
Tag: appstream

AppStream Domain Joined SAML Fleet not authenticating after AD domain prompt

Scenario:

A customer had an AD domain-joined fleet configured for SAML 2.0 federation (the only way users can sign in to a domain-joined fleet). After the Windows domain password prompt the session looped, asking for domain credentials over and over again.

Troubleshooting:

Working through the AWS Active Directory troubleshooting steps did not resolve it: something was still blocking logon to the domain-joined fleet at the domain password prompt, even though logon to the image builders in the same OU worked fine.

https://docs.aws.amazon.com/appstream2/latest/developerguide/troubleshooting-active-directory.html


Solution:

https://docs.aws.amazon.com/appstream2/latest/developerguide/active-directory-prerequisites.html

One of the prerequisites for AD domain-joined fleets is that no interactive logon banner (the legal notice shown before the credential prompt) is configured, because the banner sits in front of the credential prompt and stops the AppStream service from signing the user in to the streamed desktop.

In some environments the logon banner is applied only to users and not to administrators, so you never see it on an image builder even when the builder sits in the same OU; and the user GPOs do not apply at all when you access the image builder as the built-in AppStream administrator, template user or test user. The fleet, where a real domain user signs in, is therefore the first place the policy actually bites.

Snippet from the prerequisites page specific to this scenario (use the URL above for the most up-to-date information):

Group Policy Settings

  • Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options > Disable or Enable software Secure Attention Sequence — Set this to Enabled for Services.
  • Computer Configuration > Administrative Templates > System > Logon > Exclude credential providers — Ensure that the following CLSID is not listed: e7c1bab5-4b49-4e64-a966-8d99686f8c7c
  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon > Interactive Logon: Message text for users attempting to log on — Set this to Not defined.
  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon > Interactive Logon: Message title for users attempting to log on — Set this to Not defined.

For a simple deployment or proof of concept we recommend that the OU your AppStream computer objects are created in has GPO inheritance blocked and that no higher-level GPOs are enforced onto it. Get the service running and confirmed as accessible first, then apply the company-required GPOs for look and feel and for security one at a time, re-testing the fleet logon after each, so the one that breaks it is obvious.
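The following PowerShell script, added here as an example and not part of the original post or of AWS's documentation, reads the four resultant policy values listed above from the registry locations those policies write to (the value names are the standard ones for these settings; the CLSID is the one quoted above) and reports which prerequisite fails. Run it in an elevated prompt on a fleet instance or image builder after a gpupdate /force, so it sees exactly what the streaming user will get.

```powershell
# Added example (not from the original post or AWS docs): report the four AD prerequisite
# policy values on this instance. Registry paths are the standard locations these GPO
# settings write to; the CLSID is the one quoted on the prerequisites page.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AppStreamCredProvCLSID = 'e7c1bab5-4b49-4e64-a966-8d99686f8c7c'

function Get-PolicyValue {
    param([string]$Name)
    # $null when the value is absent, which is what "Not defined" looks like on the box
    (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

$results = @()

# 1. Software SAS: 1 = Services, 3 = Services and Ease of Access; both satisfy "Enabled for Services"
$sas = Get-PolicyValue 'SoftwareSASGeneration'
$results += [pscustomobject]@{
    Check = 'Software SAS enabled for services'
    Value = $sas
    Pass  = ($sas -in 1, 3)
}

# 2. The AppStream credential provider must not be in the excluded list (comma-separated CLSIDs)
$excluded = Get-PolicyValue 'ExcludedCredentialProviders'
$results += [pscustomobject]@{
    Check = 'AppStream credential provider not excluded'
    Value = $excluded
    Pass  = [string]::IsNullOrEmpty($excluded) -or ($excluded -notmatch [regex]::Escape($AppStreamCredProvCLSID))
}

# 3 and 4. Logon banner title and text must be Not defined (absent or empty)
foreach ($item in @(@('legalnoticecaption', 'Logon message title not defined'),
                    @('legalnoticetext',    'Logon message text not defined'))) {
    $v = Get-PolicyValue $item[0]
    $results += [pscustomobject]@{
        Check = $item[1]
        Value = $v
        Pass  = [string]::IsNullOrEmpty($v)
    }
}

$results | Format-Table -AutoSize

if ($results.Pass -contains $false) {
    # gpresult shows which GPO is applying the offending setting, so you know what to block or change
    Write-Warning 'A prerequisite fails on this instance. Run: gpresult /scope computer /h gpreport.html'
    exit 1
}
```

The script reads the resultant values, not the GPOs themselves, so it reflects whatever combination of domain and local policy has actually landed on the instance; when a check fails, the gpresult report it points you at tells you which GPO to unlink, filter or block.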

Script a custom AWS AppStream image

Scenario

Let's script a custom AWS AppStream image.

A customer wanted to automate AWS AppStream 2.0 image creation: two or more images were potentially required, each needing at least monthly updates, so they needed a repeatable, consistent build.


Solution

You can only automate this so far within the current AppStream 2.0 limitations.

Creation of the image builder, the build steps run inside the image builder, and creation of the fleets and stacks based on the resulting image can all be scripted.

Short of joining the image builder to a domain that launches a script at computer start-up, there is no immediate way to call a 'zero touch build' for AppStream images, and no current way to automate the Image Assistant test-and-optimise wizard (the wizard you run to seal and snapshot the image).

Things to Consider Scripting / Adding

  • Internet Explorer Enhanced Security Configuration (IE ESC) disabled for all users
  • Local time zone and regional settings, particularly if you are outside the US and your region is not selectable from the end-user interface (for example UK English and the UK time zone):
Set-WinSystemLocale en-GB            # locale for non-Unicode programs (takes effect after a reboot)
Set-Culture en-GB                    # date, time and number formats for the current user
Set-TimeZone "GMT Standard Time"     # UK time zone
  • If your images will not be domain joined:
    • create a logon script to apply user settings at logon
    • if you change local Group Policy (gpedit.msc), use Microsoft's LGPO.exe to back up and restore the settings easily
    • you can publish Windows Explorer in the Image Assistant via a batch file with the content below (remember this hands users a general file browser inside the session, so restrict what it can reach with local policy):
cd /d "%USERPROFILE%\My Files\Temporary Files"
start .

Examples

You can automate adding applications to the image builder catalog with the sqlite3 command-line shell (sqlite3.exe), as below. The catalog file is not documented by AWS, so back it up before touching it.

example.sql, run against the catalog with: sqlite3.exe C:\ProgramData\Amazon\Photon\PhotonAppCatalog.sqlite ".read example.sql"

-- SQL string literals use single quotes (double quotes mean identifiers); the IE binary is iexplore.exe
INSERT INTO Applications (Name, AbsolutePath, DisplayName, IconFilePath, LaunchParameters)
VALUES ('My Intranet Website', 'C:\Program Files (x86)\Internet Explorer\iexplore.exe', 'Intranet', 'C:\ProgramData\Amazon\Photon\AppCatalogHelper\AppIcons\ie.png', 'https://www.myintranet.org.uk');
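A repeatable version of the catalog injection, written for this page as an example rather than taken from the original post: it builds the INSERT statements from a PowerShell array with proper SQL quoting, keeps a backup of the catalog, runs them as one transaction through sqlite3.exe and reads the table back. It assumes sqlite3.exe is on the PATH, that the catalog path and the five-column Applications table are as shown above, and the two application entries are constructed samples. Editing the catalog database directly is not supported by AWS; newer base images ship an Image Assistant CLI (image-assistant.exe on the image builder) that is the supported way to add applications and create the image, so prefer that where your base image has it.

```powershell
# Added example (not from the original post): populate the image builder application catalog
# from an array, with correct SQL quoting, a backup and a read-back. Assumes sqlite3.exe is on
# the PATH and the catalog path / Applications columns are as described in the post.
$Catalog = 'C:\ProgramData\Amazon\Photon\PhotonAppCatalog.sqlite'

# Constructed sample entries; replace with your own applications
$Apps = @(
    @{ Name = 'My Intranet Website'; DisplayName = 'Intranet'
       AbsolutePath = 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
       IconFilePath = 'C:\ProgramData\Amazon\Photon\AppCatalogHelper\AppIcons\ie.png'
       LaunchParameters = 'https://www.myintranet.org.uk' },
    @{ Name = 'Notepad'; DisplayName = 'Notepad'
       AbsolutePath = 'C:\Windows\System32\notepad.exe'
       IconFilePath = ''; LaunchParameters = '' }
)

function ConvertTo-SqlLiteral {
    param([string]$Value)
    # SQL string literal: single-quoted, embedded single quotes doubled.
    # Double quotes are identifiers in SQL, so never use them for values.
    "'" + ($Value -replace "'", "''") + "'"
}

# Refuse to publish anything whose executable is not actually on the image
foreach ($app in $Apps) {
    if (-not (Test-Path -LiteralPath $app.AbsolutePath -PathType Leaf)) {
        throw "Executable not found: $($app.AbsolutePath)"
    }
}

# One transaction for all rows, so a failure leaves the catalog untouched
$sql = @('BEGIN;')
foreach ($app in $Apps) {
    $values = ($app.Name, $app.AbsolutePath, $app.DisplayName, $app.IconFilePath, $app.LaunchParameters |
               ForEach-Object { ConvertTo-SqlLiteral $_ }) -join ', '
    $sql += "INSERT INTO Applications (Name, AbsolutePath, DisplayName, IconFilePath, LaunchParameters) VALUES ($values);"
}
$sql += 'COMMIT;'

Copy-Item -LiteralPath $Catalog -Destination "$Catalog.bak" -Force   # rollback copy
$sql -join "`n" | & sqlite3.exe $Catalog
if ($LASTEXITCODE -ne 0) { throw "sqlite3 failed with exit code $LASTEXITCODE; restore from $Catalog.bak" }

# Read back what the catalog now contains
& sqlite3.exe -header -column $Catalog 'SELECT Name, AbsolutePath, LaunchParameters FROM Applications;'
```

Run it as ImageBuilderAdmin, then open Image Assistant to confirm the applications are listed before you snapshot the image.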

Any questions or comments? Get in touch using the social media links at the top of the website and we will do our best to help! 😉

Cloud Hosting With Multiple Proxy Servers

Scenario

A customer hosting in the cloud needed to send some traffic directly to the internet (a host or URL allow list), some hosts or URLs to one proxy in their cloud environment, and some traffic via another proxy in a peered network.

Solution

Our solution in the end was simple, but it does require endpoint configuration: the browser needs to point at the PAC file for this to work. For the domain-joined AppStream instances in Amazon Web Services this was pushed via AD GPO.

The same proxy auto-configuration file works on Windows and Mac endpoints.

This lets us allow-list traffic straight to the internet, send specific URL or host matches to the various internal proxy servers, and for everything else return a proxy that does not exist. Pointing that default at 127.0.0.1 gives a very quick failure response, as long as nothing on the endpoint ever listens on that port; if something does, all unmatched traffic will be handed to it. Serve the PAC file itself over HTTPS or from a local or UNC path, because whoever can alter it chooses every proxy the browser will use.

The response message to the clients is not perfect (users receive 'The proxy server is not responding'), but as a simple working solution this was considered tolerable.

Windows > configure it in Internet Explorer (Internet Options > Connections > LAN settings > Use automatic configuration script)

Screenshot: Internet Explorer PAC file configuration

Mac > configure it in Network Settings (Network > Advanced > Proxies > Automatic Proxy Configuration)

Screenshot: Mac automatic proxy configuration

PAC File Configuration

function FindProxyForURL(url, host) {

  // Allow list: these hosts go straight to the internet.
  // Note shExpMatch("microsoft.com", "*.microsoft.com") is false; add a second
  // shExpMatch for the bare domain if it must be matched too.
  if (shExpMatch(host, "*.microsoft.com") ||
      shExpMatch(host, "*.google.com"))
    return "DIRECT";

  // These hosts go via the first internal proxy.
  if (shExpMatch(host, "*.myotherwebsite.com") ||
      shExpMatch(host, "*.myotherwebsite2.com"))
    return "PROXY internal.squid.proxy:3128";

  // These hosts go via the second internal proxy in the peered network.
  if (shExpMatch(host, "*.myotherwebsite3.com") ||
      shExpMatch(host, "*.myotherwebsite4.com"))
    return "PROXY internal.squid.proxy2:3128";

  // DEFAULT RULE: everything else is sent to a loopback port with no listener,
  // so the request fails fast instead of reaching the internet.
  return "PROXY 127.0.0.1:8081";
}
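Before pushing a PAC file out via GPO it is worth checking that every proxy it can return is actually reachable and that the blackhole really is a closed port. The PowerShell script below is an added example (not from the original post): it writes a constructed sample PAC with the same shape as the one above to a temp file, extracts every PROXY host:port the file can return, resolves each host, attempts a TCP connect with Test-NetConnection, and prints a verdict per target. The proxy hostnames are the placeholders from the post and will not resolve outside that environment.

```powershell
# Added example (not from the original post): pre-flight check of every proxy a PAC file
# can hand out. Hostnames below are the placeholders used in the post.
$PacPath = Join-Path $env:TEMP 'proxy.pac'

# Constructed sample PAC with the same shape as the one above (one return lists a fail-over pair)
@'
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.microsoft.com")) return "DIRECT";
  if (shExpMatch(host, "*.myotherwebsite.com")) return "PROXY internal.squid.proxy:3128";
  if (shExpMatch(host, "*.myotherwebsite3.com")) return "PROXY internal.squid.proxy2:3128; PROXY internal.squid.proxy:3128";
  return "PROXY 127.0.0.1:8081";
}
'@ | Set-Content -LiteralPath $PacPath -Encoding ASCII

function Get-PacProxyTargets {
    param([string]$Path)
    # Every host:port that can appear in a returned "PROXY ..." string, de-duplicated
    $text = Get-Content -LiteralPath $Path -Raw
    [regex]::Matches($text, 'PROXY\s+([^\s";]+):(\d+)') |
        ForEach-Object { [pscustomobject]@{ Host = $_.Groups[1].Value; Port = [int]$_.Groups[2].Value } } |
        Sort-Object Host, Port -Unique
}

foreach ($t in Get-PacProxyTargets -Path $PacPath) {
    $isLoopback = $t.Host -in '127.0.0.1', 'localhost'
    $resolves   = $isLoopback -or [bool](Resolve-DnsName -Name $t.Host -ErrorAction SilentlyContinue)
    $open       = $false
    if ($resolves) {
        $open = (Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    if ($isLoopback -and -not $open) {
        $verdict = 'OK   blackhole: loopback port is closed, so unmatched requests fail fast'
    } elseif ($isLoopback) {
        $verdict = 'BAD  something is listening on the blackhole port; all unmatched traffic would be handed to it'
    } elseif (-not $resolves) {
        $verdict = 'BAD  hostname does not resolve from this endpoint'
    } elseif (-not $open) {
        $verdict = 'BAD  resolves, but the proxy port is closed or filtered'
    } else {
        $verdict = 'OK   reachable'
    }
    '{0}:{1,-5} {2}' -f $t.Host, $t.Port, $verdict
}
```

Run it from an endpoint in the same network position as the users (for AppStream, from an image builder in the fleet's VPC), because that is the vantage point from which the proxies must resolve and accept connections.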

AWS AppStream 2.0 What's New?

AWS AppStream 2.0: what's new for June 2018?

AWS have updated AppStream 2.0 with some fantastic new features in the May and June 2018 releases.

Google Drive support has been added (configured on the stack, under Storage). It supports G Suite accounts only and must be enabled for the G Suite domain to function, but it does support multiple G Suite domains.

This means users can avoid the clumsy upload and download of files between the local device and the session: they simply sign in to Google Drive and have immediate access to their files within the AppStream session.

Screenshot: Google Drive integration for AWS AppStream 2.0

Screenshot: Google Drive integration within an AppStream 2.0 session

Here is a screenshot of the Windows Explorer integration, which conveniently shows my free space as approximately 8,000 petabytes. Good to know!

Screenshot: Google Drive AppStream 2.0 Windows Explorer integration

Support for administrative controls has also been added (again configured on the stack, under User Settings), giving the administrator greater control over what can cross the session boundary: clipboard copy to and from the local device, file upload and download (both, upload only, download only or neither) and printing to the local device. Disabling the directions that move data to the local device (copy to local, download, print) closes the obvious exfiltration paths while still letting users bring data in.

Screenshot: selective administrative controls (clipboard, file transfer and print options) for AWS AppStream 2.0
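To make those administrative controls repeatable rather than a console checkbox, the PowerShell script below (an added example, not from the original post) applies a least-privilege baseline to a stack through the AWS CLI and then reads the stack back to confirm nothing drifted. In the AppStream API these controls are the stack's UserSettings; the AWS CLI is assumed to be installed and authenticated with rights to appstream:UpdateStack and appstream:DescribeStacks, and the stack name is a placeholder.

```powershell
# Added example (not from the original post): apply and verify stack-level user settings
# with the AWS CLI. Stack name is a placeholder; the CLI must be installed and authenticated.
$StackName = 'my-appstream-stack'

# Least-privilege baseline: data may come in, but the paths that move data out are closed
$Policy = @{
    CLIPBOARD_COPY_FROM_LOCAL_DEVICE = 'ENABLED'
    CLIPBOARD_COPY_TO_LOCAL_DEVICE   = 'DISABLED'
    FILE_UPLOAD                      = 'ENABLED'
    FILE_DOWNLOAD                    = 'DISABLED'
    PRINTING_TO_LOCAL_DEVICE         = 'DISABLED'
}

# AWS CLI shorthand for a list of structures: one "Action=...,Permission=..." element per setting
$userSettings = $Policy.GetEnumerator() | ForEach-Object { "Action=$($_.Key),Permission=$($_.Value)" }

aws appstream update-stack --name $StackName --user-settings $userSettings --output json | Out-Null
if ($LASTEXITCODE -ne 0) { throw "update-stack failed for '$StackName'" }

# Read the stack back and diff it against the policy; a setting the API does not return counts as drift
$stack  = (aws appstream describe-stacks --names $StackName --output json | ConvertFrom-Json).Stacks[0]
$actual = @{}
foreach ($s in $stack.UserSettings) { $actual[$s.Action] = $s.Permission }

$drift = @($Policy.Keys | Where-Object { $actual[$_] -ne $Policy[$_] })
if ($drift.Count -gt 0) {
    Write-Warning ("Stack '{0}' differs from policy on: {1}" -f $StackName, ($drift -join ', '))
    exit 1
}
"Stack '$StackName' matches the policy."
```

The read-back step is the useful half: run it on a schedule and a console change that quietly re-enables downloads on a production stack shows up as a non-zero exit code rather than going unnoticed.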

Happy Clouding!

AWS AppStream 2.0 Image Builder X Drive not being created

Problem

This month, on creation of a new image builder in AWS AppStream 2.0, we noticed that the image builder X drive was not being created.

The X drive is the temporary drive for uploading and downloading files to and from the AppStream instance, and is usually where we keep deployment scripts, build scripts, GPOs and installation files.

Solution

As of the image builder base image Base-Image-Builder-05-02-2018 this is by design.

Update any scripts or pointers

from the "X:\Temporary Files" drive

to "C:\Users\ImageBuilderAdmin\My Files\Temporary Files" (i.e. %USERPROFILE%\My Files\Temporary Files when running as ImageBuilderAdmin).


First Look – AWS AppStream 2.0

So what is Amazon AppStream 2.0? Here is the extract from the AWS Website: Amazon AppStream 2.0 is a fully managed, secure, application streaming service that allows you to stream desktop applications from AWS to any device running a web browser, without rewriting them. AppStream 2.0 provides users instant-on access to the applications they need, and a responsive, fluid user experience on the device of their choice. With AppStream 2.0, you can easily import your existing desktop applications to AWS and instantly start streaming them to an HTML5 compatible browser. You can maintain a single version of each of your apps, which makes application management easier. Your users always access the latest versions of their applications. Your applications run on AWS compute resources, and data is never stored on users’ devices, which means they always get a high performance, secure experience. Unlike traditional on-premises solutions for desktop application streaming, AppStream 2.0 offers pay-as-you-go pricing, with no upfront investment and no infrastructure to maintain. You can scale instantly and globally, ensuring that your users always have the best possible experience.

Summary

We like the simplicity of this product, and we hope it stays this way. The solution removes the complications of profile management and user settings, negates the need for other expensive delivery/middleware products such as Citrix, and just focuses on delivering the applications to the users. We believe you just need to couple this solution with the following additional components for it to be a viable replacement for some of your business applications:

  1. The image builder, to start hosting and testing your own applications (Update: Image Builder has been available since the end of Jan 2017; stay tuned for an update)
  2. A low-latency link to the AWS Availability Zone.
  3. A storage product like Google Drive, Box, Dropbox or WebDrive, so you can be sure your clients'/customers' data is protected and automatically in the cloud and not in the local instance (and a policy that enforces this)

Useful Notes during the Test

  • Fleet build takes approximately 30-35+ minutes at creation
  • If you stop the fleet and start it again, the start-up time is just as long as the initial creation.
  • You need an individual instance for every user, so 5 servers in a fleet = 5 concurrent users.
  • Instances of AppStream do not appear under EC2
  • Opening and displaying the demo applications is lightning quick
  • Connecting from London to an Ireland AppStream instance was laggy (keyboard and mouse); at times it was worse than normal RDP, with an average latency of 371 ms
  • Connecting from a site with a Direct Connect link to AWS and a latency of 30 ms, the experience was much improved
  • The entire session ran in a browser window over HTML5, and full-screen mode looked great.
  • YouTube in Firefox would actually run and display videos, but in no usable fashion; even browsing the YouTube page with all the video thumbnails was borderline unusable, the session was laggy and unresponsive. In comparison RDP actually performs better with the same YouTube page, resolution and site (not that this would be the main purpose for the platform anyway, just interesting for a comparison)
  • Keys would sometimes get 'stuck', so instead of typing you could end up closing windows instead (but bashing the Windows, Ctrl and Alt keys quickly fixed this)
  • As AppStream is currently only available in US East (N. Virginia), US West (Oregon), EU (Ireland) and Asia Pacific (Tokyo), I couldn't test the new London zone.
  • Creation of the streaming URL (the username to access the instance) failed if I changed the login ID for the same 'instance' within the same fleet (I only had one instance) after that user had logged in. I'm guessing this is because the session was still active / running for the previous user, as there was no log off button, only disconnect.
  • Currently image availability is limited to Windows 2012 with the AWS demo applications (Firefox, OpenOffice, Notepad++)
  • An image builder component is planned; it will be exciting to see what options it has. <Stay tuned for an update review>
  • We modified settings and saved files to the desktop, documents and the X:\ session share, all of which remained available so long as we used the same connection string (or recreated one with the same 'loginID', aka Windows username)
  • You can choose the VPC AppStream runs in, so you should be able to run it on your internal VPC (note: we didn't test or try this)
  • For 3 users and 6 hours of running we were billed $13.23 USD, which included:
    • $4.19 per user per month RDS CAL
    • $0.11 per hour the instance was running (whether users were connected or not)

Note: you will need an instance per concurrent user so hourly usage = $0.11 * number of concurrent users

1 user, 8 hours a day – 160 hours a month = $21.79 (Annualised $261.48)

1 user, 24 Hours a day – 480 hours a month = $56.99 (Annualised $683.88)

We are excited to see where Amazon will take this new service and how we can leverage this for our customers and as a business tool especially if it means removing the complicated middle layers of delivery software.

Walk Through

Opening the AWS Console and selecting AppStream 2.0

Create a ‘stack’

Get the naming right

Can't choose any other image at this point

Spin up the template ‘instance’ and select the resources

Choosing the network subnet in our default VPC

Choose your ‘fleet’ size (1 streaming instance = 1 concurrent user)

You still pay for the resources whether users are logged in or not as the instance will remain on unless you instruct AppStream to stop it.

Review the rest of the deployment details then click ‘create’

Wait for the creation of the fleet instance. There is little feedback at this point and the whole process took over 35 minutes.

After waiting for a while and when the console said it was active I tried creating a streaming URL

This failed, as the instance was still not ready

Turns out you need to be using the Fleet details tab for the progress of the instance (status)

Note: seems they are bringing an image builder option so you can deploy your own images (assuming where you can install your own applications)

Update: This has been released as of End of Jan 2017! Review coming soon!

Running instances are NOT created in EC2

Finally the fleet was running

Create the streaming URL – which you can set to expire

Once that had been created, however, I was unable to reauthenticate a second time if the user name was NOT the same as the original streaming URL 'userid'.

But based on that, all my settings and saved files still existed.

Open the URL

Launch your apps

The AppStream 'task bar' gives you the following options:

‘Start’

All Windows

Upload and Download files

Copy and Paste

Settings (display resolution and info re session details)

And a full screen option or numerous other options

The AppStreamed application opens 'seamlessly' (to use a Citrix term)

Closing the app closes the window

More apps could be launched from the ‘appstream’ start button

Multiple apps running

Currently there seems to be restricted access to the local disks / shares (when test saving a Notepad++ document)

I tested a save to the session folder, Desktop and Documents directory, and I am assuming these settings and documents 'stick' as I only have the one machine, not multiple instances in the 'fleet', and also the one-device-to-one-user 'requirement'.

This makes sense to keep the solution simple and not have to over complicate it with user profiles and the like.

At the time of writing this the only option was to disconnect the session, there is no option to reboot from the session, or log off?

You can do this from the fleet details ‘management page’.

Stopping the instance took sub 10 seconds to stop.

However starting it again (which I now deeply regret) took another 35+ minutes.

The server was back online, but all settings and documents created were gone (as expected for a demo really).