Running the App-V Management Console from a remote Computer
Written by:
10/03/2011 18:27
This post covers running the App-V Management Console from a different computer than the one where the Management Web Service is installed.
In certain configurations you may need to configure SPNs and delegation. This is normally the case when you install different App-V components on different servers, e.g. if you install the Management Web Service on a separate IIS server, or if you have the App-V Management Server and the App-V Management Web Service on one computer and your Content share on another computer but use the Management Console function to ‘Specify Windows Account’. Sometimes this is done to avoid stressing the App-V Management Server while running App-V reports, or even to further restrict access to the Management Console using IIS IP restrictions. This is a dual layer of security: even if you are an App-V Admin, you can’t access the management server unless you’re sitting at the correct PC.
The first thing to do is set up delegation. This will also confirm whether or not your SQL Server has an SPN set up for the SQL service. You will need to be a Domain Admin to perform this.
Configure the Internet Information Services (IIS) server to be trusted for delegation
- Log into a server with Active Directory Users & Computers
- Find your server in Active Directory (using dsa.msc)
- View the server Properties
- Click the Delegation tab
- Tick ‘Trust this computer for delegation to specified services’
- Tick ‘Use Kerberos Only’
- Click ‘Add’
- Click ‘Users and Computers’
- Enter the name of your SQL Server and click ‘OK’
- Find the MSSQLSvc in the list and click OK. (See Note)
Note: This is where, as I mentioned, we can confirm whether an SPN is set up or not. If you can’t find the MSSQLSvc service in the list, you will have to create an SPN for it. Here’s how:
- Download SETSPN from the Microsoft website: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en
- Open the CAB file and copy setspn.exe to your local computer (somewhere in the PATH)
- Open a Command Window (cmd.exe)
- Run the following:
setspn -A MSSQLSvc/hostname:1433 hostname
If your SQL Server is referred to by additional names, then run SETSPN multiple times, e.g.
setspn -A MSSQLSvc/hostname.domain.local:1433 hostname
In these commands, ‘MSSQLSvc/hostname:1433’ is the property (the SPN) you want to assign to the AD object, and ‘hostname’ is the AD object name.
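To check the result of the delegation and SPN steps above, the following PowerShell is an added example and not part of the original post. It assumes the ActiveDirectory module (RSAT) is available; APPV-IIS01 is a hypothetical IIS server name, and ‘hostname’ / ‘hostname.domain.local’ are the placeholder SQL names from the setspn commands.

```powershell
# Added example: verify SPN registration and constrained delegation.
# Assumption: ActiveDirectory module (RSAT) is installed. All names are placeholders.
Import-Module ActiveDirectory

$IisServer = 'APPV-IIS01'              # hypothetical: runs the Management Web Service
$SqlHost   = 'hostname'                # SQL Server name used with setspn
$SqlFqdn   = 'hostname.domain.local'   # additional name, if one was registered
$Expected  = @("MSSQLSvc/${SqlHost}:1433", "MSSQLSvc/${SqlFqdn}:1433")

# 1. Each SPN must be registered on exactly one AD object.
#    Zero owners: no Kerberos ticket can be issued for the service.
#    Several owners: duplicate SPN, Kerberos authentication to the service fails.
foreach ($spn in $Expected) {
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'")
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered" }
        1       { Write-Output  "$spn -> $($owners[0].DistinguishedName)" }
        default { Write-Warning "$spn is duplicated on: $($owners.DistinguishedName -join '; ')" }
    }
}

# 2. The IIS server should be constrained to the SQL SPNs, Kerberos only.
$iis = Get-ADComputer -Identity $IisServer -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$allowed = @($iis.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

if ($iis.TrustedForDelegation) {
    Write-Warning "$IisServer is trusted for delegation to any service (unconstrained)"
}
if ($iis.TrustedToAuthForDelegation) {
    Write-Warning "$IisServer allows protocol transition (not 'Use Kerberos only')"
}
foreach ($spn in $Expected) {
    if ($allowed -notcontains $spn) {
        Write-Warning "$IisServer is not allowed to delegate to $spn"
    }
}

# Any target beyond the expected SQL SPNs widens what the IIS server can
# do on behalf of users, so list it for review.
$allowed | Where-Object { $_ -notin $Expected } |
    ForEach-Object { Write-Warning "Unexpected delegation target: $_" }
```

If only one SQL name is in use, remove the other entry from $Expected so it is not reported as missing.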
If you are using IIS7 to run the App-V Management Web Service, you will need to run the following command on that server:
appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true
Paul