Application Migration is a separately licensed product from 1E that replaces the Application Mapping feature in Shopping with a much more feature rich solution. Application Migration runs on the Tachyon platform, and depends on Configuration Manager for inventory data, and information about application deployments. The legacy Application Mapping feature requires legacy AppClarity 5.6 which is out of support, but can still be used with Shopping.
When Shopping is integrated with Application Migration, you can optionally use the self-service Shopping OSD Wizard and the WSA Wizard to show the user which applications will be migrated. If self-service Wizards are not required, then task sequences are still able to use Application Migration features without Shopping.
If Application Migration is replacing Application Mapping:
Shopping and Windows Servicing Assistant are licensed separately. Both license keys must be provided when installing Shopping Central server.
If you use Shopping's ConfigMgr integration, you will need the following installation accounts, ConfigMgr security role, and database access.
The user installing Shopping Central or Shopping Receivers requires membership of the Full Administrator security role in Configuration Manager, as described in Accounts needed to install Shopping.
The Receiver service account or group requires the following permissions in Configuration Manager.
These permissions are defined in an XML file and can be imported using the Configuration Manager console to create a 1E Shopping Receivers security role. Each Receiver service account or the Receivers group can then be assigned to this role. This is a one-time only manual procedure prior to installation of the first Receiver. The permissions for the 1E Shopping Receivers role have changed in Shopping 5.6 to include support for client notification. You will need to import one of the following files, depending on your Configuration Manager version:
When a Receiver creates a collection for deploying an application it needs to specify its limiting collection. By default, that is either All Systems or All Users and User Groups. However, these defaults are configurable in the Receiver's config file. Other collections can be mapped if the Shopping RBAC feature is used. If these collections are known, specify them, otherwise select All instances of the objects that are related to the assigned security roles option in the Security Scopes tab. For more information see Role based access control in Shopping.
Shopping Central - the Shopping Central Service account (SVCUSER) must be a member of the Shopping Configuration Manager Database Access (SHOPPINGCONSOLESMSUSERS) group. This group requires a login with db_datareader rights and execute permission on the
fnGetSiteNumber functions. If the Shopping Central installer has sufficient rights on the Configuration Manager database, then these database rights will be configured automatically during installation.
Shopping Receivers - in all Configuration Manager Site databases, ensure the Shopping Receiver service account has a login with db_datareader rights and execute permission on the
fnGetSiteNumber function. If the Shopping Receiver installer has sufficient rights on the Configuration Manager database, then these rights will be configured automatically during installation.
To prepare for integration with Intune please refer to Enabling Intune integration.
Shopping Intune integration supports the Intune application types that are most useful for Windows clients. Additional application types might be supported in future versions. See Managing Intune applications page for more details.
Device used with Shopping's Intune integration must be Hybrid Azure AD joined in Azure Active Directory (AAD). User accounts (including administrator and service accounts) must be "Windows Server AD" sourced in AAD and must have a global domain suffix (Contoso.com, for example, not Contosocom.onmicrosoft.com). If the accounts are for a local domain, a universal principal name (UPN) can be used.
Shopping Intune integration assumes that user accounts can be uniquely identified by their e-mail addresses. In other words, Shopping end-users accounts do not share e-mail addresses.
You will also need the following Azure Active Directory accounts for these purposes:
|Account Purpose||Member of||Usage||Notes|
|Configuration||Global administrator and Intune administrator AAD roles||During setup and as needed for troubleshooting||This account does the steps described in Enabling Intune integration.|
|Service||Intune administrator AAD role||Ongoing for the Shopping Central service to access AAD user and device details and app deployment status||This is the AAD hybrid account that corresponds to the service account used to run the Shopping Central service.|
|Intune Administrators||Intune administrator AAD role||Ongoing for Intune app management||You might prefer to apply the Intune administrator role to a group and add relevant administrator accounts to the group.|
|Shopping administrators||User and groups setting for the Shopping Console Authentication Client App (see Enabling Intune integration for details)||To access Intune apps from the Shopping console and to trigger on-demand AAD device and user synchronizations|
You might prefer to add a group to the User and groups list and add relevant Shopping administrator accounts to the group.
The Intune administrators and Shopping administrators might all be the same accounts but they do not have to be. Intune administrators could manage the Intune apps but not have Shopping privileges. Shopping administrators could use the Intune apps but not be able to manage them.
