Contents

Ex 2 - Shopping 5.6 - Installing Shopping

Exercise Overview:

Installing Shopping

In this lab, you will install all Shopping Central components on the 1ETRNAP server along with the Shopping Receiver on the 1ETRNCM server. In addition, the Shopping agent will be installed on all PCs using ConfigMgr.

Prepare the environment

In this exercise, you will prepare the lab environment with the necessary configuration and components required by Shopping.

Always refer to the latest product documentation (http://help.1e.com) for details of pre-requisites and system requirements for the version of Shopping you are installing.

Understanding Shopping Users and Groups

Several components of Shopping are run with the identity of either a defined user account or a special system account (such as Network Service). Beyond the accounts used by the system, there are also roles within Shopping that define the level of access that users of the system have. These roles are assigned to AD security groups and users are added into these groups to assign them the associated role. In this task, you will review the accounts and groups that need to be created or designated for Shopping.

Installer Accounts

The installation of the various Shopping components requires specific permissions. Whichever user performs the installation of the various components requires the permissions specified below. 
To install the Shopping Central server components, the installer account requires the following:

In this lab, the 1ETRN\AppInstaller account will be used to install the Shopping Central components and has already been configured with all the necessary permissions to do so, as specified in this section.

  • Local admin rights on the server that Shopping Central is being installed on
  • SQL Server sysadmin rights on the Shopping Database server

Best practice is to create the Shopping2 database prior to running the installer, so the database and log files can be created at the correct size on suitable drives. If the database has already been created, the user performing the Shopping Database installation needs db_owner rights on the Shopping2 database.

  • Local admin rights on the ConfigMgr server that Shopping will connect to
  • SQL Server sysadmin rights on the ConfigMgr Primary site database server that Shopping Central will connect to (the CAS in multi-site hierarchy) in order to create a SQL Login for the Shopping Central service account (this is then added as a user to the ConfigMgr database)
  • Must be a member of the local SMS Admins group on the ConfigMgr server as the installer adds ConfigMgr security rights (through WMI) for the Shopping Central Service account
  • Must be configured as a Full Administrator in ConfigMgr
  • Must have a minimum of "Write Member" security right on the Full Shopping DB Admin Access and SMS / ConfigMgr Database Access AD groups defined during installation either through the UI or the installer properties SHOPPINGCONSOLEADMINUSERS and SHOPPINGCONSOLESMSUSERS.

To install the Shopping Receiver, the installer account requires the following:

In this lab, the 1ETRN\SCCMAdmin account will be used to install the Shopping receiver component on 1ETRNCM and that account has the necessary rights to do so. No additional configuration is required.

  • Local admin rights on the ConfigMgr Primary site server where the Receiver is being installed
  • Must be a member of the local SMS Admins group on the ConfigMgr server and a member of the Full Administrators role in ConfigMgr as the installer adds ConfigMgr security rights (through WMI) for the Shopping Receiver Service account

In production environments, the ConfigMgr administrator will usually be asked to install the Shopping Receiver component. This simplifies things (in the majority of cases) as no additional accounts need to be created and no additional rights need to be granted to install the Shopping Receiver.
Shopping Central Service account

The Shopping Central Service security principal is a Domain User specified during Shopping Central installation (through either the installer UI or using the SVCUSER and SVCPASSWORD installer properties).

In this lab environment, you will use 1ETRN\svc_ShoppingCentral as the Shopping Central Service account.

This account requires the following permissions and configuration. Items marked * are configured by the Shopping Central installer.

On the Shopping Central server

  • Log on as a service user right*

On the Shopping database

  • Access to the Shopping database is managed through Database Roles (db_ShoppingConsoleAdmin and db_ShoppingConsoleUser). The installer adds the Shopping Central service user to Full Shopping DB Admin Access group, which in turn is associated with the db_ShoppingConsoleAdmin role in the Shopping database

On the ConfigMgr Primary site server (or CAS)

  • db_datareader role on the ConfigMgr database*

The Shopping Central Service account will be added to the SMS/ ConfigMgr Access group defined during installation, either through the installer UI or through the installer property SHOPPINGCONSOLESMSUSERS. This group is in turn added to the db_datareader role in the ConfigMgr database. All this is taken care of by the installer, which is why the Installer Account requires "Write Member" permissions on the AD group and sysadmin role on the ConfigMgr database server.

In Active Directory

  • Requires an email account to be defined in the Email attribute of the user. This email account is used to send system emails to administrators
  • If Shopping AD Integration is to be used to manage self-service of AD group membership, the Shopping Central Service account must have write access to the AD groups which are to be managed by Shopping

In this lab, the groups to be managed through Shopping are contained in a specific OU, to which the Shopping Central Service has Full Control permissions on all descendant group objects.

If a Group Policy that enforces the Access this computer from the network local user rights setting is applied to the ConfigMgr Primary Site server that Shopping Central integrates with, this policy must be updated to include the Shopping Central service (i.e. enabling the Shopping Central service to access the ConfigMgr server remotely). If no such policies are applied to the ConfigMgr server, there is no requirement to create one (default settings for a Server grant this user right to Everyone and Users).
Shopping Receiver Service account

The Shopping Receiver Service runs on each ConfigMgr Primary Site and primarily manages the creation of Collections and Deployments on the local site.

By default, the Shopping Receiver Service will use the local computer's NETWORK SERVICE security principal. It is best practice to create a Domain User account and use this for all Shopping Receivers. If there is an absolute requirement to use different accounts for different Primary sites (this scenario includes using the default NETWORK SERVICE account on each Receiver), it will be necessary to create a Shopping Receivers group, which will be used to grant the necessary security rights to securable objects that the receiver needs to access.

