Installing App Portal / App Broker

App Portal / App Broker 2025 R1

To install the App Portal / App Broker web site, perform the following steps.

note

You need to be an administrator to run this installer. To run as an administrator, you can right-click the installer file and select Run as administrator from the context menu.

Starting with App Portal 2013, your deployment technology is no longer specified during installation. Instead, you specify your deployment technology connection settings on the Deployment tab of the Settings view, as described in the App Portal / App Broker Administration Guide.

To install the App Portal / App Broker web site:

  1. To start the App Portal / App Broker installer, launch AppPortalSetup_2025_R1.exe.
    note

    If OLE DB Driver 18 for SQL Server 18.3.0.0 (x64) is not already installed on your machine, you will be prompted to install it before installation begins. As this is a prerequisite, click Install.

  2. The Welcome panel opens. Click Next.
  3. Click Next. The License Agreement panel opens.
  4. Read and accept the license agreement and click Next to continue. The Destination Folder panel opens.
  5. Accept the default destination or click Change and select a different location. Click Next to continue.
  6. Click Next. The Database Server panel opens.
info

Only Windows authentication is supported when connecting to the App Portal SQL Server database. Therefore, the account running this installer needs DBO permissions to that SQL Server.

If Microsoft Entra ID is chosen as the IAM, Windows Authentication is not supported; the connection instead uses Active Directory Integrated Authentication with Trust Server Certificate enabled.

  7. Enter the name of the database server that you are installing to or select it from the list.
    • If you are using a specific database instance (other than the default instance), enter the database server and SQL instance in the following format:

      <SERVERNAME>\<INSTANCE>
info

Do not use (Local) as a database name.

  8. In the Name of database catalog field, enter the name of the new App Portal database that will be created by this installer, or click Browse to select an existing catalog.

  9. Click Next to continue.

  10. If you are creating a new database catalog, a message appears stating that a new database catalog will be created. Click OK to continue. The Logon Information panel opens.

  11. A user account is required to interact with Active Directory and SQL. This same account will be used for the App Portal service. The account requires administrative rights on clients to make use of the remote policy execution and to rerun advertisements. In the User name field, enter user account information in Domain\Username format, along with a Password.

    note

    Enter the credentials that App Portal will use to communicate with System Center Configuration Manager and other deployment technologies, SQL Server, Active Directory, and clients. This must be the same account, so it is recommended that you use a dedicated service account. This account must also have administrator rights on all client machines.

    note

    If a Microsoft Entra ID user (Domain\Username) is provided in the User name field, clear the Validate account and password check box to skip user validation. Note that the Domain value can be a dummy value.

  12. Click Next to continue. The App Portal Settings panel opens.

  13. In the Select Authentication Type drop-down field, select one of the following:

    • Windows Authentication

    • If you select Windows Authentication, follow the steps described in points 14 to 21 to proceed with the process.

    • Single Sign-On

    • If you select Single Sign-On, enter the following details in the respective panel.

      • In the Microsoft Graph URL field, enter the Microsoft Graph URL.
    note

    By default, this field is pre-populated with the value https://graph.microsoft.com. This field can be configured with a country-specific Intune Government URL. For example, for US government the URL will be https://graph.microsoft.us.

    • In the Azure Authentication URL field, enter the Azure authentication URL.
    note

    By default, this field is pre-populated with the value https://login.microsoftonline.com. This field can be configured with a country-specific Intune Government URL. For example, for US government the URL is https://login.microsoftonline.us.

    • In the Tenant ID/Tenant Name field, enter the Tenant ID or the Tenant name.

    • In the Client ID field, enter client ID.

    • In the Client Secret field, enter client secret.

    • In the Principal ID field, enter the principal ID.

    • The check box Validate the access role permissions for Microsoft Entra ID is checked by default. This checks if the required role permissions are provided and valid to access the Microsoft Entra ID.

    • After entering the above details, click Next. A popup will appear with one of the following messages:

      • If the Validate the access role permissions for Microsoft Entra ID check box is selected, a popup will appear with the message: EntraID configuration settings are valid. Required permissions are successfully validated.

      • If the Validate the access role permissions for Microsoft Entra ID check box is not selected, a popup will appear with the message: EntraID configuration settings are valid.

    • Click OK to continue. In the next Single Sign-On Configuration details panel, enter the following details:

      • In the Client ID field, enter the Client ID provided by your identity provider platform.

      • In the Client Secret field, enter the client secret provided by your identity provider platform.

      • In the Authorization end point field, enter the URL provided by your identity provider platform.

      • In the Call back Url field, enter the following URL:

        http://YOURAPPPORTALSERVER/esd/oauth2SignOn.aspx?MethodToInvoke=CallBack

      • In the Scope field, enter the URL provided by your identity provider platform.

      • In the Profile end point field, enter the URL provided by your identity provider platform.

      • In the Token end point field, enter the URL provided by your identity provider platform.

    • After entering the above details, click Next. Click OK to agree to the confirmation dialog that appears.

    • Follow the steps described in points 14 to 21 to proceed with the process.

  14. In the DNS Alias (A-Record) field, enter one of the following:

    • If you have already created a DNS alias for the identity of the site, enter it in this field.
    note

    If you enter an alias, it needs to already be created on your DNS servers. The App Portal installer will not create it for you.

    note

    If you specify an alias, a DNS A-RECORD for that alias must be created in order to access the App Portal site. It is important that the alias be a DNS A-RECORD, and not a CNAME record.

    • If you do not want to use an alias, you can accept the default value, which is the server machine name.
    note

    If you specify the server machine name, you do not need to create a DNS A‑RECORD because one already exists for the server.

After installation, you can edit the DNS Alias value on the General tab of the Site Management > Settings > Web Site view.

  15. In the AD Global Catalog Server field, confirm or enter the server value.

    note

    If Single Sign-On Authentication is selected, the AD Global Catalog Server field will be empty.

  16. In the SMTP Server field, enter the name of the SMTP Server that will be used for relaying email.

    note

    You may need to configure the SMTP server internally to accept relay from this server’s IP address.

    note

    You can also enter the mail settings after installation on the Site Management > Settings > Email view.

  17. In the SMTP Account field, enter the SMTP account name.

  18. For the Computer Discovery Method, select one of the following options to specify the method used to discover the active machine visiting the App Portal site:

    • WebExtensions—If WebExtensions is selected, an administrator must ensure that the respective WebExtensions installer has been deployed and installed on each user's machine. A link to the installer is provided in the description provided next to the Primary computer discovery method field.

    • Reverse DNS—Uses the reverse DNS zones in Active Directory (if present) to look up the computer name by IP address.

    note

    If you select Reverse DNS, every computer in your DNS will be discovered, not just those in SCCM. It only searches the Active Directory DNS, so if you have other DNS providers, it will not work.

  19. Click Next. The Ready to Install the Program panel opens.

  20. Click Install to begin the installation. When installation is complete, the Completed panel opens.

  21. Click Finish to close the installer.

note

Verify that the ASP.NET State Service is running and that its startup type is set to Automatic.
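
The following script checks three requirements stated in the procedure above: that the session is elevated, that the DNS alias resolves through an A record rather than a CNAME, and that the ASP.NET State Service is running with Automatic startup. It is an added example, not part of the product documentation; the alias appportal.example.com and the function names are placeholders chosen here, and aspnet_state is the Windows service name of the ASP.NET State Service.

```powershell
# Added example, not part of the product documentation.
param(
    [string]$Alias = 'appportal.example.com'   # constructed placeholder alias
)

function Test-IsAdministrator {
    # The installer must be run by an administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AliasRecordType {
    param([Parameter(Mandatory)][string]$Name)
    # Ask DNS for A records. When the name is a CNAME, the answer section
    # carries the CNAME record together with the A record of its target.
    $answers = @(Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Section -eq 'Answer' })
    if ($answers.Count -eq 0) { return 'Missing' }
    if ($answers | Where-Object { $_.Type -eq 'CNAME' }) { return 'CNAME' }
    'A'
}

function Get-StateServiceProblems {
    # aspnet_state is the Windows service name of the ASP.NET State Service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='aspnet_state'"
    if (-not $svc) { return @('service not installed') }
    $problems = @()
    if ($svc.State -ne 'Running')  { $problems += "state is $($svc.State)" }
    if ($svc.StartMode -ne 'Auto') { $problems += "startup type is $($svc.StartMode)" }
    $problems
}

$failed = $false
if (-not (Test-IsAdministrator)) {
    Write-Warning 'Not elevated: run the installer with Run as administrator.'
    $failed = $true
}
$recordType = Get-AliasRecordType -Name $Alias
if ($recordType -ne 'A') {
    Write-Warning "DNS alias ${Alias}: expected an A record, found $recordType."
    $failed = $true
}
$serviceProblems = @(Get-StateServiceProblems)
foreach ($p in $serviceProblems) {
    Write-Warning "ASP.NET State Service: $p."
    $failed = $true
}
if ($failed) { exit 1 } else { Write-Output 'All checks passed.' }
```

Run the DNS and elevation checks before starting the installer and the service check after step 21; pass the alias you entered in step 14 with -Alias.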