This is the first part of a series about Flexera Software’s App Portal. App Portal greatly expands Configuration Manager’s application management. It allows you to issue and reclaim licenses of a particular software title. It can also hold data such as purchase order number and cost per license.
Flexera says that this product can help save companies millions of dollars in software audit costs, as well as in general license savings on unused software. By connecting directly into the SCCM database, App Portal can tie software to particular users and computers and leverage already existing inventory data.
App Portal can also take the place of Software Center, the Application Web Portal, and software “checkouts” from IT. It combines all these into one easy-to-use enterprise app store.
This series will begin this week with the installation of App Portal. You can look at guides from Flexera on the installation of App Portal, but I found that there were some gaps. This article will fill those gaps.
Requirements and Installation Recommendations
App Portal can run with SCCM 2007 or CM 2012. It works better with CM 2012, due to the increased amount of inventory data. This series will focus exclusively on CM 2012. It also requires an Active Directory with at least a Server 2003 functional level.
App Portal also requires IIS. The App Portal website can be installed on the same server as your CM 2012 environment. I, however, recommend that for production environments you install the website on a different, dedicated server. App Portal requires changes and more features in IIS than are required by CM 2012. I also could not get single-sign-on authentication to work with the web site installed on the same server as CM 2012 (more on this later).
Installation
When you get App Portal, there are two installers that you need to be concerned with. One is the website (AppPortalSetup.exe) and the other is the web service (AppPortalWebServiceSetup.exe). The website is installed on one server running IIS. The web service must be installed on all central administration site servers, primary site servers, and secondary site servers. You can tell which servers need the web service by looking for the “Site Server” site system role.
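One way to list the servers that hold the “Site Server” role without clicking through the console, as an added example (not from the Flexera documentation). It assumes the SMS Provider is reachable over WMI; the server name is a placeholder taken from the naming used later in this article.

```powershell
# Added example: list every server that holds the "Site Server" site system role.
# $ProviderServer is a placeholder; point it at the server running your SMS Provider.
$ProviderServer = 'sccm.contoso.com'

# Find the site namespace (root\SMS\site_<SiteCode>) from the provider itself.
$provider = Get-WmiObject -ComputerName $ProviderServer -Namespace 'root\SMS' `
    -Class SMS_ProviderLocation -Filter 'ProviderForLocalSite = TRUE' |
    Select-Object -First 1
if (-not $provider) { throw "No SMS Provider found on $ProviderServer" }
$namespace = "root\SMS\site_$($provider.SiteCode)"

# SMS_SystemResourceList holds one row per site system role per server.
# Each server returned here needs AppPortalWebServiceSetup.exe.
Get-WmiObject -ComputerName $ProviderServer -Namespace $namespace `
    -Class SMS_SystemResourceList -Filter "RoleName = 'SMS Site Server'" |
    Sort-Object SiteCode, ServerName |
    Select-Object SiteCode, ServerName -Unique
```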
Installing the Web Site
This is one of the gaps in the Flexera documentation. You need to install the web site before installing the web service on any server. When I first installed App Portal, I assumed the web service came first because it was first in the documentation. The installation of the web site is pretty straightforward. In a first for me, it will even tell you which IIS roles you are missing when you try to run the installer.
The website installation also says that you need a DNS A record (or CNAME). This is also not required. It will ask you for one during install, and you can elect to keep it as the server name.
You should run the website installer as an account that has full administrator rights to CM 2012. This account should also have sysadmin rights to the SQL server instance where the database will be. App Portal does not have to host its database in the same instance as the CM 2012 database. If you host it in another instance, you will have to give App Portal appropriate rights on the CM 2012 database and open the appropriate firewall rules. I recommend installing App Portal into the same instance as SCCM. Also remember that you must open the firewall for SQL if you follow my recommended method and install the website on a server that is NOT your CM 2012 server.
When going through the website installation, the first question you are asked is for your central site server FQDN. This is either the CAS if you have one, or your primary site server. Keep the “Automatically Extend AD User Discovery Attributes” box checked. For App Portal to function properly, it must add attributes to your CM 2012 user discovery to pull in details like a user’s email. Consult the Flexera installation guide for a full list of when attributes are added. Note that this is not extending anything in Active Directory. It is simply instructing CM 2012 to discover more data.
Next you are asked to create the DNS Alias. You can either type something new, or leave it as the server name. If you are running the website on a dedicated server, leaving it the same will not hurt anything. If you enter an alias, it needs to already be created on your DNS servers. The installer will not create it for you.
Next, we have to enter the FQDN of the database server that will host the App Portal database. If you are using a specific instance, also enter it (example: sccm.contoso.com\sccmdb). If you used the default instance, it is not required (example: sccm.contoso.com). Here is one of the hiccups in the Flexera documentation. The “Computer Browser” service must be started for this screen to work. If it is not, the installer will not find the SQL database, even if it is on the same box. This service only needs to be running during install. Once install is complete, you can disable it again if you want.
On the next screen, enter the credentials App Portal will use to communicate with SCCM, SQL, AD, and clients. A single account is used for all of these, so I recommend using a dedicated service account. This account must also have administrator rights on all client machines for certain aspects of App Portal to function.
Next, we get the SCCM configuration. If you have done everything right to this point, the SCCM database name, site code, and catalog server should be filled out for you. Make sure the database name field is the name of your actual SCCM database, and not server\instance. This should be _. You can elect to fill out the mail settings now, or later from the App Portal admin site.
Finally, we select how App Portal will discover computers. I recommend keeping the default (“Use Active X Control”). If reverse DNS is used, you will get every computer in your DNS instead of just those in SCCM. It also only looks at AD DNS, so if you have other DNS providers, it will not work. You can use SCCM to deploy the ActiveX control, or just add your App Portal site to the Trusted Zone in Internet Explorer.
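The two environment checks from the steps above (Computer Browser running for the database screen, and SQL reachable when the website sits on a dedicated server), as an added example that is not part of the Flexera installer or documentation. The server name and port are assumptions: 1433 is the usual port for a default instance, and a named instance normally listens on a different one.

```powershell
# Added example: pre-install checks to run on the App Portal website server.
$SqlServer = 'sccm.contoso.com'   # placeholder FQDN of the database server
$SqlPort   = 1433                 # assumption: default instance; adjust for a named instance

function Start-BrowserForInstall {
    # Start the Computer Browser service (service name "Browser") and
    # return its original state so it can be put back after setup.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name = 'Browser'"
    if (-not $svc) { throw 'Computer Browser service is not present on this server.' }
    $original = New-Object psobject -Property @{ StartMode = $svc.StartMode; State = $svc.State }
    if ($svc.StartMode -eq 'Disabled') { Set-Service -Name Browser -StartupType Manual }
    if ($svc.State -ne 'Running')      { Start-Service -Name Browser }
    return $original
}

function Restore-Browser($original) {
    # Return the service to the state recorded before the install.
    if ($original.State -ne 'Running')       { Stop-Service -Name Browser -Force }
    if ($original.StartMode -eq 'Disabled')  { Set-Service -Name Browser -StartupType Disabled }
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # True only if a TCP connection completes within the timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        return ($pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } finally { $client.Close() }
}

$before = Start-BrowserForInstall
if (-not (Test-TcpPort $SqlServer $SqlPort)) {
    Write-Warning "Cannot reach ${SqlServer}:$SqlPort; check the SQL firewall rule."
}
# Run AppPortalSetup.exe now. When it has finished:
# Restore-Browser $before
```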
Installing the Web Service
Next we are going to install the web service. As I said earlier, this must be installed on all servers with the “Site Server” role. I recommend installing this on one server first, then activating App Portal, then installing on the rest (more on activation later).
Run the installer and accept the EULA and default install location. Ensure that the info on the primary site information window is correct. These values are auto-filled based on information gathered from the machine. Next, click install and the web service installs. You will know it was successful if it creates a folder and some collections in your SCCM console.
Next, navigate to “https:///esd”. Hopefully, you should be prompted to upload your App Portal license file. Upload your license, and you have successfully installed App Portal.
Other Installation Issues
I said in the last section that hopefully you are prompted to upload your license file. I was not that fortunate, because I installed the App Portal website on my primary site server of my test domain. I received a generic “HTTP Error 500.19 – Internal Service Error” message with this explanation:
To get around this, I commented out the lines between in the web.config file.
All this does is disable single-sign-on to the App Portal web site. Instead of opening Internet Explorer and getting straight in, your users will have to authenticate. This problem is due to running SCCM on the server. If you run your website on a different server, you should not have this problem.
Once configured correctly and activated, you should be presented this after logging in:
As you can see, we still have some work to do. Come back next week for more.