Note that this user (or group if multiple accounts are used) must be specified first during the Shopping Central installation, either through the installer UI or using the RECEIVERACCOUNT installer property as the Central Service uses this as a means of authorizing the receiver that is connecting to it.
For each Receiver installation, the account user name and password must also be provided to install the service, through either the UI or the SVCUSER and SVCPASSWORD installer properties.


In this lab environment, you will use the 1ETRN\svc_ShoppingReceiver account as the Shopping Receiver service account.

The Shopping Receiver account requires the following permissions. Items marked * are configured by the Shopping Receiver installer.

On each ConfigMgr Primary Site

  • Log on as a service user right*
  • Membership of the local SMS Admins group* (required for access to the SMS Provider)
  • The following ConfigMgr Security Rights are required

Class                                              Permission

Applications                                   Read

Collections                                     Full

Configuration Policy                      Full

Distribution Point                          Read

Distribution Point Group               Read

Global Condition                           Full

Site                                                Read

Status Messages                           Read

Task Sequence Package                Read

Users                                             Read


The ConfigMgr security rights will be applied using an imported security role that is preconfigured with the appropriate rights.

  • db_datareader role on the ConfigMgr database
  • EXECUTE permission on the ConfigMgr database scalar functions fn_GetAppState and fnGetSiteNumber

The EXECUTE permission on the two functions above will be granted by the installer.

The Shopping Receiver service account no longer has to have administrator privileges on client computers. Configuration Manager policy refreshes for new requests and re-shopping are now done using the Client Notification feature of Configuration Manager. 

Management Accounts and Groups

Before installing Shopping, you must define a Shopping Admin account or group in AD that will be used the first time you open the console (additional users can be added through the console).You also need to define AD groups that will be assigned to the Report Viewer and License Manager roles in the Shopping console.

Shopping Admin account/group

The Shopping Admin account or group specified during the Shopping Central Service installation (either in the UI or by the ADMINACCOUNT installer property) is initially the only security principal that has visibility of all nodes in the Shopping Admin Console and the Administration tab in the Shopping Web Portal.
During the Shopping Central installation, the Shopping Admin account (or group), is also added to the Full Shopping DB Admin Access and SMS/ConfigMgr Access groups (detailed later in this section) to provide the necessary access to the Shopping and ConfigMgr databases to perform all admin tasks.
This account (or group) must have a valid email account defined in AD.

Use a group, with an associated email Distribution List (DL) rather than a single account, as this enables Shopping administrators to be easily managed though AD group membership.

In this lab environment, the Shopping Admin group is 1ETRN\Shopping_Admins, with an email DL of shopping_admins@1etrn.local.
Shopping Report Viewer account / group

The Shopping Report Viewer account or group defined during the installation of the Shopping Central Service (using either the UI or the REPORTSACCOUNT installer property) is granted permissions necessary to view the Shopping reports by the Shopping Central Service installer. Only this user (or members of the group) will see the Reporting tab on the Shopping Web Portal.

Use a group rather than a single account, as this enables access to Shopping's reporting features to be easily managed though AD group membership.

In this lab environment, the Shopping Report Viewer group is 1ETRN\Shopping_ReportViewers.
Shopping License Manager account / group

The Shopping License Manager account or group defined during the installation of the Shopping Central Service (using either the UI or the LICENSEMGRACCOUNT installer property) receives e-mail notifications when application license thresholds are reached. This user or group must therefore have a valid email address defined in Active Directory.

Use a group with an associated email DL rather than a single account to enable targeting of license notifications to be easily managed though AD group membership.

In this lab environment, 1ETRN\Shopping_LicenseManagers is the Shopping License Managers group, associated with the Shopping_LicenseManagers@1etrn.local email DL.
Database Access groups

When a user of the Shopping Console requires access to either the Shopping database (to manage Shopping objects) or the Principal ConfigMgr Site database (to look-up Sites, Packages and Programs), they are granted access through SQL Database Roles defined (and created during the Shopping Central installation) in the respective databases. The three AD groups described below are associated with these SQL Database Roles.

Full Shopping DB Admin Access group

This group, specified during the Shopping Central Service installation using either the UI or the SHOPPINGCONSOLEADMINUSERS installer property, is associated with the db_ShoppingConsoleAdmin Database Role in the Shopping database.
The db_ShoppingConsoleAdmin database role is granted full permissions on all objects presented through the Shopping Admin Console. This allows members of the Full Shopping DB Admin Access group to manage Node Security, allowing them to define the users and groups that can access each of the nodes in the Shopping Console.
The specified Shopping Admin account / group is added to the Full Shopping DB Admin Access group during installation of the Shopping Central component.

The Full Shopping DB Admin Access group in this lab is 1ETRN\ShoppingConsole_Admins.
Limited Shopping DB Admin Access

This group, specified during the Shopping Central Service installation using either the UI or the SHOPPINGCONSOLEUSERS installer property, is associated with the db_ShoppingConsoleUser Database Role in the Shopping database. 

The db_ShoppingConsoleUser role has restricted permissions in the Shopping database necessary for managing Approvers and User and Computer Categories.

The Limited Shopping DB Admin Access group in this lab is 1ETRN\ShoppingConsole_Users.
SMS/ConfigMgr Access

Definition of Sites and Applications in the Shopping Console require read access to the Principal ConfigMgr site database. This is provided through membership of the SMS / ConfigMgr Access group specified during the Shopping Central installation using either the UI or the SHOPPINGCONSOLESMSUSERS installer property. The specified group is associated with the db_datareader Database Role on the Principal ConfigMgr site database.

