Recently I had a customer ask for my assistance with a problem they were having in their App-V environment.
Client computers would get the following error when they tried to connect to their defined publishing server:
My Google-fu failed me initially on this, as I was not able to find anything related to the 460579-19D0990A-10000009 error message, despite these seemingly definitive pages (here & here) on other errors.
I decided to look at the Management Server to see if perhaps it could shed more light on the situation. When I looked at the server’s application log I found this message to be more useful:
Log Name: Application
Source: Application Virtualization Server
Event ID: 44955
Task Category: (1)
Certificate could not be loaded. Error code [-2146893043]. Make sure that the Network Service account has proper access to the certificate and its corresponding private key file.
The Services MMC shows the Application Virtualization Management Server service is logging on as builtin\Network Service. Here is our problem!
Doing a search on this new information brought me to the App-V Security Operations Guide. Within, I found instructions for adjusting the permissions:
In order to modify the permissions of the private key, a Windows Server 2003 Resource Kit tool, WinHttpCertCfg.exe can be used. There are other ways to modify the certificate permissions, however this is the most straightforward and easy way of completing this task. The following steps explain how to modify the permissions of a certificate to support a secure App-V installation.
On Windows Server 2003, the process of changing the permissions on the Private Key to support App-V is described in the steps below. This process requires that a certificate that meets the prerequisites listed above has already been installed on the machine or machines that App-V Management or Streaming Server will be installed on.
Additional information on using the WinHttpCertCfg.exe tools is available at the link below.
1. On the machine that will become the App-V Management or Streaming server, type the following commands in the command shell to list the current permissions assigned to a specific certificate.
winhttpcertcfg -l -c LOCAL_MACHINE\My -s Name_of_cert (eg. server.domain.com)
2. Next, if necessary modify the permissions of the certificate to provide read access to the security context that will be used for Management or Streaming Service.
NOTE: The default security context is Network Service; some organizations don’t use built-in accounts, and a domain account may be used instead.
winhttpcertcfg -g -c LOCAL_MACHINE\My -s Name_of_cert -a NetworkService
3. Verify that the security context was properly added by listing the permissions on the certificate.
winhttpcertcfg -l -c LOCAL_MACHINE\My -s Name_of_cert
Windows Server 2008 makes the process of changing the ACLs on the private key much easier. The certificates GUI can be used to manage private key permissions.
1. Create an MMC with the Certificates snap-in that targets the Local Machine certificate store.
2. Expand the MMC as shown in the diagram below and select Manage Private Keys.
3. Use the Security tab to add the Network Service account with Read access.
I found that both methods actually work on Server 2008 / R2 in case for some reason you are more comfortable with the command line and/or you didn’t bother to scroll down like I did to realize there is now a GUI alternative! 🙂
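A PowerShell version of the same list, grant and verify steps, as an added example that is not part of the original post or the App-V guide. It assumes Windows PowerShell 5.1 (.NET 4.6 or later) in an elevated session and an RSA key; the function name Test-CertKeyRead is hypothetical and server.domain.com is the guide's placeholder.

```powershell
# Added example: audit (and optionally grant) Read on a machine certificate's private key file.
# Assumptions: Windows PowerShell 5.1, elevated session, RSA key in the Local Machine store.
function Test-CertKeyRead {
    param(
        [Parameter(Mandatory)] [string] $SubjectName,
        [string] $Account = 'NT AUTHORITY\NETWORK SERVICE',
        [switch] $Grant   # add Read only when it is missing
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$SubjectName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key matches CN=$SubjectName" }

    # The key container's unique name is also the name of the key file on disk.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw "Certificate $($cert.Thumbprint) has no accessible RSA private key" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $name = $rsa.Key.UniqueName }
    else { $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }

    # CSP keys live under RSA\MachineKeys, CNG keys under Keys; check both.
    $keyFile = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
               "$env:ProgramData\Microsoft\Crypto\Keys" |
        ForEach-Object { Join-Path $_ $name } | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Key file '$name' not found in the machine key stores" }

    # Compare by SID so localized or differently cased account names still match.
    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $acl  = Get-Acl -Path $keyFile
    $hasRead = [bool]($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value -and $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $read) -eq $read })

    if (-not $hasRead -and $Grant) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $read, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile -AclObject $acl
        $hasRead = $true
    }
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; KeyFile = $keyFile; Account = $Account; HasRead = $hasRead }
}

# Audit only:     Test-CertKeyRead -SubjectName server.domain.com
# Audit and fix:  Test-CertKeyRead -SubjectName server.domain.com -Grant
```

If the service runs under a domain account instead of Network Service, pass that account with -Account; Read is the only right the function adds.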
After I made this permission adjustment, I tried the client refresh again, and instantly my applications appeared!
I hope this tip helps someone out there!