|
|
Comments and Discussions
|
|
 |
|
Hi,
I thinking of using the strong name solution to the security problem my app is having because it is being deployed in a shared network server.
I create the strong name, added to my assembly file, and now plan on creating code group on the network server.
2 questions:
Do I need to reboot network server after I make code group change?
Do I still need to create a MSI script to be run on each client server?
Thanks in advance,
mccalla
|
|
|
|
|
Sorry I am just responding now. I did not get the notification when you posted your question.
I would guess you have already figured out the answers to you questions.
You asked:
Do I need to reboot network server after I make code group change?
No, there is no need to reboot the network server after the code group change.
Do I still need to create a MSI script to be run on each client server?
Yes, each client needs to trust the strong name so it will have the proper trust level when it accesses something on the network share.
Ben
|
|
|
|
|
We have a web application,from there we want to invoke an exe.So it results in the same security error.Even though we had done this the security problem occurs.Any Solutions???
C.Babu
|
|
|
|
|
Most of the time, if you still get the security error it is one of two things.
First, you didn't create the msi script correctly.
Second, you don't have admin rights on the PC that you ran the MSI script on.
My guess is that you don't have admin rights on the PC you ran the MSI script on. You don't get any indication that the MSI script didn't work. It just runs, but when you are not the admin it can't do anything since you don't have rights.
I hope that helps.
Thanks,
Ben
|
|
|
|
|
Hi there,
I've followed the process as you've described, created the code group, then created the MSI, and ran the MSI on a machine with administrator rights, and the could see the entry in the security.config file, and the application on the network share ran perfectly.
Then I ran the MSI on a machine without administrator rights. I received no errors when the installation ran. The applicatition on the share still failed with a security error, and when I checked the security.config file on this machine, there was no entry for the new code group to be found.
Should I expect this to work?
|
|
|
|
|
Hello,
When you run the MSI script on the PC you must run it as an admin. Otherwise the script really doesn't do anything. There are some active directory ways of pushing out msi scripts to all PC's. A Network admin would probably have a better idea how to do that. Hope that helps.
Ben
|
|
|
|
|
Thanks for putting this together Ben. Definitely helps. Figured I'd add an extra piece to the puzzle for anyone interested.
This piece of code (which I cannot claim for myself) allows you to programmatically add your new codegroup to the machine policy settings. If you host your app on a server, throw this into a simple app and run it on each workstation using your method of choice.
Dim publicKey As Byte() = {0, 36, 0, 0, 4, 128, 0, 0, 148, ..., 41, 17, 223, 92, 180, 207, 31, 78, 6, 193}
Dim machinePolicyLevel As PolicyLevel = Nothing
Dim ph As System.Collections.IEnumerator = SecurityManager.PolicyHierarchy()
While ph.MoveNext()
Dim pl As PolicyLevel = CType(ph.Current, PolicyLevel)
If pl.Label = "Machine" Then
machinePolicyLevel = pl
Exit While
End If
End While
If machinePolicyLevel Is Nothing Then
Return
End If
Dim codeGroup As CodeGroup
Dim machineCodeGroupRoot As CodeGroup
For Each codeGroup In machinePolicyLevel.RootCodeGroup.Children
If codeGroup.Name = "My Group" Then
MsgBox("Permissions Exists")
Return
End If
Next codeGroup
Dim permSet1 = New NamedPermissionSet("FullTrust")
Dim key As New StrongNamePublicKeyBlob(publicKey)
Dim membership1 = New StrongNameMembershipCondition(key, Nothing, Nothing)
Dim policy1 As New PolicyStatement(permSet1)
Dim codeGroup1 = New UnionCodeGroup(membership1, policy1)
codeGroup1.Description = "This is a description."
codeGroup1.Name = "My Group"
machinePolicyLevel.RootCodeGroup.AddChild(codeGroup1)
SecurityManager.SavePolicy()
Enjoy! And I too am a born again Christian who has accepted Christ as my Savior and He is the ONLY way to Heaven. Thanks for being bold Ben!
|
|
|
|
|
Thanks for posting this code. I am sure there is an assumption that the user running this code is an Admin on the box. It is nice to know another way of doing things.
