This blog is owned and operated by the ANZ ConfigMgr Premier Field Engineer team.
Ian BartlettMatt ShadboltGeorge Smpyrakis
This post will step you through the process of creating custom reports in ConfigMgr 2012 R2 that will enforce your Role Based Access Control (RBAC) policies. Configuration Manager reports are now fully enabled for role-based administration. The data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles. TechNet reference
Using SQL Management Studio, confirm your SQL query against the new fn_rbac table views passing through the ('disabled') parameter to bypass the requirement of passing through a user SID
Confirm you can see Dataset values and select the type of Report you want to create
Create a New Dataset
NOTE: If you do not see the REFERENCES option, try and run your report, it will fail however will present the References parameters
To test I have granted an admin account "sccm2012r2\Ian" that is limited only to the collection called "Ian's Collection"
Launch the ConfigMgr console using SCCM2012R2\Ian
The application could not be installed. The most common reason is that software does not support the version of Windows currently installed on your computer. You can try starting the application installation from the Application Catalog again. If the problem continues, contact your network administrator
In the ConfigMgrSoftwareCatalog.log Silverlight log file (found at "C:\Users\mattsha\AppData\LocalLow\Microsoft\Silverlight\is\j2mecbot.hwg\v2uabsdl.022\1\s\s5i52ebhc445n0s2jyvmx5askg5zbspajpmi3e4bvujwll1luiaaaeda\f\ConfigMgrLogs\ConfigMgrSoftwareCatalog.log"), the following three lines were found.
[06/23/2014 17:46:43] :ApplicationDetailViewModel.RequestPolicyAssingmentForInstallCallback-Error:The policy information is empty or an error ocurred!
[06/23/2014 17:46:43] :ApplicationDetailViewModel.UpdatePageView:PageViewMode changed to:FastInstallError
[06/23/2014 17:46:43] :FastInstallPageView:Create Page View FastInstallError
Also in the ServicePortalWebSite.log (found "F:\Program Files\SMS_CCM\CMApplicationCatalog\Logs\ServicePortalWebSite.log") the following two errors
[28, PID:6060][06/23/2014 17:59:54] :The web method threw a fault exception - System.ServiceModel.FaultException`1[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError]: Invalid parameter
[28, PID:6060][06/23/2014 17:59:54] :System.ServiceModel.FaultException`1[[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError, Microsoft.ConfigurationManager.SoftwareCatalog.Website.PortalClasses, Version=220.127.116.11, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Invalid parameter
I spent agestrying to troubleshoot this issue without success, and gave up for a short time while I did other things.
A week later I was testing the Collection Evaluator Viewer program that comes with the R2 toolset and found that it was unable to connect directly to the database with a very similar error
A connection was successfully established with the server, then then an error occurred during the login process. (provider: SSL Provider, error:0 – The certificate chain was issued by an authority that is not trusted)
So now I can kind of tell that the issue is actually with the SQL db side, not necessarily ConfigMgr or the App Catalog site server roles.
Next, I checked to make sure SQL is not forcing an encrypted connection using SQL Service Manager.
All good there, however under the certificate tab I noticed we’ve got a self-signed certificate
And low-and-behold the certificate is having problems
I opened the IIS console to view the self-signed certificate
Exported the certificate
Import it into the Trusted Root Authorities
After the import, I attempted again to connect using the Collection Evaluation Viewer, this time it was successful as SQL now trusts the certificate
Back to the Application Catalog, and everything is now working nicely!