Kim,

 

You hit the nail on the head. IIS permissions are one of the things that I
assumed would need to be adjusted, in order to accommodate users in remote,
trusted forests & domains. I was hoping that Microsoft had some official
documentation on this scenario, but it seems there isn't much. I am
wondering if access would also need to be granted to the Application Catalog
Web Service. My understanding is that the user's credential gets passed
through to the web service, to determine which Applications they do/don't
have access to.

 

Cheers,

Trevor Sullivan

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Kim Oppalfens
Sent: Monday, February 17, 2014 10:10 AM
To: [email protected]
Subject: RE: [mssms] Re: ConfigMgr 2012 SP1 :: Application Catalog -
Cross-Forest

 

I think all of it would work out of the box.

 

Prior to SP1, one had to make sure the users had access to the application
catalog.

Make sure users have the following permissions to the CMApplicationCatalog
folder and CMApplicationCatalog\Content\Images\AppIcons folder:

* Read & execute
* List folder contents
* Read

 

By default only domain users of the domain the application catalog is in
have these permissions.
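As an added example (this is not code from the thread, from Kim, or from Microsoft), the following PowerShell script grants exactly those three rights to a group from a trusted forest on both folders and then reads the ACLs back. The group name `CONTOSO\AppCatalog-Users` and the path `C:\SMS_CCM\CMApplicationCatalog` are assumed placeholders; it is meant to be run elevated on the site system that hosts the Application Catalog website point. Before touching the ACL it resolves the account to a SID, which is a quick way to confirm that the trust actually works from that server rather than discovering it later as a 401 in the browser.

```powershell
# Added example, not part of the original thread. Grants a trusted-forest group
# the NTFS rights listed above on the Application Catalog folders.
# Assumed placeholders: the group name and the catalog install path.
param(
    [string]$Identity    = 'CONTOSO\AppCatalog-Users',          # assumed group in the trusted forest
    [string]$CatalogRoot = 'C:\SMS_CCM\CMApplicationCatalog'    # assumed install path on the website point
)

$ErrorActionPreference = 'Stop'

# Step 1: resolve the account to a SID from this server. If the trust is missing,
# one-way in the wrong direction, or the name is wrong, Translate() throws here.
$account = New-Object System.Security.Principal.NTAccount($Identity)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "Resolved $Identity to $($sid.Value)"

# Step 2: the two folders Kim names.
$folders = @(
    $CatalogRoot,
    (Join-Path $CatalogRoot 'Content\Images\AppIcons')
)

# Step 3: build one inheritable Allow ACE. FileSystemRights.ReadAndExecute is the
# aggregate that the Explorer security tab displays as "Read & execute",
# "List folder contents" and "Read"; ContainerInherit + ObjectInherit pushes it
# down to subfolders and files, so the icon files under AppIcons are covered too.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Step 4: add the ACE to each folder's DACL (AddAccessRule merges with any
# existing ACE for the same identity instead of duplicating it).
foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        throw "Folder not found: $folder (check the assumed install path)"
    }
    $acl = Get-Acl -LiteralPath $folder
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $folder -AclObject $acl
}

# Step 5: read the ACLs back and show only the entries for this group, so the
# result can be compared against the three rights listed in the thread.
foreach ($folder in $folders) {
    (Get-Acl -LiteralPath $folder).Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -or
            $_.IdentityReference.Value -eq $sid.Value
        } |
        Select-Object @{ n = 'Folder'; e = { $folder } },
                      IdentityReference, FileSystemRights,
                      AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

The script only adds an Allow ACE and never removes existing ones, so it is safe to re-run; if you prefer to grant through a local group on the site system (local group containing the trusted-forest global group), pass that local group as `-Identity` instead and the rest is unchanged.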

 

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Trevor Sullivan
Sent: Monday, February 17, 2014 16:21
To: [email protected]
Subject: RE: [mssms] Re: ConfigMgr 2012 SP1 :: Application Catalog -
Cross-Forest

 

Kim,

 

What if there are transitive trusts set up between the forests. What would
be required in that scenario?

 

Cheers,

Trevor Sullivan

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Kim Oppalfens
Sent: Monday, February 17, 2014 4:06 AM
To: [email protected]
Subject: RE: [mssms] Re: ConfigMgr 2012 SP1 :: Application Catalog -
Cross-Forest

 

Support for users in untrusted forests

If you plan to support users in untrusted forests, the Application Catalog
must be able to authenticate users who connect to it. The two Application
Catalog roles provide flexibility to support this scenario. To support this
configuration:

* Install the Application Catalog web service role on a site system
  server that is in the same forest as the site database.
* Install the Application Catalog website role on a site system server
  that is in the untrusted forest. To do this, specify a Site System
  Installation Account that has local administrative permissions on the site
  server computer to install the role and send status messages to the site
  server. After installation, the Application Catalog website role
  communicates with the Application Catalog web service role across the
  security boundaries of the forest by using certificates (self-signed or
  PKI). For more information about how this communication is secured, see
  the "Cryptographic Controls for Server Communication" section in Technical
  Reference for Cryptographic Controls Used in Configuration Manager
  (http://technet.microsoft.com/en-us/library/hh427327.aspx).
* Make sure that you run User Discovery or User Group Discovery for
  the untrusted domains to support the users that belong to these domains.

You'll probably want an MP in the untrusted forest as well.

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Trevor Sullivan
Sent: Monday, February 17, 2014 01:25
To: SMS
Subject: [mssms] Re: ConfigMgr 2012 SP1 :: Application Catalog -
Cross-Forest

 

Bump

 

On Mon, Feb 10, 2014 at 5:38 PM, Trevor Sullivan <[email protected]> wrote:

Hey folks,

 

Just curious - what are the Active Directory requirements for systems &
users accessing the Configuration Manager 2012 Application Catalog? Is a
two-way domain trust between the server holding the Application Catalog Web
Service Point and Application Catalog Website Point, and the forest where
the computer and user both exist required? Is any special configuration
required in order to support this configuration?

 

I'm not sure that the ConfigMgr documentation very clearly states what the
requirements are in this scenario. The cross-forest support documentation
seems to be mainly geared towards Active Directory discovery, publishing,
and client management.

 

Cheers,

Trevor Sullivan





 

-- 
Cheers,

Trevor Sullivan

Mobile: (630) 344-9867

E-mail: [email protected]

http://trevorsullivan.net

 

IMPORTANT: Do NOT e-mail me personally at this e-mail address. Use the one
in my signature above.