The SMS / ConfigMgr Access group in this lab is 1ETRN\ShoppingConsole_SMSUsers.
Group Management

By default, as users or groups are granted access to a node within the Shopping console, the console adds these users or groups (under the context of the logged on user) to the relevant database access groups according to the access required for that particular node. This requires the Full Shopping DB Admin Access group to be granted full permissions on itself and the other two groups when they are first set up in AD. 
This automatic group management can be disabled in the Console Settings by setting the Admin Console Manages Groups setting to False. If this is done, users and groups will need to be manually added to the appropriate groups before they attempt to use the Shopping Console. The table below lists the Admin Console Nodes and the group memberships that provide access to them.


Console Node

Full Shopping DB Access group

Limited Shopping DB Access group

SMS/ConfigMgr DB Access group

Sites

P

 

P

Approvers

P

P

 

User Categories

P

P

 

Computer Categories

P

P

 

Applications

P

 

P

Settings

P

 

 

Node Security

P

 

 

Event Log

P

P

 

Ensure users and groups have email AD attribute set

Shopping uses email as the primary notification method. It is therefore important that all users that interact with Shopping, as well as some of the special accounts and groups identified in the previous task, have a valid email address defined in Active Directory.

1ETRNDC
  1. Log on to 1ETRNDC as 1ETRN\Administrator and start Active Directory Users and Computers
  2. Review the following users and groups and ensure they have the specified email address defined in the General Properties tab

    3. User or Group

    Email address

    svc_ShoppingCentral

    SVC_ShoppingCentral@1etrn.local

    Shopping_Admins (group)

    shopping_admins@1etrn.local

    Shopping_LicenseManagers (group)

    Shopping_LicenseManagers@1etrn.local

    Manager1

    manager1@1etrn.local

    Manager2

    manager2@1etrn.local

    User

    user@1etrn.local

    Finance Director

    FinanceDirector@1etrn.local

    As Shopping is used by most users throughout an organization, it is good practice to use an easily remembered DNS alias for the Shopping Central Web Server. This alias is then defined as the Host Header for the Shopping web site in IIS. This not only makes it easier for users to remember the site name, but also allows the web site to be moved to a different server in the future if required.

Create a DNS Alias

1ETRNDC

    In this lab environment, the chosen DNS alias is APPSTORE.
  1. Log into 1ETRNDC as 1ETRN\Administrator
  2. On 1ETRNDC select DNS from the Start page
  3. In DNS manager, expand 1ETRNDC > Forward Lookup Zones and select 1ETRN.LOCAL
  4. Select the Action menu and select New Alias (CNAME)…
  5. In the Alias name field, type APPSTORE

  1. Click the Browse… button next to Fully qualified domain name (FQDN) for target host, browse to 1ETRNDC > Forward Lookup Zones > 1ETRN.LOCAL, select 1ETRNAP. The new Resource Record dialog should look like the figure below. Click OK

  1. Select OK to complete the New Resource Record wizard
  2. From a command prompt, ping appstore. Ensure it returns 10.0.0.4(1ETRNAP)

Review Windows Features, Roles and Role Services

1ETRNAP has IIS configured as required to support ActiveEfficiency up to this point in the lab exercises. The Shopping Central Server components will also be installed on 1ETRNAP and has an additional role service that is required.


1ETRNAP

    In most production environments, Active Efficiency and Shopping would not be hosted on a single server. This configuration is suitable for small lab environments.
  1. Open Server Manager on 1ETRNAP
  2. Select Add roles and features in the Configure this local server section of the Dashboard page
  3. Click Next on the Before You Begin page
  4. Click Next on the InstallationType page
  5. Click Next on the Server Selection page
  6. In the list of roles on the Server Roles page, scroll down and expand Web Server (IIS) and then Web Server
  7. Expand Common HTTP Features and select HTTP Redirection and click Next
  8. Click Next on the Features page
  9. Click Install on the Confirmation page and close the wizard when complete
  10. Close Server Manager

Create Service Principal Name (SPN)

The Shopping Website Application feature creates the Shopping Application Pools in IIS that use the NETWORK SERVICE identity. Connection to the web application is made through an HTTP service class request on the DNS address of the host. However, because the Shopping web site is not part of the default web site, it requires a separate Host Header and corresponding DNS alias to distinguish it from the Default Web Site on the same server. 

It is therefore necessary to define the host (1ETRNAP) as the security principal for the HTTP service class on the address APPSTORE.1ETRN.LOCAL, so that when clients request a connection to http://appstore.1etrn.local, Kerberos identifies 1ETRNAP as the actual security principal for that service. This is done by defining a Service Principal Name (SPN) as follows.

1ETRNDC

  1. Log on to 1ETRNDC as 1ETRN\Administrator
    2. The 1ETRN\Administrator account is the Domain Admin account. Service Principal Names are attributes of the security principal in AD, so it doesn't actually matter which computer you perform this task on, as long as the user you are logged on as has full permissions on the security principal (in this case the 1ETRNAP computer account) that you are trying to update.
  2. Open a command prompt and type the following command. This will list all Service Principal Names currently held by the 1ETRNAP computer 
    3. SETSPN -L 1ETRNAP

  1. The results should appear as below. Note that SPNs have already been defined for …..

  1. To add an SPN to 1ETRNAP for the DNS name APPSTORE , run the following commands 

SETSPN -S HTTP/APPSTORE 1ETRNAP

SETSPN -S HTTP/APPSTORE.1ETRN.LOCAL 1ETRNAP

Setting SPNs for both APPSTORE and APPSTORE.1ETRN.LOCAL allow connections using either the host name or the FQDN.

