sync-AppvPublishingServer.

    5. Still on the client machine. The app is streamed and it works. I now move to test the machine-based apps.

    6. I add a machine record to the same 7-zip group, log off, log back on and it streams fine.

    Now to the issue (you are thinking "where is the issue!"). I have another app (Visio 2010) that is hosted on the same share as 7-Zip. The security access for the .appv files is the same for each and Visio has been tested successfully alongside 7-Zip through another client.

    I add visio to the console. I add the security group (this group is in the same OU as the 7-zip group) to the app on the console and then I publish the application. Everything looks good on the console and in the server. I can even jump into the database and I can see the app in the dbo.applications table.

    The event log on the App-V management server has an entry for a successful package version update for the app I have just added. Still on the client machine I log off and then log back on again hoping to see the application appear; however it doesn't.

    So to the event log on the client machine... No errors.

    - Eventlog entries on the Server

    Server-Management Package version '{67b7ec90-d430-4d70-94b1-12e871aca237}' is successfully updated. This is the package version of the app I have just added.

    Server-Publishing

    Failed to refresh publishing metadata.

    Message: DownloadMetadataError (URL: http://app-vmanagement.xxx.xxx.xxx.xxx:8080/Publishing/Metadata/) Details: An exception occurred during a WebClient request.

    Server-Publishing-Private

    Failed to refresh publishing metadata. Message: DownloadMetadataError (URL: http://app-vmanagement.xxx.xxx.xxx.xxx:8080/Publishing/Metadata/) Details: An exception occurred during a WebClient request.
    Stack Trace:
    at Microsoft.AppV.Server.Publishing.HttpPublishingMetadataSource.DownloadToLocalFile(WebClientExtended webClient, String url, Int32 timeout, String sequenceNumber, String localFile)
    at Microsoft.AppV.Server.Publishing.HttpPublishingMetadataSource.GetPublishingMetadata(String url, Int32 timeout, String sequenceNumber, String localFile)
    at Microsoft.AppV.Server.Publishing.DataManager.RefreshPublishingMetadata()
    at Microsoft.AppV.Server.Publishing.DataManager.DoRefreshOnTimeEvent()

    Publishing website LogFile

    2014-01-23 03:40:01 <server ip address> GET / ClientVersion=5.0.1104.0&ClientOS=WindowsClient_6.1_x64 8081 - <Workstation IP Address> App+Virt+Client/1.0 401 2 5 0

    2014-01-23 03:40:01 <server ip address> GET / ClientVersion=5.0.1104.0&ClientOS=WindowsClient_6.1_x64 8081 DOMAIN\USERID <Workstation IP Address> App+Virt+Client/1.0 200 0 0 249

    2014-01-23 03:40:01 <server ip address> GET / ClientVersion=5.0.1104.0&ClientOS=WindowsClient_6.1_x64 8081 - <Workstation IP Address> App+Virt+Client/1.0 401 2 5 0

    2014-01-23 03:40:01 <server ip address> GET / ClientVersion=5.0.1104.0&ClientOS=WindowsClient_6.1_x64 8081 DOMAIN\Workstation_Name <Workstation IP Address> App+Virt+Client/1.0 200 0 0 249

    I have some failed request tracing set up as well but I don't think you want to see a massive dump of XML in here, but I can get that for you as well if you want. This seems like a strange issue but I am almost certain it has something to do with permissions somewhere along the line. Thanks again for your help.

    JD



    • Edited by jd0739 Monday, January 27, 2014 9:42 PM
    Thursday, January 23, 2014 6:05 AM
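The IIS log lines quoted above show the pattern that is easy to misread as a failure: each client connection first gets an anonymous 401 with substatus 2 (the Windows-authentication challenge; sc-win32-status 5 is ERROR_ACCESS_DENIED), and the retry carrying the Negotiate/NTLM token is logged as 200 with the user or machine account in cs-username. The script below is an added example, not code from this thread or from the App-V product: it parses W3C-format IIS log text, pairs challenges with their authenticated follow-ups per client IP, and also counts requests that arrive without the ClientVersion/ClientOS query string the publishing site expects. The sample log is constructed from the lines in the post above with made-up IP addresses; the last sample line (no query string, no authenticated retry) is an assumed failure case added for contrast.

```powershell
# Added example (not from the thread): classify App-V publishing-site IIS log
# entries so that the normal Windows-auth challenge/response (anonymous 401.2
# followed by an authenticated 200 from the same client) is not mistaken for
# an access-denied failure.
# Sample log constructed from the post above; IPs are made up and the final
# line is an assumed failure case (no ClientVersion/ClientOS, no 200 follow-up).
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-01-23 03:40:01 10.0.0.5 GET / ClientVersion=5.0.1104.0&ClientOS=WindowsClient_6.1_x64 8081 - 10.0.0.50 App+Virt+Client/1.0 401 2 5 0
2014-01-23 03:40:01 10.0.0.5 GET / ClientVersion=5.0.1104.0&ClientOS=WindowsClient_6.1_x64 8081 DOMAIN\USERID 10.0.0.50 App+Virt+Client/1.0 200 0 0 249
2014-01-23 03:40:01 10.0.0.5 GET / ClientVersion=5.0.1104.0&ClientOS=WindowsClient_6.1_x64 8081 - 10.0.0.50 App+Virt+Client/1.0 401 2 5 0
2014-01-23 03:40:01 10.0.0.5 GET / ClientVersion=5.0.1104.0&ClientOS=WindowsClient_6.1_x64 8081 DOMAIN\WORKSTATION$ 10.0.0.50 App+Virt+Client/1.0 200 0 0 249
2014-01-23 03:41:10 10.0.0.5 GET / - 8081 - 10.0.0.51 App+Virt+Client/1.0 401 2 5 0
'@

# Parse W3C extended log text into objects, taking the column names from the
# '#Fields:' header so the parser is not tied to one field layout.
function ConvertFrom-IisW3cLog {
    param([Parameter(Mandatory = $true)][string]$Text)
    $fields = @()
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line.StartsWith('#') -or $line.Trim().Length -eq 0) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated or malformed lines
        $row = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row | Add-Member -MemberType NoteProperty -Name $fields[$i] -Value $values[$i]
        }
        $row
    }
}

# One summary row per client IP. Under Negotiate/NTLM each new connection
# starts with an anonymous request that IIS answers 401.2 plus a
# WWW-Authenticate challenge; the retry carries the token and is logged 200
# with cs-username filled in. Only a 401 with no authenticated 200 behind it
# is a real authentication failure.
function Get-AppvPublishingAuthSummary {
    param([Parameter(Mandatory = $true)][string]$LogText)
    $entries = @(ConvertFrom-IisW3cLog -Text $LogText)
    foreach ($group in ($entries | Group-Object -Property 'c-ip')) {
        $challenges = @($group.Group | Where-Object { $_.'sc-status' -eq '401' -and $_.'cs-username' -eq '-' })
        $successes  = @($group.Group | Where-Object { $_.'sc-status' -eq '200' -and $_.'cs-username' -ne '-' })
        # Requests without ClientVersion/ClientOS are the ones behind the
        # "request URL doesn't contain the query string" events seen later in the thread.
        $missingQuery = @($group.Group | Where-Object {
            $_.'cs-uri-query' -notmatch 'ClientVersion=' -or $_.'cs-uri-query' -notmatch 'ClientOS=' })
        $identities = @($successes | ForEach-Object { $_.'cs-username' } | Sort-Object -Unique)
        if ($successes.Count -gt 0 -and $successes.Count -ge $challenges.Count) {
            $verdict = 'OK: Windows auth handshake completed'
        } elseif ($successes.Count -gt 0) {
            $verdict = 'Partial: some challenges never completed'
        } else {
            $verdict = 'FAIL: no authenticated request; check app pool identity, auth providers and SPNs'
        }
        New-Object PSObject -Property @{
            ClientIp           = $group.Name
            Challenges401      = $challenges.Count
            Authenticated200   = $successes.Count
            Identities         = ($identities -join ', ')
            MissingClientQuery = $missingQuery.Count
            Verdict            = $verdict
        }
    }
}

Get-AppvPublishingAuthSummary -LogText $SampleLog |
    Select-Object ClientIp, Challenges401, Authenticated200, Identities, MissingClientQuery, Verdict |
    Format-Table -AutoSize
```

To run it against a real log, replace $SampleLog with `Get-Content C:\inetpub\logs\LogFiles\W3SVC<id>\u_ex*.log | Out-String` for the publishing site's log directory (the site ID is an assumption to fill in from IIS Manager). Log files rotated by IIS repeat the `#Fields:` header, which the parser handles. Note that the summary reads per-IP counts, so a workstation that authenticated as both a user and the machine account, as in the post above, shows both identities on one row.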
  • bump*
    Monday, January 27, 2014 3:46 AM
  • Hello,

    So the error code (401) means unauthorized access.

    Essentially you are saying;

    AppA and AppB have the same permissions, but a single client can stream AppA - but not AppB?

    Have you checked that the permissions are the same on the individual files?


    Nicke Källén | The Knack| Twitter: @Znackattack

    Monday, January 27, 2014 7:39 PM
  • Hey Nicke,

    That's correct. A single client can stream AppA; I can remove the user or machine from the AppA resource group, re-sync and the app disappears. I can re-add the user/machine to the AppA resource group, re-sync and the app is added back again. But for AppB I get nothing. I add the machine or user into the group associated with AppB and a re-sync does nothing. I have tried adding the resource group for AppA as the resource group for AppB (just to discount group issues) but AppB still does not work. I have checked permissions on both .appv files a number of times and I cannot see any difference (unless there is something I am missing). I have gone back to a test bed environment to see if I can get it working there and then hopefully I can replicate settings.

    Its a fun one. Thanks for your reply.

    I also noted in my second post that some of the log entries weren't formatted very well so I edited the post.

    JD


    • Edited by jd0739 Monday, January 27, 2014 9:43 PM
    Monday, January 27, 2014 9:41 PM
  • Hey Nicke,

    So I have moved back to my test bed and I have set up the same configuration. I have been able to get the publishing server working (using dns entries and domain accounts for App Pool identities), but only for user accounts. It will not work for Machine based publishing. In the event log I see

    "The request URL doesn't contain the query string for the client OS"

    and

    "The request URL doesn't contain the query string for the client version"

    Not sure if you have seen this message before?

    Thanks

    JD

    Wednesday, January 29, 2014 7:27 AM
    I have also been getting "Failed to pre-load publishing metadata

    Message: DownloadMetadataError (URL: http://app-vmanagement.test.local:8080/Publishing/Metadata/)

    Details: Unable to connect to the remote server"

    This is in the Server-Publishing event log on the App V management/publishing server.

    Both services are on the same server. These are the same messages that I have been getting on my dev servers as in my post above.

    Is it simply not capable of working when using service accounts for both app pools?

    Wednesday, January 29, 2014 7:33 AM
  • Could it be that the publishing service app pool does not need to run with a domain identity as it is not calling back to the database?

    Is it only the management web service that communicates with the back end database?

    Wednesday, January 29, 2014 7:36 AM
  • Hello,

    The publishing server only communicates with the management server. Default polling interval is 15 minutes I believe...

    The client talks to the publishing server. The management server talks to the database...


    Nicke Källén | The Knack| Twitter: @Znackattack

    Wednesday, January 29, 2014 8:13 AM
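Nicke's reply pins down the one server-to-server link in this design: the publishing service polls the management server's /Publishing/Metadata/ URL on a timer, and it does so with the identity of the publishing app pool, so that is the account whose access to the management site matters (the question two posts up about whether the publishing pool needs a domain identity at all is really a question about this poll, since the publishing service itself never opens the database). The script below is an added example, not code from this thread or from App-V: run on the publishing server, it lists which identity each App-V app pool actually runs as and then reproduces the metadata poll with a plain System.Net.WebClient using default credentials, the same class the stack trace in the earlier post shows the service using, so that a DownloadMetadataError can be reproduced interactively and the HTTP status (or lack of one) read off. Assumptions, all labelled in the code: App-V app pool names contain "AppV" (installer default); the management URL is taken from the publishing service's registry value PUBLISHING_MGT_SERVER under HKLM\SOFTWARE\Microsoft\AppV\Server\PublishingService if present, otherwise from a placeholder parameter; the service account name in the comments is made up.

```powershell
# Added example (not from the thread). Run this on the App-V publishing server.
# Assumptions: App-V app pool names contain "AppV" (installer default); the
# management server URL is read from the publishing service's registry value
# PUBLISHING_MGT_SERVER if it exists, otherwise from the -ManagementUrl
# parameter (placeholder host name below). System.Net.WebClient is used so the
# script also runs on the PowerShell 2.0 shipped with Windows Server 2008 R2.
param([string]$ManagementUrl = 'http://app-vmanagement.test.local:8080')

Import-Module WebAdministration

$regKey = 'HKLM:\SOFTWARE\Microsoft\AppV\Server\PublishingService'
if (Test-Path $regKey) {
    $fromReg = (Get-ItemProperty -Path $regKey).PUBLISHING_MGT_SERVER
    if ($fromReg) { $ManagementUrl = $fromReg }
}
$metadataUrl = $ManagementUrl.TrimEnd('/') + '/Publishing/Metadata/'

# 1. Which identity does each App-V application pool run as?
#    identityType 'SpecificUser' means a configured (here: domain) account;
#    userName is the account the publishing poll will present to the management site.
Write-Host 'App-V application pool identities:'
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.Name -like '*AppV*' } |
    ForEach-Object {
        '{0,-32} state={1,-8} identityType={2} user={3}' -f $_.Name, $_.State,
            $_.processModel.identityType, $_.processModel.userName
    }

# 2. Reproduce the metadata poll with the credentials of the current logon.
#    Start this shell as the publishing pool's service account, for example
#    runas /user:DOMAIN\svc_appvpub powershell.exe   (account name is made up)
#    so the result is about that account and not about your admin account.
Write-Host "`nFetching $metadataUrl as $env:USERDOMAIN\$env:USERNAME ..."
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
try {
    $bytes = $wc.DownloadData($metadataUrl)
    'OK: HTTP 200, {0} bytes of publishing metadata' -f $bytes.Length
}
catch {
    # PowerShell may wrap the .NET exception; unwrap to the WebException.
    $ex = $_.Exception
    if ($ex.InnerException -is [System.Net.WebException]) { $ex = $ex.InnerException }
    if ($ex -is [System.Net.WebException] -and $ex.Response) {
        # An HTTP answer came back: 401/403 point at authentication or ACLs on
        # the management site for this account; 404 at a binding or host-name
        # mismatch with $ManagementUrl.
        'FAIL: HTTP {0} {1}' -f [int]$ex.Response.StatusCode, $ex.Response.StatusDescription
    } else {
        # No HTTP answer at all (DNS, binding, port, firewall, or site stopped):
        # this is the "Unable to connect to the remote server" case from the event log.
        'FAIL: no HTTP response - {0}' -f $ex.Message
    }
}
finally { $wc.Dispose() }
```

Two general IIS points apply when reading the result, neither of which the thread itself establishes for this installation: with both sites on one host and a domain account as pool identity, the management site's Windows authentication must accept that account (its anonymous-versus-Windows-auth settings and any URL or file ACLs), and when a DNS alias rather than the machine name is used in the URL, Kerberos will only work if the HTTP/<alias> SPN is registered on the account the pool runs as (`setspn -L DOMAIN\svc_account` lists what is registered, `setspn -Q HTTP/app-vmanagement.test.local` shows who holds it); without it Negotiate either falls back to NTLM or fails, which is what the 401-with-no-200 pattern in the publishing log looks like.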
  • Hello,

    Did you manage to resolve the above issue. I am also facing the same.

    Friday, May 9, 2014 5:40 AM