
Archive for April, 2011

SCVMM: Service Principal Names (SPNs) Required for Proper SCVMM 2008 Functionality

April 30, 2011 8 comments

SCVMM 2008, 2008 R2, and future versions of SCVMM rely on Kerberos and Kerberos delegation for their security and authentication model. You may encounter various authentication and authorization problems in SCVMM if the service principal names (SPNs) of the underlying platform are not properly set.

These problems range from console authentication, to SQL access, to host access for the purposes of accessing virtual machines managed by SCVMM. All of these problems can be caused when delegation is failing, possibly due to incorrect or missing SPNs (Service Principal Names).

The resolution is to verify and correct any configuration issues with Kerberos delegation, which often means correcting problems related to SPNs not being registered, or even duplicate SPNs.
 
You can use the SETSPN command to check for duplicate SPNs and to create missing ones if needed. Please note not all SPNs may be required as that will vary based on what server roles are installed. SETSPN is a default external command in both Windows Server 2008 and 2008 R2. For Windows Server 2003, I would recommend downloading the SETSPN update for Windows Server 2003. More information and download links are found here:
 
 
The list below covers all of the SPNs that may be required, grouped by their corresponding components. Since SCVMM is a management interface that sits on top of so many different platform components, incomplete or improper delegation at these component layers will cause problems in SCVMM functionality.
 
Hyper-V Virtual Consoles:

For Virtual Console Support for Hyper-V Hosts (VMCONNECT.EXE) – This will be required on Hyper-V Hosts. Use the following command to set and verify SPNs.

setspn -s "Microsoft Virtual Console Service/HOSTNAME" computername 
setspn -s "Microsoft Virtual Console Service/hostname.fqdn.etc" computername 

For P2V Support.

Use the following command to set and verify SPNs.

setspn -s "Microsoft Virtual System Migration Service/hostname.fqdn.etc" computername 
setspn -s "Microsoft Virtual System Migration Service/hostname" computername 

For VS2005 Hosts and the VMRC utility – This will be required on Virtual Server 2005 Hosts. Use the following command to set and verify SPNs.

setspn -s vmrc/hostname.fqdn.etc:5900 computername 
setspn -s vmrc/hostname:5900 computername 
setspn -s vssrvc/hostname.fqdn.etc computername 
setspn -s vssrvc/hostname computername 

For RDP Support.

Use the following command to set and verify SPNs.

setspn -s TERMSRV/hostname.fqdn.etc computername 
setspn -s TERMSRV/hostname computername 

 For all Hosts.

Use the following command to set and verify SPNs.

setspn -s HOST/hostname computername
setspn -s HOST/hostname.fqdn.etc computername 

HTTP (may be needed for authentication on SSP if the VMM server is using Remote SQL.)

Use the following command to set and verify SPNs.

setspn -s HTTP/hostname.fqdn.etc computername 
setspn -s HTTP/hostname computername 

 SQL VMM Database

Depends on port and instance type: 

Named Instance.

Use the following command to set and verify SPNs.

setspn -s MSSQLSvc/hostname.fqdn.etc:Port computername
setspn -s MSSQLSvc/hostname.fqdn.etc:InstanceName computername

 Default Instance.

Use the following command to set and verify SPNs.

setspn -s MSSQLSvc/hostname:1433 computername 
setspn -s MSSQLSvc/hostname.fqdn.etc:1433 computername 
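
A read-only way to check a host against the lists above, as an added example that is not part of the original post: it builds the expected SPNs for the roles a host runs, parses `setspn -L` output, and prints a `setspn -s` command for each missing entry. The host name, domain, role labels, function names and sample output are constructed for illustration; the vmrc/vssrvc and MSSQLSvc entries are left out because they depend on ports and instance names.

```powershell
# Added example: HV01 and contoso.example are placeholder names.
function Get-ExpectedSpn {
    param([string]$HostName, [string]$Fqdn, [string[]]$Roles)
    # Service classes per role, copied from the setspn commands in this post.
    $classes = @{
        HyperVConsole = 'Microsoft Virtual Console Service'
        P2V           = 'Microsoft Virtual System Migration Service'
        RDP           = 'TERMSRV'
        Host          = 'HOST'
        HTTP          = 'HTTP'
    }
    foreach ($role in $Roles) {
        if (-not $classes.ContainsKey($role)) { throw "Unknown role: $role" }
        "$($classes[$role])/$HostName"
        "$($classes[$role])/$Fqdn"
    }
}

function Get-RegisteredSpn {
    param([string[]]$SetSpnOutput)
    # 'setspn -L <account>' prints a header line, then one indented SPN per line.
    $SetSpnOutput | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() }
}

function Get-MissingSpn {
    param([string[]]$Expected, [string[]]$Registered)
    # -notcontains is case-insensitive, which matches how SPNs are compared.
    $Expected | Where-Object { $Registered -notcontains $_ }
}

# Constructed sample output. On a real host use: $output = setspn -L HV01
$output = @'
Registered ServicePrincipalNames for CN=HV01,OU=Servers,DC=contoso,DC=example:
    HOST/HV01
    HOST/hv01.contoso.example
    TERMSRV/HV01
    TERMSRV/hv01.contoso.example
    Microsoft Virtual Console Service/HV01
'@ -split "`r?`n"

$expected   = Get-ExpectedSpn -HostName 'HV01' -Fqdn 'hv01.contoso.example' -Roles HyperVConsole, RDP, Host
$registered = Get-RegisteredSpn -SetSpnOutput $output
$missing    = @(Get-MissingSpn -Expected $expected -Registered $registered)
foreach ($spn in $missing) {
    # Print the command for review instead of changing the directory directly.
    "setspn -s `"$spn`" HV01"
}
```

`setspn -X` searches for duplicate SPNs, and `-s` checks for a duplicate before adding one.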
 

Here are some links to some excellent articles:


App-V: Error Running Virtualized SAS Client: “Could not Load SAS font”

April 22, 2011 1 comment

After sequencing the SAS Base version 9.2 client, you may get the following error upon launching the application:

WARNING: Could not load SAS font : SAS Monospace
WARNING: Could not load SAS font : SAS Monospace Bold

This will not happen during the launch phase, so it comes as a surprise after deployment.

The two fonts referenced (“SAS Monospace” & “SAS Monospace Bold”) are located in the virtual file structure (CSIDL_Fonts), and are referenced in the Virtual Registry (in the key HKLM>Software>Microsoft>Windows NT>CurrentVersion>Fonts, and referenced as a redirect for another font value in the FontSubstitutes key.)

They are also viewable via sfttray /exe cmd.exe when browsing directly to the c:\windows\fonts folder.

The cause of this tracks back to the fact that the fonts are marked as User Data. Being marked as User Data implies that it is modifiable data that will be copied and maintained in the user’s package volume (*.PKG file.) Since it is marked as user data, when the query is made to the C:\ location, it is redirected to the user PKG, where the fonts may or may not be present.

If you look at this through a Process Monitor trace (one both inside and outside the VE) you will see this happening as well.

If you change the source location for SAS Fonts in the file C:\Program Files\SAS\SASFoundation\9.2\nls\en\SASV9.CFG (Q:\\VFS\CSIDL_PROGRAM_FILES\SAS\SASFoundation\9.2\nls\en\SASV9.CFG) to point to the VFS location (i.e. Q:\\VFS\CSIDL_PROGRAM_FILES\SAS\SASFoundation\9.2\core\resource) instead of the original location on C:\, the error should go away.

Categories: App-V

Microsoft Virtualization Engine and Management Updates


Here is a listing of significant Microsoft management and virtualization engine downloads and updates at all levels of the stack:

Storage Virtualization:

Microsoft iSCSI Target Software:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=45105d7f-8c6c-4666-a305-c8189062a0d0

iSCSI Software Target is an optional Windows Server component that provides centralized, software-based and hardware-independent iSCSI disk subsystems in storage area networks (SANs).

App-V

Microsoft App-V 4.6 Service Pack 1

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3b48dbfe-612d-4806-b737-9254bd9b2445

Hyper-V

Windows Server 2008 R2 SP1:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c3202ce6-4056-4059-8a1b-3a9b77cdfdda

Hyper-V Server 2008 R2 SP1:

http://www.microsoft.com/downloads/details.aspx?familyId=92E2C4BA-6965-4F8E-ABBE-CBB40556B680

Updated Hyper-V Management Tools for Windows 7 SP1 now available

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

Update to the Hyper-V Best Practices Analyzer:

http://support.microsoft.com/kb/2485986

SCVMM:

SCVMM 2008 R2 SP1:

http://blogs.technet.com/b/scvmm/archive/2011/04/01/scvmm-2008-r2-sp1-is-there-an-upgrade-only-download.aspx

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9189bbce-d970-4c6c-9dd3-9e65798ecd70

Updated Configuration Analyzer for SCVMM to include 2008, 2008 R2, and 2008 R2 SP1

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=02d83950-c03d-454e-803b-96d1c1d5be24

Remote Desktop Services Connector for System Center Virtual Machine Manager

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=db795773-2f9f-4439-9df7-0bf162576e57

Planning for a Microsoft VDI Deployment

April 13, 2011 2 comments

In the past, desktop virtualization administrators have used Microsoft for only part of their VDI (virtual desktop infrastructure) while using solutions from VMware or Citrix as the primary basis.

You may be already familiar with Microsoft’s client-hosted enterprise desktop virtualization solution – MED-V. VDI is Microsoft’s server-based desktop virtualization solution combining all of the following for engine support all the way to complete end-to-end management:

  • Hyper-V
  • Windows 7
  • Windows Server 2008 R2
  • System Center Virtualization Manager
  • Remote Desktop Services
  • RemoteFX

Windows Server 2008 R2 Service Pack 1 adds two new components (RemoteFX and Dynamic Memory) that fill two holes related to management flexibility and user experience, and that now make Microsoft almost a no-brainer choice for your VDI solution.

Microsoft’s virtualization main page is found here:

http://www.microsoft.com/virtualization/en/us/products-desktop.aspx

First things first: licensing information regarding VDI. One of the first things customers want to know is what the costs and the potential cost savings are:

http://blogs.technet.com/b/virtualization/archive/2009/07/13/microsoft_1920_s-new-vdi-licensing_3a00_-vdi-suites.aspx

In terms of how it works, here is Microsoft’s VDI solution at a high level:

http://blogs.msdn.com/b/rds/archive/2009/08/19/microsoft-vdi-overview.aspx

The next items of concern are often what infrastructure changes will need to be made. Moving to a VDI environment will require the presence of a Windows 2008 or Windows 2008 R2 domain controller (depending on the Hyper-V/RDS platform being used.) You will also need to update the schema accordingly to support these domain controllers and subsequent services required for the VDI environment.

Here are the outlines of the Windows 2008 and Windows 2008 R2 Schema changes:

Windows 2008:

http://technet.microsoft.com/en-us/library/cc730930(WS.10).aspx

Windows 2008 R2:

http://technet.microsoft.com/en-us/library/dd378828(WS.10).aspx

You will need to have the Windows 2008 schema changes at a minimum; however, the minimum AD domain level supported is Windows 2000 native. Windows 2000 mixed or Windows 2003 interim are not supported.

From: http://technet.microsoft.com/en-us/library/dd883277(WS.10).aspx

The following are important considerations about assigning a personal virtual desktop to a user in AD DS:

  • To deploy personal virtual desktops, your schema for the Active Directory forest must be at least Windows Server 2008. To use the added functionality provided by the Personal Virtual Desktop tab in the User Account Properties dialog box in Active Directory Users and Computers, you must run Active Directory Users and Computers from a computer running Windows Server 2008 R2 or a computer running Windows 7 that has Remote Server Administration Tools (RSAT) installed.
  • You must use a domain functional level of at least Windows 2000 Server native mode. The functional levels Windows 2000 Server mixed mode and Windows Server 2003 interim mode are not supported.
  • Ensure that the RDVH-SRV computer meets the Hyper-V installation prerequisites (http://go.microsoft.com/fwlink/?LinkId=122183).
  •  The user account and the virtual machine must both be members of an Active Directory domain.
  • Personal virtual desktops can only use Windows client operating systems. You cannot install Windows Server® 2008 R2 on a virtual machine and assign it as a personal virtual desktop.
  • A user can be assigned only one personal virtual desktop at a time.
  • A virtual machine can be assigned as a personal virtual desktop to only one user at a time.
  • The name of the virtual machine in the Hyper-V Manager tool must match the fully qualified domain name (FQDN) of the computer.

 Sizing Concerns:

Alongside infrastructure changes and concerns is capacity planning. Here is a good webcast on planning and sizing session virtualization and bandwidth for VDI:

 http://www.microsoft.com/showcase/en/us/details/5e9fe509-a9e2-43a0-99e9-c79b655a3412

 And a good document as well:

 http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=bd24503e-b8b7-4b5b-9a86-af03ac5332c8

 RD Web Access Information:

 http://technet.microsoft.com/en-us/library/dd883265(WS.10).aspx

 RD gateway Information:

 http://technet.microsoft.com/en-us/library/dd560672(WS.10).aspx

Why VDI for Hyper-V Whitepaper:

 http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f0533021-ca5a-4330-b839-1efedad14479

 Windows 2008 R2 SP1’s RemoteFX feature for Hyper-V

 http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5F630FFC-5F30-4B5F-8B2B-8AFB42E14D35&displaylang=en

If you have time, also check out the VDI videos on TechNet Edge:

 http://technet.microsoft.com/en-us/edge/ff832960.aspx?query=1&Category=virtualboy

Description and Explanation of the “Failed unregistering callback tracking connected process termination” Error 997 in App-V

April 11, 2011 8 comments

Have you ever noticed that periodically you may see the following error in the SFTLOG.TXT and/or the Windows Application event log:

Failed unregistering callback tracking connected process termination (error: 997).

You will also see the following in the Event Log:

Log Name:      Application
Source:        Application Virtualization Client
Date:         
Event ID:     
Task Category: (3)
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      <name>
Description:
{tid=1C3C}
Failed unregistering callback tracking connected process termination (error: 997).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Virtualization Client" />
    <EventID Qualifiers="16384">3219</EventID>
    <Level>3</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-09-18T19:34:05.000000000Z" />
    <EventRecordID>834</EventRecordID>
    <Channel>Application</Channel>
    <Computer>COMPUTERNAME</Computer>
    <Security />
  </System>
  <EventData>
    <Data>{tid=1C3C}
</Data>
    <Data>997</Data>
  </EventData>
</Event>

Here is an explanation of the situations where this event may occur:

When one of the App-V client’s front-end components (i.e. UI or SFTTRAY) connects to the SFT Listener, the Listener opens a process handle to that front-end component and calls a system API that automatically monitors for that process handle being signaled (i.e. the process exited) and invokes a callback function in the Listener if that occurs. If the front-end component disconnects normally, the monitoring of the handle is canceled. In this case, it appears that when the unregistration of the callback function was attempted, the callback function had already been queued up or was in the process of executing, which caused this warning to be reported.

In most cases this message is benign. This will often happen when the SFTDCC processes overlap with publishing refreshes and will also happen often on TS/RDS logoffs – especially with Server 2008 and beyond. You will also see this paired with User Profile Service registry closure events.

Setting the online registry key wrong for App-V RDS Client Users in Full Infrastructure Mode will cause new users to not get Applications after Publishing/Refresh

April 7, 2011 1 comment

When running the App-V Remote Desktop Services Client (Terminal Services Client), users may find that precached applications do not appear for newly logged-on users on the RDS/TS server, although existing users still have access to the applications.

This happens even though the new users are members of the same groups previously given authorization to the application in the App-V Management Server console.

This can happen on Terminal Servers (RDS) if the following registry keys are set at the same time:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\<Current Version>\Client\Network

Value:

Online – Set to 0

AllowDisconnectedOperation – Set to 1

The other users had previously refreshed against the server and gained access to the application prior to the “Online” key being set to 0. Once this was done, there are no refreshes against the server and, as a result, new users never get an application list from the server.

These new users must refresh against the server at least once. Set the “Online” key back to 1 and restart the Application Virtualization Client service.
Categories: App-V, RDS

App-V: Description of Feature Flags When Configuring the Office 2010 Deployment Kit for App-V

April 4, 2011 2 comments

For the Feature Flags that come with the Office Deployment Kit, customers may have questions as to which feature options under ADDLOCAL and ADDDEFAULT align with which specific feature. When you deploy to the sequencer, we are determining what elements will be bypassed and leveraged by the handlers during the sequencing process.

32-bit:

ADDLOCAL=Click2runMapi,Click2runOWSSupp,Click2runWDS,OSpp,OSpp_Core

64-bit:

ADDLOCAL=Click2runMapi,Click2runOWSSupp,Click2runWDS,OSpp,OSpp_Core,OSppWoW64

The options here:

  • Click2runMapi: For MAPI Overrides 
  • Click2runOWSSupp: Microsoft SharePoint Client Support 
  • Click2runWDS: Search MAPI Protocol Handler and Host Search MAPI Protocol Handler Manager Overrides. This allows for Fast Search in Outlook 
  • OSpp: Microsoft KMS Client. 
  • OSpp_Core: Office Software Protection Platform
  • OSppWoW64: Microsoft KMS Client for x64.

Then, on the client, we deploy the handlers, which put the host-side handlers in place. This will expose the proxies.

ADDDEFAULT=Click2runOneNoteProxy,Click2runOutlookProxies,Click2runWDSProxy,Click2runOWSSuppProxies

  • Click2runOneNoteProxy: Send to OneNote printer Proxy
  • Click2runOutlookProxies: All MAPI and Mail control panel applet 
  • Click2runWDSProxy: Search Proxy and Office Document indexing 
  • Click2runOWSSuppProxies: Sharepoint Client