  1. To verify the update, run the following command again 
    2. SETSPN -L 1ETRNAP

  1. The results should now include the SPNs for the APPSTORE DNS address

If the NETWORK SERVICE identity of the Shopping Application Pools is replaced with a domain user account, the SPN must be added to that user object rather than the computer account of the Shopping web site, e.g. SETSPN -S HTTP/APPSTORE <domain>\<user>

Create ConfigMgr Administrative User for the Shopping Central Service

One of the features of Shopping, OS Filtering, provides the ability to filter the applications presented to users based on operating system criteria such as Operating System Version (Windows 7 vs. Windows 10) or Operating System Architecture (32-bit vs. 64-bit). If an application installation will fail because of operating system related prerequisites, it doesn't make sense to display these applications to users in the Shopping portal.

Because the information required to filter applications based on operating system criteria resides in WMI, the Shopping Central Service will need to be granted permission to access WMI remotely.
In this task, you will grant the Shopping Central Service these rights by adding them as an administrative user with Read access to ConfigMgr objects in WMI. This will support the OS Filtering exercise later in the labs.

1ETRNCM

  1. Log into 1ETRNCM as 1ETRN\SCCMAdmin. Launch the SkyTap Shared Drive shortcut on the desktop and navigate to 1E Shopping - Course Content\Shopping 5.6 Course Content download the MiscFiles.zip to c:\temp and right click and extract all files.
  2. Launch the ConfigMgr console. In the Administration workspace of the ConfigMgr console, expand Security and select Security Roles
  3. Right-click on Security Roles and choose Import Security Roles
  4. Browse to C:\Temp\MiscFiles and double-click on the 1E Shopping Central Service Security Role.xml file and observe that 1E Shopping Central Service now appears in the list of Security Roles
    5. Ensure the right XML file is being copied, there are two in the folder, we will use the second one during the Shopping Receiver installation.
    The 1E Shopping Central Service Security Role was created using the same permissions that are granted to the Read-only Analyst Security Role. The Shopping Central Service does not have rights to make any changes to ConfigMgr – only to read information.
  5. Right-click on Administrative Users in the Administration pane and select Add User or Group
  6. Click on the Browse… button and enter svc_ShoppingCentral as the object name and click Check Names
  7. Click OK when the name resolves
  8. In the Assigned security roles section, click the Add… button
  9. Select 1E Shopping Central Service and click OK
  10. Click OK to close the Add User or Group dialog box
    11. By adding the Shopping Central Service account as an Administrative User in the ConfigMgr console, it also adds the account to the local SMS Admins group that has access to WMI remotely.

Install Shopping Central

In this exercise, you will install all Shopping Central components onto 1ETRNAP.

Install Shopping Central on Application Server

1ETRNAP 

  1. On 1ETRNAP and log in as 1ETRN\AppInstaller. Launch the SkyTap Shared Drive shortcut on the desktop and navigate to 1E Shopping - Course Content\Shopping 5.6 Course Content and download the Shopping.v5.6.0.409.zip and copy C:\Temp and right click and extract all
  2. Start a command prompt (Run as administrator) and switch to the C:\Temp\shopping.v5.6.0.409 directory
  3. Run the following command to start the installation wizard 
    4. msiexec.exe /i ShoppingCentral.msi /l*v ShoppingCentral-Install.log
  4. On the Welcome page click Next
  5. On the Shopping Prerequisite page, ensure all the checks passed and click Next
  6. Accept the license agreement and click Next
  7. On the Installation Type page, select Complete Install and click Next
  8. On the Customer Information page, input an Organization name. Copy and paste the Shopping license key from 1E Shopping - Course Content\Shopping 5.6 Course Content\License.txt by launching the SkyTap Shared Drive shortcut on the desktop into Shopping License Key: field and click Next
    9. WSA is out of scope for this course, so we will leave that blank.
  9. On the Custom Setup page, ensure all features are selected for installation and click Next
  10. On the Database Server page, leave the server as (local) and the Database Name as Shopping2 and click Next
  11. On the 1E ActiveEfficiency Server page, enter 1ETRNAP as the name of the ActiveEfficiency Server and click Next
  12. On the Active Directory Integration page, type 1ETRN.LOCAL and click Next


    13. This can be either the name of a domain controller or the fully qualified domain name.
  13. On the Service Account page, in the User name field, type 1ETRN\svc_ShoppingCentral and in the Password field, type Passw0rd
  14. In the field for the receiver service account, type 1ETRN\svc_ShoppingReceiver and click Next


    15. The Shopping Receiver service connects to the Shopping Central Web Site using HTTP. The Shopping Central installer checks that this is a valid account (or group) during installation of Shopping Central.
    The recommended approach in production environments is to add the Receiver service account to an AD group and specify the group rather than the actual account. This allows for future changes to the Receiver service account, adding the new account into the defined group rather than having to reconfigure Shopping.
  15. On the Exchange or SMTP Server page, type 1ETRNDC.1ETRN.LOCAL and click Next
    16. For this lab, a simple SMTP application has been installed on 1ETRNDC to enable the sending of email via Shopping. In a production environment, this should be the fully qualified domain name of the SMTP server where Shopping will send emails.
  16. On the SMS / System Center Configuration Manager Integration page, enter the name of the Principal ConfigMgr site server, in this case 1ETRNCM.1ETRN.LOCAL and click Next