In Christ,
Ben
|
|
|
|
|
Yes, you are correct. An admin will need to run this. Thanks for clarifying that. We're a pretty large installation and we'll probably push this out via SMS or however the windows admins will want to do it. 
|
|
|
|
|
Great article!
For people using VS 2005, there is actually now an easier way to sign an Assembly.
Just open the property window for the project, and click on the the Signing tab. Then select "Sign the assembly", and choose the key file from the dropdown list.
There is are also options for specifying a password for the key file and for delayed signing on this tab.
Just thought I would mention this..
|
|
|
|
|
I'm glad you mentioned this. Thought I'd add my 2 cents regarding what I found. It appears that there is a number of differences with the security between 2003 and 2005. Using a couple highly simplistic apps, the one's created with 2003 would not run at all (without adding security), but the 2005 apps would. For example, I had an app that I created in VB.NET 2003 which had two forms containing some buttons and text boxes and that was it. I compiled it and attempted to run it from a shared network drive. It failed to run (debug stated it was failing at the end of sub new(). Interesting. Then I converted it to 2005 and attempted to run it from the same network drive. It actually ran. Very interesting. (I hope I explained that ok).
So what does this mean? Probably not much, but thought I'd share it with you. M$ definitely has revamped a lot of the security settings in 2005/2.0. I'm still going to have to stick with 2003 since we don't have framework 2.0 on all clients. However, I'm having to write to a temp file on the client, so I'm going to have to have a codegroup anyway.
Blessings,
Mark
|
|
|
|
|
Hi everyone
I'm totally new to .Net and the company I work for are now making the move from vb6 to vb.Net. The code using the OpenFiles.exe sound more or less like what we need but it's a little over the top for me at this moment.
Basically I want to create a textfile log of all shared files accessed (over the network), when, for how long and by whom. So far your code is the closest I got to a solution.
Any suggestions or useful links I can follow?
Thanks!
woNTioD - 3vlndl3
|
|
|
|
|
Well, unfortunatly the openfiles.exe will only tell you that someone is in the files. You would probably need to write something that kept track of when the user first accessed the file and when they got out.
If you install the openfiles service on the network file share it will start to produce an XML file (which is a .net dataset) every minute that contains who is in what file. They overwrite after 60 minutes. The client app I wrote to go with it reads in the xml file and displays it.
So if you want to know when someone started looking at a file and how long they had it open, you would have to write some code that would process the xml file outputs and write out the correct txt files you need.
Sorry if this wasn't very helpful, I suppose sooner or later you will have to dig in and learn .net.
Ben
|
|
|
|
|
Why would you mix religion with technology in your article.
How lame would it sound if i put the following at the end of every one of my emails.
On a personal note I am a born again Muslim, if anyone has any questions about what it means to have a right relationship with Allah or if you have questions about who Mohammed is, send me an e-mail. spiritual_solicitor@inyourface.com My relationship with Allah gives purpose and meaning to my life, because of course, my relationship with my wife, kids, family, friends, and peers isn't enough.
|
|
|
|
|
Dear Anonymous,
Thanks for your note. I am sorry if my personal bio offends you. Still I make no excuses for it. The whole point of having a personal bio is so that you get to know someone a bit better. I can honestly say that as much as I enjoy programming, my relationship with God is so much more important. Yes even more then my wife, kids, friends. And you are correct that I believe that as much as I love and care for (wife, kids, friends) they can never satisfy me the way my relationship with God does.
Let me ask you this. If you found the Truth and it changed your life, wouldn't you want to share it with others? How could you keep your self from sharing what has happened in your life. I have always from an early age needed to know what is life all about? What is my purpose? I can tell you that only by a right relationship with God have I come to know True Peace and fulfillment. I can't help but say something so that others may know this same joy.
