Tips and Tricks for Deploying the Application Catalog in System Center 2012 Configuration Manager
Published Oct 16 2018 04:53 PM 7,146 Views
Microsoft
First published on CLOUDBLOGS on Jul 05, 2012

The Application Catalog is one of the new and exciting features in the System Center 2012 Configuration Manager. Dave Randall recently posted a great blog post that helps you plan for the Application Catalog deployment and provide a great experience to the users.


This blog post provides additional information about how to deploy the Application Catalog in your environment, which might help you avoid common pitfalls and it offers some troubleshooting tips to resolve some typical issues that we’ve seen and heard from customers. This information also reflects some of the frequently asked questions on the System Center 2012 Configuration Manager forums.


Contents


Application Catalog Deployment Tips:



  • Branding the Application Catalog

  • Support for users in untrusted forests

  • Securing the communication by using HTTPS

  • Customizing the communication ports

  • Support for multiple languages

  • Additional planning tips


Verification Tips:



  • Verify Prerequisites Before You Install the Roles

  • Verify the installation of the roles

  • Verify client settings are configured

  • Verify that the clients can communicate with the Application Catalog


Application Catalog Deployment Tips


Branding the Application Catalog

You can set the color theme of the website to any color that you feel is appropriate for your organization. In addition, you can specify the organization name that the users will see in the bottom-left corner of the page. These options are available in the Add Site System Role Wizard when you install the Application Catalog website role and in the Application Catalog Website Properties after the role is installed.


Support for multiple domains or restricting user access

When the Application Catalog roles are installed, the default permissions allow domain users of the same domain to browse the Application Catalog. Because the Application Catalog uses Windows Authentication, you can add or remove permissions for the following folders to configure the users or groups that have access to the website:




  • CMApplicationCatalog folder



  • CMApplicationCatalogContentImagesAppIcons folder



Note that these permissions are reset to the default values if you reinstall the Application Catalog website role, modify the protocol for the existing role, or change language selection for the primary site.


Support for users in untrusted forests

If you plan to support users in untrusted forests, the Application Catalog must be able to authenticate users who connect to it. The two Application Catalog roles provide flexibility to support this scenario. To support this configuration:




  • Install the Application Catalog web service role on a site system server that is in the same forest as the site database.



  • Install the Application Catalog website role on a site system server that is in the untrusted forest. To do this, specify a Site System Installation Account that has local administrative permissions on the site server computer to install the role and send status messages to the site server. After installation, the Application Catalog website role communicates with the Application Catalog web service role across the security boundaries of the forest by using certificates (self-signed or PKI). For more information about
    how this communication is secured, see the “Cryptographic Controls for Server Communication” section in Technical Reference for Cryptographic Controls Used in Configuration Manager .



  • Make sure that you run User Discovery or User Group Discovery for the untrusted domains to support the users that belong to these domains.



Securing the communication by using HTTPS

You can configure the Application Catalog web service role and the Application Catalog website role to use HTTPS for additional security on the intranet. If users will connect to the Application Catalog from the Internet, you must configure the Application Catalog website point for HTTPS.


Before you select the HTTPS configuration, check the following:




  • IIS is configured with an HTTPS binding with a port number assigned (by default, 443).



  • The binding is configured for a web server certificate that matches the PKI certificate requirements for Configuration Manager .



  • The IIS binding for the port number you selected does not have another certificate assigned to the same port. You can check the list of certificates by running the following command: netsh http show sslcert



  • If you are planning for internet-based client management, make sure you specify the Internet FQDN in the site system properties.



  • Make sure that the certificate contains the intranet FQDN of the site system computer in the subject name or subject alternative name, especially if the Internet FQDN is different from the intranet FQDN.



Customizing the communication ports

If you want the Application Catalog website point or Application Catalog web service point to use non-default ports, perform the following steps:




  • Create a new IIS website and specify the bindings (and PKI certificate if using HTTPS) for the non-default port numbers.



  • Verify that the new IIS website is operational. For example, on the computer that is running IIS, type http://localhost:<port> or https://localhost:<port> in the browser and confirm that you see the IIS welcome screen. Also check that the firewall is configured to allow communication via the specified ports.



  • Specify the new IIS website name and the non-default port number when you install the Application Catalog roles. The port numbers cannot be changed after installation and if you want to do this, you must remove the Application Catalog roles and re-install them.