The user installing Shopping Central requires the following
The user installing the Shopping Receiver requires the following
Access to the Shopping Central database
The Shopping Central service requires access to the Shopping database. Db_owner permissions are automatically configured during installation of Shopping Central.
Access to the SCCM Site’s SMS Provider
The Shopping Central service requires read-write access to the “SMS Provider” on the SCCM CAS.
During installation of Shopping Central, the installer adds the necessary permissions in the SCCM Admin Console.
Access to the SCCM Site’s database
During installation of Shopping Central, the installer adds the necessary permissions in the SCCM Central SQL database in order for the service to function.
During installation of Shopping Central, the MSI installer adds the necessary permissions in the SCCM Admin Console, but must be added to the local “SMS Admins” group separately.
If the SQL Server is using a non-standard port, the SMSDBPORT switch must be specified during installation, or a SQL Alias used.
The Shopping Central service must be capable of creating mails at the attached SMTP mail gateway or service.
If the SMTP gateway is configured to reject mail from a non-existent sender address, then it is necessary to configure the Shopping service account with an email address.
AD integration groups
The Shopping Central service requires write access to Shopping “AD Integration” groups.
Local Server NTFS
The Shopping Central service has requires NTFS “read” access to the Shopping install folder and “modify” access to the log file folders. This is achieved using the “Users” local group. See section 3.7.17 on page 62.
The Shopping Central service requires AppClarity User permission ‘User can access Integration Services’.
If you use Shopping's ConfigMgr integration, you will need at least one Shopping Receiver.
Each Receiver needs a service account, which can be either a dedicated or shared domain user account or Network Service
We recommend restricting the account with Deny logon locally
The Receiver is installed on each ConfigMgr Site server, and the service account must have local admin rights on the Site server
at the very least it must have read access to the binaries, and full permissions to the Receiver log folders
if you upgrade the Shopping Receiver with a different service account, it must have
Read/Write permissions to
Must have permissions in the Configuration Manager Console and its SQL database, depending on the version of Configuration Manager, as described above in Microsoft System Center Configuration Manager requirements.
Installation of Shopping Central requires details of the Receiver service account or an AD Security group containing Receiver service accounts, so that Receivers can access the Central web service:
A key design decision is whether Shopping Receivers should use a single shared service account, individual service accounts, or Network Service. Either way, to allow new accounts to be added or existing accounts to be changed more easily, we recommend you include the Receiver accounts in an AD Security Group and use this group when granting access to each of the following:
Access to Shopping Central Web Services
The Shopping Receiver services connect to the Shopping Central Web Site using HTTP and are validated against the (RECEIVERACCOUNT) account/group specified during installation of the Shopping Central.
Using a group is recommended in order to simplify configuration and grant access to necessary objects. This is described in section 3.7.9 below.
Access to the associated SCCM Site’s SMS Provider
The Shopping Receiver service requires read-write access to the “SMS Provider” on the associated SCCM Site servers. This is achieved by creating a “1E Shopping Receivers” role for the (RECEIVERACCOUNT) group as described in section 3.4.3 on page 46.
Access to the associated SCCM Site’s SQL Server
During installation of Shopping Receivers, the installer grants db_datareader permissions in the SCCM SQL database in order for the Receiver service to function.
If the SQL Server is using a non-standard port, the SMSDBPORT switch must be specified during installation, or use a SQL Alias instead.
Local Server NTFS
The Shopping Receiver service has requires NTFS “read” access to the Shopping install folder and “modify” access to the log file folders. This is achieved using the “Users” local group.
|AD security groups must be Universal if more than one trusted domain is involved, but can be Universal or Global if only one domain is involved. If your AD domain functional level is Windows 2000 server mixed mode then the AD security groups must be domain Global.|
Three separate AD groups are required to enable access to the Shopping Admin Console and optionally support the Shopping Console node security feature.
|You cannot use the same group to serve all three roles, these must be handled using three separate groups. Any attempt to use the same group for more than one role will result in the installation failing with database errors and rolling back.|
The Shopping Console node security feature is enabled by default, but can be disabled in the Shopping Console settings panel. If the Shopping Admin Console Node Security feature is to be used, then the Shopping Full Database Admin Access (SHOPPINGCONSOLEADMINUSERS) group must have Modify permissions in Active Directory to manage membership of itself and the other two Shopping Access groups in the table below. You can permission each group, or permission an OU which contains the groups.
