Error granting access to an App-V package: Invalid input was passed

Symptoms

Using the Microsoft Application Virtualization (App-V) Management Server website in an attempt to grant access to a package to an Active Directory group fails with the following error:

Invalid input was passed: contoso\appvusers. Specify a group as domain\group.

- OR -

Using the Application Virtualization Management Server PowerShell cmdlet Grant-AppvServerPackage in an attempt to grant access for a package to an Active Directory group fails with the following error:

PS C:\Users\appvadmin> Grant-AppvServerPackage -Name YourAppVPackageName -Groups contoso\appvusers

Grant-AppvServerPackage : An unexpected error occurred during processing.
At line:1 char:1
+ Grant-AppvServerPackage -Name YourAppVPackageName  -Groups contoso\appvusers
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
+ CategoryInfo          : NotSpecified: (:) [Grant-AppvServerPackage], Exception   
+ FullyQualifiedErrorId : System.Exception,Microsoft.AppV.Server.Cmdlets.GrantAppvServerPackageCommand

- OR -

Using the Application Virtualization Management Server in an attempt to add a user or group in the Administrators tab fails with the following error:

There was an error on the server. Please view event logs on the server for more information.

NOTE: A corresponding event is not registered in the event logs.

In each of the above scenarios, in a Fiddler trace you will see an HTTP 500 error. The error is listed as: 

The specified directory service attribute or value does not exist. ImproperADArgument.

Cause

These symptoms can occur if the permissions in Active Directory on one or more of the following Active Directory containers are restricted:

CN=Computers (the default Computers container)
CN=Users (the default users container)
DC=Contoso (the domain container)

By default, the Authenticated Users group has 'Read All Properties' on the above 3 containers. Using this permission, the Management Server account is able to query Active Directory.

Resolution

To resolve this issue, give the 'Authenticated Users' group 'Read All Properties' permissions on each of the above-mentioned Active Directory containers. Alternatively, you can add only the computer account of the Management Server(s) with 'Read All Properties' permissions on each of the above-mentioned containers.
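
To see which of the two options is currently in effect, the following read-only check (an added example, not part of the original article) reports whether Authenticated Users or the Management Server computer account holds an applicable allow ACE for ReadProperty on all properties at each of the three containers. The domain DN DC=contoso,DC=com and the computer account CONTOSO\APPVMGMT01$ are assumed values; substitute your own.

```powershell
# Added example: read-only audit of 'Read All Properties' on the three containers.
# Assumed values (not from the article): the domain DN and computer account name below.
Import-Module ActiveDirectory   # RSAT module; provides the AD: drive used by Get-Acl

$domainDn   = 'DC=contoso,DC=com'        # assumed DN for the contoso domain
$serverAcct = 'CONTOSO\APPVMGMT01$'      # hypothetical Management Server computer account
$containers = "CN=Computers,$domainDn", "CN=Users,$domainDn", $domainDn

$sidType   = [System.Security.Principal.SecurityIdentifier]
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'  # Authenticated Users
$serverSid = ([System.Security.Principal.NTAccount]$serverAcct).Translate($sidType)

function Test-ReadAllProperties {
    param([string]$DistinguishedName, [string]$Sid)
    $readProp    = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allowed = $false
    # Explicit and inherited ACEs, with trustees returned as SIDs.
    $rules = (Get-Acl -Path "AD:\$DistinguishedName").GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $Sid) { continue }
        if (([int]$ace.ActiveDirectoryRights -band $readProp) -eq 0) { continue }
        # A non-empty ObjectType limits the ACE to one property or property set.
        if ($ace.ObjectType -ne [guid]::Empty) { continue }
        # Inherit-only ACEs apply to child objects, not to the container itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        # A matching Deny ACE for this trustee overrides any Allow.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

foreach ($dn in $containers) {
    [pscustomobject]@{
        Container          = $dn
        AuthenticatedUsers = Test-ReadAllProperties $dn $authUsers.Value
        ManagementServer   = Test-ReadAllProperties $dn $serverSid.Value
    }
}
```

The check looks only at ACEs that name the trustee directly; it does not compute effective access granted or denied through other group memberships.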

More Information

The AppVManagement Application Pool, by default, runs under the NetworkService account. The NetworkService account in turn impersonates the computer account when accessing network resources. In this scenario, the network resource is Active Directory.

Properties

Article ID: 2797968 - Last Review: Jan 15, 2013 - Revision: 1