  • Note that Configuration Manager does not configure IIS for the non-default website or port number – you must configure these in IIS before you install the Application Catalog site system roles.



Support for multiple languages

The Application Catalog can display information in different languages, based on the user’s locale:




  • The Application Catalog relies on the language selection in Internet Explorer to determine user’s locale. You can find the language setting on the General tab of the Internet Options. The Application Catalog will pick only the first language specified in the list. In most cases, the primary language selected in the Internet Options matches the locale of the operating system.



  • You can add or remove languages for the Application Catalog by selecting client languages from Configuration Manager Setup. Note that the Application Catalog user interface is configured based on the client language selection and not the server language selection.



  • The Application Catalog will display the application information, such as name or description, based on the localized information provided for the application. You can specify this information in one or more languages on the Application Catalog tab of the application properties. The Application Catalog will display localized information for the user’s language or any of the parent languages if available. Otherwise, the Application Catalog will fall back to the default language, which is specified in the application properties.



Additional planning tips:


  • By default, when you use HTTPS, the Application Catalog URL for the intranet clients is formed by using the NetBIOS name that is specified in the Application Catalog website point properties, which might cause a certificate warning to display when you browse to the Application Catalog. To avoid the warning, configure the URL for the default Application Catalog website point in client settings to match the subject name of the certificate.



  • You can specify the HTTP or HTTPS option separately for each of the Application Catalog roles, although we recommended you use HTTPS for enhanced security. Optional on the intranet, but recommended, clients communicate with the management point by using HTTPS or by using HTTP and a PKI client certificate for client authentication. Configuration Manager provides flexibility to configure the communication options for each role. For example, on the intranet you can configure the Application Catalog website point for HTTPS but clients can connect to a management point by using HTTP, and vice versa.



  • You can change the certificate for existing Application Catalog roles by changing the SSL binding in IIS. When you do this, allow some time for the configuration change to take effect.



  • If you switch between the HTTP or HTTPS Allowed connection options in the Application Catalog website point properties, this action reinstalls the website role for the new setting, which resets the Application Catalog website folder permissions to the Domain Users group of the current domain. You can only change this setting for the Application Catalog website role and not the Application Catalog Web service role.



  • You can install multiple Application Catalog web service and website roles in the same primary site. For example, if you have multiple untrusted forests, you could install an Application Catalog website point in each untrusted forest and one or more Application Catalog web service points in the site server forest.



  • Users from one primary site can use an Application Catalog website point in another primary site.



You can find more information about configuring the Application Catalog on
TechNet: Configuring the
Application Catalog and Software Center in Configuration Manager



Verification Tips


Verify Prerequisites Before You Install the Roles

The Application Catalog requires a set of IIS components to be already installed, as documented in Supported Configurations for Configuration Manager . Key points:




  • Make sure that ASP.NET and related components, as well as IIS 6 Metabase Compatibility, Windows Authentication, and Common HTTP features are installed.



  • Make sure that the Microsoft.NET 4.0 framework is installed for the Application Catalog website role.



  • Make sure that the ASP.NET 4.0 registration is correct, especially if you added any components or features to Windows after you have installed the Microsoft.NET 4.0 framework. You can ensure that ASP.NET is registered by running the following command line:

    %windir%Microsoft.NETFramework64v4.0.30319aspnet_regiis.exe -i -enable
    In some configurations, the command line requires -ir parameter instead of -i.



  • Install WCF Activation, which you can do from the Features node in Server Manager on Windows 2008 Server. Note that after you do this, you must repair the ASP.NET registration by using the previous ASP.NET registration command.



  • Verify that IIS is operational. For example, on the computer that is running IIS, type http://localhost in the browser and confirm that you see the IIS welcome screen.



Verify the installation of the roles

  • When you complete the Add Site System Roles Wizard for the Application Catalog roles, Configuration Manager initiates the role installation, but at this point, the installation isn’t yet complete. You can track the progress by using the following methods:


    • Use the Configuration Manager console and the Monitoring workspace: In the
      Component Status node, look for the two components, SMS_PORTALWEB_CONTROL_MANAGER and SMS_AWEBSVC_CONTROL_MANAGER. Use these to track the health of the two roles. After the roles are installed successfully, you should see similar messages for both components by drilling down to the status:




If the role installation failed, you might see errors for one or both components, similar to the following:





    • Use log files in the Configuration Manager Logs folder:


      • SMSPORTALWEBSetup.log and SMSAWEBSVCSetup.log show overall installation progress and any error messages.

