Authenticated access to Clickonce install.

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi,

I would like to limit access to a Clickonce install, hosted on a Http://
Internet site, to only authenticated users. These user's are outside my
orginization. Therfore logged-in identities and ACLs not options for me.

Two questions: Are there any pitfalls to this type of deployment scenerio,
and how would I implement such functionality?

Thanks for any and all feedback.
 
Hi Kenneth,

If you want to control which deployments each user can access, you should
not allow anonymous access to ClickOnce applications deployed on a Web
server. Rather, you would allow users access to the deployments you have
installed based on a user's identity (using Windows NT authentication).

If you deploy to an environment without Windows NT authentication, a
possible solution could be to attempt using ASP.NET form-based
authentication to authenticate the user.

However, ClickOnce does not support forms-based authentication because it
uses persistent cookies; these present a security risk because they reside
in the Internet Explorer cache and can be hacked. Therefore, if you are
deploying ClickOnce applications, any authentication scenario besides
Windows NT authentication is unsupported.

You can enable Windows Authentication for the web site of the ClickOnce
application using IIS manager.
Are there any pitfalls to this type of deployment scenerio
Click to expand...

As I have mentioned above, the only pitfall to this type of deployment is
that only Windows NT authentication is supported.

Sincerely,
Linda Liu
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thanks Linda, you've confirmed the ASP.NET form scenerio that I 'm leaning
toward.

As a follow up, the authentication model I want to use is as follows:
1. Customer contacts service for access key.
2. Access key is generated and emailed to customer.
3. Customer accesses and installs code.
4. Access key becomes invalid.

My question now becomes: how, if at all, is the hacking risk you identified
changed or possibly eliminated? If the risk still exists, would you explain
more specifically the details of the risk?

Thanks

--
Kenneth Lemieux
Project Engineer
Whelen Engineering Co., Inc.
 
Hi Kenneth,

Thank you for your prompt response and detailed feedback!

I do more reading and get more information about ClickOnce authorization.

ClickOnce only support Windows authorization internally so far. But
there're some workarounds in the case that we can't use Windows
authorization, e.g. custom authorization, using query string parameters and
etc.

There's a good article discussing this topic in the 'Limiting Access to
ClickOnce Applications' section. The following is the link of this article:

http://msdn2.microsoft.com/en-us/library/aa480721.aspx

Hope this helps.

If you have any question, please feel free to let me know.

Sincerely,
Linda Liu
Microsoft Online Community Support
 
Hi Kenneth,

How about the problem now?

If you have any question, please feel free to let me know.

Thank you for using our MSDN Managed Newsgroup Support Service!

Sincerely,
Linda Liu
Microsoft Online Community Support
 
Back
Top