Deploy Applications using the Application Catalog in an Untrusted Forest

This blog post by Paul Gregory describes very well how to use the application catalog in an untrusted or cross forest situation.

The main solution to this problem is to Install the Application Catalog Website on a server in the same domain as where the ConfigMgr clients reside.

The main issue you will run into when you try to open the Application Catalog in the domain where the SCCM server resides is an authentication problem.

You will receive three attempts to login:

app catalog untrusted credentials

And these will result in an Access is denied page

app catalog untrusted

When you add a site system to your SCCM environment in the untrusted domain using the blog post and add the Application Catalog Website point this authentication issue will disappear.

The clients in the untrusted domain will use the Application Catalog in their domain using windows authentication and the Application Catalog Website will use Self Signed certificates to get data from the Application Catalog Webservice in the SCCM domain.


After installing the Application Catalog Point was installed I browsed to it (http://myserver/CMApplicationCatalog) and immediately I received the error “Cannot connect to the application server

AppCatalog error

After reviewing the log file on my trusted Application Catalog webserver

– c:\windows\ccm\cmapplicationcatalog\logs\serviceportalwebsite.svclog

I found a few different error messages :

System.ServiceModel.FaultException: An error occurred when verifying security for the message.


An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. —> System.ServiceModel.FaultException: An error occurred when verifying security for the message.

AppCatalog log error

After some “tremendously long minutes” of searching the internet on these error messages I discovered that my VM’s synced time from the Virtual hosts and it’s time was 30 minutes out of sync. Long story short Always keep your time in sync.

So now you’d think every will work fine and partially it did, refreshing the Application Catalog al my assigned applications were shown.

Application Catalog


Unfortunately I ran into more problems when I tried installing them the error message was

Cannot Install or request software

AppCatalog install error


After some investiging I found that you have to reconfigure the “Computer Agent” in the SCCM Client Settings to point the clients in your domain to the trusted Application Catalog Website instead of the default Application Catalog Website configured in the default Client Settings.

You can check the current setting by clicking op the Find additional applications from the application catalog link in the software center.

Application Catalog Link

To configure the “Computer Agent – default Application Catalog Website point” create a custom Device settings and configure the default Application Website point URL/

Client Settings


Don’t forget to Deploy the settings to the collection where all the untrusted clients reside to apply these custom settings. After some waiting (I configured the Client policy polling to 3 minutes for troubleshooting purposes) I clicked on the Find additional applications from the application catalog link again and I safely landed on my trusted Application Catalog website.

I am now able to install applications on my untrusted clients without any issues.

Hopefully this blog will save you some time when using this setup.



Leave a Reply

Your email address will not be published. Required fields are marked *


Please enter the CAPTCHA text

This site uses Akismet to reduce spam. Learn how your comment data is processed.