App-V Remote Management

02 May 2011 at 14:10 Wouter Arts General

Again a blog about App-V and this time the subject is remote management of an App-V infrastructure.

When I say remote management of an App-V infrastructure I mean the App-V Management Console component from the App-V server installation is installed on a workstation.

 

First of all, App-V Remote Management can be quite delicate because of the double-hop authentication between the machine on which the Management Console is installed, the App-V server and the SQL Database server hosting the APPVIRT database. To visualize the double-hop authentication I created the following image:

 

I would like to refer to a great blog post written by J.C. Hornbeck from Microsoft about Remote Management of App-V:

http://blogs.technet.com/b/appv/archive/2009/04/21/app-v-4-5-remote-console-configuration-guide.aspx

 

In the mentioned article all of the most common steps to get remote management of App-V going are described in great detail and you are good to go.

But… in my case it wasn't and I got an error saying:

 

Unable to log into the Application Virtualization System.

The specified user is not authorized to administer this system.

Error code: 0000C803

 

Other than the 000C803 error I have also seen the 000C801 and 000C800 errors.

In this case we are using Windows 7 x64 Service Pack 1 as a workstation; it's also common to use a dedicated management server from which you manage infrastructure components like Active Directory, Exchange, App-V etc. In this scenario we are using 6 App-V servers divided over various sites. All the servers return the same error code.

Because of our Partner Relationship with Microsoft we are entitled to open support cases to resolve technical issues and so I did.

 

I started with App-V support from Microsoft in the Netherlands and they pointed out the blog from J.C. Hornbeck and I checked the requirements described in the blog.

First I delegated all the Active Directory App-V HTTP Server Computer Objects to any service (Kerberos only).

 

Delegation of App-V Server Computer Accounts

The first requirement for remote management of the App-V infrastructure is that the computer accounts of the servers running IIS are trusted for delegation within Active Directory. Delegation is set in the properties of the computer object of each App-V server in Active Directory.

 

 

Service Principal Names

Another requirement for remotely managing the App-V infrastructure is the Service Principal Names (SPNs) for the App-V servers and the SQL server in Active Directory. In this infrastructure the App-V SPN records were added correctly by the App-V installation process. The SPN record of the service account under which the SQL database service is running was added manually.

 

 

The SPN Records can also be modified using ADSIEDIT instead of the SETSPN.EXE command line tool.

 

 

But of course real men don't click… :)

 

Use Global Group instead of Local Group for App-V Administrators

Another requirement for remote management of App-V is that the Active Directory User Group is a Domain Global group instead of a Domain Local Group.

This isn't documented quite well but is an absolute requirement.

 

Please note: Be very careful when modifying or recreating groups in an existing App-V infrastructure, you can lock yourself out quite easily.

 

If you do so, like I did... :) you can get control over your App-V infrastructure back by resetting the administrators via the App-V Management Console or by manually editing the data in the SQL database table that stores the App-V administrators. Of course editing the database directly is not supported by Microsoft and is performed at your own risk!

 

 

 

Maximum request length and value settings WWW Service

Two registry entries have to be added to the Parameters key of the World Wide Web service section of the registry. The additional entries increase the maximum length and header size of the HTTP requests. Increasing these values is needed because the request is sent as an HTTP request and the length and size can be quite large because all the group memberships are parsed into one URL.

 

The following registry key has to be imported on all the App-V servers to set the maximum values correctly.

 

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"MaxFieldLength"=dword:0000fffe
"MaxRequestBytes"=dword:01000000

 

 

 

 

Please note: The MaxFieldLength and MaxRequestBytes values have to be DWORD (32bit) values instead of QWORD (64bit) values.
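A way to check a .reg export before importing it on every App-V server, as an added example that is not part of the original post. It flags a non-DWORD type and the mistake of typing the decimal digits into a hexadecimal field; `check_reg_export` and the `BAD` sample are constructed for illustration.

```python
import re

# Expected decimal values for the two settings, as stated on this page
EXPECTED = {"MaxFieldLength": 65534, "MaxRequestBytes": 16777216}
VALUE_RE = re.compile(r'^"([^"]+)"=([a-z]+(?:\([0-9a-f]+\))?):(.*)$', re.I)

def check_reg_export(text):
    """Return a list of problems with the two HTTP Parameters values."""
    problems, seen = [], set()
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m or m[1] not in EXPECTED:
            continue
        name, kind, data = m[1], m[2].lower(), m[3].strip()
        seen.add(name)
        if kind != "dword":
            # regedit exports a QWORD as hex(b):..., never as dword:
            problems.append(f"{name}: type {kind} is not DWORD (32-bit)")
            continue
        value = int(data, 16)  # dword data in a .reg file is always hexadecimal
        if value == EXPECTED[name]:
            continue
        if data.lstrip("0") == str(EXPECTED[name]):
            problems.append(
                f"{name}: decimal digits {data} were entered as hex (= {value})")
        else:
            problems.append(f"{name}: value {value}, expected {EXPECTED[name]}")
    problems += [f"{n}: missing" for n in EXPECTED if n not in seen]
    return problems

KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]"
# The export shown on this page
GOOD = KEY + '\n"MaxFieldLength"=dword:0000fffe\n"MaxRequestBytes"=dword:01000000\n'
# Constructed bad export: decimal digits typed as hex, and a QWORD value
BAD = (KEY + '\n"MaxFieldLength"=dword:00065534\n'
       '"MaxRequestBytes"=hex(b):00,00,00,01,00,00,00,00\n')

if __name__ == "__main__":
    print(check_reg_export(GOOD))
    for problem in check_reg_export(BAD):
        print(problem)
```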

 

Well that's it then isn't it?

After following all the steps described above we should be all good to go, but…

In this scenario we still get the same 0000C803 error code when trying to connect the App-V Management Console to one of the App-V servers.

So back to Microsoft then, asking for additional troubleshooting to solve this issue. Microsoft claims that 9 out of 10 times the 0000C803 error is resolved by following the steps described in the blog. I still wonder why Microsoft hasn't published a Knowledge Base article about this issue and refers to a blog instead, but that's a different story. After I told Microsoft that the steps in the blog didn't resolve my issue, the support case was escalated to the United Kingdom. After verifying that all the steps described in the blog had been followed successfully, we started gathering information on different levels and provided it to Microsoft for research.

 

Network traces

The information gathered included a whole lot of network traces made with Wireshark (http://www.wireshark.org). The traces captured access to the App-V HTTP URL on the App-V web server and the connection from the App-V Management Console to the App-V server, thereby reproducing the error.

The URL of the App-V server which the Management Console uses when connecting is : http://<APP-V-SERVER>/SoftGridManagement/Authorization.rem?wsdl

Depending on whether you are using SSL to secure the website, the URL may be https://...

 

Please note: When using SSL, network traces won't give you any additional information because the network traffic is encrypted.

 

App-V Management Console logfiles

In addition to the network traces we also examined the App-V logfiles which are generated by the App-V Management Console and saved in a text file named sftmmc.txt

 

Conclusion after investigating supplied information

After investigating all the supplied logfiles, network traces and an online meeting Microsoft concluded that the cause of this issue was related to Kerberos authentication.

Therefore the case was handed over to another team and a Kerberos expert investigated all the traces and provided logfiles again.

From one of the network traces we could tell that NTLM authentication was used between the App-V Management Console and the App-V server instead of Kerberos authentication.
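How to tell from a trace which mechanism the console actually used, as an added example that is not part of the original post: the token in the HTTP Authorization header identifies itself in its first bytes. The function names, the request lines and both tokens are constructed for illustration; real header lines would come from the capture.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded Kerberos mechanism OIDs as they appear inside SPNEGO tokens
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2

def classify_authorization(value):
    """Classify an HTTP Authorization header value by the token it carries."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"  # raw NTLM message, even when the scheme says Negotiate
    if token[:1] in (b"\x60", b"\xa1"):  # GSS-API initial token or SPNEGO reply
        if NTLMSSP_SIG in token:
            return "ntlm-in-spnego"
        if OID_KRB5 in token or OID_MS_KRB5 in token:
            return "kerberos"
    return "unknown"

def summarize(trace_lines):
    """Return (request line, verdict) for each request carrying Authorization."""
    results, request = [], None
    for line in trace_lines:
        if line.startswith(("GET ", "POST ")):
            request = line
        elif line.lower().startswith("authorization:"):
            results.append((request, classify_authorization(line.split(":", 1)[1])))
    return results

def encode_token(raw):
    return base64.b64encode(raw).decode()

# Constructed tokens, not taken from a real capture: an NTLM NEGOTIATE message
# and the first bytes of a SPNEGO NegTokenInit offering Kerberos (truncated).
NTLM_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(24)
SPNEGO_KRB5 = bytes.fromhex("6082050006062b0601050502a08204f4308204f0a00d300b0609") + OID_KRB5
REQUEST = "GET /SoftGridManagement/Authorization.rem?wsdl HTTP/1.1"
SAMPLE_TRACE = [REQUEST, "Authorization: Negotiate " + encode_token(NTLM_TYPE1),
                REQUEST, "Authorization: Negotiate " + encode_token(SPNEGO_KRB5)]

if __name__ == "__main__":
    for request, verdict in summarize(SAMPLE_TRACE):
        print(verdict, "<-", request)
```

In the base64 text itself an NTLM token begins with `TlRMTVNTUA` and a SPNEGO token with `YII`, which is often enough to spot the fallback by eye in a packet capture.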

 

 

Now we know what causes the error we can do something to fix it

After we found out that NTLM authentication was being used instead of Kerberos authentication, we knew where to look for the cause of the issue -> IIS Authentication Settings.

We had to try out all the different authentication settings before we were able to point out what the right set of settings is. The following settings fixed the error in our situation.

 

 

Within IIS there are multiple settings that need to be modified before remote management can be performed successfully. The following table contains the security settings of the Default Web Site and the SoftGridManagement site that were required in this scenario to get App-V remote management going without the authentication errors.

 

Authentication setting                       Value

App-V Web Server
  Sites
    Default Web Site
      Authentication
        Anonymous Authentication             Disabled
        ASP.NET Impersonation                Disabled
        Forms Authentication                 Disabled
        Windows Authentication               Enabled
      Advanced Settings
        Extended Protection                  Off
        Enable Kernel-mode authentication    Unchecked
    SoftGridManagement
      Authentication
        ASP.NET Impersonation                Disabled
        Forms Authentication                 Disabled
        Windows Authentication               Enabled
      Advanced Settings
        Extended Protection                  Off
        Enable Kernel-mode authentication    Unchecked

 

There is only one thing left to do - Happy managing :)

 

Last but not least: I would like to thank Madelinde, Julliet and Ravi from Microsoft for their dedicated support and effort to solve this issue!

39 comments

02 September 2014 at 11:48 Wouter Arts
Hello Peter Bien, Thanks for your feedback. I have corrected the screenshot and registry export.
02 September 2014 at 11:48 Wouter Arts
Hello “Baker”, Thanks, I am glad it fixed the issue that has puzzled you for months.
22 August 2014 at 09:00 Peter Bien
Have you noticed that the screenshot you posted about the registry settings MaxFieldLength and MaxRequestBytes contains an error? You swapped the value for decimal and hexadecimal. The decimal value for MaxFieldLength should be 00065534, but the screenshot shows you entered that value as hexadecimal. Same goes for the MaxRequestBytes value, entered 16777216 as hexadecimal where it should be the decimal value. With values like the one in the screenshot, one could get very strange behaviour. I hope you can take another screenshot with the right settings. :)
12 March 2014 at 09:38 baker
Great works and it solved the problems that puzzled me for several months.
16 July 2012 at 06:56 The knack » Blog Archive » How I learned to stop worrying and installed the App-V Mgt Server
[...] Lets go into verifying IIS – as per a quite extensive written article there are some additional topics needed to address to get the final pieces [...]
25 November 2011 at 11:11 Alexander Beffers
Many thanks for this article. I could not have fixed this without the information provided here. I have never encountered so many difficulties with installing a remote console. Thanks again. Alexander
