ConfigMgr 2012 : Application Catalog Login Popup Cross-Domain

So, you can probably see from the spate of recent articles on here that I’m working on a Configuration Manager deployment..! The deployment spans multiple domains (all within the same forest, mind), with the Application Catalog role residing in a different domain from some of the user accounts. This causes a login prompt whenever such a user opens the Application Catalog website, even if the site is in the Trusted Sites zone.

First things first, you need to modify the ACL of the folder containing the website itself on the Application Catalog server: <Install Path>\SMS_CCM\CMApplicationCatalog. Add each domain’s Domain Users group with Read & Execute, Read, and List Folder Contents.

Next, you need to add the site URLs to the Local Intranet zone so that credentials are sent automatically. Unfortunately this cannot be achieved using Configuration Manager Device Policies; you’ll have to use either a Group Policy or a script.

Scripted Method (preferred)

The following VBScript will do the job: change the FQDN of your Internet Management Point, then distribute it as a package in ConfigMgr 2012. Create a program within the package with the following command line: cscript.exe /nologo <script file>.vbs

Note that this will not work on machines that have Internet Explorer Enhanced Security Configuration (IE ESC) enabled.

```vbscript
' Map the Internet MP FQDN to the Local Intranet zone (zone 1) for the current user.
' The script writes to HKEY_CURRENT_USER, so the ConfigMgr program must run with the
' logged-on user's rights rather than as the local SYSTEM account.
On Error Resume Next
Const HKEY_CURRENT_USER = &H80000001

strComputer = "."

' WMI registry provider on the local machine
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}\\" & strComputer & "\root\default:StdRegProv")
' Replace <internet MP FQDN> with the FQDN of your Internet Management Point
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<internet MP FQDN>"

objReg.CreateKey HKEY_CURRENT_USER, strKeyPath

' The value name is the URL scheme; data 1 = Local Intranet zone
strValueName = "https"
dwValue = 1

objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue
```

Group Policy Method

Create a new GPO, or edit an existing one, in each domain with the settings defined below.

Browse to: Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

Then look for the Site to Zone Assignment List, enable it and add the following entries (the value ‘1’ assigns the site to the Local Intranet zone):

    • Value Name: https://<intranet fqdn>/    Value: 1
    • Value Name: https://<internet fqdn>/    Value: 1
    • Value Name: http://<intranet fqdn>/     Value: 1
    • Value Name: http://<internet fqdn>/     Value: 1

Don’t use the built-in Configuration Manager Device Policy method to add the site to Trusted Sites, as this will not pass NTLM credentials.

There is a downside to this: all zones become ‘Managed’, i.e. users will be unable to modify the membership of any zone.
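As an added example (not code from the original post), here is a PowerShell check covering both fixes: on a client it reports which zone each catalog host is mapped to, whether the mapping was written by the VBScript or by the GPO Site to Zone Assignment List, and on the Application Catalog server it confirms each domain’s Domain Users group has Read & Execute on the catalog folder. The hostnames, install path and domain names are placeholders to edit.

```powershell
# Added example, not code from the original post: checks that the two fixes described above are in place.
# Placeholders (not from the post): the catalog FQDNs, the site-system install path and the domain names.
$CatalogHosts = @('appcatalog.corp.example', 'appcatalog-ext.corp.example')
$CatalogPath  = 'D:\SMS_CCM\CMApplicationCatalog'   # <Install Path>\SMS_CCM\CMApplicationCatalog
$UserDomains  = @('CORP', 'CHILD')                   # NetBIOS names of the domains whose users need access
$ZoneNames    = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Client-side: the VBScript writes HKCU ...\ZoneMap\Domains\<fqdn>; the GPO Site to Zone Assignment List
# writes ...\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey. Anything but 'Local Intranet' prompts.
function Get-CatalogZoneMapping {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        $domKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$h"
        if (Test-Path $domKey) {
            $p = Get-ItemProperty -Path $domKey
            foreach ($scheme in 'http', 'https') {
                if ($null -ne $p.$scheme) {
                    [pscustomobject]@{ Host = $h; Source = 'HKCU ZoneMap'; Pattern = $scheme; Zone = $ZoneNames[[int]$p.$scheme] }
                }
            }
        }
        foreach ($hive in 'HKLM', 'HKCU') {
            $polKey = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
            if (-not (Test-Path $polKey)) { continue }
            $p = Get-ItemProperty -Path $polKey
            foreach ($name in ($p.PSObject.Properties.Name | Where-Object { $_ -like "*$h*" })) {
                [pscustomobject]@{ Host = $h; Source = "$hive policy"; Pattern = $name; Zone = $ZoneNames[[int]$p.$name] }
            }
        }
    }
}

# Server-side (run on the Application Catalog server): does each domain's Domain Users group hold
# an Allow ACE granting at least Read & Execute on the catalog folder?
function Test-CatalogFolderAcl {
    param([string]$Path, [string[]]$Domains)
    $rx  = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl = Get-Acl -Path $Path
    foreach ($d in $Domains) {
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq "$d\Domain Users" -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $rx) -eq $rx)
        }
        [pscustomobject]@{ Group = "$d\Domain Users"; HasReadAndExecute = [bool]$ok }
    }
}
Get-CatalogZoneMapping -Hosts $CatalogHosts | Format-Table -AutoSize
if (Test-Path $CatalogPath) { Test-CatalogFolderAcl -Path $CatalogPath -Domains $UserDomains | Format-Table -AutoSize }
```

A host that returns no rows from Get-CatalogZoneMapping has no mapping at all and will fall into the Internet zone, which is exactly the case that produces the login prompt.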