In this lab, you will install all Shopping Central components on the 1ETRNAP server along with the Shopping Receiver on the 1ETRNCM server. In addition, the Shopping agent will be installed on all PCs using ConfigMgr.
Prepare the environment
In this exercise, you will prepare the lab environment with the necessary configuration and components required by Shopping.
Always refer to the latest product documentation (http://help.1e.com) for details of pre-requisites and system requirements for the version of Shopping you are installing.
Understanding Shopping Users and Groups
Several components of Shopping are run with the identity of either a defined user account or a special system account (such as Network Service). Beyond the accounts used by the system, there are also roles within Shopping that define the level of access that users of the system have. These roles are assigned to AD security groups and users are added into these groups to assign them the associated role. In this task, you will review the accounts and groups that need to be created or designated for Shopping.
The installation of the various Shopping components requires specific permissions. Whichever user performs the installation of the various components requires the permissions specified below.
To install the Shopping Central server components, the installer account requires the following:
In this lab, the 1ETRN\AppInstaller account will be used to install the Shopping Central components and has already been configured with all the necessary permissions to do so, as specified in this section.
- Local admin rights on the server that Shopping Central is being installed on
- SQL Server sysadmin rights on the Shopping Database server
Best practice is to create the Shopping2 database prior to running the installer, so the database and log files can be created at the correct size on suitable drives. If the database has already been created, the user performing the Shopping Database installation needs db_owner rights on the Shopping2 database.
- Local admin rights on the ConfigMgr server that Shopping will connect to
- SQL Server sysadmin rights on the ConfigMgr Primary site database server that Shopping Central will connect to (the CAS in multi-site hierarchy) in order to create a SQL Login for the Shopping Central service account (this is then added as a user to the ConfigMgr database)
- Must be a member of the local SMS Admins group on the ConfigMgr server as the installer adds ConfigMgr security rights (through WMI) for the Shopping Central Service account
- Must be configured as a Full Administrator in ConfigMgr
- Must have a minimum of "Write Member" security right on the Full Shopping DB Admin Access and SMS / ConfigMgr Database Access AD groups defined during installation either through the UI or the installer properties SHOPPINGCONSOLEADMINUSERS and SHOPPINGCONSOLESMSUSERS.
To install the Shopping Receiver, the installer account requires the following:
In this lab, the 1ETRN\SCCMAdmin account will be used to install the Shopping receiver component on 1ETRNCM and that account has the necessary rights to do so. No additional configuration is required.
- Local admin rights on the ConfigMgr Primary site server where the Receiver is being installed
- Must be a member of the local SMS Admins group on the ConfigMgr server and a member of the Full Administrators role in ConfigMgr as the installer adds ConfigMgr security rights (through WMI) for the Shopping Receiver Service account
In production environments, the ConfigMgr administrator will usually be asked to install the Shopping Receiver component. This simplifies things (in the majority of cases) as no additional accounts need to be created and no additional rights need to be granted to install the Shopping Receiver.
Shopping Central Service account
The Shopping Central Service security principal is a Domain User specified during Shopping Central installation (through either the installer UI or using the SVCUSER and SVCPASSWORD installer properties).
In this lab environment, you will use 1ETRN\svc_ShoppingCentral as the Shopping Central Service account.
This account requires the following permissions and configuration. Items marked * are configured by the Shopping Central installer.
On the Shopping Central server
- Log on as a service user right*
On the Shopping database
- Access to the Shopping database is managed through Database Roles (db_ShoppingConsoleAdmin and db_ShoppingConsoleUser). The installer adds the Shopping Central service user to Full Shopping DB Admin Access group, which in turn is associated with the db_ShoppingConsoleAdmin role in the Shopping database
On the ConfigMgr Primary site server (or CAS)
- db_datareader role on the ConfigMgr database*
The Shopping Central Service account will be added to the SMS/ ConfigMgr Access group defined during installation, either through the installer UI or through the installer property SHOPPINGCONSOLESMSUSERS. This group is in turn added to the db_datareader role in the ConfigMgr database. All this is taken care of by the installer, which is why the Installer Account requires "Write Member" permissions on the AD group and sysadmin role on the ConfigMgr database server.
In Active Directory
- Requires an email account to be defined in the Email attribute of the user. This email account is used to send system emails to administrators
- If Shopping AD Integration is to be used to manage self-service of AD group membership, the Shopping Central Service account must have write access to the AD groups which are to be managed by Shopping
In this lab, the groups to be managed through Shopping are contained in a specific OU, to which the Shopping Central Service has Full Control permissions on all descendant group objects.
If a Group Policy that enforces the Access this computer from the network local user rights setting is applied to the ConfigMgr Primary Site server that Shopping Central integrates with, this policy must be updated to include the Shopping Central service (i.e. enabling the Shopping Central service to access the ConfigMgr server remotely). If no such policies are applied to the ConfigMgr server, there is no requirement to create one (default settings for a Server grant this user right to Everyone and Users).
Shopping Receiver Service account
The Shopping Receiver Service runs on each ConfigMgr Primary Site and primarily manages the creation of Collections and Deployments on the local site.
By default, the Shopping Receiver Service will use the local computer's NETWORK SERVICE security principal. It is best practice to create a Domain User account and use this for all Shopping Receivers. If there is an absolute requirement to use different accounts for different Primary sites (this scenario includes using the default NETWORK SERVICE account on each Receiver), it will be necessary to create a Shopping Receivers group, which will be used to grant the necessary security rights to securable objects that the receiver needs to access.
Note that this user (or group if multiple accounts are used) must be specified first during the Shopping Central installation, either through the installer UI or using the RECEIVERACCOUNT installer property as the Central Service uses this as a means of authorizing the receiver that is connecting to it.
For each Receiver installation, the account user name and password must also be provided to install the service, through either the UI or the SVCUSER and SVCPASSWORD installer properties.
In this lab environment, you will use the 1ETRN\svc_ShoppingReceiver account as the Shopping Receiver service account.
The Shopping Receiver account requires the following permissions. Items marked * are configured by the Shopping Receiver installer.
On each ConfigMgr Primary Site
- Log on as a service user right*
- Membership of the local SMS Admins group* (required for access to the SMS Provider)
- The following ConfigMgr Security Rights are required
  - Configuration Policy: Full
  - Distribution Point: Read
  - Distribution Point Group: Read
  - Global Condition: Full
  - Status Messages: Read
  - Task Sequence Package: Read
The ConfigMgr security rights will be applied using an imported security role that is preconfigured with the appropriate rights.
- db_datareader role on the ConfigMgr database
- EXECUTE permission on the ConfigMgr database scalar functions fn_GetAppState and fnGetSiteNumber
The EXECUTE permission on the two functions above will be granted by the installer.
On every workstation
- To support Policy Refresh or allowing a user to request an application for a computer more than once ('re-shopping'), the Shopping Receiver Service account (or Shopping Receivers group if multiple accounts are used) must be added to the local Administrators group on each workstation on which these features are to be used. This is because these features require the Receiver service to interface directly with the Configuration Manager client through WMI
In order to allow for the Receiver Service account to be changed in future, it is good practice to create a global group in AD that contains the Receiver Service account and add this to the local Administrators group on all workstations using a Restricted Groups group policy.
Management Accounts and Groups
Before installing Shopping, you must define a Shopping Admin account or group in AD that will be used the first time you open the console (additional users can be added through the console). You also need to define AD groups that will be assigned to the Report Viewer and License Manager roles in the Shopping console.
Shopping Admin account/group
The Shopping Admin account or group specified during the Shopping Central Service installation (either in the UI or by the ADMINACCOUNT installer property) is initially the only security principal that has visibility of all nodes in the Shopping Admin Console and the Administration tab in the Shopping Web Portal.
During the Shopping Central installation, the Shopping Admin account (or group), is also added to the Full Shopping DB Admin Access and SMS/ConfigMgr Access groups (detailed later in this section) to provide the necessary access to the Shopping and ConfigMgr databases to perform all admin tasks.
This account (or group) must have a valid email account defined in AD.
Use a group with an associated email Distribution List (DL) rather than a single account, as this enables Shopping administrators to be easily managed through AD group membership.
Shopping Report Viewer account / group
The Shopping Report Viewer account or group defined during the installation of the Shopping Central Service (using either the UI or the REPORTSACCOUNT installer property) is granted permissions necessary to view the Shopping reports by the Shopping Central Service installer. Only this user (or members of the group) will see the Reporting tab on the Shopping Web Portal.
Use a group rather than a single account, as this enables access to Shopping's reporting features to be easily managed through AD group membership.
In this lab environment, the Shopping Report Viewer group is 1ETRN\Shopping_ReportViewers.
Shopping License Manager account / group
The Shopping License Manager account or group defined during the installation of the Shopping Central Service (using either the UI or the LICENSEMGRACCOUNT installer property) receives e-mail notifications when application license thresholds are reached. This user or group must therefore have a valid email address defined in Active Directory.
Use a group with an associated email DL rather than a single account to enable targeting of license notifications to be easily managed through AD group membership.
Database Access groups
When a user of the Shopping Console requires access to either the Shopping database (to manage Shopping objects) or the Principal ConfigMgr Site database (to look-up Sites, Packages and Programs), they are granted access through SQL Database Roles defined (and created during the Shopping Central installation) in the respective databases. The three AD groups described below are associated with these SQL Database Roles.
Full Shopping DB Admin Access group
This group, specified during the Shopping Central Service installation using either the UI or the SHOPPINGCONSOLEADMINUSERS installer property, is associated with the db_ShoppingConsoleAdmin Database Role in the Shopping database.
The db_ShoppingConsoleAdmin database role is granted full permissions on all objects presented through the Shopping Admin Console. This allows members of the Full Shopping DB Admin Access group to manage Node Security, allowing them to define the users and groups that can access each of the nodes in the Shopping Console.
The specified Shopping Admin account / group is added to the Full Shopping DB Admin Access group during installation of the Shopping Central component.
The Full Shopping DB Admin Access group in this lab is 1ETRN\ShoppingConsole_Admins.
Limited Shopping DB Admin Access
This group, specified during the Shopping Central Service installation using either the UI or the SHOPPINGCONSOLEUSERS installer property, is associated with the db_ShoppingConsoleUser Database Role in the Shopping database.
The db_ShoppingConsoleUser role has restricted permissions in the Shopping database necessary for managing Approvers and User and Computer Categories.
The Limited Shopping DB Admin Access group in this lab is 1ETRN\ShoppingConsole_Users.
Definition of Sites and Applications in the Shopping Console require read access to the Principal ConfigMgr site database. This is provided through membership of the SMS / ConfigMgr Access group specified during the Shopping Central installation using either the UI or the SHOPPINGCONSOLESMSUSERS installer property. The specified group is associated with the db_datareader Database Role on the Principal ConfigMgr site database.
The SMS / ConfigMgr Access group in this lab is 1ETRN\ShoppingConsole_SMSUsers.
By default, as users or groups are granted access to a node within the Shopping console, the console adds these users or groups (under the context of the logged on user) to the relevant database access groups according to the access required for that particular node. This requires the Full Shopping DB Admin Access group to be granted full permissions on itself and the other two groups when they are first set up in AD.
This automatic group management can be disabled in the Console Settings by setting the Admin Console Manages Groups setting to False. If this is done, users and groups will need to be manually added to the appropriate groups before they attempt to use the Shopping Console. The table below lists the Admin Console Nodes and the group memberships that provide access to them.
Full Shopping DB Access group
Limited Shopping DB Access group
SMS/ConfigMgr DB Access group
Ensure users and groups have email AD attribute set
Shopping uses email as the primary notification method. It is therefore important that all users that interact with Shopping, as well as some of the special accounts and groups identified in the previous task, have a valid email address defined in Active Directory.
|Log on to 1ETRNDC as 1ETRN\Administrator and start Active Directory Users and Computers|
|Review the following users and groups and ensure they have the specified email address defined in the General Properties tab|
As Shopping is used by most users throughout an organization, it is good practice to use an easily remembered DNS alias for the Shopping Central Web Server. This alias is then defined as the Host Header for the Shopping web site in IIS. This not only makes it easier for users to remember the site name, but also allows the web site to be moved to a different server in the future if required.
Create a DNS Alias
In this lab environment, the chosen DNS alias is APPSTORE.
|Log into 1ETRNDC as 1ETRN\Administrator|
|On 1ETRNDC select DNS from the Start page|
|In DNS manager, expand 1ETRNDC > Forward Lookup Zones and select 1ETRN.LOCAL|
|Select the Action menu and select New Alias (CNAME)…|
|In the Alias name field, type APPSTORE|
|Click the Browse… button next to Fully qualified domain name (FQDN) for target host, browse to 1ETRNDC > Forward Lookup Zones > 1ETRN.LOCAL, select 1ETRNAP. The new Resource Record dialog should look like the figure below. Click OK|
|Select OK to complete the New Resource Record wizard|
|From a command prompt, ping appstore. Ensure it returns 10.0.0.4 (1ETRNAP)|
Review Windows Features, Roles and Role Services
1ETRNAP has IIS configured as required to support ActiveEfficiency up to this point in the lab exercises. The Shopping Central Server components will also be installed on 1ETRNAP and require an additional role service.
In most production environments, Active Efficiency and Shopping would not be hosted on a single server. This configuration is suitable for small lab environments.
|Open Server Manager on 1ETRNAP|
|Select Add roles and features in the Configure this local server section of the Dashboard page|
|Click Next on the Before You Begin page|
|Click Next on the Installation Type page|
|Click Next on the Server Selection page|
|In the list of roles on the Server Roles page, scroll down and expand Web Server (IIS) and then Web Server|
|Expand Common HTTP Features and select HTTP Redirection and click Next|
|Click Next on the Features page|
|Click Install on the Confirmation page and close the wizard when complete|
Create Service Principal Name (SPN)
The Shopping Website Application feature creates the Shopping Application Pools in IIS that use the NETWORK SERVICE identity. Connection to the web application is made through an HTTP service class request on the DNS address of the host. However, because the Shopping web site is not part of the default web site, it requires a separate Host Header and corresponding DNS alias to distinguish it from the Default Web Site on the same server.
It is therefore necessary to define the host (1ETRNAP) as the security principal for the HTTP service class on the address APPSTORE.1ETRN.LOCAL, so that when clients request a connection to http://appstore.1etrn.local, Kerberos identifies 1ETRNAP as the actual security principal for that service. This is done by defining a Service Principal Name (SPN) as follows.
|Log on to 1ETRNDC as 1ETRN\Administrator|
The 1ETRN\Administrator account is the Domain Admin account. Service Principal Names are attributes of the security principal in AD, so it doesn't actually matter which computer you perform this task on, as long as the user you are logged on as has full permissions on the security principal (in this case the 1ETRNAP computer account) that you are trying to update.
|Open a command prompt and type the following command. This will list all Service Principal Names currently held by the 1ETRNAP computer|
|The results should appear as below. Note that SPNs have already been defined for …..|
|To add an SPN to 1ETRNAP for the DNS name APPSTORE, run the following commands|
SETSPN -S HTTP/APPSTORE 1ETRNAP
SETSPN -S HTTP/APPSTORE.1ETRN.LOCAL 1ETRNAP
Setting SPNs for both APPSTORE and APPSTORE.1ETRN.LOCAL allows connections using either the host name or the FQDN.
|To verify the update, run the following command again|
|The results should now include the SPNs for the APPSTORE DNS address|
If the NETWORK SERVICE identity of the Shopping Application Pools is replaced with a domain user account, the SPN must be added to that user object rather than the computer account of the Shopping web site, e.g. SETSPN -S HTTP/APPSTORE <domain>\<user>
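A check to run before and after the SETSPN step above, as an added example that is not part of the original lab guide: it queries AD for each SPN and reports whether it is unregistered, held only by the expected account, held by a different account, or duplicated (duplicate SPNs cause Kerberos authentication to the site to fail). It assumes the ActiveDirectory PowerShell module (RSAT) is installed; Test-SpnOwner is a hypothetical helper name.

```powershell
# Added example: report which AD account holds each SPN used by the Shopping web site.
# Assumptions: ActiveDirectory module (RSAT) is available; Test-SpnOwner is a hypothetical name.
Import-Module ActiveDirectory

function Test-SpnOwner {
    param(
        [Parameter(Mandatory)] [string[]] $Spn,
        # sAMAccountName expected to hold the SPN. Computer accounts end in '$'.
        # If the application pools run as a domain user, pass that user's sAMAccountName instead.
        [Parameter(Mandatory)] [string] $ExpectedOwner
    )
    foreach ($name in $Spn) {
        # servicePrincipalName is multi-valued; an equality filter matches any single value.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$name)" -Properties sAMAccountName)

        if ($holders.Count -eq 0) {
            $status = 'NotRegistered'      # SETSPN -S has not been run yet
        }
        elseif ($holders.Count -gt 1) {
            $status = 'Duplicate'          # more than one account claims the SPN
        }
        elseif ($holders[0].sAMAccountName -ieq $ExpectedOwner) {
            $status = 'OK'
        }
        else {
            $status = 'WrongOwner'         # registered, but on a different account
        }

        [pscustomobject]@{
            Spn    = $name
            Status = $status
            HeldBy = ($holders.sAMAccountName -join ', ')
        }
    }
}

# Lab values from this guide: both SPNs should be held by the 1ETRNAP computer account.
Test-SpnOwner -Spn 'HTTP/APPSTORE', 'HTTP/APPSTORE.1ETRN.LOCAL' -ExpectedOwner '1ETRNAP$' |
    Format-Table -AutoSize
```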
Create ConfigMgr Administrative User for the Shopping Central Service
One of the features of Shopping, OS Filtering, provides the ability to filter the applications presented to users based on operating system criteria such as Operating System Version (Windows 7 vs. Windows 10) or Operating System Architecture (32-bit vs. 64-bit). If an application installation will fail because of operating system related prerequisites, it doesn't make sense to display these applications to users in the Shopping portal.
Because the information required to filter applications based on operating system criteria resides in WMI, the Shopping Central Service will need to be granted permission to access WMI remotely.
In this task, you will grant the Shopping Central Service these rights by adding them as an administrative user with Read access to ConfigMgr objects in WMI. This will support the OS Filtering exercise later in the labs.
|Log into 1ETRNCM as 1ETRN\SCCMAdmin. Launch the SkyTap Shared Drive shortcut on the desktop and navigate to 1E Shopping - Course Content\Shopping 5.5 Course Content\. Download and copy MiscFiles.zip to C:\Temp, then right-click it and extract all. From the MiscFiles folder, copy the 1E Shopping Central Service Security Role.xml file to C:\Temp|
Ensure the right XML file is copied. There are two in the folder; the second one will be used during the Shopping Receiver installation.
|Launch the ConfigMgr console. In the Administration workspace of the ConfigMgr console, expand Security and select Security Roles|
|Right-click on Security Roles and choose Import Security Roles|
|Browse to C:\Temp and double-click on the 1E Shopping Central Service Security Role.xml file and observe that 1E Shopping Central Service now appears in the list of Security Roles|
The 1E Shopping Central Service Security Role was created using the same permissions that are granted to the Read-only Analyst Security Role. The Shopping Central Service does not have rights to make any changes to ConfigMgr – only to read information.
|Right-click on Administrative Users in the Administration pane and select Add User or Group|
|Click on the Browse… button and enter svc_ShoppingCentral as the object name and click Check Names|
|Click OK when the name resolves|
|In the Assigned security roles section, click the Add… button|
|Select 1E Shopping Central Service and click OK|
|Click OK to close the Add User or Group dialog box|
Adding the Shopping Central Service account as an Administrative User in the ConfigMgr console also adds the account to the local SMS Admins group, which has remote access to WMI.
Add Receiver Service Account to local Administrators on all workstations
As you learned in the exercise Prepare the environment (Shopping Receiver Service account), the Shopping Receiver account requires local admin rights on client workstations in order to support the Policy Refresh and Reshopping features. The best way to configure local administrative rights for the Shopping Receiver service account / group is to add the account to the local Administrators group on workstations using Group Policy (Restricted Groups).
In this lab environment, there is a policy already defined that adds the Workstation Admins group to the local Administrators group on workstations only. In this task, you will add the Shopping Receiver service into the Workstation Admins group, thereby implicitly adding it to the local Administrators group on all workstations.
|On 1ETRNDC, start Active Directory Users and Computers from the Start menu|
|Locate the svc_ShoppingReceiver account in the Users container and double-click it to open the svc_ShoppingReceiver Properties|
|Select the Member Of tab, click Add…, enter Workstation Admins and click OK|
|Click OK to close the svc_ShoppingReceiver Properties dialog box, then close Active Directory Users and Computers|
Install Shopping Central
In this exercise, you will install all Shopping Central components onto 1ETRNAP.
Install Shopping Central on Application Server
|On 1ETRNAP, log in as 1ETRN\AppInstaller. Launch the SkyTap Shared Drive shortcut on the desktop and navigate to 1E Shopping - Course Content\Shopping 5.5 Course Content\Shopping.v22.214.171.1247 and copy ShoppingCentral.msi to C:\Temp|
|Start a command prompt (Run as administrator) and switch to the C:\Temp directory|
|Run the following command to start the installation wizard|
msiexec.exe /i ShoppingCentral.msi /l*v ShoppingCentral-Install.log
|On the Welcome page click Next|
|On the Shopping Prerequisite page, ensure all the checks passed and click Next|
|Accept the license agreement and click Next|
|On the Installation Type page, select Complete Install and click Next|
|On the Customer Information page, input an Organization name. Launch the SkyTap Shared Drive shortcut on the desktop, copy the license key from 1E Shopping - Course Content\Shopping 5.5 Course Content\License.txt, paste it into the Shopping License Key: field and click Next|
WSA is out of scope for this course, so we will leave that blank.
|On the Custom Setup page, ensure all features are selected for installation and click Next|
|On the Database Server page, leave the server as (local) and the Database Name as Shopping2 and click Next|
|On the 1E ActiveEfficiency Server page, enter 1ETRNAP as the name of the ActiveEfficiency Server and click Next|
|On the Active Directory Integration page, type 1ETRNDC.1ETRN.LOCAL and click Next|
This can be either the name of a domain controller or the fully qualified domain name.
|On the Service Account page, in the User name field, type 1ETRN\svc_ShoppingCentral and in the Password field, type Passw0rd|
|In the field for the receiver service account, type 1ETRN\svc_ShoppingReceiver and click Next|
The Shopping Receiver service connects to the Shopping Central Web Site using HTTP. The Shopping Central installer checks that this is a valid account (or group) during installation of Shopping Central.
The recommended approach in production environments is to add the Receiver service account to an AD group and specify the group rather than the actual account. This allows for future changes to the Receiver service account, adding the new account into the defined group rather than having to reconfigure Shopping.
|On the Exchange or SMTP Server page, type 1ETRNDC.1ETRN.LOCAL and click Next|
For this lab, a simple SMTP application has been installed on 1ETRNDC to enable the sending of email via Shopping. In a production environment, this should be the fully qualified domain name of the SMTP server where Shopping will send emails.
|On the SMS / System Center Configuration Manager Integration page, enter the name of the Principal ConfigMgr site server, in this case 1ETRNCM.1ETRN.LOCAL and click Next|
The Principal ConfigMgr site is the site where the Packages to be offered through Shopping are defined. This is typically the Central site in ConfigMgr 2007 and the CAS (if installed) in ConfigMgr 2012. However, if you are using ConfigMgr 2007 and have Packages defined on primary sites below the Central site (e.g. on Regional Primary Sites), Shopping Central may need to be configured to use this site. In these scenarios, it is often necessary to create multiple Shopping environments – one for each Regional primary site.
|On the Admin Console Node Security page, enter the following information and click Next|
Full Shopping DB Admin Access: 1ETRN\ShoppingConsole_Admins
Limited Shopping DB Admin Access: 1ETRN\ShoppingConsole_Users
SMS / ConfigMgr Access: 1ETRN\ShoppingConsole_SMSUsers
Refer to the Database Access groups information for details of these groups
|On the Shopping Management Accounts page, enter the following information and click Next|
Admin account: 1ETRN\Shopping_Admins
Reports access account: 1ETRN\Shopping_ReportViewers
License manager account: 1ETRN\Shopping_LicenseManagers
Refer to the Management Accounts and Groups section for more details of these groups.
|On the Website Configuration page, in the Host Header field, type APPSTORE and click Next|
If a non-standard port is used, the port must be appended to the end of the Shopping URL. For example, if port 8081 is used, then the host header for this example would be http://appstore:8081.
|On the Shopping URL prefix page, ensure that http://appstore is displayed and click Next|
|On the Ready to Install the Program page, click Install|
|Click Finish to close the setup wizard once complete|
Review the installation
In this task, you will observe the changes made by the Shopping Central installer.
|Open Windows Explorer and browse to C:\Program Files (x86)\1E\Shopping. Note the following subfolders:|
This is the Shopping Administrator Console
This is the Shopping Central Service and includes workflow integration components for integration with 3rd party systems
This folder contains all the binary files used to configure the Shopping SQL database. Using compiled code to manage the SQL configuration enables Shopping to be easily patched using Windows Installer patches (MSP).
This folder contains the Shopping website and Shopping API components
|From the Start screen start Internet Information Services (IIS) Manager, expand 1ETRNAP > Sites and observe the Shopping website|
|Select Application Pools (just above Sites) and note that there are two application pools for Shopping (Shopping Pool and ShoppingAPI Pool) and that they are configured to run with the identity of NETWORK SERVICE|
|Start the Registry Editor (from the Start screen, start typing regedit and click regedit.exe when it appears in the search results) then navigate to HKLM\Software\1E\ShoppingCentral. Note that this only contains licensing information which is hashed|
|In the Registry Editor, navigate to HKLM\Software\Wow6432Node\1E\ShoppingCentral. Note that this contains basic information regarding the installation|
|Open the Services console (from the Start screen) and identify the 1E Shopping Central service. Ensure this service is running|
|Open Microsoft SQL Server Management Studio (from the Start screen) and expand the Shopping2 database. Note that the installer has created objects (tables, views, stored procedures etc)|
|In the Security node of the Shopping2 database, navigate to Roles > Database Roles and note that the db_ShoppingConsoleAdmin and db_ShoppingConsoleUser roles have been created by the Database feature installation. View the properties of both and note that the group ShoppingConsole_Admins is added to the ShoppingConsoleAdmin role and that ShoppingConsole_Users is added to the ShoppingConsoleUser role|
|Browse to C:\ProgramData\1E\ShoppingCentral. This is where you will find the ShoppingCentral diagnostic log. Double-click ShoppingCentral.log to open it. Review the log entries focussing on service startup tasks|
|From the Start screen, start typing Shopping. When Shopping Administration appears in the search results, right-click it and select Pin to Taskbar (you'll be using this a lot, so let's make it easy to get to)|
|Now click Shopping Administration on the Start screen. Ensure that the Shopping Admin Console opens without errors and note the different nodes available in the left-hand pane. We'll come on to each of these throughout this course|
|Ensure the Shopping web page opens successfully. There won't be much of interest on it currently, but the Home page should load without errors|
Configure HTTP Redirection
Now, the URL to connect to Shopping is http://appstore/shopping. HTTP Redirection (a Web Server (IIS) Role Service - see earlier task) can be used to simplify this to http://appstore.
|Open Internet Information Services (IIS) Manager and select the Shopping web site|
|In the main center pane with all the icons, double-click the HTTP Redirect icon in the IIS section (you may need to scroll down to see it)|
|Check the Redirect requests to this destination option and enter ../shopping|
|Check the Only redirect requests to content in this directory (not subdirectories) option|
By default, IIS will apply the redirection to all sub-sites (/Shopping and /ShoppingAPI in this case). This would cause any attempts to load the page to enter an infinite loop as /Shopping would redirect to itself! In some cases, even if this option is selected, you may find the subdirectories still have the redirection applied. To be sure, check the HTTP Redirect settings on the /Shopping and /ShoppingAPI subdirectories and ensure redirection is DISABLED on these.
|Click Apply (in the Actions list on the right)|
|Open Internet Explorer (if the Shopping site is already open, close and reopen the browser) and browse to http://appstore to confirm the redirection is working and the shorter URL can be used|
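The redirection check described in the note above can also be scripted. The following is an added example, not part of the lab materials; it assumes the IIS site is named Shopping, as it appears in IIS Manager, and that the WebAdministration module is available on the web server.

```powershell
# Added example: report the effective HTTP Redirect settings on the site root and on the
# two sub-sites, and warn if a sub-site would still redirect (the loop described above).
# Run in an elevated PowerShell session on the web server.
Import-Module WebAdministration

$site   = 'Shopping'                      # assumption: IIS site name
$subs   = 'Shopping', 'ShoppingAPI'       # sub-sites named in the lab text
$filter = 'system.webServer/httpRedirect'

function Get-RedirectState {
    param([string] $PSPath)
    # Effective values at this path, including anything inherited from the parent.
    $section = Get-WebConfiguration -PSPath $PSPath -Filter $filter
    [pscustomobject]@{
        Path        = $PSPath
        Enabled     = [bool]$section.enabled
        Destination = [string]$section.destination
        ChildOnly   = [bool]$section.childOnly   # "Only redirect requests to content in this directory"
    }
}

$root     = Get-RedirectState "IIS:\Sites\$site"
$children = @(foreach ($s in $subs) { Get-RedirectState "IIS:\Sites\$site\$s" })

$problems = @()
if (-not $root.Enabled)   { $problems += 'Redirect is not enabled on the site root.' }
if (-not $root.ChildOnly) { $problems += 'childOnly is off on the site root: requests to subdirectories are redirected too.' }
foreach ($c in $children) {
    if ($c.Enabled) { $problems += "$($c.Path) still redirects to '$($c.Destination)'; disable redirection there." }
}

@($root) + $children | Format-Table -AutoSize
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Redirection is applied to the site root only.' }
```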
Increase Shopping Central logging level
In order to use the Central Service log file to monitor processes throughout this course, you will now increase the level of detail that is written to the ShoppingCentral log.
|On 1ETRNAP browse to C:\Program Files (x86)\1E\Shopping\CentralService|
|Make a backup copy of ShoppingCentral.exe.config|
The lab environment has been modified so that file extensions are displayed, but this may not be the case in many production environments. In the default Windows Explorer view (with file extensions hidden), ShoppingCentral.exe.config will appear as ShoppingCentral.exe, and ShoppingCentral.exe appears as ShoppingCentral.
|Right-click on ShoppingCentral.exe.config and select Edit to open the file in Notepad|
|Search for the text <level value="INFO"/> in the <log4net> section of the file|
|Replace the word INFO with ALL and save the file|
If the ShoppingCentral service fails to start, an error was made when editing the file.
Reduce the Cache Duration for user access to the portal
When a user launches the Shopping portal from a given computer for the first time, Shopping will evaluate the applications that are available to the user based on the User Categories associated with the user and the Computer Categories associated with the computer. Rather than performing this evaluation every time the user logs on to the Shopping portal, the information is cached, along with the last logon time for that particular user and computer combination. If the Shopping portal is launched within 15 minutes of the last time the user launched Shopping from the same computer, the available applications will reflect whatever was cached at that earlier time.
As we will be making many changes to categories throughout this course, we do not want to be waiting around for up to 15 minutes before we see the effect of these. In this task, you will reduce this duration down to 1 minute to make things move a bit faster.
This behavior is designed to balance performance on the Shopping Central server. While it is fine to reduce this in a small lab environment, this should not be modified in a production environment unless advised by 1E support.
|Open Microsoft SQL Server Management Studio, select the Shopping2 database and click New Query in the toolbar|
|Enter the following query and click Execute in the toolbar. You should see (1 row(s) affected) in the Messages tab|
Update tb_Preference set PreferenceValue=1 where PreferenceName='Cache Duration'
The tb_Preference table stores all the settings that you see in the Settings node in the console. Cache Duration is defined as a hidden setting so it can only be changed directly in the database.
|Restart the 1E Shopping Central service for the logging info and cache duration changes to take effect|
|If the ShoppingCentral service fails to start, an error was made when editing the config file|
Install the Shopping Receiver
In this exercise, you will install the Shopping Receiver Installer components onto 1ETRNCM.
Create Shopping Receiver security role in ConfigMgr
The Shopping Receiver service account requires the ConfigMgr permissions defined on page . 1E provide an XML file that can be imported to create a ConfigMgr Security Role with all the required permissions. In this task, you will import the security role definition and then add the Shopping Receiver service account to the new role.
|Log on to 1ETRNCM as 1ETRN\SCCMAdmin|
|Launch the SkyTap Shared Drive shortcut on the desktop and navigate to 1E Shopping - Course Content\Shopping 5.5 Course Content\MiscFiles and copy 1E Shopping Receivers Security Role.xml to C:\Temp|
|Open the Configuration Manager Console from the Start screen|
|Select the Administration workspace and expand the Security node|
|Right-click Security Roles and select Import Security Role|
|In the Import Security Role dialog box browse to C:\Temp\1E Shopping Receivers Security Role.xml and click Open|
|Right-click the Administrative Users node and select Add User or Group|
|In the Add User or Group dialog box, click Browse… then enter svc_ShoppingReceiver and click OK|
|Click the Add… button to the right of the Assigned security roles list, select 1E Shopping Receivers from the list of roles and click OK|
Do not get the receiver and central roles/users mixed up!
|Click OK to close the Add User or Group|
Install the Shopping Receiver on ConfigMgr Primary Site
In this task, you will install the Shopping Receiver Service on the ConfigMgr Primary site server.
|Launch the SkyTap Shared Drive shortcut on the desktop and navigate to 1E Shopping - Course Content\Shopping 5.5 Course Content\Shopping.v126.96.36.1997 and copy ShoppingReceiver.msi to C:\Temp|
|Start a command prompt (run as administrator) and switch to the C:\Temp directory|
|Type the following to start the Shopping Receiver install wizard|
msiexec.exe /i ShoppingReceiver.msi /l*v ShoppingReceiver-Install.log
|On the Welcome page click Next|
|Accept the license agreement and click Next|
|On the Destination Folder page, click Next|
|On the Register Service Account page, select This Account and in the user name field, type 1ETRN\svc_ShoppingReceiver and in the password field type Passw0rd, then click Next|
|On the Policy Refresh page, ensure Native is selected and set the Policy Refresh delay to 30 seconds then click Next|
Policy refresh triggers the ConfigMgr agent to perform a 'Machine Policy Retrieval & Evaluation Cycle' to accelerate the delivery of the deployed program or application. With policy refresh enabled, Shopping is able to deliver applications immediately after the approval process has been completed. Policy Refresh can be invoked directly via the Shopping Receiver (native) or by integration with 1E WakeUp. The Policy refresh delay allows ConfigMgr to process the Collection update and policy assignment before getting the client to check for the new policy. While 10 seconds is usually sufficient time, in this lab we increase the delay to 30 seconds to allow for performance of the virtual ConfigMgr server.
|On the Default Advanced Client Flags page, select Default and click Next|
The Receiver installer allows you to enter default settings that will be used when it creates a Deployment in ConfigMgr. These settings are especially useful if integrating Shopping with 1E Nomad. The following options are available:
Default – Uses the default deployment options for ConfigMgr.
Always download from DP – The package is always downloaded from the distribution point. This should be used when integrating with 1E Nomad.
Always run from DP – The package is always run from the distribution point (only applicable to legacy Packages).
|On the Ready to Install the Program page, click Install. When the installation completes, close the setup wizard|
Review the installation
In this task, you will review the effects of the Shopping Receiver installation.
|Run regedit.exe and navigate to HKLM\Software\Wow6432Node\1E\Shopping.Receiver.v5.5.0. Note that this contains basic information regarding the installation|
|Open the Services console from the Start menu and identify the 1E Shopping Receiver+5.5.0 service|
|Browse to C:\ProgramData\1E\Shopping.Receiver\v5.5.0. This is where you will find the Shopping Receiver diagnostic log. Double-click Shopping.Receiver.log to open it in CM Trace and ensure the Shopping Receiver service started successfully without any errors|
|Browse to C:\Program Files (x86)\1E\Shopping\Shopping.Receiver.v5.5.0. This folder contains the Shopping Receiver binaries that interact with ConfigMgr|
|Double-click Shopping.Receiver.exe.config to open it in Notepad and observe the configurable settings for the Shopping Receiver service in the <appSettings> section. Many of these settings were specified in the Install wizard|
|Search for level value="Info"|
Leave this file open; we'll be returning to it to make a configuration change in the next task.
|Open SQL Server Management Studio and navigate to Databases > CM_PS1 > Security > Users|
|Double-click the 1ETRN\svc_ShoppingReceiver user (this user was added to the ConfigMgr database by the Shopping Receiver installation) to view its properties|
|In the Database User – 1ETRN\svc_ShoppingReceiver dialog box, select the Membership page on the left and observe that this user has been assigned only the db_datareader role on the ConfigMgr database|
|In the Database User – 1ETRN\svc_ShoppingReceiver dialog box, select the Securables page. Note that the user has been granted Execute permissions on the fn_GetAppState and fn_GetSiteNumber scalar functions|
|Click OK to close the user properties dialog box|
You may have observed that the Shopping Receiver folders, service and registry keys all include the version number in their name. This is to allow side-by-side upgrade from previous versions where a new instance of Shopping Central is being implemented alongside an existing instance of an earlier version.
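The database rights reviewed in this task can be compared with the expected set in one pass. The following is an added example, not part of the lab materials; the server name is an assumption (run it on the SQL Server hosting CM_PS1), and it uses Windows integrated authentication with an account that can read the database catalog views.

```powershell
# Added example: list the Receiver account's role memberships and object-level grants in the
# ConfigMgr database and flag anything beyond what the lab text says the installer grants.
function Test-ReceiverDbRights {
    param(
        [string] $Server   = 'localhost',   # assumption: SQL Server hosting CM_PS1
        [string] $Database = 'CM_PS1',
        [string] $User     = '1ETRN\svc_ShoppingReceiver'
    )
    # Expected rights, taken from the review steps above.
    $expected = @(
        'ROLE db_datareader',
        'GRANT EXECUTE ON fn_GetAppState',
        'GRANT EXECUTE ON fn_GetSiteNumber'
    )
    $sql = @'
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = @user;

-- class = 1 limits this to object-level grants; the database-level CONNECT is not listed.
SELECT p.state_desc, p.permission_name, OBJECT_NAME(p.major_id) AS securable
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = @user AND p.class = 1;
'@
    Add-Type -AssemblyName System.Data
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=$Database;Integrated Security=True"
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $sql
    [void]$cmd.Parameters.AddWithValue('@user', $User)
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
    $ds      = New-Object System.Data.DataSet
    [void]$adapter.Fill($ds)      # Fill opens and closes the connection itself
    $conn.Dispose()

    $actual  = @($ds.Tables[0].Rows | ForEach-Object { "ROLE $($_.role_name)" })
    $actual += @($ds.Tables[1].Rows | ForEach-Object {
        "$($_.state_desc) $($_.permission_name) ON $($_.securable)" })

    [pscustomobject]@{
        User       = $User
        Actual     = $actual
        Unexpected = @($actual   | Where-Object { $_ -notin $expected })   # more than the lab describes
        Missing    = @($expected | Where-Object { $_ -notin $actual })     # installer grant not present
    }
}

Test-ReceiverDbRights | Format-List
```

An empty Unexpected list means the service account holds no more than the read-only role and the two function grants described above.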
Configure the Default Limiting Collection
The Shopping Receiver is responsible for creating ConfigMgr objects (collections and deployments) and placing computers and users into appropriate collections to allow software to be deployed. By default, the limiting collections for all the collections created by the Shopping Receiver are 'All Systems' and 'All Users and User Groups'. In many environments, this is not a desired configuration.
In this task, we will modify the default limiting collection for computer collections.
|Return to the Shopping.Receiver.exe.config file|
|Locate the <appSettings> section and observe the values in RootDeviceCollectionId and RootDeviceCollectionName|
|Replace the RootDeviceCollectionId value with PS10000B|
Be sure to enter the collection name and ID exactly as they appear in the console. The ID contains four zeros. If these values are not entered correctly, the Shopping Receiver will fail to create objects in ConfigMgr.
|Replace the RootDeviceCollectionName value with Lab Workstations|
|Restart the 1E Shopping Receiver+ 5.5.0 service|
All collections created by the Shopping Receiver will now use Lab Workstations as the limiting collection. This methodology can be used to prevent certain machines (servers, for example) from getting software inadvertently deployed to them by not allowing them to be members of the Shopping deployment collections.
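Both config-file edits in this lab (the Central Service log level in the earlier task and the Receiver limiting collection in this one) can be made through an XML parser instead of Notepad, so that a typing slip cannot leave the file malformed and stop the service from starting. The following is an added example, not part of the lab materials; the function name is hypothetical, and it assumes the two Receiver settings are standard <add key="..." value="..."/> entries under <appSettings>.

```powershell
# Added example: set 'value' attributes in a .NET *.exe.config through the XML DOM,
# with a timestamped backup and a re-parse of the saved file.
function Set-ConfigValues {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Edits    # XPath -> new content of the 'value' attribute
    )
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    $xml  = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the file's layout and comments
    $xml.Load($full)                     # throws if the file is already malformed

    # Resolve every XPath before touching the file, so a typo changes nothing.
    foreach ($xpath in $Edits.Keys) {
        if (-not $xml.SelectSingleNode($xpath)) { throw "Nothing matches $xpath in $full; file left unchanged." }
    }

    $backup = "$full.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $full -Destination $backup

    foreach ($xpath in $Edits.Keys) {
        foreach ($node in @($xml.SelectNodes($xpath))) {
            $old = $node.GetAttribute('value')
            $node.SetAttribute('value', $Edits[$xpath])
            Write-Host "  $xpath : '$old' -> '$($Edits[$xpath])'"
        }
    }
    $xml.Save($full)

    # Parse the saved file again; put the backup back if it no longer loads.
    try   { (New-Object System.Xml.XmlDocument).Load($full) }
    catch { Copy-Item -LiteralPath $backup -Destination $full -Force; throw }
    return $backup
}

# On 1ETRNAP: the Central Service log-level change.
$central = 'C:\Program Files (x86)\1E\Shopping\CentralService\ShoppingCentral.exe.config'
if (Test-Path -LiteralPath $central) {
    Set-ConfigValues -Path $central -Edits @{ "//log4net//level[@value='INFO']" = 'ALL' }
}

# On 1ETRNCM: the Receiver limiting-collection change (key layout is an assumption, see above).
$receiver = 'C:\Program Files (x86)\1E\Shopping\Shopping.Receiver.v5.5.0\Shopping.Receiver.exe.config'
if (Test-Path -LiteralPath $receiver) {
    Set-ConfigValues -Path $receiver -Edits @{
        "//appSettings/add[@key='RootDeviceCollectionId']"   = 'PS10000B'
        "//appSettings/add[@key='RootDeviceCollectionName']" = 'Lab Workstations'
    }
}
```

The function returns the path of the backup it made; the service restart from the lab steps is still required for the change to take effect.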
Deploy the 1E Client
Previous versions of Shopping used the Shopping Agent to enable the Shopping website to retrieve information about the user's PC. In an effort to reduce the number of agents customers need to deploy, 1E has combined existing agent functionality into a single agent, which happens to be the 1E Client. With Shopping 5.5, the functionality of the Shopping Agent and the new Windows Servicing Assistant (WSA) functionality has been implemented via the 1E Client. The 1E Client must be installed on all PCs from which users will access the Shopping portal. This integration requires specific client machine identification so that Configuration Manager knows the correct client deployment target.
In this exercise, we will use the 1E Client Deployment Assistant to create the ConfigMgr deployment objects and deploy the 1E Client to all ConfigMgr clients.
Prepare to Deploy the 1E Client
|Launch the SkyTap Shared Drive shortcut on the desktop and navigate to 1ETools and copy 1EClientDeploymentAssistant.v188.8.131.52.zip to C:\Temp\, then right-click it and select Extract All|
|Browse to the C:\Temp\1EClientDeploymentAssistant.v184.108.40.206 folder and double-click on 1EClientDeploymentAssistant.exe to launch the wizard|
You might have to change the resolution of the remote computer session to fit the wizard to the screen depending on the size of your display.
|On the Welcome page, click Next to continue|
|Accept the license terms on the License Terms page and click Next|
|On the ConfigMgr Connection page, with Local ConfigMgr Site Server selected, click Connect. When the status changes to Connected, click Next|
|On the General Settings page, enter the following information, which is appropriate for the lab environment. Then click Next|
|1E License File: Browse to c:\temp\1EClientDeploymentAssistant.v220.127.116.11 and select the License.txt file downloaded previously|
1E ActiveEfficiency Server URL: http://1etrnap/ActiveEfficiency
Application Content Source: \\1etrndc\ConfigMgrSource\Software
Package Content Source: \\1etrndc\ConfigMgrSource\Software
Distribute Content: Check
Distribution Point Group: All
|On the Agent Selection page, deselect all items except 1E Client 18.104.22.1687 and click Next|
|On the 1E Client 22.214.171.1247 page, set the limiting collection to Lab Workstations and click Next to continue|
|On the Tachyon and other client Settings page, verify that Enable Shopping Module and Edge Windows App browser support are ticked and ensure that the Shopping Web URL is set to http://appstore/shopping/. Click Next to continue|
Enable Shopping Integration: Enables support for the 1E self-service portal and Windows Servicing Assistant. Any previous installation of the Shopping Agent will be removed when the Tachyon Agent starts.
Shopping Central URL: This should be set to the URL for the Shopping website. The Shopping website uses a host header, for which a DNS alias was defined earlier: http://appstore/shopping/
The Tachyon Shopping module uses a loopback mechanism that enables the browser to make calls to the Shopping Agent via the local computer. The Tachyon Shopping module contacts the Shopping Central website to get the appropriate URL to use for the local loopback mechanism, so the URL is no longer locally configured, as was the case for the previous Shopping Agent Installer.
Enable Edge/Windows App Support: Enable this if users are likely to access the Shopping website using Microsoft Edge or other Metro browsers.
|Click Next on the Nomad client settings page. On the Summary page, once the list is finished compiling, take a moment to review the actions that are about to be taken. When ready, click the Create button|
If Shopping Integration is enabled, when the 1E Client starts it will attempt to automatically remove any previous installations of the 1E Shopping Agent.
|The actions will be recorded as they are completed on the Progress page. When the Status changes to Successful, you may review the completed actions and click Next when ready|
|Click Finish on the Completion page to close the wizard|
Observe the Results of Running the 1EClientDeploymentAssistant
Once we have run the 1EClientDeploymentAssistant, we will look at the objects that were created in the ConfigMgr console.
|In the ConfigMgr console, select the Assets and Compliance workspace and click on Device Collections|
|Note that the 1E Client 126.96.36.1997 – Required collection has been created and has zero members at this point|
|Click on the Deployments tab at the bottom of the page and note that the 1E Client 188.8.131.527 – Required application has been deployed to the collection|
|In the Software Library workspace, expand Application Management and select Applications|
|Note the 1E Client 184.108.40.2067 application has been created and the content has been distributed to the distribution point|
Deploy the 1E Client to Lab Workstations
Now that all the required components are created in the ConfigMgr console, we simply need to add our desired targets to the 1E Client 220.127.116.117 – Required collection and force a machine policy update cycle to deploy the Tachyon Agent.
|In the ConfigMgr console, go to the Assets and Compliance workspace and select Devices|
|Multi-select the 1ETRNW71, 1ETRNW72, 1ETRNW73, 1ETRNW101 and 1ETRNW102 computers|
|Right-click on any of them, select Add Selected Items > Add Selected Items to Existing Device Collection|
|Select the 1E Client 18.104.22.1687 – Required collection and click OK|
|Click on Device Collections, select the 1E Client 22.214.171.1247 – Required collection and refresh the view until the Member Count shows 5|
|Right-click on the 1E Client 126.96.36.1997 – Required collection, select Client Notification and choose Download Computer Policy|
Validate the 1E Client installation on each client
After a few minutes, complete the following tasks to ensure the Tachyon Agent is installed and functioning.
|Open Programs and Features from Control Panel and verify that 1E Client is installed|
It might take a minute or two after the policy refresh for the application to install. Press F5 after a minute to refresh the view. If you don't see it after a few minutes, manually run computer policy on the client.
|Open the Services applet from the desktop and note the 1E Tachyon Agent service running|
|Open the 1E Client.log file in C:\ProgramData\1E\Client|
|Search for the following in the log file: module.shopping.enabled and note that it is set to true|
|Note the line above it, showing the URL to the Shopping API|
We started this lab identifying the key users and groups that Shopping uses both internally and for administration. We reviewed the permissions and security rights that these specific users and groups require, and which of these are normally configured by the Shopping Central and Receiver installers.
We learned how to use a DNS alias, combined with HTTP Redirection, to enable Shopping to be accessed using an easily remembered URL. You should therefore also understand why it is necessary to define a Service Principal Name for the HTTP service class on the alias address.
We prepared the environment for the installation of Shopping. We installed the Shopping Central service on the application server, and then installed the Shopping receiver on the ConfigMgr Primary site server.
Lastly, we deployed the 1E Client to our lab workstations. The 1E Client allows for the proper identification of the machine/user accessing the Shopping portal. It is also used for WSA orders.