Sysadminsblog.com Anything for sysadmins!

29 Jul 2011

Setting up App-V Management Server

Introduction

Application Virtualization is not the most commonly used technology. However, there are quite a lot of advantages to using it over GPOs or manually installing software.

  • Centralized application management - Deploy, update and remove applications from a central location
  • Application conflicts - Applications are running in an isolated environment and are therefore not conflicting with other applications installed on the computer.
  • Combine dependent applications in a single package - Deploy a single package to multiple clients without having to worry about dependencies.

As with most software there are some alternatives to App-V. Make sure that you know the pros and cons of each before you make your decision.

I'll skip the pros and cons because these change quite rapidly and you have probably already decided on App-V.

App-V consists of a couple of components.

  • App-V Management Server - Delivers the sequenced applications on-demand.
  • App-V Management System - Consists of the App-V Management Console and the App-V Management Service.
  • App-V Sequencer - Produces the application package consisting of a couple of files.
    • Open Software Description (.osd)
    • Sequenced Application File (.sft)
    • Icon File (.ico)
    • XML Manifest of the Sequence Project (.sprj)
    • An MSI file can be included for offline deployments.
  • App-V Streaming Server - In charge of streaming the packages to clients that lack a good connection to the Management Server.
  • App-V Client - Is installed on the OS of the end-user and communicates with the Management Server. Manages package streaming into cache and publishing refresh, also stores the user-specific information related to the package.

You can find the hardware and software requirements for all the components here.

App-V Infrastructure models

There are several ways of implementing App-V into your environment depending on your requirements.

Stand-Alone Model

The minimalist model of App-V doesn't require any infrastructure except for the App-V Sequencer and the App-V Client. The packages can be deployed manually, using group policies or using System Center Configuration Manager (SCCM). This is mostly used by smaller companies and by companies that have a lot of offline users.

Streaming Model

This model is aimed at environments that don't want to run a Management Server. This means that a SQL database is not needed and permissions are set through ACLs. The difference with the previous model is that by adding the App-V Streaming Server component the applications can be streamed to low-bandwidth clients, such as clients in branch offices.

Full Infrastructure Model

By utilizing all components of App-V you gain the full advantage of the technology. You can choose not to install the App-V Streaming Server component if you don't have clients on low-bandwidth connections. Using the App-V Management Server will add the application shortcuts within the process of deployment, and also enables features like reporting using a SQL database and central management of application licenses.

Prerequisites

As the management server uses SQL and IIS, we'll need to make sure that these are set up correctly before we start. This will minimize the possibility of errors during the setup process.

Adding the IIS role to Windows Server 2008:

  1. Click Start > All Programs > Administrative Tools and select Server Manager
  2. Right-click the Roles node and click Add Roles
  3. On the Server Roles page, click Next and then click Next again; then select the following role services:
    1. Under Application Development select ASP.NET and when prompted, click Add Required Role Services
    2. Under Security, select Windows Authentication
    3. In the Management Tools node, select IIS Management Scripts and Tools
    4. Under IIS 6 Management Compatibility, ensure that both IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility are selected and click Next
  4. Click Install on the Confirm Installation Selections page
  5. Click Close to exit the Add Roles Wizard

Now we need to tweak IIS a bit by adding some MIME types needed in App-V.

  1. Start the IIS Manager
  2. Select the Default Web Site > SoftGridManagement
  3. Double-click the MIME Types feature
  4. On the action panel, click Add
  5. In the Extension box, type OSD
  6. In the MIME box, type application/softricity-osd
  7. Click OK
  8. Run iisreset to activate the changes

Installing the App-V Management Server

After downloading the Microsoft Desktop Optimization Pack (MDOP) unpack, mount or burn it.

  1. Launch the MDOP autorun
  2. Select Install Management Server 4.5 SP2
  3. Click Next on the welcome screen
  4. Check the I accept license terms and conditions and click Next
  5. Enter your registration information
  6. Select Custom and click Next
  7. I recommend keeping the default features and path; click Next

  8. As my SQL server is not listed, I'll check the box and enter the server name and port, then click Next

  9. Normally you would create a database, unless a DBA already created a database for you. Since I'm my own DBA I'll have App-V create it for me by selecting Create a new database and click Next

  10. I chose not to enable Use enhanced security for now. You can enable this later if you want to. Click Next.

  11. Accept the defaults for the RTSP (Real Time Streaming Protocol) port: 554

  12. Enter the group name that you want to give administrative access to the App-V Management Console. It will resolve the group and allow you to select a group if multiple results are returned. Click Next.

  13. Enter the group name that you want to give access to the App-V application packages. It will resolve the group and allow you to select a group if multiple results are returned. Click Next.

  14. Here you can change the default location where the application content will be stored. Accept the default and click Next.
  15. Click Install to start the installation process.

An installation result will be given and a reboot is requested. After the reboot there are still a couple of tasks to perform.

Share the content folder - The default folder (C:\Program Files (x86)\Microsoft System Center App Virt Management Server\App Virt Management Server\content) will have to be shared to give the clients access to the installation packages.

  1. Right-click the folder and select Share with > Advanced sharing

  2. Click Advanced Sharing

  3. Check Share this folder

  4. Click the Permissions button and give the Everyone group Full Control

  5. Click OK, OK, and Close

Set permissions on the content folder - People that need to use the App-V packages need to be able to access them. Therefore the permissions need to be set to allow this.

  1. Right-click the content folder and select Properties
  2. Click the Security tab
  3. Click Edit
  4. Click Add
  5. Enter your App-V users group, Domain Users or even Everyone if you want to
  6. Give the group the Read & Execute, List folder contents and Read permissions
  7. Click OK twice

Set firewall exceptions - If you have the Windows Firewall running on your App-V server, you'll have to allow clients access to the App-V components.

  1. Start Windows Firewall with Advanced Security
  2. Select Inbound Rules and click New Rule
  3. Select Program and click Next

  4. Click Browse and browse to C:\Program Files (x86)\Microsoft System Center App Virt Management Server\App Virt Management Server\bin\sghwdsptr.exe then click Open and click Next
  5. Select Allow the connection and click Next
  6. Select all options and click Next
  7. Enter a Name, optionally a Description and click Finish
  8. Repeat step 2 to 7 for C:\Program Files (x86)\Microsoft System Center App Virt Management Server\App Virt Management Server\bin\sghwsvr.exe

Now we need to change a couple of App-V settings to make it all work properly.

  1. Open the Application Virtualization Management Console
  2. In the Default Content Path, type \\<servername>\content
  3. Click OK

You can now start the Application Virtualization Management Console.

To make sure that everything is working you can install the App-V client on a workstation and see if the Default Application will stream and run properly.
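The post-install tasks above (share, NTFS permissions, firewall exceptions and the .osd MIME type) scripted with tools that ship with Windows Server 2008 R2. This is an added example, not code from the original post; the group name DOMAIN\AppV-Users is an assumption. Run it from an elevated PowerShell prompt on the App-V server.

```powershell
# Added example, not from the original post: scripts the post-install tasks described
# above (share, NTFS permissions, firewall exceptions, .osd MIME type) with tools that
# ship with Windows Server 2008 R2. Run from an elevated PowerShell prompt on the server.
$base    = 'C:\Program Files (x86)\Microsoft System Center App Virt Management Server\App Virt Management Server'
$content = Join-Path $base 'content'
$group   = 'DOMAIN\AppV-Users'   # assumption: the group that is allowed to use the packages

# 1. Share the content folder. Like the steps above, the share grants Everyone Full Control;
#    the NTFS ACL set in step 2 is what actually limits clients to read access.
& net share "content=$content" /GRANT:Everyone,FULL

# 2. NTFS: Read & Execute (RX), inherited by subfolders (CI) and files (OI).
& icacls $content /grant "${group}:(OI)(CI)RX"

# 3. Inbound firewall exceptions for the two App-V server executables.
foreach ($exe in 'sghwdsptr.exe', 'sghwsvr.exe') {
    $path = Join-Path $base "bin\$exe"
    & netsh advfirewall firewall add rule name="App-V Management Server ($exe)" `
        dir=in action=allow program="$path" enable=yes profile=any
}

# 4. Register the .osd MIME type on the SoftGridManagement application and restart IIS.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd set config 'Default Web Site/SoftGridManagement' /section:staticContent `
    "/+[fileExtension='.osd',mimeType='application/softricity-osd']"
& iisreset

# Checks: the group's NTFS entry is read-only, both rules exist, and the share resolves.
& icacls $content | Select-String -SimpleMatch $group
& netsh advfirewall firewall show rule name=all | Select-String -SimpleMatch 'App-V Management Server'
Test-Path "\\$env:COMPUTERNAME\content"
```

The Default Content Path still has to be set in the Management Console as described above; that setting is not covered by the script.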

You can always comment below if you run into any errors.

Filed under: App-V, Microsoft

25 Jul 2011

Word shortcut for creating blog posts

Starting with Word 2007, Microsoft introduced the option to use Word as a blogging client for WordPress and many other blogging services. However, if you blog regularly, you will be annoyed by the normal procedure.

  1. Start Word
  2. Click File > New
  3. Select Blog post

That's a bit too much clicking (or too many shortcut keys) for lazy me. That's why I wanted to shorten this process; here's how.

  1. Find the location of winword.exe
    C:\Program Files\Microsoft Office\Office<version>\WINWORD.EXE
    Word 2007:    12
    Word 2010:    14
  2. Find the location of Blog.dotx
    C:\Program Files\Microsoft Office\Templates\<language ID>\Blog.dotx
    English - US:    1033
    Dutch - NL:    1043
    German - DE:    1031
    Find your language ID here: http://technet.microsoft.com/en-us/library/cc179219.aspx
  3. Right-click your desktop and select New > Shortcut
  4. Enter the following location:
     "<location winword.exe>" /q /t"<location Blog.dotx>"
     For example: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /q /t"C:\Program Files\Microsoft Office\Templates\1033\Blog.dotx"
  5. Enter a suitable name for the shortcut like Microsoft Word 2010 - Blog
  6. Click Finish

I added the shortcut to my start menu in the Microsoft Office folder. This way I can type blog after pressing the Windows key, followed by Enter, to start Word with the blog template.

19 Jul 2011

Slow mail delivery to Outlook client from Exchange 2010

I just had a lot of problems with email being delivered to my Outlook 2010 really slowly. The following findings are the result of my troubleshooting:

  • Messages are delayed ranging from a couple of minutes up to an hour when using Outlook 2010 (using RPC or Outlook Anywhere)
  • Messages are not delayed in OWA
  • PowerShell shows the messages being delivered into the proper folder (Get-MailboxFolderStatistics)
  • Message tracking shows that the internal transport is not delayed
  • Reconnecting your Outlook will force the download of the delayed messages (CTRL+Right click the taskbar icon, selecting Connection status)
  • Messages are not delayed using ActiveSync

After hitting Google with these findings it soon pointed me to the problem and also the solution.

RPC traces showed that the server couldn't contact the clients somehow.

The solution

Install Exchange 2010 SP1 Update Rollup 3 (v3)

Description of Update Rollup 3 for Exchange Server 2010 Service Pack 1

Download Update Rollup 3 for Exchange Server 2010 Service Pack 1

The installation of the Update Rollup will require a reboot of the Exchange server, but it will solve this particular issue along with other issues.

The article that pointed me in the right direction and also the source of some of the troubleshooting steps can be found right here.

15 Jul 2011

SharePoint 2010 Trusted Identity Token Issuer Error

I was setting up SharePoint to use Federated Authentication using Azure Access Control Service (ACS) when it ran into an error. After checking the SharePoint logs I ran into the following lines:

07/15/2011 10:23:36.54     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     eu2n    Monitorable    Trusted login provider 'Public Account' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'    

07/15/2011 10:23:36.54     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Monitoring     b4ly    High     Leaving Monitored Scope (SPSecurityTokenService.GetTokenLifetime()). Execution Time=125,240686737495    

07/15/2011 10:23:36.56     w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     fo1t    Monitorable    SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm. at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest() at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsPrincipal principal, RequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime) at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityT...    

07/15/2011 10:23:36.56*    w3wp.exe (0x1670)     0x0C60    SharePoint Foundation     Claims Authentication     fo1t    Monitorable    ...oken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)

Also the event viewer returned the following error:

Log Name: Application

Source: Microsoft-SharePoint Products-SharePoint Foundation

Date: 15-7-2011 10:23:36

Event ID: 8306

Task Category: Claims Authentication

Level: Error

Keywords:

User: DOMAIN\user

Computer: sharepoint.domain.local

Description:

An exception occurred when trying to issue security token: The trusted login provider did not supply a token accepted by this farm..

Quite obviously when I select Windows Live ID it doesn't return the expected type of claim; namely http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

Solution

In Azure ACS you can set what type of data is retrieved and also what type it returns. The Windows Live ID Identity Provider doesn't support email address as a claim type; however, you can map the only available input claim type to any other type that you use to validate the incoming claim in SharePoint.

My SharePoint environment is set up to validate through emailaddress. I'll have to map the 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' claim type to the 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' claim type as shown below.

  1. Navigate to your Azure ACS URL (https://<ServiceNamespace>.accesscontrol.windows.net/v2/mgmt/web)
  2. Click Rule groups
  3. Click the Rule group that is used by your SharePoint environment
  4. Click on the only entry with Windows Live ID as Claim Issuer
  5. Check Select Type in the Then section and select the proper claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) that SharePoint is expecting
  6. Click Save and check the results

Now try to log in to your SharePoint environment with the Windows Live ID and it should work flawlessly.

One thing to note is that the login name is an odd string of characters instead of a nicely structured email address. Unfortunately there is no way of getting a nice looking login name using Windows Live ID as there is no other option than returning the nameidentifier. This seems kind of odd since it's a Microsoft product and the most restricted Identity provider is also from Microsoft. I hope that Microsoft will add other options soon.

4 Jul 2011

Installing and Configuring ADFS 2.0

As we're setting up collaboration sites on our SharePoint 2010 farm, we wanted to provide the ability to have external logins using Facebook or Google accounts. Everything soon pointed in the direction of Active Directory Federation Services. As version 1.0, which comes with Windows Server 2008 R2, is already outdated, I needed to download the 2.0 version. Make sure that you download the proper version as you might run into some very strange errors otherwise. Since I'm running Windows 2008 R2 x64 I selected RTW\W2K8R2\amd64\AdfsSetup.exe.

When the installation started, the IIS part took quite some time. When I figured it was stuck and TrustedInstaller.exe was using around 750MB of memory, I decided to kill the process as it might crash the entire server. While this seemed the right thing to do, the consequences were somewhat strange. When I restarted the installation it ran into an error right away stating that the install of KB981002.msu could not complete. I tried installing this update manually, but it indicated that the system doesn't need the update. I rebooted the system and retried the installation, which then proceeded without a hitch.

SSL

Make sure that you have a Certificate Authority installed in your domain. You can use its certificates for Exchange servers and SharePoint servers, and you also need one for the ADFS server.

If you don't have a proper certificate installed you might get an error like this, which might put you on the wrong track. Just create a new certificate, or use one that is already installed.

To create an SSL certificate request in IIS, open IIS Manager, select the host and double-click the Server Certificates icon. The certificate options are on the right.

Once you have installed the SSL certificate in IIS, you can set it by right-clicking the website in IIS and selecting Edit Bindings. Then edit or add an https binding and select the SSL certificate you want to use.

Configure ADFS 2.0

As I didn't have a Federation Server running anywhere I needed to create a new Federation Service. Here are the steps:

  1. After the install the ADFS configuration was started.
  2. Click the AD FS 2.0 Federation Server Configuration Wizard to start the configuration.
  3. Select Create a new Federation Service
  4. Select New Federation server farm
  5. The certificate should be automatically selected. You get the option to select the Federation Service name.
  6. Create a service account for the ADFS services. The following permissions are needed for this account:
        Service Logon right. This right is required for an account to log on using the service logon type.
        Audit Privilege right. This right is required to generate audit log entries.
    See this post for setting the permissions. You can use the same guide for the service logon.
  7. A summary of the settings will be presented. ADFS will be installed with a Windows Internal Database service. However, you can change this later on.

If the name of the federation service is already in use you might be presented with an error: "The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again." You'll have to use setspn.exe to set the proper SPN.
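The SPN conflict described above can be checked and resolved with setspn.exe before re-running the wizard. This is an added example, not code from the original post; the Federation Service name fs.domain.local and the service account DOMAIN\svc_adfs are assumptions.

```powershell
# Added example, not from the original post: checks whether the HOST SPN that the AD FS 2.0
# configuration wizard registers for the Federation Service name is already held by another
# account (the cause of the error quoted above) and, if it is free, sets it on the service
# account. Assumptions: Federation Service name fs.domain.local, service account DOMAIN\svc_adfs.
$fsName  = 'fs.domain.local'   # assumption: your Federation Service name
$svcAcct = 'DOMAIN\svc_adfs'   # assumption: the service account created for the AD FS services
$spn     = "HOST/$fsName"

# setspn -Q searches the forest for the SPN and prints the distinguished name of its holder.
$result = & setspn -Q $spn
if ($result -match 'Existing SPN found') {
    Write-Host "$spn is already registered on:"
    $result | Select-String -SimpleMatch 'CN='
    Write-Host 'Choose a different Federation Service name, or remove the SPN from that account (setspn -D) before re-running the wizard.'
} else {
    # -S adds the SPN only after verifying that no duplicate exists anywhere in the forest.
    & setspn -S $spn $svcAcct
}

# Duplicate SPNs break Kerberos authentication for the affected services; list any that exist.
& setspn -X
```

Run this as a domain administrator on a domain-joined machine; setspn.exe is available on Windows Server 2008 and later.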

Filed under: ADFS, Microsoft