Anonymous Access to App-V Applications in a Central Deployment Scenario

In the former SoftGrid platform there was an option to allow “Anonymous Access” to virtual Applications. Anonymous Access was used in environments with only a limited Active Directory Infrastructure (like Novell Directories, Samba or others). With App-V 4.5 the option to allow “Anonymous” access disappeared from the App-V Management infrastructure without any easy substitute.

Beyond being an academic exercise, I recently met a customer in a training class who wanted to have as many “legacy” SoftGrid features as possible along with new opportunities (namely Dynamic Suiting).

The requirements:

  1. There is no “real” Active Directory. All Users are members of an “Alternative” Directory Service (Samba in that case, but it also might be a Windows Workgroup, eDirectory or so).
  2. A Stand-Alone-AD with a very limited amount of Lab Users and no Trust Relationship to the Directory Service is acceptable but must not require any administration
  3. All Users get the same set of applications
  4. Client Devices get their Virtual Applications as dynamic as possible without the need to “touch” them. There is no Electronic Software Distribution solution in place
  5. Dynamic Suite Composition and Active Upgrade are highly demanded
  6. File Type Associations should be assigned on the Client.
  7. Application Shortcut Integration (Desktop Icon, Start Menu) is optional
  8. Applications are listed on an Intranet web site
  9. Management efforts are as limited as possible

When evaluating the requirements above one by one, the result doesn’t look very nice:

  1. A “legacy like” App-V Management Server infrastructure is not possible, because the App-V Management Server requires Kerberos based authentication and authorization. While the “downloading” part could be done by a simple Web Server or App-V Streaming Server, applications can’t be Published that way
  2. This does not make things much easier. The existence of an “almost empty” AD was the foundation of the former “Anonymous Authentication”, because “anonymous” meant that all user requests were mapped to one and the same “Service” user – and its authorization was mapped back to the users – but this option disappeared in App-V 4.5
  3. That’s obvious for Anonymous Authentication – if you don’t know the users you can’t differentiate between them.
  4. Because of this, any MSI based publishing (like MSI + Central Deployment or MSI in Standalone Mode) can’t be used. An MSI based announcement requires touching the client.
  5. Esp. Dynamic Suiting is one of the drivers to move from SoftGrid 4.2 to App-V 4.5
  6. This item prohibits the use of a simple Web Site that semi-automatically displays a list of all available applications (by parsing the “Content” folder): although such a Web Site allows launching an Application (i.e. the OSD file), it does not allow registering File Type Associations on the Client device.
  7. Creating Shortcuts on the user’s desktop would allow offline access, but this is an optional feature
  8. This can be done by using a script that parses the “Content” folder and creates web links to all OSD files
  9. Perhaps some requirements could have been fulfilled with smart scripting solutions, but this would firstly require actively touching the client (to push the scripts) and secondly can become quite sophisticated (using SFTMIME loops with different parameters to publish the Application Shortcuts, File Type Associations and so on).

After some discussions and testing, we came to a solution that can only be considered a workaround, because it does not provide exactly the same flexibility as the old “Anonymous Authentication”.

The Solution Design:

In the Back End

  • Build an App-V Streaming Server that can be contacted from the Production Clients. Configure it to enforce neither Authentication nor Authorization.
  • Build a simple Web Server that can host a file. I’d recommend installing IIS on the Streaming Server Box and configuring IIS to have a virtual web directory pointing to “Content”
  • Build an isolated App-V Management Server on a (virtual) machine that also acts as AD Domain Controller, Database Server and (optional) Web Server.
  • Make sure, all components point to the same Content folder
  • Install and configure the App-V Client on the same machine pointing to that server as Publishing Server (I’ll call this client the “Publishing Client”).
  • Whenever a new Application has to be published (or an existing one has to be modified), use the Publishing Client to extract the so-called “Applist”. The Applist is an XML-like proprietary file that tells the client how to publish applications and where to gather the required resources. The APPLIST.XML structure can be found inside the Client’s “sftlog.txt” file after increasing the log level.
  • Place the Applist.xml file on a Web Server that can be contacted by the Production Clients.

On the Clients

  • Install the App-V Client and configure it as follows:
      • Define the Publishing Server to be an HTTP(s) Server and point to the Applist.xml file
      • Disable “RequireAuthorizationIfCached”
      • Recommended: Configure the Variable SFT_SOFTGRIDSERVER to point to the streaming server

The result:

Upon User Logon, the App-V Client connects to the Web Server and downloads the Applist.xml file. This file is parsed by the Client and instructs it to download the OSD and ICO files, to create the application records on the client, and to create the Shortcuts and FTAs. Upon Application Launch, there is nothing new: the client parses the OSD, contacts the Streaming Server (that is defined by SFT_SOFTGRIDSERVER, the OSD File or ApplicationSourceRoot) and transfers the Package GUID for the SFT. The Streaming Server checks if there is a new version of the package and starts to deliver the SFT.

Considerations and Advantages
The biggest consideration is that some action is required every time an Application’s Publishing information is changed: the administrator has to extract a new Applist.xml and place it on the Publishing Web Server. However, this could be semi-automated in a script.

The advantage is that, with only limited effort, Non-AD users can also be provided with App-V Applications “on demand” – without the need to implement an MSI-based distribution solution.
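
Because the Production Clients fetch Applist.xml without authenticating and then act on whatever it references, the semi-automated publishing step mentioned above is a natural place to gate the file before it goes live. The PowerShell below is an added example, not part of the original post or of App-V: it refuses to publish an Applist that references any host other than the expected web and streaming servers, then stages the file and logs its SHA-256. The function names Get-ReferencedHost and Publish-Applist, the host names, the paths and the sample text are assumptions, and the scan deliberately does not rely on the proprietary Applist schema.

```powershell
# Added example: host names, paths and the sample text below are constructed.
function Get-ReferencedHost {
    param([Parameter(Mandatory)][string]$Text)
    # Schema-agnostic scan: any scheme://... URL or \\server\share path in the file.
    $pattern = '(?i)(?:[a-z][a-z0-9+.-]*://|\\\\)[^\s"''<>]+'
    $found = foreach ($m in [regex]::Matches($Text, $pattern)) {
        $uri = $null
        if ([Uri]::TryCreate($m.Value, [UriKind]::Absolute, [ref]$uri) -and $uri.Host) {
            $uri.Host.ToLowerInvariant()
        } else {
            $m.Value   # unparseable reference: return it verbatim so the check fails closed
        }
    }
    $found | Where-Object { $_ } | Sort-Object -Unique
}

function Publish-Applist {
    param(
        [Parameter(Mandatory)][string]$Source,          # Applist extracted on the Publishing Client
        [Parameter(Mandatory)][string]$WebRoot,         # folder served to the Production Clients
        [Parameter(Mandatory)][string[]]$AllowedHosts,  # publishing web server and streaming server
        [Parameter(Mandatory)][string]$LogFile          # kept outside the web root
    )
    $text = Get-Content -LiteralPath $Source -Raw
    $unknown = @(Get-ReferencedHost -Text $text | Where-Object { $_ -notin $AllowedHosts })
    if ($unknown.Count -gt 0) {
        throw "Not published, unexpected hosts referenced: $($unknown -join ', ')"
    }
    # Stage next to the target, then swap, so clients are never served a partial copy.
    $target = Join-Path $WebRoot 'Applist.xml'
    Copy-Item -LiteralPath $Source -Destination "$target.new" -Force
    Move-Item -LiteralPath "$target.new" -Destination $target -Force
    $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    Add-Content -LiteralPath $LogFile -Value "$(Get-Date -Format o) $hash $Source"
    [pscustomobject]@{ Path = $target; Sha256 = $hash }
}

# Constructed sample, not the real Applist schema: one expected host, one unexpected.
$sample = @'
<APP OSD="http://appv-web.example.test/content/editor.osd"
     ICON="http://files.example.invalid/editor.ico" />
'@
Get-ReferencedHost -Text $sample |
    Where-Object { $_ -notin 'appv-web.example.test', 'appv-stream.example.test' }
```

The last statement lists the hosts that would block publication for the sample text. References that cannot be parsed as a URL, such as ones containing unexpanded variables, are reported verbatim and also block publication until they are reviewed.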