    17. The Principal ConfigMgr site is the site where the Packages to be offered through Shopping are defined. This is typically the Central site in ConfigMgr 2007 and the CAS (if installed) in ConfigMgr 2012. However, if you are using ConfigMgr 2007 and have Packages defined on primary sites below the Central site (e.g. on Regional Primary Sites), Shopping Central may need to be configured to use this site. In these scenarios, it is often necessary to create multiple Shopping environments – one for each Regional primary site.
  17. On the Admin Console Node Security page, enter the following information and click Next
    18. Full Shopping DB Admin Access:        1ETRN\ShoppingConsole_Admins
    Limited Shopping DB Admin Access:  1ETRN\ShoppingConsole_Users
    SMS / ConfigMgr Access:                    1ETRN\ShoppingConsole_SMSUsers
    Refer to the Database Access groups information for details of these groups
  18. On the Shopping Management Accounts page, enter the following information and click Next
    19. Admin account:                  1ETRN\Shopping_Admins
    Reports access account:     1ETRN\Shopping_ReportViewers
    License manager account: 1ETRN\Shopping_LicenseManagers
    Refer to the Management Accounts and Groups section for more details of these groups.
  19. On the Website Configuration page, in the Host Header field, type APPSTORE and click Next
    20. If a non-standard port is used, the Shopping URL will need to have the port appended to the end. e.g. If port 8081 is used, then the host header for this example would be http://appstore:8081.
  20. On the Shopping URL prefix page, ensure that http://appstore is displayed and click Next
  21. On the Ready to Install the Program page, click Install
  22. Click Finish to close the setup wizard once complete

Review the installation

In this task, you will observe the changes made by the Shopping Central installer.

1ETRNAP
  1. Open Windows Explorer and browse to C:\Program Files (x86)\1E\Shopping. Note the following subfolders:

    2. Folder

    Description

    AdminConsole

    This is the Shopping Administrator Console

    CentralService

    This is the Shopping Central Service and includes workflow integration components for integration with 3rd party systems

    Database

    This folder contains all the binary files used to configure the Shopping SQL database. Using compiled code to manage the SQL configuration enables Shopping to be easily patched using Windows Installer patches (MSP).

    Website

    This folder contains the Shopping website and Shopping API components

  2. From the Start screen start Internet Information Services (IIS) Manager, expand 1ETRNAP > Sites and observe the Shopping website
  3. Select Application Pools (just above Sites) and note that there are two application pools for Shopping (Shopping Pool and ShoppingAPI Pool) and that they are configured to run with the identity of NETWORK SERVICE
  4. Start the Registry Editor (from the Start screen, start typing regedit and click regedit.exe when it appears in the search results) then navigate to HKLM\Software\1E\ShoppingCentral. Note that this only contains licensing information which is hashed
  5. In the Registry Editor, navigate to HKLM\Software\Wow6432Node\1E\ShoppingCentral. Note that this contains basic information regarding the installation
  6. Open the Services console (from the Start screen) and identify the 1E Shopping Central service. Ensure this service is running
  7. Open Microsoft SQL Server Management Studio (from the Start screen) and expand the Shopping2 database. Note that the installer has created objects (tables, views, stored procedures etc)
  8. In the Security node of the Shopping2 database, navigate to Roles > Database Roles and note that the db_ShoppingConsoleAdmin and db_ShoppingConsoleUser roles have been created by the Database feature installation. View the properties of both and note that the group ShoppingConsole_Admins is added to the ShoppingConsoleAdmin role and that ShoppingConsole_Users is added to the ShoppingConsoleUser role
  9. Browse to C:\ProgramData\1E\ShoppingCentral. This is where you will find the ShoppingCentral diagnostic log. Double-click ShoppingCentral.log to open it. Review the log entries focussing on service startup tasks
  10. From the Start screen, start typing Shopping. When Shopping Administration appears in the search results, right-click it and select Pin to Taskbar (you'll be using this a lot, so let's make it easy to get to)
  11. Now click Shopping Administration on the Start screen. Ensure that the Shopping Admin Console opens without errors and note the different nodes available in the left-hand pane. We'll come on to each of these throughout this course
  12. Open Internet Explorer (from the Start screen) and go to http://appstore/shopping
  13. Ensure the Shopping web page opens successfully. There won't be much of interest on it currently, but the Home page should load without errors

Configure HTTP Redirection

Now, the URL to connect to Shopping is http://appstore/shopping. HTTP Redirection (a Web Server (IIS) Role Service - see earlier task) can be used to simplify this to http://appstore.

1ETRNAP

  1. Open Internet Information Services (IIS) Manager and select the Shopping web site
  2. In the main center pane with all the icons, double-click the HTTP Redirect icon in the IIS section (you may need to scroll down to see it)
  3. Check the Redirect requests to this destination option and enter ../shopping
  4. Check the Only redirect requests to content in this directory (not subdirectories) option
    5. By default, IIS will apply the redirection to all sub-sites (/Shopping and /ShoppingAPI in this case). This would cause any attempts to load the page to enter an infinite loop as /Shopping would redirect to itself! In some cases, even if this option is selected, you may find the subdirectories still have the redirection applied. To be sure, check the HTTP Redirect settings on the /Shopping and /ShoppingAPI subdirectories and ensure redirection is DISABLED on these.
  5. Click Apply (in the Actions list on the right)
  6. Open Internet Explorer (if the Shopping site is already open, close and reopen the browser) and browse to http://appstore to confirm the redirection is working and the shorter URL can be used

Increase Shopping Central logging level

In order to use the Central Service log file to monitor processes throughout this course, you will now increase the level of detail that is written to the ShoppingCentral log.

