Microsoft App-V 5.0 Load Balancing
I have had the pleasure of working with Microsoft App-V for a while now and HA has always been a very important item. Load Balancing has been a breeze in the App-V 4.x environments. All you needed was a load balancer that could pass * for the port and * for the protocol and everything worked great. Yes, you can argue that RTSP used 554 TCP, but the random port chosen afterwards was the killer.
That has all changed in App-V 5.0. Now Kerberos is a huge deal. Anyone that has worked with SQL clusters will understand how temperamental Kerberos can be without being properly set up. After having had the fun of translating Microsoft language into a usable format, I figured I would document to the best of my ability how to set up App-V 5 to use Kerberos and be load balanced.
Before I start, I would like to share some of the articles that were used or discarded in getting this to work:
Microsoft has a “Planning for High Availability” article which can be found here: http://technet.microsoft.com/en-us/library/dn343758.aspx. This article talks about HA for the entire environment and is a pretty good read except for the Web Services load balancing.
Microsoft has another article on “How to provide fault tolerance and load balancing in Microsoft App-V v5”, http://support.microsoft.com/kb/2780309. I didn’t find this article very useful.
After combining the 2 articles above and many others, I have found these steps to be pretty straightforward and easy to do.
Assumptions: I am assuming you have 2 or more App-V 5 servers installed with Management and Publishing working in the environment. I put both Management and Publishing on the same servers, but it is up to your design. I have performed these steps in Windows 2012 R2 Standard.
I will be using the following as examples
Server Names: vAppV01 and vAppV02
Load Balanced Name: AppV
FQDN: dummy.lcl
App-V Management port: 8080
App-V Publishing port: 8081
Step 1: Have a Load Balancer and DNS A record
I tend to use Citrix NetScalers for LB on the projects I work on, but any should work. Just like App-V 4.0, it is easiest to use a LB with * for ports and * for protocols. Again, the security guys will argue with me that you are opening too much. My point is that it is internal traffic and is not transferring company data. All that is being transmitted is bits to launch an application.
Step 2: Set up an AD Computer Account
Create a computer account in Active Directory with the Load Balanced Name. This will be used to assign the SPNs to later.
Step 3: Change the IIS ApplicationPool Identity
This is where all the confusion comes in. If you read all the information out there regarding the ApplicationPool Identity, it leads you to believe that you need to change this to run as a service account. Performing this step will break the syncing of your publishing servers with the Management service. We will just skip that part and allow the KernelMode to take care of Kerberos for you:
- Navigate to c:\windows\system32\inetsrv\config and make a backup of ApplicationHost.config
- Now we need to edit 2 parts of this file. Both are found at the bottom of the file; the line to change in each is the windowsAuthentication line.

```xml
<location path="Microsoft App-V Management Service">
    <system.webServer>
        <security>
            <authentication>
                <digestAuthentication enabled="false" />
                <basicAuthentication enabled="false" />
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
        <webdav>
            <authoring enabled="false" />
        </webdav>
    </system.webServer>
</location>
<location path="Microsoft App-V Publishing Service">
    <system.webServer>
        <security>
            <authentication>
                <digestAuthentication enabled="false" />
                <basicAuthentication enabled="false" />
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>
```

- The windowsAuthentication line in each of these sections needs to read as follows:

```xml
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
```
Now reboot your server to verify that changes have taken effect.
Step 4: Adding SPNs to Active Directory
Now that your file has been changed, we need to set up the following SPNs to allow AD to provide the Kerberos authentication for both the App-V Publishing and Management roles.
Run the following commands with Domain Admin rights:
setspn -a http/<server>:<port> <domain>\<LB Name>
setspn -a http/<server.FQDN>:<port> <domain>\<LB Name>
Examples below:
- setspn -a http/appv:8080 dummy\appv
- setspn -a http/appv:8081 dummy\appv
- setspn -a http/appv.dummy.lcl:8080 dummy\appv
- setspn -a http/appv.dummy.lcl:8081 dummy\appv
Step 5: Your Database
Nothing to add or change to the DB
Step 6: Your Content Share
Nothing to add or change to the Content Share
Step 7: Final Step
Now to make sure we don’t have the Publishing Servers going across to the other Management Server, I make one final change:
Edit the Hosts file on each App-V Server to point to its own IP for the LB name.
Example:
If the IP for vAppV01 is 192.168.1.1 and IP for vAppV02 is 192.168.1.2 and the LB Name of AppV is 192.168.1.3, the hosts files should read like this:
Hosts File vAppV01:
192.168.1.1 AppV
Hosts File vAppV02:
192.168.1.2 AppV
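
A check for Steps 3, 4 and 7, as an added example that is not part of the original post: it reads ApplicationHost.config, queries each SPN with setspn -Q, and compares the hosts entry with the server's own addresses. The names, ports and domain are the article's example values, and the parsing of setspn's text output is an assumption about its format.

```powershell
# Added verification sketch: run elevated on each App-V server.
# Values are the article's examples; adjust them to your environment.
$lbName = 'AppV'                       # load-balanced name / AD computer account
$fqdn   = 'appv.dummy.lcl'             # load-balanced FQDN
$ports  = 8080, 8081                   # Management, Publishing
$sites  = 'Microsoft App-V Management Service', 'Microsoft App-V Publishing Service'
$config = "$env:windir\System32\inetsrv\config\applicationHost.config"
$hosts  = "$env:windir\System32\drivers\etc\hosts"
$problems = @()

# Step 3: each <location> needs all three windowsAuthentication attributes.
[xml]$xml = Get-Content -Path $config -Raw
foreach ($site in $sites) {
    $xpath = "/configuration/location[@path='$site']" +
             '/system.webServer/security/authentication/windowsAuthentication'
    $node = $xml.SelectSingleNode($xpath)
    if (-not $node) { $problems += "config: no windowsAuthentication for '$site'"; continue }
    foreach ($attr in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
        if ($node.GetAttribute($attr) -ne 'true') {
            $problems += "config: '$site' $attr is '$($node.GetAttribute($attr))'"
        }
    }
}

# Step 4: every SPN must exist exactly once, on the load-balanced account.
# Assumes 'setspn -Q' prints one 'CN=...' line per account holding the SPN.
foreach ($name in $lbName, $fqdn) {
    foreach ($port in $ports) {
        $spn    = "http/${name}:$port"
        $owners = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
        if ($owners.Count -eq 0)     { $problems += "spn: $spn is not registered" }
        elseif ($owners.Count -gt 1) { $problems += "spn: $spn is duplicated: $($owners -join '; ')" }
        elseif ($owners[0] -notmatch "^CN=$lbName,") { $problems += "spn: $spn is on $($owners[0])" }
    }
}

# Step 7: the hosts file must map the load-balanced name to a local IPv4 address.
$own = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$mapped = foreach ($line in Get-Content -Path $hosts) {
    $f = @(($line -replace '#.*$').Trim() -split '\s+' | Where-Object { $_ })
    if ($f.Count -gt 1 -and ($f | Select-Object -Skip 1) -contains $lbName) { $f[0] }
}
if (-not $mapped) { $problems += "hosts: no entry for $lbName" }
foreach ($ip in $mapped) {
    if ($own -notcontains $ip) { $problems += "hosts: $lbName -> $ip is not a local address" }
}

if ($problems) { $problems; exit 1 } else { 'Steps 3, 4 and 7 verified on this server' }
```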
Conclusion:
Now you have successfully set up the load balancing for App-V 5. It is not as complicated as it seemed when I first started this journey, but again, there was no place that I found that had everything needed for App-V documented.