SCCM 2012 Application Catalog Cross-Forest (trusted) / Cross-Domain (trusted)

Do you know the Application Catalog from SCCM 2012? This web based (silverlight) software shop provides applications to users. A user can search applications and install them directly from the portal.

If the user accounts are not in the same domain as the Application Catalog Server, you have to authorize the “domain users” of the user domain on the Shop Server (otherwise you receive the message, that the website cannot be located).

On the SCCM Server with the role “Application Catalog web service point” and “Application Catalog website point” (recommended by Microsoft to install both roles on the same server), go to the following folder:


(This folder is used by default, when installing the role without changing the options)


In the Properties of this folder on the tab “Security”, add the “Domain Users” of the user domain.

You need the following rights:

Read & Execute
List folder contents


Unfortunately, this folder is not fully inherited! You will still receive a login popup… add the needed domain users at least to the folder following folders:

C:\Program Files\SMS_CCM\CMApplicationCatalog\Content\Images\AppIcons
C:\Program Files\SMS_CCM\CMApplicationCatalog
C:\Program Files\SMS_CCM

Take care, the shop website needs to be in the trusted sites of the Internet Explorer. You can configure this in the Client setting.

Good luck!


  1. Ryan

    I followed these steps and am still receiving the login popup when launching the application center.

    • Chris Greuter

      Hi Ryan

      Unfortunately I’ve checked again and yes, there is still the Login popup. The shop is working without entering login Information (on every popup just click ESC)… but it’s not nice 😦 –> I’ll check again and let you know as soon as I have a solution!

    • Chris Greuter

      Now it worked… I’ve changed the blog. The problem was, that the folder SMS_CMM is not inherited throug all directories… after giving the right permissions to the folder “AppIcons” it worked… looking forward to your feedback if it works for you too…

  2. Ryan

    Unfortunately after granting access to the AppIcons folder I am still receiving the popup. Here is my scenario: CM12 and computer objects in domain A. User accounts in domain B and domain C. I have granted both domain user groups to the AppIcons and SMS_CCM folder and both to the Users local security group (noticed that you removed that section…is it not needed then?). I also verified that the shop site is a trusted site via the client.

    • Chris Greuter

      I’ve checked once more and reinstalled everything… you need to add the domain users with read permissions to the following folders:

      C:\Program Files\SMS_CCM\CMApplicationCatalog\Content\Images\AppIcons
      C:\Program Files\SMS_CCM\CMApplicationCatalog
      C:\Program Files\SMS_CCM

      Kind regards

  3. Ryan

    We are in business now!!! Thanks for all the great info. This has been a good help.

  4. Ryan Holt

    Looks like you do not need to grant permissions to the SMS_CCM folder, only the CMApplicationCatalog folder. Additionally, the AppIcons folder needs it as well.

    Thanks for sharing!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s