1ETRNAP 

  1. On 1ETRNAP browse to C:\Program Files (x86)\1E\Shopping\CentralService
  2. Make a backup copy of ShoppingCentral.exe.config
    3. The lab environment has been modified so that file extensions are displayed, but this may not be the case in many production environments. In the default Windows Explorer view (with file extensions hidden), ShoppingCentral.exe.config will appear as ShoppingCentral.exe, and ShoppingCentral.exe appears as ShoppingCentral.
  3. Right-click on ShoppingCentral.exe.config and select Edit to open the file in Notepad
  4. Search for the text <level value="INFO"/> in the <log4net> section of the file
  5. Replace the word INFO with ALL and save the file, then restart the 1E Shopping Central Service
    6. If the 1E Shopping Central service fails to start, an error was made when editing the file.

Reduce the Cache Duration for user access to the portal

When a user launches the Shopping portal from a given computer for the first time, Shopping will evaluate the applications that are available to the user based on the User Categories associated with that the user and Computer Categories associated with that the computer. Rather than performing this evaluation every time the user logs on to the Shopping portal, the information is cached, along with the last logon time for that particular user and computer combination. If the Shopping portal is launched within 15 minutes of the last time the user launched Shopping from the same computer, the available applications will reflect whatever was cached at that earlier time.
As we will be making many changes to categories throughout this course, we do not want to be waiting around for up to 15 minutes before we see the effect of these. In this task, you will reduce this duration down to 1 minute to make things move a bit faster.

This behavior is designed to balance performance on the Shopping Central server. While it is fine to reduce this in a small lab environment, this should not be modified in a production environment unless advised by 1E support.

1ETRNAP

  1. Open Microsoft SQL Server Management Studio, select the Shopping2 database and click New Query in the toolbar
  2. Enter the following query and click !Execute in the toolbar. You should see (1 row(s) affected) in the Messages tab 
    3. Update tb_Preference set PreferenceValue=1 where PreferenceName='Cache Duration'
    The tb_Preference table stores all the settings that you see in the Settings node in the console. Cache Duration is defined as a hidden setting so it can only be changed directly in the database.
  3. Restart the 1E Shopping Central service for the logging info and cache duration changes to take effect
  4. If the ShoppingCentral service fails to start, an error was made when editing the config file

Install the Shopping Receiver

In this exercise, you will install the Shopping Receiver Installer components onto 1ETRNCM.

Create Shopping Receiver security role in ConfigMgr

The Shopping Receiver service account requires the ConfigMgr permissions defined earlier in the Understanding Shopping Users and Groups section. 1E provide an XML file that can be imported to create a ConfigMgr Security Role with the required permissions.

1E provide a number of Security Roles that can be imported into Config Mgr depending on the version installed in your environment. These are available at: Product Documentation, and navigate to Shopping 5.6 Preparation 1E Shopping Receivers security role, select the one appropriate for your Config Mgr version.
In this task, you will import a security role definition and then add the Shopping Receiver service account to the new role.

1ETRNCM

  1. Log on to 1ETRNCM as 1ETRN\SCCMAdmin
  2. Earlier we imported the Shopping Central security role, here we will import the 1E Shopping Receivers Security Role in CB1906 and later.xml
  3. Open the Configuration Manager Console from the Start screen
  4. Select the Administration workspace and expand the Security node
  5. Right-click Security Roles and select Import Security Role
  6. In the Import Security Role dialog box browse to C:\Temp\MiscFiles\1E Shopping Receivers Security Role in CB1906 and later.xml and click Open
  7. Once imported right click the new role and select Properties
  8. Select the Permissions tab
  9. Scroll to and open the Folder Class node
  10. Review the configuration (this is new in CB1906) and click cancel when done
  11. Right-click the Administrative Users node and select Add User or Group
  12. In the Add User or Group dialog box, click Browse… then enter svc_ShoppingReceiver and click OK
  13. Click the Add… button to the right of the Assigned security roles list, select 1E Shopping Receivers from the list of roles and click OK
    14. Do not get the receiver and central roles/users mixed up!
  14. Click OK to close the Add User or Group

Install the Shopping Receiver on ConfigMgr Primary Site

In this task, you will install the Shopping Receiver Service on the ConfigMgr Primary site server.

1ETRNCM

  1. Launch Explorer from the desktop and navigate to \\1etrnap\Temp\shopping.v5.6.0.409 and copy ShoppingReceiver.msi to C:\Temp
  2. Start a command prompt (run as administrator) and switch to the C:\Temp directory
  3. Type the following to start the Shopping Receiver install wizard 
    4. msiexec.exe /i ShoppingReceiver.msi /l*v ShoppingReceiver-Install.log
  4. On the Welcome page click Next
  5. Accept the license agreement and click Next
  6. On the Destination Folder page, click Next
  7. On the Register Service Account page, select This Account and in the user name field, type 1ETRN\svc_ShoppingReceiver and in the password field type Passw0rd, then click Next
  8. On the Policy Refresh page, ensure Native is selected and set the Policy Refresh delay to 30 seconds then click Next
    9. Policy refresh triggers the ConfigMgr agent to perform a 'Machine Policy Retrieval & Evaluation Cycle' to accelerate the delivery of the deployed program or application. With policy refresh enabled, Shopping is able to deliver applications immediately after the approval process has been completed. Policy Refresh can be invoked directly via the Shopping Receiver (native) or by integration with 1E WakeUp. The Policy refresh delay allows ConfigMgr to process the Collection update and policy assignment before getting the client to check for the new policy. While 10 seconds is usually sufficient time, in this lab we increase the delay to 30 seconds to allow for performance of the virtual ConfigMgr server.
  9. On the Shopping URL Prefix page, type http://appstore and click Next
  10. On the Default Advanced Client Flags page, select Default and click Next

    11. The Receiver installer allows you to enter default settings that will be used when it creates a Deployment in ConfigMgr. These settings are especially useful if integrating Shopping with 1E Nomad. The following options are available:

    Default – Uses the default deployment options for ConfigMgr.
    Always download from DP – The package is always downloaded from the distribution point. This should be used when integrating with 1E Nomad.
    Always run from DP –The package is always run from the distribution point (only applicable to legacy Packages).

