Installing ConfigMGR portal on different domain without trust?

Billy_Lee

Hello, is there a guide on installing configmgr portal on a domain not trusted from the sccm server domain?

Davis_Mathai

Hi Billy,
No there isn't any documentation specifically around this as I don't think it will be a popular scenario.  Technically (thinking as I type) you should have no problems installing it as we can work with SQL authentication for the database as long as that authentication method is enabled.  The main issue I can think of would be the application pool account which needs to be in the SMS admins group and will probably not work in the untrusted domain (is there a one-way trust from remote domain to ConfigMgr server domain?).  

Are there any reasons why you would want to do this rather than install the portal on the ConfigMgr server itself or another server in the same domain?

Davis

Davis_Mathai

Hi Billy,
No there isn't any documentation specifically around this as I don't think it will be a popular scenario.  Technically (thinking as I type) you should have no problems installing it as we can work with SQL authentication for the database as long as that authentication method is enabled.  The main issue I can think of would be the application pool account which needs to be in the SMS admins group and will probably not work in the untrusted domain (is there a one-way trust from remote domain to ConfigMgr server domain?).  

Are there any reasons why you would want to do this rather than install the portal on the ConfigMgr server itself or another server in the same domain?

Davis

Billy_Lee

No, there isn't any trust between the two domains at all.  Our design calls for separate environments.  I thought this would be the case, thank you for your response.

Billy

F_Christiansen

Hi Billy, 

This should be possible if you do the following:
Use SQL Authentication for communicating with the database as Davis mention.

In CMP under Settings->General Settings, select the Domains tab.
Register the domain where ConfigMgr resides with an account that is Full Administrator in ConfigMgr and resides in the SMS_Admins local group on the ConfigMgr server.
This account will take precedence over the Application Pool account when communicating with the ConfigMgr provider.

If you want to create software packages from CMP, you will need to establish a connection to the file share on the ConfigMgr server from the IIS server manually before working with that. You will typically do a manual NET USE with the credentials for that domain.

Best regards
Flemming Appelon Christiansen

Billy_Lee

Hi Flemming,

I'm guessing this requires the manual install ahead of time to get to the Settings pages?  I'll try that.

Thank you,
Billy 

Billy_Lee

Did not work for me.  Error when logging in.

Error loading page. Login failed for user 'SQLAccount'. at ConfigMgrPortal.Core.DAL.SQLHelper.ExecuteDataset(String cmdText) in d:\a\1\s\ConfigMgr Portal Core\DAL\SQLHelper.cs:line 159 at ConfigMgrPortal.Core.DAL.SQLHelper.ExecuteDataTable(String cmdText) in d:\a\1\s\ConfigMgr Portal Core\DAL\SQLHelper.cs:line 211 at ConfigMgrPortal.ConfigMgr.Query.GetDeploymentSummary(DateTime newerThan) in d:\a\1\s\ConfigMgr Portal Core\ConfigMgr\Query.cs:line 2261 at ConfigMgrPortal.UI.Default.Page_Load(Object sender, EventArgs e) in d:\a\1\s\ConfigMgr Portal UI\Default.aspx.cs:line 43 at System.Web.UI.Control.OnLoad(EventArgs e) at ConfigMgrPortal.Core.UI.BasePage.OnLoad(EventArgs e) in d:\a\1\s\ConfigMgr Portal Core\UI\BasePage.cs:line 267

F_Christiansen

Hi Billy,

You don't need to do a manual installation in order to use SQL Authentication; the installer can handle that.
But given the posted error message, you will need check access and perhaps adjust your SQL permissions for the user "SQLAccount",

Follow the steps in the section "Granting the Portal user access to the SQL Databases" in the installation guide:
https://ciresonreleases.blob.core.windows.net/cmp/Cireson%20Portal%20for%20Configuration%20Manager%20Install%20Guide%20v2.0.pdf

Best regards
Flemming Appelon Christiansen

F_Christiansen

Hi Billy,

Did that help you?

Billy_Lee

Hi Flemming,

I was able to get it to load the Dashboard, Users, Computers and Task Sequences tab.  However, the Software and Deployments tab are not loading.  There is also another issue where the Users/Computers doesn't have a primary user/device attached to it.

Here are a couple logs 

Error for pulling Deloyment
Error in DeploymentStatus.GetDeployments. Error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Debug for Pulling Software Packages
WQL connection to ''SCCM.Domain.Local'' could not be established using the credentials for user ''SCCM.SVC.ACCT''. Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Thank you for the support,
Billy

Billy_Lee

Updated credential under domain to Domain\username and it was able to load the Deployments section, but still unable to load the Software section, and still not listing primary devices under users.

F_Christiansen

Hi Billy,

So you don't see any software at all?
Sounds like there is a problem with the caching service.
Go to %programfiles%\Cireson\Portal for Configuration Manager\Services\logs and check the hostingservice.log for any errors.
And if you open the file %programfiles%\Cireson\Portal for Configuration Manager\Services\ConfigMgr Portal Hosting Service.exe.config verify that the value for BaseFolder point to the folder from where IIS is hosting CMP, e.g:
    <add key="BaseFolder" value="C:\Inetpub\ConfigMgr Portal" />

Billy_Lee

No software listed at all.  the BaseFolder value is correct.

F_Christiansen

Could you please upload the file %programfiles%\Cireson\Portal for Configuration Manager\Services\logs\hostingservice.log?
Or send it in a private message to me if you prefer.