If the Shopping Console node security feature is not used, then the groups should have the following membership. The names in brackets are the Shopping Central installer properties, which are referenced elsewhere in this documentation.
|Shopping AD Group||Members||Member of||Notes|
Shopping Full Database Admin Access (SHOPPINGCONSOLEADMINUSERS)
Shopping Configuration Manager Database Access (SHOPPINGCONSOLESMSUSERS)
Shopping Limited Database Admin Access (SHOPPINGCONSOLEUSERS)
These are accounts or groups that have administrator rights in the Shopping Admin Console and web portal.
In addition to the Shopping Access groups, you need three further role-based security groups. Shopping allows these groups to be to be specified as individual domain user accounts, but then you are restricted to only these users being administrators, and using the Shopping Admin Console Node Security to manage additional user accounts. If your organization prefers to manage access rights through AD or other identity managements system, then you should use groups and disable the Shopping Admin Console Node Security feature.
|Shopping AD Group||Members||Member of||Notes|
Shopping Administrators (ADMINACCOUNT)
Reporting Managers (REPORTSACCOUNT)
Licensing Managers (LICENSEMGRACCOUNT)
As Shopping makes extensive use of automated email processing, the accounts and groups must have email addresses defined in AD. Where groups are used, the member accounts must also have email addresses defined in AD.
When configuring an AD security group to have an email address, this does not mean it has to be changed to a Distribution group type; it must remain as a Security group type.
During a Shopping Central installation, you must provide details for a Receiver Account. Instead of specifying an account, we recommend you specify an AD Security group, which contains individual Receiver service accounts. See Shopping Receiver service account.
During a Shopping Central installation, you must provide details for an Active Directory Server. This can be an AD domain controller or an actual domain name. By default, Shopping performs AD queries using the global catalog, in which case you can specify the Active Directory Server as the domain name or nominate a domain controller server that is a global catalog server.
If the global catalog is not available or not required (for example, in a single domain environment) then select a domain controller with the primary domain controller (PDC) emulator FSMO role if it is well connected. The PDC emulator is the preferred domain controller because it manages account and group changes for the domain. If the PDC emulator role is transferred, then update the Active Directory Server setting in the Admin Console settings.
Shopping does not support mixed domain AD Groups, i.e. AD Groups in one domain that contain AD users, computers or groups from another domain. To use AD Groups with Shopping, ensure that the Groups and the objects it contains belong to the same domain. Nested OUs, up to 5 levels deep, are supported but it does not support Groups within OUs.
Shopping supports implementations that span multiple domains. During installation, Shopping must be pointed at a Configuration Manager server which is used as its main contact. A Shopping Receiver must be installed on that server and on all other Configuration Manager site servers that Shopping interacts with. The Shopping Central and Shopping Receiver components may be installed on different domains but you must configure the DNS settings as follows:
Shopping is designed to cater for two types of multi-forest Active Directory configurations: root-level forest trusts and external trusts. Each trust type has different requirements for where Shopping components must be installed, and rules that must be followed when creating Shopping accounts and groups.
The AD forests may be single or multi-domain. Multi-domain considerations are decribed in Multi-domain configurations.
For both trust types, Shopping components are installed as follows:
When a root-level forest trust is used, install Shopping Central (Web, API and service) on the root domain of the forest. This is the forest where the Configuration Manager site used by Shopping as its central site is located. In this scenario, all domains in the trusted forest is accessible, in addition to all the domains in the local forest.
When an external trust is used, install Shopping central on the domain where the external trust originates. This is the forest where the Configuration Manager site used by Shopping as its central site is located. Shopping supports external trusts where these exist one-level down from the forest root domain. In this scenario, only the external trusted domain is accessible, in addition to the domains in the local forest.
Though Shopping supports the dual-forest domain scenarios illustrated above, there are specific restrictions on the configuration of groups to be used with Shopping and certain implications associated with the way that the domain and trust relationships work with it.
The Shopping Website is created under its own website using its own HTTP binding, it is not created under the default website. The Shopping Website binding uses a host header to differentiate its HTTP port from the default website. The host header is normally specified as the FQDN of the Shopping DNS Alias, which all users and computers accessing the Web Portal and Shopping API must use. Therefore choosing a suitable name for the DNS Alias is perhaps the most important design decision you will make.
Ensure that all clients using the Shopping system are able to correctly resolve the DNS Alias using their DNS lookup methods. This is typically why the FQDN of the DNS Alias is used.
