Security - Fix Access Control List on the Certificate - Application

Microsoft.AppVirtualization.Server.45.LightWeightServer.Security_FixAccessControlListontheCertificate_Application (UnitMonitor)

The Security aspect reports on the status of the Application Virtualization Server's certificate and secure communication.

Knowledge Base article:

Summary

The Security aspect reports on the status of the Application Virtualization Server's certificate and secure communication.

Resolutions

Once the certificate is properly provisioned on the server, the Application Virtualization Service needs access to the private key in order to complete the TLS transaction. In the 4.5 release, the Application Virtualization service runs under the Network Service account by default. The Network Service must have READ permissions on the certificate private key.

The private key for the server certificate can be found here:

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

  1. Right click on the private key file and select Properties. Click on the Security tab.
  2. Change the ACL of that file to allow NETWORK SERVICE read access

If you have multiple certificates provisioned to the server and are unsure which private key corresponds to your Application Virtualization certificate, follow these steps to locate the private key.

First, find the Thumbprint for the Application Virtualization server certificate.

  1. Launch the Microsoft Management Console (mmc.exe). Click File->Add/Remove Snapin
  2. Choose Certificates in the available Snapins. Click Add.
  3. Choose Computer account on the dialog and click Next.
  4. Choose Local Computer and click Finish. Click OK in the Add/Remove Snapins dialog.
  5. Click Certificates\Trusted Root Certification Authorities\Certificates node.
  6. Double click the certificate to be used to enable TLS
  7. Go to the Details Tab. Scroll Down until you see the Field Thumbprint
  8. Select Thumbprint and Copy the information displayed for the Thumbprint.

Next, use the thumbprint information to locate the corresponding private key file on the local file system.

  1. Download the FindPrivateKey tool from MSDN to c:\. http://msdn2.microsoft.com/library/ms732026.aspx
  2. From a command prompt, use the following command to find the correct private key associated with the certificate provisioned to the Application Virtualization server, based on the Thumbprint:
  3. C:\> FindPrivateKey.exe My LocalMachine -t "<paste thumbprint code here>"
  4. This will return the private key directory: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
  5. This will also return the private key file name, for example: c55cba5a3183f6509a3bfa7e4c7b8b6e_4df07ed6-ffdf-4c11-ac94-3dd02af9a838
  6. Open the private key directory (C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys) and find that specific private key file.

To make sure the proper access rights are set on the private key file, do the following.

  • Right click on the private key file and select Properties. Click on the Security tab.
  • Change the ACL of that file to allow NETWORK SERVICE read access
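As an added example (not part of this management pack or the App-V product), the following PowerShell script automates the lookup and ACL check above: it finds the certificate by thumbprint in LocalMachine\My (the store the FindPrivateKey command queries), derives the private key file under MachineKeys, reports whether NETWORK SERVICE has Read access, and only with -Fix grants it. The script name, its parameters and the assumption that the key is a CSP-based RSA key are mine.

```powershell
# Fix-AppVCertAcl.ps1 (added example): locate the App-V server certificate's private key
# file by thumbprint and ensure NETWORK SERVICE can read it. Assumes a CSP-based RSA key
# stored in LocalMachine\My. Run from an elevated PowerShell session.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [switch]$Fix   # without -Fix the script only reports the current ACL
)

# Thumbprints copied from the MMC Details tab contain spaces; normalise them.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine" }

# For CSP keys the unique container name is the file name under MachineKeys.
$containerName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
# CommonApplicationData is 'C:\Documents and Settings\All Users\Application Data' on
# Windows Server 2003 and 'C:\ProgramData' on later versions.
$machineKeys = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $machineKeys $containerName
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }
Write-Host "Private key file: $keyFile"

$networkService = 'NT AUTHORITY\NETWORK SERVICE'
$readRights = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $keyFile
# Look for an Allow ACE for NETWORK SERVICE that includes every bit of the Read right.
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $networkService -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRights) -eq $readRights)
}
if ($hasRead) {
    Write-Host "$networkService already has Read access; nothing to do."
    return
}
Write-Warning "$networkService lacks Read access on the private key (the condition this monitor alerts on)."
if ($Fix) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($networkService, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read to $networkService on $keyFile"
}
```

Run it once without -Fix to confirm it resolves to the expected key file before changing any permissions.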

    Element properties:

    Target: Microsoft.AppVirtualization.Server.45.LightWeightServer
    Parent Monitor: Microsoft.AppVirtualization.Server.45.Security_LWS.HealthState
    Category: EventCollection
    Enabled: True
    Alert Generate: True
    Alert Severity: MatchMonitorHealth
    Alert Priority: Normal
    Alert Auto Resolve: True
    Monitor Type: Microsoft.Windows.SingleEventLogManualReset2StateMonitorType
    Remotable: True
    Accessibility: Public
    Alert Message:
        Security - Fix Access Control List on the Certificate - Application
        {0}
    RunAs: Default

    Source Code:

    <UnitMonitor ID="Microsoft.AppVirtualization.Server.45.LightWeightServer.Security_FixAccessControlListontheCertificate_Application" Accessibility="Public" Target="Microsoft.AppVirtualization.Server.45.LightWeightServer" TypeID="Windows!Microsoft.Windows.SingleEventLogManualReset2StateMonitorType" ParentMonitorID="Microsoft.AppVirtualization.Server.45.Security_LWS.HealthState">
    <Category>EventCollection</Category>
    <AlertSettings AlertMessage="Microsoft.AppVirtualization.Server.45.LightWeightServer.Security_FixAccessControlListontheCertificate_Application.Alert">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
    <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
    </AlertParameters>
    </AlertSettings>
    <OperationalStates>
    <OperationalState ID="EventRaised" MonitorTypeStateID="EventRaised" HealthState="Error"/>
    <OperationalState ID="ManualResetEventRaised" MonitorTypeStateID="ManualResetEventRaised" HealthState="Success"/>
    </OperationalStates>
    <Configuration>
    <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
    <LogName>Application</LogName>
    <Expression>
    <And>
    <Expression>
    <SimpleExpression>
    <ValueExpression>
    <XPathQuery Type="String">PublisherName</XPathQuery>
    </ValueExpression>
    <Operator>Equal</Operator>
    <ValueExpression>
    <Value Type="String">Application Virtualization Server</Value>
    </ValueExpression>
    </SimpleExpression>
    </Expression>
    <Expression>
    <SimpleExpression>
    <ValueExpression>
    <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
    </ValueExpression>
    <Operator>Equal</Operator>
    <ValueExpression>
    <Value Type="UnsignedInteger">44955</Value>
    </ValueExpression>
    </SimpleExpression>
    </Expression>
    </And>
    </Expression>
    </Configuration>
    </UnitMonitor>