  11. Click Next on the Configuration Manager Database Connection page. On the Ready to Install the Program page, click Install. When the installation completes, close the setup wizard

Review the installation

In this task, you will review the effects of the Shopping Receiver installation.

1ETRNCM

  1. Run regedit.exe and navigate to HKLM\Software\Wow6432Node\1E\Shopping.Receiver.v5.6.0. Note that this contains basic information regarding the installation
  2. Open the Services console from the Start menu and identify the 1E Shopping Receiver+5.6.0 service
  3. Browse to C:\ProgramData\1E\Shopping.Receiver\v5.6.0. This is where you will find the Shopping Receiver diagnostic log. Double-click Shopping.Receiver.log to open it in CM Trace and ensure the Shopping Receiver service started successfully without any errors
  4. Browse to C:\Program Files (x86)\1E\Shopping\Shopping.Receiver.v5.6.0. This folder contains the Shopping Receiver binaries that interact with ConfigMgr
  5. Double-click Shopping.Receiver.exe.config to open it in Notepad and observe the configurable settings for the Shopping Receiver service in the <appSettings> section. Many of these settings were specified in the Install wizard
  6. Search for level value="INFO"
  7. Change the INFO to ALL
  8. Save the file
    9. Leave this file open, we'll be returning to it to make a configuration change in the next task.
  9. Open SQL Server Management Studio and navigate to Databases > CM_PS1 > Security > Users
  10. Double-click the 1ETRN\svc_ShoppingReceiver user (this user was added to the ConfigMgr database by the Shopping Receiver installation) to view its properties
  11. In the Database User – 1ETRN\svc_ShoppingReceiver dialog box, select the Membership page on the left and observe that this user has been assigned only the db_datareader role on the ConfigMgr database
  12. In the Database User – 1ETRN\svc_ShoppingReceiver dialog box, select the Securables page. Note that the user has been granted Execute permissions on the fn_GetAppState and fn_GetSiteNumber scalar functions
  13. Click OK to close the user properties dialog box
    14. You may have observed that the Shopping Receiver folders, service and registry keys all include the version number in their name. This is to allow side-by-side upgrade from previous versions where a new instance of Shopping Central is being implemented alongside an existing instance of an earlier version.

Configure the Default Limiting Collection

The Shopping Receiver is responsible for creating ConfigMgr objects (collections and deployments) and placing computers and users into appropriate collections to allow software to be deployed. By default, the Limiting Collections for all the collections created by the Shopping Receiver is 'All Systems' and 'All Users and User Groups'. In many environments, this is not a desired configuration.
In this task, we will modify the default limiting collection for computer collections.

1ETRNCM

  1. Return to the Shopping.Receiver.exe.config file
  2. Locate the <appSettings> section and observe the values in RootDeviceCollectionId and RootDeviceCollectionName
  3. Replace the RootDeviceCollectionId value with PS10000B
    4. Be sure to input the collection name and ID exactly as they are in the console. The ID is with 4 zeros. If these values are not inputted correctly, the Shopping Receiver will fail to create objects in ConfigMgr.
  4. Replace the RootDeviceCollectionName value with Lab Workstations
  5. Save and close the file
  6. Restart the 1E Shopping Receiver+ 5.6.0 service
    7. All collections created by the Shopping Receiver will now use Lab Workstations as the limiting collection. This methodology can be used to prevent certain machines (servers for example) from getting software inadvertently deployed to them by not allowing them to be members of the Shopping deployment collections

Deploy the 1E Client

Previous versions of Shopping used the Shopping Agent to enable the Shopping website to retrieve information about the user's PC. In an effort to reduce the number of agents customers need to deploy, 1E is in the process of combining existing agent functionality into a single agent, which happens to be the Tachyon Agent. With Shopping 5.6, the functionality of the Shopping Agent and the new Windows Servicing Assistant (WSA) functionality has been implemented as a module of the 1E Client. The 1E Client must be installed on all PCs from which users will access the Shopping portal. This integration requires specific client machine identification so that Configuration Manager knows the correct client deployment target. 

In this exercise, we will use the 1E Agent Endpoint Installation Solution Accelerator to create the ConfigMgr deployment objects and deploy the 1E Client to all ConfigMgr clients.