I wish you a blessed Ramadan and pray that as you seek God, He will reveal to you who Isa truly is, Son of God and Savior.
Ben
|
|
|
|
|
I've tried this with a small Managed C++ console app. I could never get the importing of the strong name to work. I allways get a error complaining about an invalid assembly. However running:
sn -v myprog.exe
Says the assembly is valid!
Has anyone else run into this?
Thanks.
Nigel Atkinson
"Land a'hoy!" * CRASH * "I should av said that sooner eh?" - Eckles, The Goon Show
|
|
|
|
|
First I should tell you up front that my C++ skills leave something to be desired. So take my advise for what it is worth, which is pretty much just guessing. Anyway, I was guess that the part of the C++ code where you attach the strong name key to the C++ assembly isn't quite working. There you have it my best guess.
Ben
|
|
|
|
|
|
I am glad you figured the strong named key thing out. I am sure your hard work will benefit others. Thanks for letting us know what happened.
Ben
|
|
|
|
|
I have developed a Windows.Forms.UserControl, which is embeded in a Web page in Internet Explore. To work this control properly I have to create a group in Runtime Security Policy and give this group a permission set with granted 'Allow calls to Unmanaged Code' and 'Assert any permission that has been granted' permissions. When the Membership Condition is set with URL condition type, my control works as expected. But the case isn't the same when I have used the Strong Name condition type. IE just not activate the control, without any error messages or exceptions. In order to sign my assembly with strong name, I have created key pair with 'sn -k keypair.snk' command line, and added '[assembly: AssemblyKeyFile(@"..\..\keypair.snk")] line to my source code. After that I have verified the signature with 'sn -f ' comman line and it has told me that my assembli is valid. Can anybody explain me what is wrong?
|
|
|
|
|
First I will tell you straight up that I don't know the answer. Still I have some thoughts. Even though the assembly has a strong name you still need to create a code group where the strong name key is marked as trusted. Next it seems that every user that might access the page that uses that control may need to have that code group installed. If it is not running there then the web server itself would probably need the code group for the assembly to be marked at trusted.
Anyway, those are my thoughts. I hope they help you find the solution.
Ben
|
|
|
|
|
Ben, thanks for the replay,
I have found the solution in
http://www.dotnet247.com/247reference/msgs/18/92236.aspx
Namely, adding the attribute
[assembly: AllowPartiallyTrustedCallers()] in AssemblyInfo.cs of my Control has resolved the problem. Really I don't know exactly why. Not yet.
Georgi
|
|
|
|
|
I am new to vb.net but have written apps in vb6 which run from a central server. However have tried both part 1 and 2 suggestions without success. The debugging routine always points to the line which accesses an ini file. This file lives in the same folder on the server as the .exe
I need to use ini files to allow other users to easily edit settings. The registry is not an option.
What else do I need to do?
|
|
|
|
|
I guess first I need to ask if you are working on your local pc? If you are then you need to double check the code group you set up. You probably have an error. You may not have set full trust. You might have not put a * in the network path name.
Now if it is working on your local PC, but not on a users PC. The issues I have seen are:
.net framework not loaded on a users PC. Load the .net framework.
They ran the MSI script, but it didn't add the code group. This usually happens when the user does not have admin rights to their own PC. Someone with admin rights must run the MSI script for them. You can use the RUNAS. I have also seen where after running the MSI script the User needs to log out and then log back in again.
I hope that is helpful.
Ben
|
|
|
|
|
thanks for the speedy reply
I cannot get it to work from a network drive back to my development laptop as well as to another client PC. All systems have the .net framework.
In the code group I used file://ip address/folder/* and also tried file://ip address/folder/applicationname.exe
I have full access to the network folder as I copy the .exe there.