      • Awebsctl.log and Portlctl.log show the component status after the roles are installed. Look for “status code 200” to verify that the components are operational.



  • Tips to help troubleshoot Application Catalog installation failures:


    • After the Application Catalog roles are installed, it might take a few minutes for Configuration Manager to complete the configuration of these roles. If you have a central administration site in the hierarchy, the configuration might take longer, depending on the speed of the replication between the primary site and central administration site.

    • If either or both of the Application Catalog roles fail to install because of missing prerequisites, the quickest troubleshooting approach is to install the missing prerequisites and then uninstall and then reinstall both the Application Catalog web service role and the Application Catalog website role. If you install the missing prerequisites and do not reinstall the site system roles, they might not be operational for up to two hours.

    • If SMS_PORTALWEB_CONTROL_MANAGER reports message ID 8000 and HTTP status code 500, the most likely cause is misconfiguration of ASP.NET. Run the ASP.NET registration command as listed previously, which repairs the ASP.NET 4.0 registration. To see specific error message returned from IIS, browse to the following URL on the site system server that has the Application Catalog website role installed: http://localhost/CMApplicationCatalog/default.aspx . This command assumes that you are using the default values for the Application Catalog website role with HTTP, so you must adjust them accordingly if you use other values.

    • If SMS_AWEBSVC_CONTROL_MANAGER reports message ID 8100 and HTTP status code 500, the most likely cause is a problem with IIS. Ensure that IIS is operational and healthy, and that all the IIS components that Configuration Manager requires are still installed. To see a specific error message, browse to the following URL on the site system server that has the Application Catalog web service role installed: http://localhost/CMApplicationCatalogSvc/ApplicationOfferService.svc . This URL format assumes that you are using the default values for the Application Catalog web service role with HTTP, so you must adjust them accordingly if you use other values. If you see the following message in the browser, the site system role is operational: This is a Windows© Communication Foundation service.

    • If you experience problems when you use the Application Catalog (for example, you see “Cannot connect to the application server”), use the ServicePortalWebSite.log file (in the CMApplicationCatalogLogs folder) and the ServicePortalWebService.log file (in the CMApplicationCatalogSvcLogs folder). The location of these two folders is described in Step 4 of the Configuring the Application Catalog and Software Center in Configuration Manager TechNet topic. Errors in these logs might indicate that the roles have not yet been configured or that the Application Catalog experienced connectivity issues with SQL Server. If any of the log files are missing, it is probable that one of the roles was not installed successfully.

    • If some users are unable to browse to the Application Catalog and see “Access Denied” errors, check the folder permissions for the CMApplicationCatalog folder as described previously in this post. If you have configured permissions correctly, you can enable IIS failure tracing to troubleshoot authentication failures.



Verify client settings are configured

After the Application Catalog roles are installed, the Configuration Manager clients start picking up the URL for the Application Catalog. Ensure that the following client settings are configured correctly before you use the Application Catalog:



  • Computer Agent, Default Application Catalog website point setting defines the appropriate URLs for your environment.


    • The “Automatically detect” or “(none)”option instructs the site server to provide the URL automatically, based on the client’s site assignment and related client properties. With this option, the clients update the assigned URL once every 25 hours. For testing purposes only, you can restart the SMS Agent Host service on the client computer to force the update to run when the service starts. Note that the SMS Agent Host service might take a few minutes to start.

    • The specific site system, URL format, or custom URL options assign one Application Catalog website role to all client computers in the hierarchy or a specific collection of computers. With this option, the clients pick up the new URL by using their configured client policy polling interval (by default, once every hour). For testing purposes, you can initiate client policy retrieval to force the update by using Configuration Manager from Control Panel. For more information about how to initiate client policy, see Initiate Policy Retrieval for a Configuration Manager Client .


  • Computer Agent, Add default Application Catalog website to Internet Explorer trusted sites zone provides a way to ensure that users can install applications from the Application Catalog. Clients are configured for this setting when they download client policy.

  • User and Device Affinity, Allow user to define their primary devices setting to configure whether users are allowed to specify their primary computers from the Application Catalog. This setting takes effect immediately.


