App-V5 and Citrix XenDesktop/XenApp 7.x

Citrix has been working really hard to make sure that App-V 5 is fully supported in XA/XD.  This is greatly appreciated and a key integration for a wide range of users. However, it doesn’t quite work like we would hope as there is a pretty big “Gotcha”- read on….

I deploy App-V and Citrix on a daily basis and teach hands-on classes to many of our clients, and we have approached this a number of different ways.  For users wanting a published desktop, the traditional approach was to create published desktops in XA/XD and then deploy applications to the desktop using the standard App-V tools. The App-V client for desktop use would be configured through GPOs with the following settings:

  • Enable Package Scripts
  • Reporting Server
  • Configure publishing servers

Simple, effective and worked great. Configure Citrix, add the App-V client to the image and then configure App-V and allow the two to do their functions. This is still the method that needs to be followed for published desktops utilizing App-V applications.

For published applications, if you configure your environment in this way currently, things just don’t seem to function properly.  The generic message “Cannot start app” starts to appear.  This is where the problem currently lies.

To help with this, Citrix has recently introduced a node in Desktop Studio that handles app publishing for App-V applications within the Citrix console. According to the document released by Citrix (https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-7/install-configure/app-v.html), you are to follow the Microsoft practices and then turn off the Microsoft practices.

Why would I configure all the best practices from Microsoft?!?!?!  According to the Citrix document, leaving the best practices enabled will stop published applications from launching.  What the article neglects to say is why that happens.  The Citrix-built tool CTXAppLauncher.exe is designed to perform the launch of the App-V application.  It is what handles the communication with the App-V Publishing server and the packages.

If you want to use published applications, you will need to follow the Citrix documentation to invoke CTXAppLauncher.  Ok…. So I will configure it for publishing applications.  The key to this is to make sure that the UserRefreshOnLogon setting for a publishing server is set to FALSE.  When this is set to false, during the login process Citrix will contact the publishing server, download and add the package to the client, and launch it.  This is great, but now I can’t have the users refresh their applications on logon for a desktop.

This translates to needing 2 delivery groups:

  • One for applications
  • One for Desktops


My feeling, is if App-V is in use correctly, I should be able to share the resources to help consolidate my environment.

The other issue is load balancing with App-V.  Using Citrix’s GUI, it is impossible to add more than one server.  If you were to use an LB name or DNS round robin, XA/XD will not be able to communicate with the App-V Publishing Servers.  This means I have a single point of failure because Citrix wanted to make their own method of publishing App-V.  I know you can add more servers through POSH, but they do not show in the GUI.  Most admins are going to look in a GUI and not double-check the config in POSH.

Why is it necessary to create their own publishing methods instead of using the built-in solutions already provided by Microsoft?  This seems to be a waste of time on their part.

In the end, I have found many ways for this to fail:

App-V integration is supported and needed by the Citrix products.  Just be sure to follow the Citrix document to the letter and everything should work except……..

Citrix Session Recording is Great!!!

I love that Smart Auditor has come back…..  er… I mean Session Recording.  This is an amazing tool. The only issues I have with this product are running it without SSL, retention, and, once again, multiple consoles.

I could complain about the multiple consoles, but that would be kicking a dead horse again and again.  We will leave that alone and hope that Citrix will consolidate eventually.

Citrix has documented very thoroughly how to install Session Recording with SSL.  But what if you are with a client that doesn’t have an internal PKI solution and doesn’t want to buy a 3rd party cert for this?

To configure Session Recording without SSL, don’t choose a certificate during the installation.  You would believe this to be enough, except that when the website is installed, it is set up to require SSL.  To fix this setting, open IIS Manager and navigate to the SessionRecordingBroker site.  Choose SSL Settings and uncheck Require SSL.


The main problem is there is no interactive way to set up archiving of the recordings.  If Citrix could develop a utility that made it easy to configure management of the recordings, it would be much nicer.  As of now, the only way to manage the recordings is with the icldb utility: https://docs.citrix.com/en-us/xenapp-and-xendesktop/xenapp-6-5/xenapp65-w2k8-wrapper/ps-sa-library-wrapper-v2/ps-sa-reference-wrapper-v2.html

Citrix has only listed the main commands in their document.  If you would like to learn more about the commands, here is a full list of the options for each command:


ARCHIVE:

ICLDB ARCHIVE /RETENTION:<days> [/LISTFILES] [/MOVETO:<dir>] [/NOTE:<note>]
              [/L] [/F] [/S] [/?]

Archive session recording files older than the retention period specified.
This will mark files in the database as archived. Physical files will not
be moved unless the /MOVETO option is specified. Archiving a large number
of files may take some time.

/RETENTION:<days>  The retention period for session recording files. Files
                   older than this will be marked as archived in the
                   database. Retention period must be greater than 2 days.
/LISTFILES         List the path of files as they are being marked as
                   archived.
/MOVETO:<dir>      Specify a destination directory to which files are to be
                   physically moved. If this option is omitted, files will
                   remain in their original location.
/NOTE:<note>       Attach a text note to the database record for each
                   file that is archived.

/L           Log results and errors to the Windows event logs.
/F           Force command to run without prompting.
/S           Suppress copyright message.
/?           Display command help.

DORMANT:

ICLDB DORMANT [/DAYS:<days> | /HOURS:<hours> | /MINUTES:<minutes>]
              [/LISTFILES] [/L] [/F] [/S] [/?]

Display or count the session recording files that are deemed as dormant.
Dormant files are session recordings that never completed due to data loss.
The search for dormant files can be made across the whole database or only
recordings made within the specified last number of days, hours, or minutes.

/DAYS:<days>       Limit the range of the dormant file search to the last
                   number of days specified.
/HOURS:<hours>     Limit the range of the dormant file search to the last
                   number of hours specified.
/MINUTES:<minutes> Limit the range of the dormant file search to the last
                   number of minutes specified.
/LISTFILES         List the file identifier for each dormant file found.
                   If this is omitted, only the count of dormant files will
                   be displayed.

/L           Log results and errors to the Windows event logs.
/F           Force command to run without prompting.
/S           Suppress copyright message.
/?           Display command help.

IMPORT:

ICLDB IMPORT [/LISTFILES] [/RECURSIVE] [/L] [/F] [/S] [/?]
             [<file> …] [<directory> …]

Import session recording files into the database. The metadata contained
within each file will be read and database records created. Once a file is
imported, the file must not be moved or deleted.

/LISTFILES         List the files before importing.
/RECURSIVE         For directories specified, recursively search for files
                   in all sub-directories.
<file>             Name of file to import (wildcards permitted).
<directory>        Name of directory to search for files to import. Files
                   must have an .ICL extension. Sub-directories will be
                   searched if the /RECURSIVE switch is specified.

/L           Log results and errors to the Windows event logs.
/F           Force command to run without prompting.
/S           Suppress copyright message.
/?           Display command help.

LOCATE:

ICLDB LOCATE /FILEID:<id> [/L] [/F] [/S] [/?]

Locate and display the full path to a session recording file given a file
identifier.

/FILEID:<id>   Session recording file identifier or file name to search
               for. This may be specified in either of the following two
               formats:

               xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
               (example: 545e8304-cdf1-404d-8ca9-001797ab8090)

               -or-

               i_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.icl
               (example: i_545e8304-cdf1-404d-8ca9-001797ab8090.icl)

/L           Log results and errors to the Windows event logs.
/F           Force command to run without prompting.
/S           Suppress copyright message.
/?           Display command help.

REMOVE:

ICLDB REMOVE /RETENTION:<days> [/LISTFILES] [/DELETEFILES]
             [/L] [/F] [/S] [/?]

Remove references to session recording files older than the retention
period specified. This will only remove records from the database, unless
the /DELETEFILES option is specified.

/RETENTION:<days>  The retention period for session recording files.
                   Database records older than this will be removed.
                   Retention period must be greater than 2 days.
/LISTFILES         List the path of files as their database record is
                   being removed.
/DELETEFILES       Specify that the associated physical file is to be
                   deleted from disk.

/L           Log results and errors to the Windows event logs.
/F           Force command to run without prompting.
/S           Suppress copyright message.
/?           Display command help.

REMOVEALL:

ICLDB REMOVEALL [/L] [/F] [/S] [/?]

Removes all records from the Session Recording Database and returns the database
back to its original state. This command however, does not remove physical
session recording files from disk. On large databases this command may
take some time to complete.

Use this command with caution as removal of database records can only be
reversed by restoring from backup.

/L           Log results and errors to the Windows event logs.
/F           Force command to run without prompting.
/S           Suppress copyright message.
/?           Display command help.

VERSION:

ICLDB VERSION [/L] [/F] [/S] [/?]

Display the Session Recording Database schema version in the format
<major>.<minor>.<build>.<patch>.

/L           Log results and errors to the Windows event logs.
/F           Force command to run without prompting.
/S           Suppress copyright message.
/?           Display command help.
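Since there is no built-in way to schedule archiving, here is an added example (my own wrapper, not a Citrix utility and not from the original post) that runs ICLDB ARCHIVE unattended with the switches listed above and registers itself as a weekly scheduled task. The icldb.exe path, the archive and log folders, and the script's own path are assumptions; edit them for your Session Recording server.

```powershell
<#
  Added example, not from the original post or from Citrix: an unattended
  wrapper around ICLDB ARCHIVE for Citrix Session Recording.
  Assumptions (edit for your server):
    - icldb.exe is at the default Session Recording server install path below
    - $ArchiveRoot is a local folder the task account can write to
    - this file is saved as C:\Scripts\Archive-SessionRecordings.ps1
  Usage:  .\Archive-SessionRecordings.ps1                 # archive now
          .\Archive-SessionRecordings.ps1 -RegisterTask   # create the weekly task
#>
param([switch]$RegisterTask)

$IcldbPath     = 'C:\Program Files\Citrix\SessionRecording\Server\Bin\icldb.exe'  # assumed path
$RetentionDays = 90                                 # ICLDB requires a value greater than 2
$ArchiveRoot   = 'D:\SessionRecordingArchive'       # assumed destination folder
$LogDir        = 'D:\SessionRecordingArchive\Logs'  # assumed log folder
$ScriptPath    = 'C:\Scripts\Archive-SessionRecordings.ps1'

function Invoke-SessionRecordingArchive {
    param(
        [int]$Retention   = $RetentionDays,
        [string]$MoveTo   = $ArchiveRoot,
        [string]$LogPath  = $LogDir
    )
    if (-not (Test-Path $IcldbPath)) { throw "icldb.exe not found at $IcldbPath" }
    if ($Retention -le 2) { throw 'ICLDB rejects a retention period of 2 days or less' }
    New-Item -ItemType Directory -Path $MoveTo, $LogPath -Force | Out-Null

    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $logFile = Join-Path $LogPath "icldb-archive-$stamp.log"

    # /MOVETO physically moves the .icl files, /LISTFILES prints each path (captured
    # in our log), /L also writes results to the Windows event log, /F removes the
    # confirmation prompt so the task can run unattended, /S drops the banner.
    $icldbArgs = @(
        'ARCHIVE',
        "/RETENTION:$Retention",
        "/MOVETO:$MoveTo",
        "/NOTE:Scheduled archive $stamp",
        '/LISTFILES', '/L', '/F', '/S'
    )
    & $IcldbPath @icldbArgs 2>&1 | Tee-Object -FilePath $logFile
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icldb exited with code $LASTEXITCODE; see $logFile"
    }
    return $LASTEXITCODE
}

function Register-SessionRecordingArchiveTask {
    # Weekly, Sunday 02:00, as SYSTEM; the task simply re-runs this script.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Citrix Session Recording Archive' `
        -Action $action -Trigger $trigger -Principal $principal -Force
}

if ($RegisterTask) { Register-SessionRecordingArchiveTask } else { Invoke-SessionRecordingArchive }
```

The per-run log file plus /L means you get both a file you can keep with the archive and an event-log entry you can alert on; the exit code is returned so a monitoring wrapper can tell a failed archive from a successful one.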


Citrix messes with SQL Always On

XenDesktop 7.9 FMA has issues with SQL Always On….

Databases have been a source of controversy since Citrix released XenDesktop.  With the merger of XenApp and XenDesktop, the main solution for database availability is SQL Always On.  With SQL Always On you have the benefit of a cluster for OS and SQL protection while still having the benefits of a standalone SQL Server.  I have deployed XD 7.x countless times using these technologies for many customers and have never had an issue with SQL Always On and Citrix technologies until 7.9.

Using SQL Always On, I have been able to fail my SQL server, configure and manage my XD environment without issues.  I have recently discovered with 7.9 you are unable to extend the environment while utilizing SQL Always On.  The symptoms are simple:

  • Add a new Delivery Controller to an existing XD/XA 7.9 deployment utilizing SQL Always On
  • Receive an innocuous error, stating unable to connect to the SQL server
  • Datastore is now corrupt

The error received says it is unable to connect to the SQL server…..  when you read the error, it is trying to connect directly to one SQL server in your Always On cluster.   The error details state it is unable to update the security in the database.  This is to be expected, since the individual node it is trying to connect to is a secondary node in the Always On cluster.  Weird…..

Run the connect to a site wizard again, and it will give an error stating that the database cannot be updated again, this time showing the correct Always On name.

What has happened is the Datastore is now corrupt.  The tables housing the information regarding your Delivery Controllers are the only part affected.    The following screenshot shows the Controller node of Citrix Studio:

[Screenshot: Controller node of Citrix Studio]

Once this has occurred, all aspects of XD/XA continue to work, however you will be unable to get information regarding your delivery controllers.  To resolve this issue, you will need to clear out the database regarding any information of the new controller that was added.

Citrix has this handy article (https://support.citrix.com/article/CTX139505/) to remove Delivery Controllers manually.  The simple explanation is:

  • Open PowerShell and run Get-BrokerController
  • Make note of the SID of the offending Delivery Controller
  • Run the script provided in the article on a Delivery Controller.
    • Populate $DBName with your Site Database name
    • Populate $EvictedSID with the offending Delivery Controller SID
  • This script will create a SQL script that will need to be run against the Datastore

The way to avoid all this hassle is to simply remove your XD/XA DB’s from the SQL Always On group.  Leave the DB’s on the primary server and extend your Delivery Controllers.  After you have extended your site, put the DB’s back in the Always On Availability Group.

I have submitted detailed information and logs to Citrix Technical Support and am working with them toward a permanent resolution- Stay Tuned!

Microsoft App-V 5.0 Load Balancing

I have had the pleasure of working with Microsoft App-V for a while now, and HA has always been a very important item.   Load balancing was a breeze in App-V 4.x environments.  All you needed was a load balancer that could pass * for the port and * for the protocol and everything worked great.  Yes, you can argue that RTSP used 554 TCP, but the random port it chose afterwards was the killer.

That has all changed in App-V 5.0.  Now Kerberos is a huge deal.  Anyone that has worked with SQL clusters will understand how temperamental Kerberos can be without being properly setup.  After I have had the fun of translating Microsoft language into a usable format, I figured I would document to the best of my ability how to setup App-V 5 to use Kerberos and be load balanced.

Before I start, I would like to share some of the articles that were used or discarded in getting this to work.

Microsoft has a “Planning for High Availability” article which can be found here: http://technet.microsoft.com/en-us/library/dn343758.aspx.  This article talks about HA for the entire environment and is a pretty good read, except for the Web Services load balancing.

Microsoft has another article on “How to provide fault tolerance and load balancing in Microsoft App-V v5”, http://support.microsoft.com/kb/2780309.   I didn’t find this article very useful.

After combining the 2 articles above and many others, I have found these steps to be pretty straight forward and easy to do.

Assumptions:  I am assuming you have 2 or more App-V 5 servers installed with Management and Publishing working in the environment.  I put both Management and Publishing on the same servers, but it is up to your design.  I have performed these steps on Windows 2012 R2 Standard.

I will be using the following as examples:

Server Names:  vAppV01 and vAppV02
Load Balanced Name:  AppV
FQDN:  dummy.lcl
App-V Management port: 8080
App-V Publishing port: 8081

Step 1:  Have a Load Balancer and DNS A record

I tend to use Citrix NetScalers for LB on the projects I work on, but any should work.  Just like App-V 4.0, it is easiest to use a LB with * for ports and * for protocols.  Again, the security guys will argue with me that I am opening too much.  My point is that it is internal traffic and is not transferring company data.  All that is being transmitted is bits to launch an application.

Step 2:  Setup an AD Computer Account

Create a computer account in Active Directory with the Load Balanced Name.  This will be used to assign the SPNs to later.

Step 3:  Change the IIS ApplicationPool Identity

This is where all the confusion comes in.  If you read all the information out there regarding the ApplicationPool Identity, it leads you to believe that you need to change this to run as a service account.  Performing this step will break the syncing of your publishing servers with the Management service.  We will just skip that part and allow the KernelMode to take care of Kerberos for you:

  • Navigate to c:\windows\system32\inetsrv\config and make a backup of ApplicationHost.config
  • Now we need to edit 2 parts of this file, both found at the bottom of the file.  The <windowsAuthentication> line in each of the two sections below is the one that changes:
    <location path="Microsoft App-V Management Service">
    <system.webServer>
    <security>
    <authentication>
    <digestAuthentication enabled="false" />
    <basicAuthentication enabled="false" />
    <anonymousAuthentication enabled="false" />
    <windowsAuthentication enabled="true" />
    </authentication>
    </security>
    <webdav>
    <authoring enabled="false" />
    </webdav>
    </system.webServer>
    </location>
    <location path="Microsoft App-V Publishing Service">
    <system.webServer>
    <security>
    <authentication>
    <digestAuthentication enabled="false" />
    <basicAuthentication enabled="false" />
    <anonymousAuthentication enabled="false" />
    <windowsAuthentication enabled="true" />
    </authentication>
    </security>
    </system.webServer>
    </location>
  • In both sections, the <windowsAuthentication> line needs to read as the following:
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

Now reboot your server to verify that changes have taken effect.

Step 4:  Adding SPN’s to Active Directory

Now that your file has been changed, we need to set up the following SPNs to allow AD to provide Kerberos authentication for both the App-V Publishing and Management roles.

Run the following commands with Domain Admin rights:

setspn -a http/<server>:<port> <domain>\<LB Name>
setspn -a http/<server.FQDN>:<port> <domain>\<LB Name>

Examples below:

  • setspn -a http/appv:8080 dummy\appv
  • setspn -a http/appv:8081 dummy\appv
  • setspn -a http/appv.dummy.lcl:8080 dummy\appv
  • setspn -a http/appv.dummy.lcl:8081 dummy\appv

Step 5:  Your Database

Nothing to add or change to the DB

Step 6:  Your Content Share

Nothing to add or change to the Content Share

Step 7:  Final Step

Now, to make sure we don’t have the Publishing Servers going across to the other Management Server, I make one final change:

Edit the hosts file on each App-V server to point the LB name at its own IP.

example:

If the IP for vAppV01 is 192.168.1.1 and IP for vAppV02 is 192.168.1.2 and the LB Name of AppV is 192.168.1.3, the hosts files should read like this:

Hosts File vAppV01:

192.168.1.1                 AppV

Hosts File vAppV02:

192.168.1.2                 AppV
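To tie Steps 3, 4 and 7 together, here is an added PowerShell example (my own, not the author's script) that makes the ApplicationHost.config change through the WebAdministration module, registers the SPNs, and pins the hosts file entry on one server, using the sample names from this post. It assumes the IIS WebAdministration module is present, that the two App-V sites carry the <location path> names shown in Step 3, and that the variables at the top are edited per node. It uses setspn -S instead of -a so the command refuses to create a duplicate SPN, which is the usual reason Kerberos breaks after a change like this; the verification calls after each step are what I would want to see before moving on to the next server.

```powershell
<#
  Added example, not the author's own script: applies Steps 3, 4 and 7 on one
  App-V 5 server using the sample names from this post.
  Assumptions: the IIS WebAdministration module is installed, the two App-V
  sites use the <location path> names quoted in Step 3, and the variables
  below are edited per node (this copy is for vAppV01). Run elevated; the
  setspn part additionally needs rights to write SPNs on the LB computer account.
#>
Import-Module WebAdministration

$LbName       = 'AppV'            # load-balanced name = AD computer account from Step 2
$Domain       = 'dummy'           # NetBIOS domain name
$Fqdn         = 'dummy.lcl'
$Ports        = 8080, 8081        # Management, Publishing
$ThisServerIp = '192.168.1.1'     # this node's own IP (192.168.1.2 on vAppV02)

# --- Step 3: kernel-mode Windows authentication with app-pool credentials -----
# Setting these attributes is the scripted equivalent of the ApplicationHost.config
# edit above; the ApplicationPool identity itself is left untouched.
$sites  = 'Microsoft App-V Management Service', 'Microsoft App-V Publishing Service'
$filter = 'system.webServer/security/authentication/windowsAuthentication'
foreach ($site in $sites) {
    foreach ($prop in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
            -Filter $filter -Name $prop -Value $true
    }
    # Check: all three attributes should now report True for this site
    Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter $filter |
        Select-Object @{ n = 'Site'; e = { $site } }, enabled, useKernelMode, useAppPoolCredentials
}
# The post reboots the server at this point; an IIS restart is the minimum for the change to apply.

# --- Step 4: HTTP SPNs for the LB name, on the LB computer account -------------
# setspn -S (rather than -a) first checks the forest for a duplicate and refuses
# to add one; a duplicate SPN is the classic reason Kerberos quietly breaks.
$account = "$Domain\$LbName"
$lb      = $LbName.ToLower()
foreach ($port in $Ports) {
    setspn -S "http/${lb}:$port" $account
    setspn -S "http/${lb}.${Fqdn}:$port" $account
}
setspn -L $account    # show what is now registered on the account

# --- Step 7: pin the LB name to this server's own IP in the hosts file ----------
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*\S+\s+' + [regex]::Escape($LbName) + '\s*$'
if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsPath -Value "$ThisServerIp`t$LbName"
}
Select-String -Path $hostsPath -Pattern $pattern    # confirm the entry
```

Run it once per App-V server with $ThisServerIp changed to that node's address; the SPN part only needs to succeed once, and on the second node setspn -S will simply report that the SPNs already exist on the LB account.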


Conclusion:

Now you have successfully setup the load balancing for App-V 5.  It is not as complicated as it seemed when I first started this journey, but again, there was no place that I found that had everything needed for App-V documented.