App Streaming in Citrix XenApp 6.0 supports isolation of NT Services. It’s a big deal, fulfilling one of the last remaining big-ticket items in the isolation capabilities of the streaming system. How do you use it? Simple! Profile an application which installs a service during its installation, publish the application to the user, and when the streaming system brings the app to life, the service will be loaded under isolation and available to the application. But, there’s one step omitted.
As the admin, you must also mark the streaming source as “approved”, or, if you have crypto infrastructure, you can digitally sign the profile using a certificate chain trusted on the execution machine, and the streaming system will know that the application and its service are “admin approved”. Lacking approval, the streaming client will, on purpose, not load the service and will instead leave you a hint in the event log noting that it politely declined to load a service for the given execution.
Run my services, but ONLY my services
Inquiries to customers over the last 4 years have produced a common theme. Customers all ask for isolation of services as a function they need for running their application set in a virtualized application environment. When faced with the concept of services being privileged, the response is, yeah, not a problem, I run privileged services all the time in my production environment – please run only the services that I tell you are okay.
From a programming perspective, running services is easy. Services are “applications”, so you run them in the isolation space and it’s all done. If only it were that easy…
Running the service and having it succeed means that the service needs privilege, which means that it must run on a different user token than the application does, and one instance of the service must serve many applications. Privileged execution then means a separate isolation space for the service compared to the isolated applications, and you can keep going on this for a long time. The eventual conclusion is that it is a difficult thing, and this is why it has taken until version 6.0 to get this function into place.
Setting the approved list
To get the service to load, you have to whitelist (approve) the Application Hubs (plural) that are allowed to provide services. The application hub should be read-only to users, so this restricts the streaming system to running only content that the administrator places onto the Application Hub.
To define the whitelist, add a registry value under HKLM\Software\Citrix\Rade named AppHubWhiteList, of type REG_SZ. It is a semicolon-delimited string, which can specify multiple “approved” Application Hubs. Here’s an example from our usage inside Citrix on my 32-bit Win 7 notebook.
For 64-bit systems, the Rade space is located in the Wow6432Hive that holds the 32-bit registry.
Update: Apr-27-2010. The streaming service reads the AppHubWhiteList from the 64-bit registry on 64-bit machines. All of the other Rade service configuration settings are in the Wow6432 Hive (32-bit registry). This means that the AppHubWhiteList should be in HKLM\Software\Citrix\Rade on both 32 and 64-bit machines. IMHO, this is a bug and we should expect it to move into the 32-bit space in a future release with a measure of backward compatibility.
In the example above, I have two approved sources; both are UNC network locations. The double backslashes that are part of the UNC specification should not be included in the whitelist definition. With this key set, all profiles stored on either of these two application hubs can have services, and the streaming system will load them as a function of running the applications that go along with those services.
Web Servers as App Hubs
Web servers can also be Application Hubs. To whitelist these, the “http://” or “https://” prefix is required. Using https adds the benefit of validating the server’s identity via SSL, which is more secure and should always be done for production use.
If the whitelist is empty, no services will be loaded.
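The whitelist steps above, as an added PowerShell example that is not code from the original post: it writes AppHubWhiteList under the 64-bit view of HKLM\Software\Citrix\Rade as the Apr-27-2010 update describes, and reads it back. The hub names are constructed placeholders and the Test-AppHubEntry helper is my own.

```powershell
# Added example, not code from the original post. Hub names are constructed
# placeholders; replace them with your own Application Hubs.
# Run from a 64-bit PowerShell host on x64: a 32-bit host is redirected to
# Wow6432Node, and the streaming service reads AppHubWhiteList from the
# 64-bit view of HKLM\Software\Citrix\Rade.

$keyPath = 'HKLM:\Software\Citrix\Rade'

# UNC hubs are written WITHOUT the leading "\\"; web hubs MUST carry their
# http:// or https:// prefix (https so the server is validated via SSL).
$approvedHubs = @(
    'fs01.corp.example\AppHub',
    'fs02.corp.example\AppHub',
    'https://apphub.corp.example/profiles'
)

function Test-AppHubEntry {
    param([string]$Entry)
    if ($Entry.StartsWith('\\')) {
        return "REJECT '$Entry': drop the leading double backslash for UNC hubs"
    }
    if ($Entry -match '^http://') {
        return "WARN   '$Entry': plain http accepted, but the server is not validated; use https"
    }
    if ($Entry -match '^https://' -or $Entry -match '^[^\\/:]+\\[^\\]+') {
        return "OK     '$Entry'"
    }
    return "REJECT '$Entry': not a UNC path (server\share) or http(s) URL"
}

# Refuse to write a list that contains a rejected entry. An empty list is
# legal but silently disables service loading, so call that out as well.
$problems = $approvedHubs | ForEach-Object { Test-AppHubEntry $_ } | Where-Object { $_ -like 'REJECT*' }
if ($problems) { throw ($problems -join [Environment]::NewLine) }
if (-not $approvedHubs) { Write-Warning 'Empty whitelist: no services will be loaded.' }

if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
Set-ItemProperty -Path $keyPath -Name 'AppHubWhiteList' -Value ($approvedHubs -join ';') -Type String

# Read the value back and report each entry as the streaming service will see it.
$stored = (Get-ItemProperty -Path $keyPath -Name 'AppHubWhiteList').AppHubWhiteList
$stored -split ';' | ForEach-Object { Test-AppHubEntry $_ }
```

Writing under HKLM requires an elevated session; the read-back at the end is the quickest way to confirm you landed in the registry view the service actually consults.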
Why is this necessary?
Isolation and PRIVILEGE are very different things. Just because a service is isolated, this does not mean that it is not powerful. Indeed, most services REQUIRE power; otherwise, there isn’t any really good reason for the application programmer to have gone to the trouble of writing the service in the first place. If the service could do its job from user privilege, then the application programmer could have just placed that function into the application.
To run services under isolation successfully, the service has to be run with the level of power it would have had if it were locally installed. I will write a later post on how this is captured by the streaming profiler and how the streaming client runs the service at the “correct” privilege level to support that service’s needs. For example, running a service as LOCAL_SYSTEM where the service needs the lower-power NETWORK_SERVICE could present a situation where the service would be run, but would be unable to talk on the network. By running the service at the correct privilege, the streaming system should support a wide set of applications.
Product Architect – Application Streaming and User Profile Manager