App V - Client and Management Server authentication mechanism

  • Question

  • I'm new to App V and I just finished configuring a small test environment. I'm curious to find out in-depth info on what exactly is the authentication mechanism used between the Management Server and App-V clients. When do App-V clients check for new published apps during the log on process? Does it rely on AD and if there is a log on script that runs in the back to check? How would App-V clients who are offsite check for new published apps if they are logged on through cache before making the connection to the streaming server?
    Thursday, June 4, 2009 10:13 AM

All replies

  • Hello,

    This white-paper describes the actual process of server and client interaction;
    http://download.microsoft.com/download/f/7/8/f784a197-73be-48ff-83da-4102c05a6d44/AppPubandClientInteraction.docx
    App-V Application Publishing and Client Interaction

    /Znack
    Thursday, June 4, 2009 10:18 AM
  • Thanks Znack, as I'm reading the Publishing Refresh section. On the 1st point, it says the client computer sends the user's Kerberos ticket to the Management Server for authentication. How can this happen if the client computer is offsite and VPNs in after they logged on to their computer through cached credentials?
    Thursday, June 4, 2009 4:54 PM
  • Hello,

    I posted this in a similar question in the client forum;

    RequireAuthorizationIfCached

    DWORD

    Default=1

    Indicates that authorization is always required, whether or not an application is already in cache. Possible values:

    0=False: Always try to connect to the server. If a connection to the server cannot be established, the client still allows the user to launch an application that has previously been loaded into cache.

    1=True (default): Application always must be authorized at startup. For RTSP streamed applications, the user authorization token is sent to the server for authorization. For file-based applications, file ACLs control whether a user may access the application.

    Applied the next time an application is started.

    This value indicates that the client will not try to require an authorization if the application is cached.

    Can be set during a custom installation or via the registry-key

    /Znack
    Thursday, June 4, 2009 5:31 PM
  • I should have phrased it better; what I'm trying to say is, if I have a laptop floating outside of my network and I decide to publish an app to that user, how can that user receive the app if they log in to their computer first (cached) before making the VPN connection to the office? Since any updates are done during log on/log off.
    Thursday, June 4, 2009 5:40 PM
  • Hello,

    I believe the CU1 update might have changed this behaviour, but apart from that you're correct. Meaning, the user will not receive the application.

    The CU1 update specifically addresses a behaviour that would resolve that issue, but I am not certain how that works or what has actually changed.

    I would test the scenario with a CU1 server and client.
    (and if the app is received I would ask MS to update the documentation...)

    (and to clarify; the refresh operation is only initiated against a management-server. If msi / sccm is used, other things are in play)

    /Znack
    • Edited by znack Thursday, June 4, 2009 6:01 PM
    Thursday, June 4, 2009 5:45 PM
  • Thanks for your reply Znack, please do post an update if you hear anything back from MS. I'm really interested in finding out.
    Thursday, June 4, 2009 5:51 PM
  • Assuming that the user logs onto the notebook using the AD account (cached credentials), the user's Kerberos information should be fine.

    A user can initiate a "Server Refresh" at almost any time.

    The easiest way to do this is to force the App-V Client to "always show tray icon" (I don't have an App-V client nearby, but it could be "SOFTWARE\Microsoft\SoftGrid\4.5\Client\CustomSettings") and set "TrayVisibilty" to 1 (=show always).
    The user can then right-click on that icon and perform the Refresh. This icon also indicates to the user whether the App-V client "feels" online (orange) or offline (blue).

    Please note that the refresh can only be performed if the client is "online". Also, if you test the registry (or Client MMC) setting, be aware that the icon only appears _after_ you have started an application - or logged off and on again.

    Also you can use "sfttray /refreshall" to initiate the refresh.



    Falko
    Saturday, June 6, 2009 4:27 PM
    Moderator