In DNS, you can create a CNAME or Host (A) record. The example below uses a CNAME alias of SHOPPING for the host server ACME-SRV6.ACME.LOCAL which results in a host header FQDN of SHOPPING.ACME.LOCAL. In this case, the server's FQDN suffix is the same as the Alias FQDN's suffix, but they do not need to be the same.
When installing Shopping Central, the installer setting IISHOSTHEADER is used to configure the HTTP binding on the Shopping Website, and the Console settings for the Web URL and API URL. The Web URL setting is used in Shopping emails.
It is possible to manually add additional HTTP bindings to the Shopping Website. For example you can install using the server's DNS Alias FQDN, and then manually add a second HTTP binding for the DNS Alias without the suffix. This would allow users to access the Shopping Portal using either name.
Service Principal Names (SPN) are attributes of AD accounts. Servers and service accounts are able to automatically create and update their own SPNs if they have AD permissions. Normally server accounts have these permissions by default, therefore if a service is using Network Service built-in account, there is no need to create any SPN. However, user accounts typically do not have permission and you need to create or update the SPN manually using an account that does have the rights, such as a domain administrator account. You can create an SPN by editing the attribute directly in the AD service account object, or use the SetSPN utility. More information about SPNs can be found in Microsoft's knowledge base.
SPNs must exist for the HTTP host header for the following accounts:
The following is a example of how to create SPNs for the Shopping Central service account (assuming that the IIS application pools for Shopping have been configured to run as the Shopping Central service account, this is considered a non-typical configuration ).
setspn -s http/shopping ACME\svc_ShoppingCtrl setspn -s http/shopping.acme.local ACME\svc_ShoppingCtrl
The following is a example of how to create SPNs for the Shopping Central application pools. If the IIS application pools for Shopping use Network Service, then specify the server's machine account. (this would be the most common configuration)
setspn -s http/shopping ACME-SRV6 setspn -s http/shopping.acme.local ACME-SRV6
To determine if SPNs exist for the Shopping Central service account and Network Service on the server itself:
setspn -l svc_ShoppingCtrl setspn -l ACME-SRV6
More complex scenarios can be configured which requires in-depth knowledge of IIS, SPN and DNS configuration and are beyond the scope of this documentation.
You can use -a or -s with setspn. -s checks for an existing SPN before assigning a new one.
The following roles, role services and features must be installed/enabled as a minimum. The Name column is the reference used in PowerShell commands.
In the case of .NET Framework features we refer to 4.X in the Display Name, as X may be different depending on the server OS. The PowerShell Name always uses 45 instead of the actual version.
The following roles, role services and features should be removed/disabled.
The following PowerShell commands can be used to install relevant IIS roles and features on Windows Server 2012 R2 and later, and record the server configuration in a file.
Do this even if IIS is already installed because it will ensure all the required features and roles are installed.
SQL Server Native Client 11.0 is referenced in database connection strings as SQLNCLI11. It provides a suitable ODBC (OLE DB) driver that supports TLS 1.1/1.2 necessary for the MSI installer, and is not required for .NET Framework applications.
Also known as SQL Server 2012 Native Client you can download the installer (
sqlncli.msi) from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=50402, and then install the Client Components feature. This version supports SQL Server 2012, 2014, 2016 and 2017.
You can confirm the driver is installed using the ODBC Data Sources utility, as shown opposite.
If TLS 1.0 is disabled and you attempt to install without SQL Server Native Client 11.0 then the installer will fail with
Error 27502. Could not connect to Microsoft SQL Server ... SSL Security error.
If you are using a remote computer for any of the following, you must configure MSDTC on the Shopping Central server as well on the remote computer
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC] "FallbackToUnsecureRPCIfNecessary"=dword:00000000 "AllowOnlySecureRpcCalls"=dword:00000001 "TurnOffRpcSecurity"=dword:00000000 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security] "NetworkDtcAccess"=dword:00000001 "NetworkDtcAccessClients"=dword:00000001 "NetworkDtcAccessAdmin"=dword:00000000 "NetworkDtcAccessInbound"=dword:00000001 "NetworkDtcAccessOutbound"=dword:00000001 "NetworkDtcAccessTransactions"=dword:00000001 "NetworkDtcAccessTip"=dword:00000000 "XaTransactions"=dword:00000001 "LuTransactions"=dword:00000000