Application Catalog Site URL Auto Selection Producing Unexpected Results RRS feed

  • Question

  • Hi All,

    Thank you in advance for the help.

    We have a client with about 90k computers managed by a CAS and four child primary sites. Each of the four primary sites exists in the AN forest and has a DMZ remote site system with MP, DP, SUP and AppCatalog Website Roles to support IBCM clients in the AN forest. The AppCatalog WebService Role is hosted on the primary site servers themselves. 

    Additionally we support two remote non-trusted forests, CVGH and QH. We have deployed a single DMZ server in each of the remote forests with MP, DP, SUP and AppCatalog Website Roles to support IBCM clients in the remote forests. (There are also Intranet site systems in the CVGH and QH forests supporting these forests’ clients within the primary sites.) 

    All certificates are configured correctly. All authentication is working as expected. Clients in remote forests are able to deploy packages/applications/software updates via Computer Policy and User Policy successfully. Each DMZ server has its own Internet published FQDN and is configured for Internet Only client communication via https. 

    Clients within the AN forest connected via the IBCM DMZ servers in the AN forest are provided with the correct Internet facing FQDN for their respective site’s Application Catalog and these FQDNs are successfully inserted into the Trusted Sites Zone. For example, a client in the PR1 site that exists in the AN forest is furnished with the FQDN for that site’s AN DMZ remote site system. This results in the Application Catalog link in Software Center successfully launching the Application Catalog from the Internet. The user is prompted for credentials from the AN forest and successfully authenticates to the Application Catalog and is able to install software as desired. 

    Clients within a remote non-trusted forest should be furnished with the FQDN of the remote non-trusted forest’s DMZ site system within the PR1 site for example. A client in the QH forest which is managed by a DMZ server in the QH forest which is attached to the PR1 site is not, however, furnished with the correct FQDN for the QH forest’s DMZ site system. Instead it receives the FQDN of the AN forest’s DMZ site system. This results in user’s attempting to launch the Application Catalog from the link in Software Center and being prompted for authentication against the wrong Application Catalog URL (in the wrong forest) and hence against the wrong forest entirely. 

    If we manually open a browser from a ConfigMgr client computer in the QH forest and open the correct FQDN URL for the QH DMZ site server’s Application Catalog website instance from the Internet we are prompted to authenticate against the correct (QH) forest and are able to successfully download applications from the Application Catalog. 

    The issue is that per Technet the QH client should be furnished (or choose I’m not sure) the FQDN of the https: enabled DMZ site server in its forest as its Application Catalog Website URL according to the rules of Application Catalog Automatic Site Selection (right?). The clients in our remote forests are not being provided with the correct FQDN for their respective forest’s DMZ site system’s Application Catalog roles or are not updating these FQDNs in the Software Center link to the Application Catalog Website. 

    I have closely followed this article for troubleshooting: http://blogs.technet.com/b/configmgrteam/archive/2012/07/05/tips-and-tricks-for-deploying-the-application-catalog-in-system-center-2012-configuration-manager.aspx 

    We believe our Default Client Settings are configured correctly as the Application Catalog website configuration is set to auto-detect. There is a higher priority workstation only Client Settings that has the same auto-detect configuration for the Application Catalog that we believe is configured correctly as well. 

    We do not believe configuring another Custom Client Setting to hard code a URL for the remote forest would work as it would point Intranet computers to the FQDN for the Internet DMZ servers when they should be pointed at the Intranet remote site systems for their respective forests. 

    LocationServices.log and ClientIDManagerStartup.log both fail to indicate any issues that I can identify. Clients are successfully assigned to the correct sites. Clients are able to communicate with their respective Management Points in the DMZ. No errors are shown in the Application Catalog websites when they are manually accessed by their correct FQDNs. 

    There are no errors that I have seen in the portal logs for the Application Catalogs. As evidenced by their successful functionality when manually specifying the correct site system’s FQDN in a browser we have no reason to believe that there is an issue with the Application Catalog websites themselves just the mechanism by which ConfigMgr clients are furnished with the correct FQDN for their forest and DMZ site system. 

    Again, thank you for your help. Any input is much appreciated. 

    • Edited by Angry Cartoon Wednesday, June 25, 2014 2:49 AM html edits
    Wednesday, June 25, 2014 2:48 AM

All replies

  • Spoke to CSS. This is expected behavior FYI.

    Tuesday, July 1, 2014 4:59 PM