App-V 5: On Package Entitlement and Publishing

Before you begin testing client publishing, ensure that your entitlements (assignments of packages and package configurations to groups) are properly set and that the publishing metadata document has been updated with the package, configuration, and entitled groups. Otherwise you could find yourself in a sea of frustration testing client publishing when there is nothing new to retrieve.

Assuming all of the services were installed properly, you will have two primary web services responsible for entitlement and publishing. They may reside on the same machine or on different machines. Both the Management Service and the Publishing Service run as worker processes within IIS, as all services are web-based and use RESTful (representational state transfer) technologies (https://en.wikipedia.org/wiki/REST). Clients sync only with the Publishing Service. They do not sync with the Management Service, which means the Management Service and the back-end SQL database are no longer the potential single point of failure that they were in previous versions of App-V.

Package Entitlement Process

Understanding the steps from entitlement to publishing will help you isolate actions when troubleshooting packages that are not publishing properly. When you open the Silverlight-based management console, just like in previous versions, you are communicating via the management web service to the App-V data store.


 
When a new package is added or modified in any way, after administrative access is verified, the manifest is extracted from the APPV package to obtain key information and configuration (shortcuts and FTAs). This information is then placed into the database. The method by which the package is added governs the format in which the package URL location is captured. This can, of course, be overridden at the client with the PackageSourceRoot configuration item. In addition to the user running the Management Console having appropriate administrative access, the services need proper access to the content being added.

If you specify an SMB (UNC) path to the package and the file share is located on the same machine as the Management Service, you must ensure that the NT AUTHORITY\Network Service account has at least read access to the package location. If you specify an SMB (UNC) path to the package and the file share is located on a different machine than the Management Service, the computer running the Management Service must have at least read access to the packages. If you specify the source using an HTTP-based URL, the computer running the Management Service must likewise have at least read access to the packages. Note that you would replace the computer account with a service account should you elect to use a service account for the Management Service worker process.

Publishing Sequence Number

Upon successful addition or modification of the package, the next step is to update the Publishing Sequence Number. Any change in package configuration warrants a change in the overall publishing data. This begins by incrementing the Publishing Sequence Number in the Configuration table of the database.


 
This is a crucial value: when the Publishing Service syncs with the Management Service, the Management Service compares the sequence number contained in the publishing metadata with the one in the database. If the sequence numbers in the metadata and the database match, the existing metadata is returned to the Publishing Service. If the database number is different, new metadata is generated on the file system and then returned to the Publishing Service. The Publishing Service then stores the data in its file system (PublishingMetadata.xml).


 
Triggering Synchronization between the Management and Publishing Services

The Publishing Service syncs with the Management Server under the following conditions:

1.) At a periodic interval: The registry value PUBLISHING_MGT_SERVER_REFRESH_INTERVAL located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Server\PublishingService governs the interval. It defaults to 600 seconds (10 minutes). You can tweak this value, but remember that it is in effect whether the Publishing Service runs on the same machine as the Management Service or on a separate machine. If the Publishing Service runs on a separate machine, it must be added as a publishing server in the Management Console.

2.) Upon start or recycling of the Publishing Service worker process: Since the services exist as worker processes in IIS and not as services controlled by the Service Control Manager, you must restart them by rebooting, by resetting IIS through IISRESET, or by cycling the service directly by stopping and starting the worker process within IIS Manager. If the Management Service and the Publishing Service reside on the same machine, I would be careful using IISRESET to cycle the services, as you cannot control which service starts up first. You could run into sync issues where the Publishing Service is unable to sync with the Management Service because the latter may still be in the process of restarting.

  

Take Note of Hotfix 2 for the App-V 5.0 Service Pack 1 Publishing Service

Hotfix 2 for App-V 5 SP2 (https://support.microsoft.com/kb/2897087/en-us) updates the Publishing Service to query Active Directory directly for the user’s group membership rather than using the access token. This allows entitlements to take effect without the user having to log off (or, in the case of computer targeting, without having to reboot). Be advised that in addition to applying the hotfix, you must make the following registry adjustment:

Key: HKLM\Software\Microsoft\AppV\Server\PublishingService
Data Type: DWORD
Value: RefreshGroupsFromAD
Data: 1
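
As an added example (not from the original post or from Microsoft), the following PowerShell reads the two Publishing Service registry values discussed above, the refresh interval from item 1 and RefreshGroupsFromAD, and sets the latter to 1 only when it is not already. The function names are hypothetical; the key path and value names are the ones given in this post, and the script assumes an elevated session on the Publishing Server.

```powershell
# Added example: audit and set the Publishing Service registry values named in this post.
# Function names are hypothetical; run elevated on the Publishing Server.
$AppvPubKey = 'HKLM:\SOFTWARE\Microsoft\AppV\Server\PublishingService'

function Get-AppvPublishingSetting {
    param([string]$Path = $AppvPubKey)
    if (-not (Test-Path -Path $Path)) {
        throw "Key not found: $Path (is the Publishing Service installed here?)"
    }
    $props = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        # Seconds between syncs with the Management Service (the post gives 600 as the default).
        RefreshIntervalSeconds = $props.PUBLISHING_MGT_SERVER_REFRESH_INTERVAL
        # $null means the value is absent, so group membership still comes from the access token.
        RefreshGroupsFromAD    = $props.RefreshGroupsFromAD
    }
}

function Enable-AppvRefreshGroupsFromAD {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $AppvPubKey)

    # Reuses the reader above, which also fails early if the key is missing.
    $current = (Get-AppvPublishingSetting -Path $Path).RefreshGroupsFromAD
    if ($current -eq 1) {
        Write-Verbose 'RefreshGroupsFromAD is already 1; nothing to change.'
        return
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Set RefreshGroupsFromAD (DWORD) to 1')) {
        # -Force overwrites an existing value of a different type or data.
        New-ItemProperty -Path $Path -Name 'RefreshGroupsFromAD' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report the current state, then preview the change without writing anything.
Get-AppvPublishingSetting
Enable-AppvRefreshGroupsFromAD -WhatIf
```

Drop `-WhatIf` to apply the change; the registry value only has the effect described above when the hotfix is also installed.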