Support for users in untrusted forests

If you plan to support users in untrusted forests, the Application Catalog must be able to authenticate users who connect to it. The two Application Catalog roles provide flexibility to support this scenario. To support this configuration:

* Install the Application Catalog web service role on a site system server that is in the same forest as the site database.

* Install the Application Catalog website role on a site system server that is in the untrusted forest. To do this, specify a Site System Installation Account that has local administrative permissions on the site server computer to install the role and send status messages to the site server. After installation, the Application Catalog website role communicates with the Application Catalog web service role across the security boundaries of the forest by using certificates (self-signed or PKI). For more information about how this communication is secured, see the "Cryptographic Controls for Server Communication" section in Technical Reference for Cryptographic Controls Used in Configuration Manager <http://technet.microsoft.com/en-us/library/hh427327.aspx>.

* Make sure that you run User Discovery or User Group Discovery for the untrusted domains to support the users that belong to these domains.

You'll probably want an mp in the untrusted forest as well.

From: [email protected] [mailto:[email protected]] On Behalf Of Trevor Sullivan
Sent: Monday, February 17, 2014 01:25
To: SMS
Subject: [mssms] Re: ConfigMgr 2012 SP1 :: Application Catalog - Cross-Forest

Bump

On Mon, Feb 10, 2014 at 5:38 PM, Trevor Sullivan <[email protected]> wrote:

Hey folks,

Just curious - what are the Active Directory requirements for systems & users accessing the Configuration Manager 2012 Application Catalog? Is a two-way domain trust between the server holding the Application Catalog Web Service Point and Application Catalog Website Point, and the forest where the computer and user both exist required? Is any special configuration required in order to support this configuration? I'm not sure that the ConfigMgr documentation very clearly states what the requirements are in this scenario.

The cross-forest support documentation seems to be mainly geared towards Active Directory discovery, publishing, and client management.

Cheers,
Trevor Sullivan

--
Cheers,
Trevor Sullivan
Mobile: (630) 344-9867
E-mail: [email protected]
http://trevorsullivan.net

IMPORTANT: Do NOT e-mail me personally at this e-mail address. Use the one in my signature above.
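A pre-flight check for the steps quoted in the reply above, written as an added example for this thread; it is not code from the thread, from Microsoft, or from Configuration Manager itself. It is meant to be run on the server in the untrusted forest that will host the Application Catalog website point, before the role is installed, and it checks the things that actually break in this topology: name resolution and TCP reachability to the web service point across the forest boundary, the certificate the web service point presents (self-signed or PKI), local Administrators membership for the Site System Installation Account, and LDAP reachability to the untrusted domain that User Discovery will have to read. The server names, port, account and domain are placeholders, and the script assumes Windows Server 2012 R2 / PowerShell 4.0 or later for Resolve-DnsName and Test-NetConnection.

```powershell
# Added example for the mssms thread, not Microsoft's code. Run on the
# prospective Application Catalog website point in the untrusted forest.
# All four parameter defaults are assumed placeholders; set them for your site.
param(
    [string]$WebServicePoint = 'cm-appsvc01.contoso.internal',  # assumed: web service point, same forest as site DB
    [int]   $WebServicePort  = 443,                              # 443 if the web service uses HTTPS, 80 otherwise
    [string]$InstallAccount  = 'CONTOSO\svc-cm-siteinstall',     # assumed: Site System Installation Account
    [string]$UntrustedDomain = 'fabrikam.internal'               # assumed: untrusted domain whose users need the catalog
)

$results = @()

# 1. DNS across the forest boundary. With no trust there is no AD-integrated
#    zone replication, so the FQDN must resolve via a conditional forwarder
#    or stub zone, otherwise the website point can never find the web service.
try {
    $null = Resolve-DnsName -Name $WebServicePoint -ErrorAction Stop
    $results += [pscustomobject]@{ Check = 'DNS resolves web service point'; Pass = $true }
} catch {
    $results += [pscustomobject]@{ Check = 'DNS resolves web service point'; Pass = $false }
}

# 2. TCP reachability. Inter-forest firewalls commonly allow only a subset of
#    ports; the role install can still succeed while the catalog stays broken.
$tcp = Test-NetConnection -ComputerName $WebServicePoint -Port $WebServicePort -WarningAction SilentlyContinue
$results += [pscustomobject]@{ Check = "TCP $WebServicePort to web service point"; Pass = [bool]$tcp.TcpTestSucceeded }

# 3. If HTTPS is used, read the certificate the web service point presents.
#    Cross-forest it is often self-signed or issued by a PKI this forest does
#    not trust, so record subject, issuer and expiry instead of relying on
#    chain validation. The callback accepts any cert only so we can inspect it.
if ($WebServicePort -eq 443) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($WebServicePoint, $WebServicePort)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($WebServicePoint)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $results += [pscustomobject]@{
            Check = "TLS cert subject=$($cert.Subject) issuer=$($cert.Issuer) expires=$($cert.NotAfter.ToShortDateString())"
            Pass  = ($cert.NotAfter -gt (Get-Date))
        }
        $ssl.Dispose()
    } catch {
        $results += [pscustomobject]@{ Check = 'Certificate retrievable over TLS'; Pass = $false }
    } finally {
        $client.Dispose()
    }
}

# 4. The Site System Installation Account has to be a local administrator on
#    the server where the role is installed; across a non-trust the site
#    server's computer account cannot be used, so this is the only path.
#    (Assumed reading of the quoted guidance; the membership check itself is generic.)
$localAdmins = (net localgroup Administrators) | Where-Object { $_ -match '\\' }
$results += [pscustomobject]@{ Check = "$InstallAccount is in local Administrators"; Pass = ($localAdmins -contains $InstallAccount) }

# 5. User Discovery / User Group Discovery for the untrusted domain needs LDAP
#    to its domain controllers. This only proves a DC answers on 389 from
#    this host; the discovery account's read rights are checked separately.
$ldap = Test-NetConnection -ComputerName $UntrustedDomain -Port 389 -WarningAction SilentlyContinue
$results += [pscustomobject]@{ Check = "LDAP 389 to $UntrustedDomain (discovery target)"; Pass = [bool]$ldap.TcpTestSucceeded }

$results | Format-Table -AutoSize
```

Run it as `.\Test-AppCatalogCrossForest.ps1 -WebServicePoint <fqdn> -InstallAccount '<DOMAIN>\<account>' -UntrustedDomain <fqdn>` from an elevated prompt on the target server; any row with Pass = False points at the layer (DNS, firewall, certificate, local rights, or discovery reachability) to fix before adding the website role.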

