In my last post I discussed issues around Kerberos configuration for an App-V 5 server cluster in a load balanced configuration. Today I will discuss subsequent configuration requirements for making App-V publishing function in a load-balanced environment.
After configuring standalone app-V servers with Management and Publishing Server roles, I had good success with adding packages to the environment and publishing them. However, when switching to a load balanced configuration, I experienced a failure of the publishing server to pick up on changes in the management configuration. Helpful resources and troubleshooting notes follow:
- A TechNet social page that I referenced in my previous post makes reference to this same problem:
But does not point me towards any solutions. This seems like some sort of permissions problem, so I put Sysinternals Procmon on watching w3wp.exe for “Access Denied” events, but I get nothing. However, I do see a fair amount of database traffic at IIS startup time.
- The following TechNet blog provided a key tipoff in App-V server diagnostics:
The trick was to select “Show Analytic and Debug Logs” under “Actions” in the event viewer. With this option enabled, I now see App-V management and publishing debug logs instead of just the default App-V event logs. The debug logs contain the real error. We see that the SID recorded for the publishing server in the management server database does not match the SID of the account making the connection! What we needed to do was delete the publishing server entries from the management configuration, and create one new “server” under the name of the publishing server service account, not the computer account. I just updated the SQL database entry manually, but I likely could have just used the Silverlight UI instead. This change cleared up the mismatched SID error, but now we get an “access denied” error to the publishing metadata directory.
- The following blog gives an excellent technical overview of App-V server infrastructure and the general troubleshooting process for resolving configuration issues:
- Here it is suggested that I look at HKLM/Software/Microsoft/AppV/Server to review the management and publishing server configurations. Sure enough, one problem seen here is that the publishing server is configured to connect to the management server on an http:// address. However, I updated the management servers to use https://. I modified those registry values and restarted IIS. Still no luck…
- This blog explains how published applications are read out of a metadata xml file that is exposed to the publishing server by the management server. Both are stored in c:programdatamicrosoftappv. When running Procmon.exe against w3wp.exe we see “Access Denied” to these directories by our service account. After adding “modify” rights for the service account to these directories, metadata updates again start to happen.
It is unsurprising that switching form the use of a local server account to an AD service account caused access problems for the App-V server. The difficulty of discovering where account info and rights needed to be updated was a bit of a surprise. But thanks to the blog-o-sphere and the mighty “procmon.exe”, we have our answers.
Now on to performance testing…