Application Catalog stopped working after MBAM upgrade

  • Question

  • I have a Primary Site 2012 R2 CU2 which was working fine with MBAM 2.0 integration for over 1 year. Yesterday I performed the MBAM 2.5 upgrade on it, and after that, Application Catalog requires and refuses any authentication (domain as well). I did some troubleshooting, but I cannot figure this out.

    1. App catalog site is in the local intranet zone and protected mode is off (this has always been configured like that)
    2. There are no significant messages in the IIS logs during the attempt.
    3. There are no messages in Event Viewer during the attempt.
    4. Uninstalled both App catalog roles, restarted IIS, installed them back. No errors during installation.

    During the MBAM upgrade, there were 2 things done:
    - IIS App user registered (setspn) to the primary site hostname and FQDN
    - MVC 4 was installed as MBAM's prereq.

    I could uninstall the MP role and IIS and redo them both, but I wouldn't like to do so on a production environment.

    Friday, November 21, 2014 11:20 AM

Answers

  • Okay, I got it. The final solution was to move the MBAM Web site to another server, away from ConfigMgr IIS. Since MBAM 2.5, the authorization mechanism is changed directly to domain groups, it requires SPNs, and there is an incompatibility issue between that and ConfigMgr's local groups/services.
    Friday, November 28, 2014 1:40 PM

All replies

  • What do the logfiles for the App Catalog and web service tell (a*.log and portlctrl.log)?

    Torsten Meringer | http://www.mssccmfaq.de

    Friday, November 21, 2014 12:28 PM
    Moderator
  • What do the logfiles for the App Catalog and web service tell (a*.log and portlctrl.log)?

    Torsten Meringer | http://www.mssccmfaq.de

    PORTALWEBs http check returned hr=0, bFailed=0 SMS_PORTALWEB_CONTROL_MANAGER 21.11.2014 12:59:20 9164 (0x23CC)
    PORTALWEB's previous status was 4 (0 = Online, 1 = Failed, 4 = Undefined) SMS_PORTALWEB_CONTROL_MANAGER 21.11.2014 12:59:20 9164 (0x23CC)

    and

    AWEBSVCs http check returned hr=0, bFailed=0 SMS_AWEBSVC_CONTROL_MANAGER 21.11.2014 13:29:18 5504 (0x1580)
    AWEBSVC's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined) SMS_AWEBSVC_CONTROL_MANAGER 21.11.2014 13:29:18 5504 (0x1580)

    These logs are clean for errors. Do you need anything else?


    Friday, November 21, 2014 1:02 PM
  • Does this help :-


    Prajwal Desai, http://prajwaldesai.com


    Friday, November 21, 2014 1:05 PM
  • My colleague has a W2012 & CM2012 & SQL 2012 configuration and we installed 2.5 on that lab, SAME THING! There, we did this aspnet_regiis -i and it didn't help (rebooted, yes).

    I opened a case with MS. I have done this integration and update myself right after 2.5 was released and then I had no issues in my lab.

    Friday, November 21, 2014 1:26 PM
  • While there might be a way around it, out of the box you cannot have the MBAM Website features installed on the same box as your ConfigMgr web roles (MP/DP/AppCatalog, etc). You can put the MBAM database and configmgr integration roles on your MP/DP/AppCatalog box, but you need to put the MBAM web roles on another box.

    I hope that helps,


    Nash


    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts
    If you found a bug or want the product to work differently, share your feedback.
    <-- If this post was helpful, please click the up arrow or propose as answer.

    Friday, November 21, 2014 3:50 PM
  • While there might be a way around it, out of the box you cannot have the MBAM Website features installed on the same box as your ConfigMgr web roles (MP/DP/AppCatalog, etc). You can put the MBAM database and configmgr integration roles on your MP/DP/AppCatalog box, but you need to put the MBAM web roles on another box.

    I hope that helps,


    Nash


    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts
    If you found a bug or want the product to work differently, share your feedback.
    <-- If this post was helpful, please click the up arrow or propose as answer.

    Well, I have to disagree with you here, because full MBAM integration in ConfMgr is a supported scenario. The ConfMgr IIS site works on port 80 and the MBAM site works on port 443 with a certificate. When MBAM 2.0 was released, I was talking to an MS support guy about this before planning the MBAM integration. The thing is that small companies with an MDOP license do not want to spend another server and SQL license on MBAM.

    I have a lack of understanding of how SPN works, but here in my case, I used the same ConfMgr admin account for registering the SPN and setting it to , so I ran Setspn -s http/confmgr.domain.dom domain\confmgradmin. Our cloud guru told me that the reason why IIS authentication now breaks must be in the SPN.

    I also found my old post from almost a year ago when 2.5 was released and I integrated it in a lab, and the same thing happened back then. I had to uninstall IIS and the MP role, and re-install them to make Application Catalog work. In a production environment this is too heavy a solution though.

    So I would need someone to tell me how the SPN should be set in this scenario :) ... or another guess? Thank you all for your help.

    Saturday, November 22, 2014 8:45 AM
  • Well, I have to disagree with you here, because full MBAM integration in ConfMgr is a supported scenario.

    While integration is certainly supported, there is no support statement expressly saying that you can co-locate every ConfigMgr role with every MBAM role. The only MBAM roles they expressly say can be installed on a ConfigMgr site system are the MBAM DB and the MBAM CM Integration roles.

    As I said before, while there certainly might be a workaround to enable this, out of the box the MBAM web roles will break the Management Point role. When I've fixed the Management Point, it has broken the MBAM web roles.

    If you are really committed to this as an expressly supported scenario, then you will have to open a ticket with CSS since it will not work out of the box.

    I hope that helps,

    Nash



    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts
    If you found a bug or want the product to work differently, share your feedback.
    <-- If this post was helpful, please click the up arrow or propose as answer.


    • Edited by NPherson Saturday, November 22, 2014 3:35 PM
    Saturday, November 22, 2014 3:34 PM
  • As I said before, while there certainly might be a workaround to enable this, out of the box the MBAM web roles will break the Management Point role. When I've fixed the Management Point, it has broken the MBAM web roles.


    Yes, this will happen if you put MBAM web roles on the same ports as the MP; I have made that mistake too, a long time ago. If you use different ports, like MP=80, MBAM=81 or 443, it will work fine. Same thing with WSUS, which coexists on the same IIS box as ConfMgr.

    Currently my setup is done like that, and there is no overlapping between the different IIS sites. I will probably get a call tomorrow from MS; I will report back here how it goes. Meanwhile I need to start studying SPN, how it really works.

    Sunday, November 23, 2014 2:41 PM
  • > it will work fine. 

    If you install the ConfigMgr MP role on a server and then install the MBAM Web Roles on it, it will break authentication to the MP. I'm not sure how that equates to it working fine.

    It doesn't say anywhere in the documentation that it should work fine. The MBAM team is not part of the ConfigMgr team. Since the documentation only refers to installing the MBAM CM Integration role and DB roles alongside ConfigMgr, you cannot assume that it is a tested and supported scenario.

    Please let us know what you find out from CSS.



    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts
    If you found a bug or want the product to work differently, share your feedback.
    <-- If this post was helpful, please click the up arrow or propose as answer.

    Sunday, November 23, 2014 4:41 PM
  • If you install the ConfigMgr MP role on a server and then install the MBAM Web Roles on it, it will break authentication to the MP. I'm not sure how that equates to it working fine.

    Could you elaborate on this a little bit more? I'm not an IIS guru, and you might be right about this, but how do I know when the auth to the MP is broken and when it's not? I have set up MBAM 2.0 and 2.5 a few times in the LAB this way, and previously done a 2.0 full integration for our customer this way, and there were no issues before. I also remember talking to MS support guys about this scenario, and there was no argument not to do so. But as you said, they are in different teams and might not know each other's product fully enough.
    Sunday, November 23, 2014 9:48 PM
  • Okay, I got it! My mistake was to use the same service account (user account) for ConfMgr and MBAM. I shouldn't register the SPN for the ConfMgr user account, but create an MBAM account and register SPNs to it. I also had to change the IIS app pool to point to the new MBAM user account I created. And I re-registered the SPNs to point from the ConfMgr server to the MBAM user account.
    Monday, November 24, 2014 7:34 AM
  • Unfortunately after a few hours users noticed that Application Catalog stopped working and keeps requiring credentials and refusing them. If I un-register the SPNs for the MBAM service, App Catalog will work 100%, but right after applying them back, the credential prompt appears.

    I was waiting for a call from MS all day but they were too busy. I will compare App Pool settings with my LAB environment tomorrow, since my config has worked so far. I doubt that MBAM will work properly without the SPN. So the last solution will be to uninstall MBAM's web role from the primary server and set it up on a DP (just thinking whether it will affect DP functionality somehow).

    Monday, November 24, 2014 4:24 PM
  • As the MP, DP, and AppCatalog all need authentication to not be impacted, I would not co-locate the MBAM web roles with them.

    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts
    If you found a bug or want the product to work differently, share your feedback.
    <-- If this post was helpful, please click the up arrow or propose as answer.

    Monday, November 24, 2014 7:14 PM
  • Now I got into my own LAB, where I have been having MBAM 2.5 integration with ConfMgr for ages, and the configuration is that the SPNs are set to ConfMgr, and both App Catalog and the MBAM website work. If I delete the SPN records, the MBAM website stops working (keeps asking for credentials). In the LAB I have a W2012 server.

    In the production environment, ConfMgr with IIS is sitting on a W2008R2 server. There, if I delete the SPNs, Application Catalog is working but the MBAM website will not. If I set the SPNs, they turn around.

    So since in my lab everything was working, I assumed this is a supported scenario.

    Tuesday, November 25, 2014 10:12 AM
  • Okay, I got it. The final solution was to move the MBAM Web site to another server, away from ConfigMgr IIS. Since MBAM 2.5, the authorization mechanism is changed directly to domain groups, it requires SPNs, and there is an incompatibility issue between that and ConfigMgr's local groups/services.
    Friday, November 28, 2014 1:40 PM
  • Thanks for posting an update confirming that out of the box you cannot put the MBAM web roles on the same server as the ConfigMgr web roles.

    Nash


    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts
    If you found a bug or want the product to work differently, share your feedback.
    <-- If this post was helpful, please click the up arrow or propose as answer.


    • Edited by NPherson Saturday, November 29, 2014 11:41 PM
    Saturday, November 29, 2014 11:40 PM
  • I actually found a workaround:

    I created an A record in DNS (CNAME did not work) to point to the same Application Catalog server IP with a different name; for example if your server name is iis01.mydomain.local, create an A record in DNS, say mbamweb01.mydomain.local, and point it to the same IP as iis01.

    Next, install the MBAM portal using this newly created name. In the wizard there is a place where you have to type in the host name for the MBAM web application. By default it is populated with the actual server name on which you're installing MBAM. Change it to that new name whose A record you created in the step above.

    I verified that the SPN is indeed registered using this new name, hence no conflict between the MBAM and ConfigMan SPNs happens. Both came up fine.

    To be on the safe side, I actually changed the port of MBAM to something random, not 80 or 443, which most probably are taken by ConfigMan. However I don't think this step is necessary as MBAM will work with the HTTP host header.

    Tuesday, November 29, 2016 4:42 AM
  • Was there ever an official fix for this? I just wasted 2 days trying to figure out why I couldn't get my SCCM MP/DP authentication to work after installing the MBAM web services.

    And does anyone have any suggestion how I can delete the SPNs that MBAM created? I've read in some forums that this is the solution to get Configuration Manager authenticating again, but I have no idea how to do this. I'm guessing something with the setspn command.

    I really don't want to have to rebuild the SCCM server, but after simply removing the MBAM web roles it is still not authenticating.

    • Edited by bakerr12304 Monday, September 25, 2017 8:27 PM
    Monday, September 25, 2017 7:58 PM
  • Was there ever an official fix for this? I just wasted 2 days trying to figure out why I couldn't get my SCCM MP/DP authentication to work after installing the MBAM web services.

    And does anyone have any suggestion how I can delete the SPNs that MBAM created? I've read in some forums that this is the solution to get Configuration Manager authenticating again, but I have no idea how to do this. I'm guessing something with the setspn command.

    I really don't want to have to rebuild the SCCM server, but after simply removing the MBAM web roles it is still not authenticating.

    The official "fix" is not to mix MBAM and SCCM roles in the same IIS. With setspn, you can delete all existing records pointing to the MBAM IIS user. If your SCCM still will not work, I could list you the proper SPNs of my SCCM tomorrow. There is a chance you will need to re-register the SPNs for your SCCM again. During a clean setup, installing SQL will do the trick for you, so you probably weren't aware of that.

    Please remember to mark my post as an answer if I really helped you out, or vote if useful. Thank you!

    Tuesday, September 26, 2017 2:08 PM
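    A way to check for the condition this thread keeps running into, added here as an example and not code from any poster: it reports which AD objects hold the HTTP SPNs for a site server, flags the case where a user account (the MBAM IIS account) owns them so the ConfigMgr web roles on that host can no longer decrypt Kerberos tickets, and prints the matching setspn -D removal. It assumes the ActiveDirectory PowerShell module is available; the host name 'sccm01.example.local' is a placeholder.

```powershell
# Added example (not from the thread). Assumes RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

function Get-HttpSpnHolders {
    param([Parameter(Mandatory)][string]$Fqdn)   # e.g. sccm01.example.local (placeholder)
    # Clients may request either the short or the FQDN form, so check both.
    $short = $Fqdn.Split('.')[0]
    foreach ($spn in @("HTTP/$short", "HTTP/$Fqdn")) {
        # Matches users, computers and MSAs alike; objectClass is returned by default.
        $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" `
                        -Properties servicePrincipalName)
        [pscustomobject]@{
            SPN     = $spn
            Holders = @($holders | ForEach-Object { $_.Name })
            Classes = @($holders | ForEach-Object { $_.ObjectClass })
        }
    }
}

function Test-ConfigMgrSpnConflict {
    param([Parameter(Mandatory)][string]$SiteServerFqdn)
    foreach ($r in Get-HttpSpnHolders -Fqdn $SiteServerFqdn) {
        switch ($r.Holders.Count) {
            0 {
                # No explicit HTTP SPN: the KDC maps HTTP/ onto the computer's HOST/ SPN,
                # which is what an MP/App Catalog pool running as a built-in identity needs.
                "$($r.SPN): not registered; falls back to HOST/ of the computer account (OK)"
            }
            1 {
                if ($r.Classes[0] -eq 'computer') {
                    "$($r.SPN): held by computer $($r.Holders[0]) (OK)"
                } else {
                    # The state the thread ends up in: tickets for HTTP/<host> are issued
                    # with the user's key, so IIS pools running as the computer cannot
                    # decrypt them and the MP/App Catalog prompt for credentials forever.
                    "$($r.SPN): held by $($r.Classes[0]) $($r.Holders[0]) -> ConfigMgr web " +
                    "roles on this host will fail Kerberos; remove with: " +
                    "setspn -D $($r.SPN) $($r.Holders[0])"
                }
            }
            default {
                "$($r.SPN): DUPLICATE on $($r.Holders -join ', ') (setspn -X reports this too)"
            }
        }
    }
}

Test-ConfigMgrSpnConflict -SiteServerFqdn 'sccm01.example.local'
```

    Run it before and after the MBAM portal install, or against the alternate A-record name from the workaround above, to confirm the HTTP SPNs land on the intended account.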
  • I'm not sure what you mean.  A clean setup of SQL will do the trick of what?  Re-registering the SPNs?

    MBAM isn't installed on the server anymore, the IIS_IUSRS group is empty, the IIS Application groups are all using Local Service and my currently registered SPNs are as follows:

    SCCM Server SPNs:
    WSMAN/SCCM
    WSMAN/SCCM.domain.com
    MSSQLSvc/SCCM.domain.com:ADK
    TERMSRV/SCCM.domain.com
    TERMSRV/SCCM
    RestrictedKrbHost/SCCM
    HOST/SCCM
    RestrictedKrbHost/SCCM.domain.com
    HOST/SCCM.domain.com

    Previously Used MBAM Account SPNs:
     HTTP/account.domain.com
     MSSQLSvc/account.domain.com:1433
     MSSQLSvc/account.domain.com

    Are you saying I should remove any SPNs attached to that previously used MBAM account (the 3 above)?

    Thanks for taking a look.

    Wednesday, September 27, 2017 5:58 PM
  • Disregard my previous post. Removing those 3 SPNs associated with the user worked exactly as you said it would.

    Thank you so much yannara.  You are a lifesaver.

    Wednesday, September 27, 2017 6:25 PM