Thursday, 13 June 2013

Load Balancing AppSense IIS Servers


Expanding on some of my previous posts relating to AppSense infrastructure, this post is going to talk about leveraging load balancing to make the AppSense IIS servers resilient.

So to start, let me clarify that AppSense's Support Organisation will support an AppSense environment in a load balanced configuration; however, if they deem the problem to be caused by the load balancing technology used, they will ask you to re-create the problem bypassing the load balancer. This is in line with the support stance that the majority of software organisations take.

So to start you will need to consider the following factors:
  • Windows Authentication or Anonymous access to the Management and Personalization Servers.
  • Do you need to configure the product through the load balanced VIP?
If the answers to these questions are Windows Authentication and/or Yes, you will need to create a service account as well as Service Principal Names (SPNs). To summarise, an SPN is basically a way of mapping a service to a username.

First you'll need to configure your AppSense application pools to run under the service account. Once you have associated the service account with the application pools, run the following commands, which ensure that permissions are correctly configured so the service account can access the ASP.NET temporary directories:
  • Aspnet_regiis.exe -pa AppSenseMasterKey <DOMAIN>\<USERNAME>
  • Aspnet_regiis.exe -ga <DOMAIN>\<USERNAME>
In addition, this account MUST have read access to the %WINDIR%\Temp directory (C:\Windows\Temp by default).

The service account also needs to be able to interact with the AppSense Deployment Service on the AppSense Management Servers. This is achieved by running the following command:

 sc sdset "AppSense Deployment Service" D:(A;;LCLO;;;<SERVICE ACCOUNT SID>)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
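
The sc sdset command above replaces the whole security descriptor with a fixed string into which you paste the account's SID. As an added example (not from the original post), the following PowerShell resolves the SID for you and adds just the one ACE the post grants (LC = query status, LO = interrogate) to whatever descriptor the service currently has, so any other ACEs already on the service survive. The account name is a placeholder.

```powershell
# Added example, not part of the original post: resolve the service account's SID and
# grant it LC (query status) and LO (interrogate) on the AppSense Deployment Service by
# adding one ACE to the existing descriptor instead of pasting a whole SDDL string.
$ServiceAccount = 'CONTOSO\svc-appsense'          # ASSUMPTION: placeholder account name
$ServiceName    = 'AppSense Deployment Service'

# Translate DOMAIN\user to its SID string for use in the ACE.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Current descriptor, e.g. D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(...)S:(AU;FA;...;;;WD)
$sddl = & sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' } | Select-Object -First 1
if (-not $sddl) { throw "Could not read the security descriptor for '$ServiceName'" }
$sddl = $sddl.Trim()

$ace = "(A;;LCLO;;;$sid)"
if ($sddl -notlike "*$ace*") {
    # Insert the ACE at the head of the DACL, after 'D:' and any DACL flags (P, AI, AR).
    $sddl = $sddl -replace '^(D:[PAIR]*)', ('${1}' + $ace)
    & sc.exe sdset $ServiceName $sddl
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed (exit code $LASTEXITCODE)" }
}

# Show the resulting descriptor so the new ACE can be checked.
& sc.exe sdshow $ServiceName
```

Run it in an elevated prompt on each Management Server. The rights granted are deliberately limited to querying and interrogating the service; the account does not need start, stop or configuration rights for the Deployment Service.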

The SPNs are configured through the following commands:
  • Setspn.exe -a host/<FQDN> <DOMAIN>\<USERNAME>
  • Setspn.exe -a http/<FQDN> <DOMAIN>\<USERNAME>
Typically you'd create at least two virtual IP (VIP) addresses for each service, so you'd need to create an SPN for each of the VIPs you create.

Now that you have set the SPNs up, launch Active Directory Users and Computers and ensure you trust the user for delegation, as shown in the accompanying image.
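
As an added example that is not part of the original post, the following PowerShell registers the host/ and http/ SPNs for every VIP name against the service account. It differs from the plain setspn -a commands above in that it queries first and uses the duplicate-checked -S form, because an SPN held by two accounts breaks Kerberos for both of them. The account name and the VIP FQDNs are placeholders.

```powershell
# Added example, not part of the original post: register host/ and http/ SPNs for each
# load-balanced FQDN against the service account, refusing to create duplicates, then
# list what the account holds so it can be checked against the VIP list.
$ServiceAccount = 'CONTOSO\svc-appsense'                         # ASSUMPTION: placeholder account
$VipFqdns       = @('ems.contoso.local', 'pvs.contoso.local')   # ASSUMPTION: placeholder VIP names

foreach ($fqdn in $VipFqdns) {
    foreach ($class in 'host', 'http') {
        $spn = "$class/$fqdn"
        # -Q searches the forest; an SPN already held by another account is a duplicate,
        # and duplicate SPNs break Kerberos for every account that holds them.
        $query = & setspn.exe -Q $spn 2>&1
        if ($query -match 'Existing SPN found') {
            Write-Warning "$spn is already registered:`n$($query -join "`n")"
            continue
        }
        # -S is the duplicate-checked form of -A: it fails rather than creating a clash.
        & setspn.exe -S $spn $ServiceAccount | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "setspn -S $spn $ServiceAccount failed (exit code $LASTEXITCODE)"
        }
    }
}

# Review the result against the VIP list.
& setspn.exe -L $ServiceAccount
```

Run it as an account with rights to write servicePrincipalName on the service account. On the delegation step that follows, "Trust this user for delegation to any service" is unconstrained delegation; where the consoles work with it, constraining delegation to just the http/ and host/ SPNs registered here limits what the account can do with forwarded credentials.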

Next you will need to assign the service account <DOMAIN>\<USERNAME> above to each of the following AppSense IIS Application Pools:
  • ManagementServerPool
  • DeploymentPool
  • DownloadsPool
  • PersonalizationServerPool
Once this is done you will need to edit the following files:
  • C:\Program Files\AppSense\Environment Manager\Personalization Server\web.config
  • C:\Program Files\AppSense\Management Center\Server\Web Site\web.config
I'd highly recommend making a copy of the original files immediately before modifying these in case something goes wrong. Within each file locate the security section shown below: 


Update the file to include the text below:


Before you finish off there is one final thing to consider. Every Microsoft Windows installation since Windows Server 2003 Service Pack 1 includes a feature called Loopback Protection, which effectively prevents you from connecting to a resource on a machine through another name. For example, suppose you logged on to a server, launched the Personalization Server console and connected to the load balancer, which in turn connected you to the machine you were currently logged on to. If this happened you would most likely receive an authentication failed error. If this scenario is likely to occur, review the following Microsoft KB article for information on how to work around this issue:
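
As an added example that is not part of the original post, the following PowerShell applies the narrower form of the loopback workaround: it lists the load-balanced names in the BackConnectionHostNames value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, so only those names are exempted, rather than switching the loopback check off for every name with DisableLoopbackCheck. The FQDNs are placeholders.

```powershell
# Added example, not part of the original post: add the load-balanced names to
# BackConnectionHostNames so that a console run on one of the servers can authenticate
# to its own IIS site through the VIP name, without disabling the loopback check globally.
$VipFqdns = @('ems.contoso.local', 'pvs.contoso.local')   # ASSUMPTION: placeholder VIP names
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name = 'BackConnectionHostNames'

# Keep any names other applications have already registered in this value.
$existing = @()
$item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
if ($item) { $existing = @($item.$Name) | Where-Object { $_ } }

$merged = @(@($existing) + $VipFqdns | Sort-Object -Unique)

# REG_MULTI_SZ, one host name per entry; -Force overwrites an existing value.
New-ItemProperty -Path $Key -Name $Name -PropertyType MultiString -Value $merged -Force | Out-Null

# Show the final list.
(Get-ItemProperty -Path $Key -Name $Name).$Name
```

Run it elevated on each server where the console will be launched locally, and restart IIS (iisreset) afterwards so the new names are honoured. If both the fully qualified and the short host name are used to reach the VIP, list both.
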
The foundations are now in place to configure the load balancing. You will need to gather the following information prior to configuring the load balancing:
  • Health Monitors
  • Persistence
  • Personalization and/or Management Server hostnames
Health Monitors

The following pages are available and accessible for load balancing:

Personalization Server


Management Server


The manifest.aspx page mentioned above is UTF-16 encoded, so it cannot be used by all load balancers to monitor the health of the Management Server. If your load balancer does not support UTF-16 encoding, I would recommend reverting to a standard HTTP monitor.
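
The reason a content-matching monitor fails on manifest.aspx is that it compares the raw UTF-16 bytes against an ASCII pattern, so the marker text never matches. As an added example (not from the original post or from AppSense), the following PowerShell health probe fetches the page as bytes, picks the decoder from the byte-order mark (with a fallback heuristic for BOM-less UTF-16LE) and only then looks for the marker text. The URL path and marker text are placeholders.

```powershell
# Added example, not part of the original post: a health probe that decodes the body
# correctly whether the page is UTF-16 (manifest.aspx) or UTF-8 before matching on it.
function Test-AppSenseHealthPage {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedText,
        [int]$TimeoutMs = 5000
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Timeout = $TimeoutMs
    $req.UseDefaultCredentials = $true   # supply Windows credentials if the site requires them
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        return [pscustomobject]@{ Url = $Url; Healthy = $false; Status = $null; Encoding = $null; Reason = $_.Exception.Message }
    }
    try {
        $ms = New-Object System.IO.MemoryStream
        $resp.GetResponseStream().CopyTo($ms)
        $bytes  = $ms.ToArray()
        $status = [int]$resp.StatusCode
    } finally {
        $resp.Close()
    }

    # Choose the decoder: BOM first, then a heuristic for BOM-less UTF-16LE (every
    # second byte is zero for ASCII-range text), otherwise assume UTF-8.
    $enc = [System.Text.Encoding]::UTF8
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $enc = [System.Text.Encoding]::Unicode
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        $enc = [System.Text.Encoding]::BigEndianUnicode
    } elseif ($bytes.Length -ge 4 -and $bytes[1] -eq 0 -and $bytes[3] -eq 0) {
        $enc = [System.Text.Encoding]::Unicode
    }
    $text = $enc.GetString($bytes)

    $found   = $text.IndexOf($ExpectedText, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    $healthy = ($status -eq 200) -and $found
    $reason  = if ($healthy) { 'ok' } elseif ($status -ne 200) { "HTTP $status" } else { 'marker text not found in body' }
    [pscustomobject]@{ Url = $Url; Healthy = $healthy; Status = $status; Encoding = $enc.WebName; Reason = $reason }
}

# Example call; host name, path and marker are placeholders (ASSUMPTION). A real monitor
# would call this once per pool member rather than through the VIP.
Test-AppSenseHealthPage -Url 'http://ems01.contoso.local/ManagementServer/manifest.aspx' -ExpectedText 'MARKER-TEXT-PLACEHOLDER'
```

The Encoding field in the output tells you which decoder was chosen, which is a quick way to confirm why a given load balancer's monitor is failing on the same page.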

Session Persistence

AppSense Management Center provides the ability to download agent and configuration files and to upload event information using Background Intelligent Transfer Service (BITS). It is essential that connectivity between the endpoint and the Management Server remains consistent throughout the transaction, and as such session persistence is required.

AppSense Personalization Server does not typically require persistence unless you are accessing the console through the load balancer. However, there have been instances where session persistence is required with Windows Authentication enabled; if this is the case it is recommended that persistence is used.

I typically recommend using the insert cookie method for implementing session persistence.

Now stitch all of the tips above into a single configuration and you're set. One thing to bear in mind is not to configure individual servers in the failover list; stick to configuring VIPs within these lists.