I have double checked and full trust is set and I have admin rights on my laptop.
mike
|
|
|
|
|
I have not tried to use an IP address in the file path. I don't see why it would make any difference. I do know that it took a while to figure out that the format needed to be file://SERVER/Folder/*
Normally if you were accessing a file or folder from an internet browser you would have three slashes. file:///, but that does not work. So I would try replacing the ip address with the server name and see if it makes a difference. One other thing, the network folders are marked as shared directories.
Good luck.
Ben
|
|
|
|
|
Been away for a few days so only got back to retrying this morning.
The folders were shared. I added a strong name to the assembly.
No joy.
So in the end I ran on the client PCs the .NET Framework Wizard and used the Trust Assembly option. Selecting the .exe on the server (network drive) the Wizard showed it as untrusted. Changed the option to trust and it now works. 
Thanks for the help.
mike
|
|
|
|
|
Well, I am glad you got it working anyway. Too bad I not just next door, or I would drop in and see if I could help you figure out what is going on with marking the network share as fully trusted. At least you got it working. Have a good day.
Ben
|
|
|
|
|
Great article - I've used the strong name method and found it works well. Makes rolling out a new version much earier.
However, I recently developed an app that uses a 3rd party component (the Janus GridEx) and found that although my app would start, it would throw an exception as soon as a window containing a grid object opened.
If I changed the security policy to use URL (rather than strong name) then it worked ok.
Didn't investigate it much further but I guess it would mean that I'd have to add a code group for the strong name of the grid (and any other components that my app used). Does this sound right or am I missing something?
Mike
|
|
|
|
|
Mike,
I believe you are correct. It is common that a 3rd party component would have a strong name and then would need to be marked as trusted as well.
Ben
|
|
|
|
|
You said you had written an app that can do this on the server. Can it do it if it is a peer-to-peer and do you have any examples or suggestions on how to do this?
Thanks
jinksk
|
|
|
|
|
I am not sure what you mean by peer to peer. If it is an application that resides on a server then it will work. I haven't tried it, but I am pretty sure it could work with a desktop as well. I am in the process of writing the article along with full source code example. Currently I am hoping it will be ready for next week to post it on this site.
Ben
|
|
|
|
|
You wrote:
"I have written an app that allows you to see all the files on a network server and who has those files open."
Do you have any examples or suggestions on how to do this? We need to do something VERY similar to what you have done and we need all the guidance we can get. No one here has been using .NET for more than 8 months and unfortunately, that's me! 
Any web sites or books you can suggest would be appreciated.
WeTheUncaringLeadByTheUnknowing
jinksk
|
|
|
|
|
Unfortunately, I just sort of figured it out by digging through microsoft's site. Like I said in my other response, I hope to have the article finished next week and posted to this site.
Ben
|
|
|
|
|
Hi,
Thx for this clear article. I have also played with "Smart client" and i've found a problem when you try to launch a .NET EXE from IE (http://mydomain/myprogram.exe), even if you declare it with a strong key. IE can host your program if you add a specific attribute in Assembly.cs : [assembly: AllowPartiallyTrustedCallers]
Regards
Xavier
Andeol - Sophia Antipolis France
|
|
|
|
|
Hello,
I played with that as well. It seemed you needed to go into your browser and mark that http://mydomain/ as a trusted site for that to work properly. At least that is how I remember it. It was a while ago that I played with that. Thanks for you comment.
Ben
|
|
|
|
|
Thanks so much. Got my '5'.
-Kevin Buchan
|
|
|
|
|
|
|
 General  News  Suggestion  Question  Bug  Answer  Joke  Rant  Admin
Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.
|
Using MSI or a Strong name to store .NET apps on a network server (Part 2).
| Type | Article |
| Licence | CPOL |
| First Posted | 7 Jun 2005 |
| Views | 76,290 |
| Bookmarked | 33 times |
|
|
Submit an article or tip
Post your Blog
as the process is almost identicle as VB and C#. 
