Deploy Applications using the Application Catalog in an Untrusted Forest
This blog post by Paul Gregory describes very well how to use the application catalog in an untrusted or cross forest situation.
The main solution to this problem is to Install the Application Catalog Website on a server in the same domain as where the ConfigMgr clients reside.
The main issue you will run into when you try to open the Application Catalog in the domain where the SCCM server resides is an authentication problem.
You will receive three attempts to login:
And these will result in an Access is denied page
When you add a site system to your SCCM environment in the untrusted domain using the blog post and add the Application Catalog Website point this authentication issue will disappear.
The clients in the untrusted domain will use the Application Catalog in their domain using windows authentication and the Application Catalog Website will use Self Signed certificates to get data from the Application Catalog Webservice in the SCCM domain.
Issues
After installing the Application Catalog Point was installed I browsed to it (http://myserver/CMApplicationCatalog) and immediately I received the error “Cannot connect to the application server“
After reviewing the log file on my trusted Application Catalog webserver
– c:\windows\ccm\cmapplicationcatalog\logs\serviceportalwebsite.svclog
I found a few different error messages :
System.ServiceModel.FaultException: An error occurred when verifying security for the message.
and
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. —> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
After some “tremendously long minutes” of searching the internet on these error messages I discovered that my VM’s synced time from the Virtual hosts and it’s time was 30 minutes out of sync. Long story short Always keep your time in sync.
So now you’d think every will work fine and partially it did, refreshing the Application Catalog al my assigned applications were shown.
Unfortunately I ran into more problems when I tried installing them the error message was
Cannot Install or request software
After some investiging I found that you have to reconfigure the “Computer Agent” in the SCCM Client Settings to point the clients in your domain to the trusted Application Catalog Website instead of the default Application Catalog Website configured in the default Client Settings.
You can check the current setting by clicking op the Find additional applications from the application catalog link in the software center.
To configure the “Computer Agent – default Application Catalog Website point” create a custom Device settings and configure the default Application Website point URL/
Don’t forget to Deploy the settings to the collection where all the untrusted clients reside to apply these custom settings. After some waiting (I configured the Client policy polling to 3 minutes for troubleshooting purposes) I clicked on the Find additional applications from the application catalog link again and I safely landed on my trusted Application Catalog website.
I am now able to install applications on my untrusted clients without any issues.
Hopefully this blog will save you some time when using this setup.