July, 2014

  • Creating Custom RBAC Enabled Reports in ConfigMgr 2012 R2

    This post will step you through the process of creating custom reports in ConfigMgr 2012 R2 that will enforce your Role Based Access Control (RBAC) policies. Configuration Manager reports are now fully enabled for role-based administration. The data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles. TechNet reference

    Step 1: Determine the data you wish to report on

    Using SQL Management Studio, confirm your SQL query against the new fn_rbac table views passing through the ('disabled') parameter to bypass the requirement of passing through a user SID

    NOTE: all fn_rbac_<table> views can be found under "Tabled-valued Functions".

    If you query v_<tables> than RBAC is ignored.

    clip_image001

    Step 2: Create a new custom report in ConfigMgr Management Console UI

    clip_image002

    clip_image003

    clip_image004

    Step 3: Editing your custom report will launch SQL Report Builder

    clip_image005

    clip_image006

    clip_image007

    clip_image008

    clip_image009

    Step 4: Design Your Report

    Confirm you can see Dataset values and select the type of Report you want to create

    clip_image010

    clip_image011

    clip_image012

    Step 5: Design and format your report as required

    clip_image013

    Step 7: Configure the Dependencies for RBAC

    Create a New Dataset

    clip_image014

    clip_image015

    clip_image016

    clip_image017

    clip_image018

    clip_image019

    clip_image020

    clip_image021

    clip_image022

    clip_image023

    clip_image024

    clip_image025

    clip_image026

    clip_image027

    clip_image028

    clip_image029

    NOTE: If you do not see the REFERENCES option, try and run your report, it will fail however will present the References parameters

    clip_image030

    clip_image031

    ALL DONE..

    Step 8: Test your custom report

    To test I have granted an admin account "sccm2012r2\Ian" that is limited only to the collection called "Ian's Collection"

    clip_image032

    Launch the ConfigMgr console using SCCM2012R2\Ian

    clip_image033

    clip_image034

    clip_image035

    clip_image036

    clip_image037

  • Application Catalog Failed – “Application installation not started”


    The application could not be installed. The most common reason is that software does not support the version of Windows currently installed on your computer. You can try starting the application installation from the Application Catalog again. If the problem continues, contact your network administrator

    clip_image002

    In the ConfigMgrSoftwareCatalog.log Silverlight log file (found at "C:\Users\mattsha\AppData\LocalLow\Microsoft\Silverlight\is\j2mecbot.hwg\v2uabsdl.022\1\s\s5i52ebhc445n0s2jyvmx5askg5zbspajpmi3e4bvujwll1luiaaaeda\f\ConfigMgrLogs\ConfigMgrSoftwareCatalog.log"), the following three lines were found.

    [1][06/23/2014 17:46:43] :ApplicationDetailViewModel.RequestPolicyAssingmentForInstallCallback-Error:The policy information is empty or an error ocurred!

    [1][06/23/2014 17:46:43] :ApplicationDetailViewModel.UpdatePageView:PageViewMode changed to:FastInstallError

    [1][06/23/2014 17:46:43] :FastInstallPageView:Create Page View FastInstallError

    Also in the ServicePortalWebSite.log (found "F:\Program Files\SMS_CCM\CMApplicationCatalog\Logs\ServicePortalWebSite.log") the following two errors

    [28, PID:6060][06/23/2014 17:59:54] :The web method threw a fault exception - System.ServiceModel.FaultException`1[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError]: Invalid parameter

    [28, PID:6060][06/23/2014 17:59:54] :System.ServiceModel.FaultException`1[[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError, Microsoft.ConfigurationManager.SoftwareCatalog.Website.PortalClasses, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Invalid parameter

    I spent agestrying to troubleshoot this issue without success, and gave up for a short time while I did other things.

    A week later I was testing the Collection Evaluator Viewer program that comes with the R2 toolset and found that it was unable to connect directly to the database with a very similar error

    A connection was successfully established with the server, then then an error occurred during the login process. (provider: SSL Provider, error:0 – The certificate chain was issued by an authority that is not trusted)

    So now I can kind of tell that the issue is actually with the SQL db side, not necessarily ConfigMgr or the App Catalog site server roles.

    Next, I checked to make sure SQL is not forcing an encrypted connection using SQL Service Manager.

    clip_image003

    clip_image004

    All good there, however under the certificate tab I noticed we’ve got a self-signed certificate

    clip_image005

    And low-and-behold the certificate is having problems

    clip_image006

    I opened the IIS console to view the self-signed certificate

    clip_image007

    Exported the certificate

    clip_image009

    Import it into the Trusted Root Authorities

    clip_image010

    After the import, I attempted again to connect using the Collection Evaluation Viewer, this time it was successful as SQL now trusts the certificate

    clip_image011

    Back to the Application Catalog, and everything is now working nicely!

    clip_image012

    clip_image014