Case of the SCCM 2012 Application Catalog Communication Breakdown

Installing SCCM 2012 SP1 and the Application Catalog feature in the test environment went without a hitch. However, when it was installed on the production server, the catalog site threw an error:

Cannot connect to the application server

The webserver cannot communicate with the server. This might be a temporary problem. Try Again Later to see if the problem has been corrected.

My colleague had gone through all the common resolutions/checks for this issue as per these articles:

http://blogs.technet.com/b/configmgrteam/archive/2012/07/05/tips-and-tricks-for-deploying-the-application-catalog-in-system-center-2012-configuration-manager.aspx

http://support.microsoft.com/kb/2015129

http://social.technet.microsoft.com/Forums/en-US/267352b5-01d2-4c8e-b40b-0a7ab669b65b/application-catalog-cannot-connect-to-the-application-server-error

http://social.technet.microsoft.com/Forums/en-US/f0772093-bef1-42eb-8bb8-812d838bebde/problem-with-application-catalog-cannot-connect-to-the-application-server

http://sithayuvaraj.wordpress.com/2012/07/04/application-catalog-cannot-connect-to-server-error/

http://blogs.technet.com/b/michaelgriswold/archive/2012/06/08/application-catalog-not-working-for-everyone.aspx

…but to no avail.

Checking the IIS configuration, we found the Application Pool that CMApplicationCatalogSvc was running under.

Now we have the Application Pool name…

Checking the Application Pool settings in IIS, we could see it was using the .NET 2.0 framework and was 64-bit.

So aspnet_regiis.exe -ir would need to be run from the .NET 2.0 folder under Framework64 (64-bit).

After stopping and starting the application pool and restarting the website, it was still no good.

As the error was a communication error I thought it would be wise to check the database connection. First I retrieved the database connection string by selecting ConnectionStrings in IIS under the CMApplicationCatalogSvc virtual folder.

On the server connecting to SQL, I then opened up a PowerShell console and typed the following, where you would set .ConnectionString to whatever was configured in IIS. If you see two connection strings, use the one that connects to the CM_WEB database.

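# create a connection object to test the same connection string the service uses
$sqlConnection = New-Object System.Data.SqlClient.SqlConnection
# replace with your own connection string
$sqlConnection.ConnectionString = "Data Source=SCCMSERVER;Initial Catalog=CM_WEB;Integrated Security=true;ConnectionTimeOut=50;Encrypt=True;TrustServerCertificate=False;Application Name=Application Offer Service"
# Open() returns silently on success and throws on failure
$sqlConnection.Open()
# release the connection once the test is done
$sqlConnection.Close()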

If this works, you will see no error message. However, in our case it failed with this error:

A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 – The certificate chain was issued by an authority that is not trusted.)

(For the most accurate replication of any error, you may need to run this as the user that the application pool runs under. However, in this case that was not necessary.)

OK, so the error was related to certificate trust for encryption (SSL): the client could not validate the certificate that SQL Server presented. So I removed Encrypt=True from the connection string, and we had a successful connection.

After updating the connection string in IIS and refreshing the page, the Application Catalog site was up and operational.

However, it would be nice to keep Encrypt=True rather than leave the connection to SQL Server unencrypted.

In SQL Server Configuration Manager you can check the certificates for SQL by expanding SQL Server Network Configuration, looking for Protocols for [SQL Instance], right-clicking it and selecting Properties.

In this case the certificate was missing. Typically there would be a certificate called ConfigMgr SQL Server Identification Certificate.

Creating and assigning the certificate can be done based on guidance in these articles:

http://support.microsoft.com/kb/316898/en-us 

http://thedataspecialist.wordpress.com/2013/03/12/using-a-self-signed-ssl-certificate-with-sql-server/

http://www.jamesbannanit.com/2011/04/certificate-requirements-for-sccm-2012/

Once the certificate was sorted, we re-ran the PowerShell with Encrypt=True and had a successful connection…
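
An added example (not from the original post): a PowerShell function that opens the same connection in three TLS modes, so a certificate trust failure can be confirmed, and the fix verified, without editing the live connection string in IIS. It assumes PowerShell 3.0 or later; Test-SqlTlsMode is a hypothetical name, and SCCMSERVER and CM_WEB are the post's placeholder values.

```powershell
# Added example: compare TLS modes for one connection string.
# Test-SqlTlsMode is a hypothetical helper name; SCCMSERVER / CM_WEB are placeholders.
function Test-SqlTlsMode {
    param(
        [Parameter(Mandatory = $true)] [string] $ConnectionString
    )

    # Validated TLS, unvalidated TLS, and no client-requested encryption.
    $modes = @(
        @{ Name = 'Encrypt + validate certificate'; Encrypt = $true;  Trust = $false },
        @{ Name = 'Encrypt, skip validation';       Encrypt = $true;  Trust = $true  },
        @{ Name = 'No client-requested encryption'; Encrypt = $false; Trust = $false }
    )

    foreach ($mode in $modes) {
        # Parse the string once per mode and override only the two TLS keywords.
        $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $ConnectionString
        $builder['Encrypt'] = $mode.Encrypt
        $builder['TrustServerCertificate'] = $mode.Trust

        $connection = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
        $result = 'OK'
        try {
            $connection.Open()
        }
        catch {
            # PowerShell wraps the SqlException; the innermost message names the cause.
            $result = $_.Exception.GetBaseException().Message
        }
        finally {
            $connection.Dispose()
        }

        # One row per mode, so the three outcomes can be read side by side.
        [pscustomobject]@{ Mode = $mode.Name; Result = $result }
    }
}

# Constructed sample call; substitute the connection string configured in IIS.
Test-SqlTlsMode -ConnectionString 'Data Source=SCCMSERVER;Initial Catalog=CM_WEB;Integrated Security=true;Connect Timeout=15' |
    Format-Table -AutoSize -Wrap
```

If only the first mode fails, and it fails with the "certificate chain was issued by an authority that is not trusted" message, the server certificate is the problem and Encrypt=True can stay in place once the certificate is fixed.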

On a final note, on a test machine, although the Application Catalog site worked, requesting applications was failing…

Cannot install or request Software

You can browse the list of software in the Application Catalog and view your list of software requests. However, to install or request applications from the Application Catalog, the Configuration Manager client must be correctly configured on your computer and you must use a browser that is compatible with the Application Catalog.

Checking the Configuration Manager client on the test PC, we found the wrong client had been installed, one that pointed to the test SCCM server, not the production one… Getting the client configured correctly fixed the final issue.

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

2 Responses to Case of the SCCM 2012 Application Catalog Communication Breakdown

  1. Uhondo says:

    It's strange that I have followed all the steps to the letter but I still continue to experience the same connection problem!
