How to configure the App-V Management Server Service to run as a Service Account

By default the App-V Management Server service is configured to run as the Network Service, but what if your company has a policy that requires the use of Service Accounts rather than running services as "Network Service" or "Local System?" If you change the service to run as a service account, users may get the following error when attempting to perform a DC Refresh:

Failure on Desktop Configuration Server request to URL {rtsp://AppVserv:554/} with header {Host: Appvserv
Content-Type: text/xml} (rc 1690722A-80090322).

Additionally, clients may get the following error attempting to launch applications:

The Application Virtualization Client could not launch <Application Name> 1.0.
The target principal name is incorrect.
Error code: 450482-1690802A-80090322

The reason for this is because when the service installs, SPN's are configured for the App-V service using the hostname. In order to successfully configure the service to run as a service account, we have to manually configure SPNs.

To configure the SPNs, you'll need to install the Support tools for the server's operating system. For Windows 2003, run the suptools.msi from Support\tools directory on the Windows 2003 Server CD. Once the support tools are installed simply follow these steps:

1. Create the service account in AD Users and Computers.

2. Add this account to the administrator group used for the App-V Administrators.

3. Run Services.msc, then right-click on Application Virtualization Management Server and select Properties.

4. Click on the Log on tab.

5. Change the NT Authority\Network Service to the service account created in Step 1 and enter the password.  Click OK.

6. Click OK to acknowledge the Services dialog box indicating that the new logon will not be in effect until the service is restarted.

7. Right-click on Application Virtualization Management Server and select Restart.

8. Assuming the Support Tools are installed on the App-V Management Server, go to Start, All Programs, Windows Support Tools, Command Prompt.

9. Enter the following 2 commands:

setspn -A SoftGrid/<FQDN of your machine> <YourDOMAIN>\<YourServiceAccountName>
setspn –A SoftGrid/<NetBIOS name of your machine> <YourDOMAIN>\<YourServiceAccountName>

Here's an example of what I ran on my lab computer:

Setspn -A SoftGrid/appvserv.contoso.local contoso\AppVSvc
Setspn -A SoftGrid/appvserv contoso\AppVSvc

10. Grant access to the Content share to the Service Account you created.

11. Add the Service Account to Logon as A Service rights in the Local Security Policy.

12. Give the Service Account Modify permissions to the Microsoft System Center App Virt Streaming Server\Logs directory.

Once you do this your users should be good to go.

Here is a link to some additional information on Setspn: https://technet.microsoft.com/en-us/library/cc773257.aspx

Here's some more security related information: https://www.microsoft.com/technet/security/midsizebusiness/topics/networksecurity/securingaccounts.mspx

Michelle Foley | App-V Support Engineer