Prepare to Deploy the 1E Client

1ETRNCM

  1. Launch the SkyTap Shared Drive shortcut on the desktop and navigate to 1E Tools and download the 1EClientDeploymentAssistant.v1.4.0.27.zip to C:\Temp\ and right click and extract all of the contents
  2. Browse to the C:\Temp\1EClientDeploymentAssistant.v1.4.0.27 folder and double-click on 1EClientDeploymentAssistant.exe to launch the wizard
    3. You might have to change the resolution of the remote computer session to fit the wizard to the screen depending on the size of your display.
  3. On the Welcome page, click Next to continue
  4. Accept the license terms on the License Terms page and click Next
  5. On the ConfigMgr Connection page, with Local ConfigMgr Site Server selected, click Connect. When the status changes to Connected, click Next
  6. On the General Settings page, Set the fields to contain the following and then Click Next
    7. 1E License File: Browse to C:\Temp\1EClientDeploymentAssistant.v1.4.0.27\1EClientDeploymentAssistant.v1.4.0.27\ and select Licenses.txt
    1E ActiveEfficiency Server URL: http://1etrnap.1etrn.local/activeefficiency
    Application Content Source: \\1etrndc\ConfigMgrSource\Software
    Package Content Source: \\1etrndc\ConfigMgrSource\Software
    Distribute Content: Check
    Distribution Point Group: All Distribution Points
  7. On the Agent Selection page, deselect all items except 1E Client 4.1.0.267 and click Next
  8. On the 1E Client 4.1.0.267 page, verify that the limiting collection is set to Lab Workstations and click Next to continue
  9. On the Tachyon Settings page, verify that Enable Shopping Module and Edge Windows App browser support are ticked and also ensure that Shopping Web URL has http://appstore/shopping/ address is entered. Click Next to continue


    10. Enable Shopping Integration : Enables support for the 1E self-service portal and Windows Servicing Assistace, Any previous Installation of Shopping Agent will be removed when Tachyon Agent starts. 
    Shopping Central URL : It should be set to the URL for the Shopping website. The Shopping website uses a host header, for which a DNS allias was defined earlier 
    http://appstore/shopping/ The Tachyon Shopping module uses a loopback mechanism that enables the browser to make calls to the Shopping Agent via the local computer. The Tachyon Shopping module contacts the Shopping Central website to get the appropriate URL to use for the local loopback mechanism and the URL is no longer locally configured, as was the case for the previous Shopping Agent Installer. 
    Enable Edge/Windows App Support: If users are likely to access the Shopping web site using Microsoft Ede or other Metro Browsers.
  10. Click Next on the Nomad Client Settings Page and arrive on the Summary page, once the list is finished compiling, take a moment and review the actions that are about to be taken. When ready, click the Create button


    11. If Shopping Integration is enabled, when the 1E Client starts it will attempt to automatically remove any previous installations of the 1E Shopping Agent.
  11. The actions will be recorded as they are completed on the Progress page. When the Status changes to Successful, you may review the completed actions and click Next when ready
  12. Click Finish on the Completion page to close the wizard

Observe the Results of Running the 1EClientDeploymentAssistant Wizard

Once we have run the Client Deployment Assistant wizard, we will look at the objects that were created in the ConfigMgr console.

1ETRNCM

  1. In the ConfigMgr console, select the Assets and Compliance workspace and click on Device Collections
  2. Note that the 1E Client 4.1.0.267 - Required collection has been created and has zero members at this point
  3. Click on the Deployments tab at the bottom of the page and note that the 1E Client 4.1.0.267 application has been deployed to the collection
  4. In the Software Library workspace, expand Application Management and select Applications
  5. Note the 1E Client 4.1.0.267 application has been created and the content has been distributed to the distribution point

Deploy the 1E Client to Lab Workstations

Now that all the required components are created in the ConfigMgr console, we simply need to add our desired targets to the 1E Client 4.1.0.267 - Required collection and force a machine policy update cycle to deploy the Tachyon Agent.

1ETRNCM

  1. In the ConfigMgr console, go to the Assets and Compliance workspace and select Devices
  2. Multi-select the 1ETRNW71, 1ETRNW72, 1ETRNW73, 1ETRNW101 and 1ETRNW102 computers
  3. Right-click on any of them, select Add Selected Items > Add Selected Items to Existing Device Collection
  4. Select the 1E Client 4.1.0.267 - Required collection and click OK
  5. Click on Device Collections, select the 1E Client 4.1.0.267 - Required collection and refresh the view until the Member Count shows 5
  6. Right-click on the 1E Client 4.1.0.267 - Required collection, select Client Notification and choose Download Computer Policy

Validate the 1E Client installation on each client

After a few minutes, complete the following tasks to ensure the 1E Client is installed and functioning.

1ETRNW71

  1. Log on as 1ETRN\user
  2. Open Programs and Features from Control Panel and verify that the 1E Client is installed
    3. Might take a minute or two after policy refresh for the application to install. Hit F5 after a minute to refresh the view. If you don't see it after a few minutes, manually run computer policy on the client.
  3. Open the Services applet from the desktop and note the 1E Client service running
  4. Open the 1E.Client.log file in C:\ProgramData\1E\Client

  1. Search for the following in the log file: module.shopping.loopbackexemptionenabled and note that it is set to true
  2. Note the line above it, showing the URL to the Shopping API

Lab Summary

We started this lab identifying the key users and groups that Shopping uses both internally and for administration. We reviewed the permissions and security rights that these specific users and groups require, and which of these are normally configured by the Shopping Central and Receiver installers.
We learned how to use a DNS alias, combined with HTTP Redirection, to enable Shopping to be accessed using an easily remembered URL. You also understand therefore why it is necessary to define a Service Principal Name for the HTTP service class on the alias address.
We prepared the environment for the installation of Shopping. We installed the Shopping Central service on the application server, and then installed the Shopping receiver on the ConfigMgr Primary site server.
Lastly, we deployed the 1E Client to our lab workstations. The 1E Client allows for the proper identification of the machine/user accessing the Shopping portal. It is also used for WSA orders.

Next Page

Ex 3 - Shopping 5.6 - Exploring the Shopping User Interfaces