You can find more information about each of these client settings in About Client Settings in Configuration Manager on TechNet.



Verify that the clients can communicate with the Application
Catalog

Follow these steps to verify that the clients received the client settings and that they are configured correctly for the Application Catalog:



  • Open Software Center and click Find additional applications from the Application Catalog link, as shown in the following picture.



If the link is disabled or takes you to an old or incorrect URL, the client might not yet be configured for the Application Catalog URL. Refer to the previous section in this post to make sure that the client receives the updated URL. Note that you must close and re-open Software Center to refresh the Application Catalog link.



  • After the web page is opened in Internet Explorer, check that the URL is added to the trusted sites or other zone, as appropriate. This configures protected mode to be off, which is required for the Application Catalog. In Internet Explorer 8 or earlier versions of the browser, check the status bar to see whether protected mode is off. In Internet Explorer 9, you can find this information from the File menu, Properties. If protected mode is on, you must add the URL to the appropriate security zone, such as the Trusted Sites zone. You can do this by using the client settings mentioned above, or by manually specifying this configuration, or by using Group Policy.

  • Navigate to the My Devices tab of the Application Catalog. You should see one of the following messages:


    • “This setting is managed by your IT department”

    • “This computer is set as your primary computer”

    • “This computer is not set as your primary computer”



If you see an error displayed on the My Devices tab or see the following error message “Cannot install or request software” when you install an application, the Application Catalog website has a problem communicating with the client.



Some troubleshooting tips for client communication to the Application Catalog:




    • Ensure that the Configuration Manager client is successfully assigned to a site and operational by checking LocationServices.log and ClientIDManagerStartup.log.

    • Verify that the client can communicate with the management point. For example, check out any HTTP errors in the CcmMessaging.log file.

    • Check the LocationServices.log file for any errors during the time you browsed to the Application Catalog. One typical reason for Application Catalog failures in this log is client communication failures to the management point, indicated by the following error: “Failed to send web service info Location Request Message.” In this case, verify that the management point is operational and reachable from the client computer.

    • If you have recently installed the Application Catalog roles, the configuration on the site system server might take some time to complete. If you have a central administration site, make sure that sites are replicating successfully. In this scenario, information about the Application Catalog roles must replicate to the central administration site and then back to the primary site before the Application Catalog is fully operational. For example, until the replication is complete, users will not be able to request or install applications from the Application Catalog.

    • Ensure that the domain and user name that is displayed in the top right corner of the Application Catalog matches the user that is logged in to Windows, especially if Internet Explorer prompts the user for credentials.

    • Ensure that any required Internet Explorer plugins are enabled and not explicitly blocked in Internet Explorer. For more information, see Prerequisites for Client Deployment in Configuration Manager on TechNet.

    • If you have configured client settings to add the URL to the trusted sites and the URL is not added to the trusted sites zone, check whether the client successfully downloads client policy and also check group policy settings in your environment to ensure that the Configuration Manager client can add the URL to the trusted sites zone.

    • If the Application Catalog shows an error page, the error will also be displayed in the ConfigMgrSoftwareCatalog.log. You can find the log file by searching the user profile folder. For example, in Windows 7, you can find the log file inside the following folder:

      %systemdrive%Users<username>AppDataLocalLowMicrosoftSilverlight

      Note that the error in this log most likely indicates one of the issues mentioned previously.


  • If you see the following error message when you request or install software in the Application Catalog, ensure that the domain and user name that is displayed in the top right corner of the Application Catalog matches the user that is logged in to Windows. If you are prompted for a user name and password, do not specify a different account from the one that you used to log in to Windows. In addition, you will see the same error message if the client setting Install permissions prevents you from installing software (for example,this setting is configured for Only administrators and your account is not a member of the local Administrators group).



Summary


I hope that this blog post helps you to configure the Application Catalog in your environment and provides you with information about some typical troubleshooting problems with solutions. For more information about the Application Catalog, see Dave’s Deploying A Great Application Catalog Experience for System Center 2012 Configuration Manager ... post, Introducing the Application Catalog and Software Center in System Center 2012 Configuration Man... post, and Configuring the Application Catalog and Software Center in Configuration Manager on TechNet.


-- Anton Varshavskiy


This posting is provided "AS IS" with no warranties, and confers no rights.


Version history
Last update:
‎Oct 16 2018 04:53 PM
Updated by: