How to securely publish a Click Once application

Rodney

I want to provide a small Click Once application to a small number of
selected users, when the application is published on an otherwise public web
server (I don't want everyone to have access to my application).

My first solution was to setup a virtual directory (the publish location)
with "Anonymous Access" turned off - setting up a special username and
password for it which I give to my selected users.

The users then 'log on' to the initial install page, and install the
application. However, subsequent running of the application should check
for any updates - but because the update location doesn't allow anonymous
access, the application fails to log on and assumes that its offline, so
continues to use the initial version, never downloading any updates.

What am I missing? How can you securely publish a Click Once application to
a public website?
 
I'm in the process of trying to do ClickOnce deployment/updates using forms
authentication. That way you can still have the website use anonymous access
for the updates
I will post back my results.
I have not been able to find anything via google where anyone talks about
this or gives examples.

I have also done an in-house only deployment using Integrated
Authentication. I wrote up how I did this along with gotchas on my blog.
http://www.thedatafarm.com/blog/PermaLink.aspx?guid=3d77e65b-4367-4408-b230-ce609fe9ed88
be sure to see the "Update about 2 hours later" at the bottom of the post .

julie lerman
 
just a quick update.

I'm stuck on the problem of the .exe and .application files not being
protected by ISAPI. So even with using forms auth to get to the publishing
page working properly, it is possible to browse directly to the setup.exe
and app.application files without being authenticated.

I have tried to map those extensions, but there is something not working
with that process - even for a .GIF file.

I'll be back...

julie
 
fyi: this is the official word (from the msdn documentation) on deploying
click once securely:
"Therefore, if you are deploying offline applications (ClickOnce deployments
in which you enable 'The application is available offline as well (launchable
from Start menu)' on the Publish page), any authentication scenario besides
Windows NT authentication is unsupported. An acceptable solution would be to
allow any user to install the application, but have the client application
authenticate the user by means of Web services at activation."

I will, however, figure out how to do it with forms authentication! :-)
 
I think I've got it worked out. I'm still just having one problem that is
unrelated - the server won't serve up .exe files over the web. I'm having
the I.T. guys see if the ISA Server is responsible.

So...

I shifted things around in the site to make life easier.

I created a folder called protected and copied the folders, the manifests
and the setup.exe into there.

I marked that folder to deny all anonymous users. Then to ensure that the
non asp.net files (eg app.application, setup.exe) would participate in forms
authentication, I added a mapping. See "Securing Non-ASP.NET Files" in this
quickstart page:
http://www.asp.net/QuickStart/aspnet/doc/tipstricks/default.aspx

It's not deployed yet, but looks like it's doing what I want.

Let me know how this works for you.

Julie
 
Rodney

An additional test showed that sticking everything in a protected folder
made setup unhappy. I fiddled around with it and in the end, we must leave
the folder hierarchy intact.

Forms authentication, deny all anonymous users and the mime setting to add
non-asp.net apps to the forms authentication protection looks like the right
combination.

still testing

julie
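The combination Julie describes in the two posts above (forms authentication, deny anonymous users on the deployment folder, and mapping the non-ASP.NET ClickOnce file extensions to ASP.NET so they are covered by that rule) looks like this in a site-root web.config. This is an added illustration, not Julie's actual file or anything from the MSDN quickstart. It assumes the ClickOnce publish output sits unchanged under /protected/ (the folder hierarchy Visual Studio generated, as the post says it must be), that the login page is Login.aspx, and that in IIS Manager the extensions .application, .manifest, .deploy and .exe have already been mapped to aspnet_isapi.dll, with the ClickOnce MIME types (application/x-ms-application for .application, application/x-ms-manifest for .manifest, application/octet-stream for .deploy) registered in IIS. Those IIS-side steps are not expressible in an ASP.NET 1.1/2.0 web.config and are only referenced in comments.

```xml
<?xml version="1.0"?>
<!-- Added example web.config (site root). Assumptions, not from the thread:
     login page is Login.aspx; ClickOnce files live under /protected/;
     .application, .manifest, .deploy and .exe are mapped to aspnet_isapi.dll
     in IIS Manager ("Securing Non-ASP.NET Files"); MIME types set in IIS. -->
<configuration>
  <system.web>
    <!-- Forms authentication for the whole site. The site itself stays open
         (allow users="*") so the initial publish page is reachable. -->
    <authentication mode="Forms">
      <forms name=".CLICKONCEAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="60"
             slidingExpiration="true" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>

    <!-- Once IIS hands these extensions to ASP.NET, serve them with the
         static-file handler. UrlAuthorizationModule runs before the handler,
         so the <location> rule below is enforced for these files too. -->
    <httpHandlers>
      <add verb="GET,HEAD" path="*.application" type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.manifest"    type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.deploy"      type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.exe"         type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>

  <!-- Only the deployment folder denies anonymous users ("?"). Without the
       IIS extension mapping this rule would protect .aspx pages only, and
       setup.exe / app.application would still be downloadable directly,
       which is exactly the problem reported earlier in the thread. -->
  <location path="protected">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two practical checks before relying on this: request /protected/app.application directly in a fresh browser session and confirm you get redirected to Login.aspx rather than the manifest; then log in, install, and confirm the installed application's update check still succeeds. For the second check the login page has to issue a persistent cookie (in C# that is the second argument of FormsAuthentication.RedirectFromLoginPage(userName, true)), because the update check is done by the ClickOnce runtime rather than by the browser tab the user logged in with. That persistent cookie sitting in the Internet Explorer cookie store is the risk the MSDN text quoted later in this thread is warning about, so weigh it against the MSDN-recommended alternative of an open download plus authentication through a web service when the application starts.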
 
I realize I left out a key part of the quote. The reason WHY they don't
support forms authentication.

"However, ClickOnce uses persistent cookies; these present a security risk
because they reside in the Internet Explorer cache and can be hacked."
 