Re: How to securely publish a Click Once application

I think I've got it worked out. I'm still just having one problem that is
unrelated - the server won't server up exe files over the web. I'm having
the I.T. guys see if the ISA Server is responsible.

So...

I shifted things around in the site to make life easier.

I created a folder called protected and copied the folders, the manifests
and the setup.exe into there.

I marked that folder to deny all anonymous users. Then to ensure that the
non asp.net files (eg app.application, setup.exe) would participate in forms
authentication, I added a mapping. See "Securing Non-ASP.NET Files" in this
quickstart page:
http://www.asp.net/QuickStart/aspnet/doc/tipstricks/default.aspx

It's not deployed yet, but looks like it's doing what I want.

Let me know how this works for you.

Julie


"news.microsoft.com" <RodneyL@xxxxxxxxxxxxxx> wrote in message
news:%230CD5mcLGHA.3468@xxxxxxxxxxxxxxxxxxxxxxx
Hi Julie - thanks for the info at your two blog posts:
http://www.thedatafarm.com/blog/PermaLink.aspx?guid=3d77e65b-4367-4408-b230-ce609fe9ed88
http://www.thedatafarm.com/blog/PermaLink.aspx?guid=1b54b38b-a0be-4cda-a94f-7ed24183608c
Have you had any luck with a Forms Authentication solution yet?


"Julie Lerman" <jlerman@xxxxxxxxxxxxxxx> wrote in message
news:%23QZ1XLLLGHA.2416@xxxxxxxxxxxxxxxxxxxxxxx
fyi: this is the official word (from the msdn documentation) on deploying
click once securely:
"Therefore, if you are deploying offline applications (ClickOnce
deployments in which you enable The application is available offline as
well (launchable from Start menu) on the Publish page), any
authentication scenario besides Windows NT authentication is unsupported.
An acceptable solution would be to allow any user to install the
application, but have the client application authenticate the user by
means of Web services at activation."

I will, however, figure out how to do it with forms authentication! :-)


"Julie Lerman" <jlerman@xxxxxxxxxxxxxxx> wrote in message
news:e55qBwsKGHA.208@xxxxxxxxxxxxxxxxxxxxxxx
just a quick update.

I'm stuck on the problem of the .exe and .application files not being
protected by ISAPI. So even with using forms auth to get to the
publishing page working properly, it is possible to browse directly to
the setup.exe and app.application files without being authenticated.

I have tried to map those extensions, but htere is something not working
with that process - even for a .GIF file.

I'll be back...

julie


"Julie Lerman" <jlerman@xxxxxxxxxxxxxxx> wrote in message
news:Oo6lSzmKGHA.1508@xxxxxxxxxxxxxxxxxxxxxxx
I'm in the process of trying to do ClickOnce deployment/updates using
forms authentication. That way you can still have the website use
anonymous access for the updates
I will post back my results.
I have not been able to find anything via google where anyone talks
about this or gives examples.

I have also done an in-house only deployment using Integrated
Authentication. I wrote up how I did this along with gotchas on my
blog.
http://www.thedatafarm.com/blog/PermaLink.aspx?guid=3d77e65b-4367-4408-b230-ce609fe9ed88
be sure to see the "Update about 2 hours later" at the bottom of the
post .

julie lerman

"Rodney" <RodneyL@xxxxxxxxxxxxxx> wrote in message
news:OCEZPDRKGHA.604@xxxxxxxxxxxxxxxxxxxxxxx
I want to provide a small Click Once application to a small number of
selected users, when the application is published on an otherwise
public web
server (I don't want everyone to have access to my application).

My first solution was to setup a virtual directory (the publish
location)
with "Anonymous Access" turned off - setting up a special username and
password for it which I give to my selected users.

The users then 'log on' to the initial install page, and install the
application. However, subsequent running of the application should
check
for any updates - but because the update location doesn't allow
anonymous
access, the application fails to log on and assumes that its offline,
so
continues to use the initial version, never downloading any updates.

What am I missing? How can you securely publish a Click Once
application to
a public website?











.

Relevant Pages

  • Re: Fax Alerts
    ... Server" and choose Properties. ... Click the Authentication button. ... Anonymous access ... Granted SBS Server External IP Address ...
    (microsoft.public.windows.server.sbs)
  • SharePoint Anonymous Access Problem
    ... I have used the Server Admin username/password, ... Access control and turning off Enable anonymous access and unchecking ... Authentication to Basic Authentication ...
    (microsoft.public.sharepoint.portalserver)
  • Re: HTTP 401.3 error: Please help - Urgent.
    ... Is this really WHAT IS CAUSING AUTHENTICATION ... PROBLEMS in my server? ... > was that several critical windows updates were pushed by our network ... > Does this have anything to do with the IUSR_Machinename account? ...
    (microsoft.public.inetserver.iis)
  • Re: Forms Based Auth & Anon. Pub Folder Access
    ... > We've enabled Forms based Authentication on our Ex2k3 server for OWA. ... I need to allow Anonymous access to some calendars in the Public ... virtual server that doesn't have Forms based auth enabled, ... on just a virtual directory, so that the authentication access for another ...
    (microsoft.public.exchange.admin)
  • Re: WebDav Component....urgent
    ... it is looking for NTLM authentication, ... configure anonymous access in the web site properties ... I used> wfetch in the server itself as it is a test server. ... >>> I used a script to install a Windows 2000 server with ...
    (microsoft.public.inetserver.iis.security)
Loading