Trouble deploying a VSTO Word 2010 template (document) solution

  • Question

  • Hi,

    again, I'm not sure this one is really a developer question, but again, I know I get the good answers here :-).

    I am having trouble deploying a VSTO Word 2010 template (document) solution. Users get the following certificate error message when they are trying to create a new document based on the template:

    Some facts:

    1. The solution is intended for click-once-deployment
    2. The solution is not signed with any authenticated certificate
    3. It shall run on Windows 7 64-bits
    4. It targets .net Framework 4.0 and is developed with VS 2010
    5. The template will be used with Microsoft Word 2010
    6. The VSTO application is copied to C:\Program Files (x86)
    7. The document file is copied to the Workgroup Templates folder
    8. The WorkGroup templates folder is a Trusted Location
    9. There is no entry in the registry for
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager
    10. I don't know if the prerequisites (that are stated as prerequisites in the solution) are installed on the client computer
    11. The template has the correct _AssemblyLocation path (EDIT /Peeter)

    As I read it, the above No 6 and No 8 should be sufficient to have the solution working:

    • http://msdn.microsoft.com/en-us/library/bb772072.aspx says: "Although the document itself is trusted by using the trusted locations, additional permissions are needed to trust the customization. You can grant full trust to the customization by using signing the manifests with a certificate, clicking the trust prompt, or installing the Office solution to the Program Files directory."

    Any comments are highly appreciated :-),

    Peeter

    Monday, February 18, 2013 9:13 PM

Answers

  • Yeah nah, that's not going to work. Even when you copy the published files to the Program Files directory you still haven't installed the application; the application is installed when the .vsto file is run. Read the article and its links; it's got a nice image showing what happens when the .vsto is run.

    As for the signing tab, have a read of this article. Signing code, or more correctly giving it a strong name, gives a component a unique identity which enables, amongst other things, the component to be placed into the GAC from where it can be referenced by other components.

    You don't have to sign your code and it has nothing to do with Certificates.

    Monday, February 25, 2013 11:11 AM

All replies

  • Hi Peeter,

    Thanks for posting in the MSDN Forum.

    Would you please tell me the publish location for further research?

    Have a good day,

    Tom


    Tom Xu [MSFT]
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Tuesday, February 19, 2013 4:56 AM
    Moderator
  • Hi Tom,

    it is published to a local user folder. Then we

    1) copy the structure to c:\program files (x86)\our sub folder\

    2) change the path in the template(document) to the above in the _AssemblyLocation docprop.

    I see now that under No 11 above, I falsely stated _AssemblyName. It should have said _AssemblyLocation.

    /Peeter

    Tuesday, February 19, 2013 8:41 AM
  • Hi Peeter,

    I'm afraid you didn't understand what I mentioned correctly. I need the value which you set in the red circle for the following dialog.

    Have a good day,

    Tom



    Wednesday, February 20, 2013 2:17 AM
    Moderator
  • Hi Tom,

    actually that was the information I gave you, here is a screenshot:

    Then we

    1) copy the structure to c:\program files (x86)\our sub folder\

    2) change the path in the template(document) to the above in the _AssemblyLocation docprop

    /Peeter

    Wednesday, February 20, 2013 8:16 AM
  • Hi pemok,

    Thanks for posting in the MSDN Forum.

    I don't think you need to change the _AssemblyLocation property. Let's try the following scenario:

    Click setup.exe for your click once deployment package.

    Copy the template document to the place you want to set (do not change anything).

    Double click the template document to see whether it will throw any exception.

    Have a good day,

    Tom



    Thursday, February 21, 2013 5:28 AM
    Moderator
  • Hi Tom,

    we have now tried this but it gives exactly the same error message as before, and it happens when executing the setup.exe.

    I understand why it complains about the certificate, but why doesn't it accept Program files (x86) as a trusted location.

    See below and previous screenshots.

    Article http://msdn.microsoft.com/en-us/library/vstudio/bb772072.aspx says:

    "Although the document itself is trusted by using the trusted locations, additional permissions are needed to trust the customization. You can grant full trust to the customization by using signing the manifests with a certificate, clicking the trust prompt, or installing the Office solution to the Program Files directory."

    And those requirements are fulfilled.

    /Peeter

    • Edited by pemok Friday, February 22, 2013 1:33 PM Update
    Friday, February 22, 2013 10:40 AM
  • I have also added the following keys to the registry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel]
    "MyComputer"="Enabled"
    "LocalIntranet"="Enabled"
    "TrustedSites"="Enabled"

    What more can I check/do?

    /Peeter

    Friday, February 22, 2013 1:37 PM
  • Do I need to buy a certificate that is distributed with the solution? It is a VSTO 2010 Word Document solution.

    Any comments are highly appreciated as I'm stuck,
    Peeter

    Sunday, February 24, 2013 7:03 PM
  • Hi,

    I understand your frustration with this as I have just gone through something similar.

    A certificate is needed as you have already discovered, but for it to be recognised as valid the issuer of the certificate must be trusted and this is only accomplished by the Certificate Authority. Creating a certificate yourself through Visual Studio or some other means will not work.

    Here's the spiel from Certificates help.

    Using the Certification Path tab, you can view the path from the
    selected certificate to the certification authorities (CAs) that issue the
    certificate.

    Before a certificate is trusted, Windows must verify that the certificate
    comes from a trusted source. This verification process is called path
    validation.

    Path validation involves processing public key certificates and their issuer
    certificates in a hierarchical fashion until the certification path terminates
    at a trusted, self-signed certificate. Typically, this is a root CA certificate.
    If there is a problem with one of the certificates in the path, or if it cannot
    find a certificate, the certification path is considered a non-trusted
    certification path.

    A typical certification path includes a root certificate and one or more
    intermediate certificates. By clicking View Certificate, you can also
    learn more about the certificates for each CA in the path

    So your certificate needs to be issued by a Certificate Authority, otherwise it won't be trusted. How do you do this? Well, in my environment the Infrastructure & Security guys created a certificate from our internal Certificate Authority store.

    When deploying your solution the certificate needs to be placed into the Certificates - Current User -> Trusted Publishers -> Certificates path.

    Opening your certificate you should be able to trace the certificate path up through the chain. The Certificate Authority who issued your certificate will be placed in either the Certificates - Current User -> Intermediate Certificate Authorities -> Certificate path or the Certificate - Current User -> Trusted Root Certification Authorities -> Certificates path depending on how many levels of Certificate Authorities you have.

    To view the certificates installed on your machine

    Start -> Run dialog - enter mmc

    File -> Add or Remove Snapins - select Certificates

    Hope this helps

    Monday, February 25, 2013 3:44 AM
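
The path validation and Trusted Publishers check described in the post above, as an added PowerShell example that is not part of the original thread. It assumes the solution's signing certificate has been exported to a .cer file (the path below is a placeholder) and also reads the PromptingLevel key quoted earlier in the thread.

```powershell
# Added example, not from the thread. $CertPath is a hypothetical placeholder:
# point it at the exported certificate used to sign the VSTO manifests.
param(
    [string]$CertPath = 'C:\Temp\MySolutionSigning.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Build the certification path from the leaf up to a self-signed root.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

'Certification path (leaf first):'
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    '  {0}  [issuer: {1}]  selfSigned={2}' -f $c.Subject, $c.Issuer, ($c.Subject -eq $c.Issuer)
}

if ($chainOk) {
    'Path validation succeeded: the chain ends at a trusted root.'
} else {
    # Typical statuses here: UntrustedRoot, PartialChain, NotTimeValid.
    foreach ($status in $chain.ChainStatus) {
        'Path validation problem: {0} - {1}' -f $status.Status, $status.StatusInformation.Trim()
    }
}

# Is the signing certificate itself listed under Trusted Publishers?
foreach ($store in 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher') {
    $hit = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    '{0}: {1}' -f $store, $(if ($hit) { 'publisher certificate present' } else { 'not present' })
}

# ClickOnce trust prompt settings (registry key quoted earlier in the thread).
$key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
if (Test-Path $key) {
    Get-ItemProperty -Path $key | Select-Object MyComputer, LocalIntranet, TrustedSites
} else {
    'PromptingLevel key not present.'
}
```
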
  • Hi,

    thank you for your kind interest in my problem.

    Is it really so that a VSTO 2010 Word Document solution needs a certificate bought from a Certificate Authority to work? That is never mentioned in Microsoft's guides on how to deploy such a solution.

    Furthermore I have previously successfully created and deployed VSTO 2010 Word Application solutions without having to buy any certificates. There were NO problems with any certificate errors. Those solutions are installed via a setup project in the solution. Does that make any difference compared to the VSTO 2010 Word Document solution, where I copy published folders and files into the Program Files folder?

    Is there a difference in security between a VSTO 2010 Word Document solution and a VSTO 2010 Word Application solution? Both solutions mentioned above are installed into the Program Files folder.

    /Peeter

    Monday, February 25, 2013 9:33 AM
  • You've raised two points: 1. Certificate Authority, 2. VSTO 2010 Word Document Add-In vs VSTO 2010 Word Application Add-In.

    1. Certificate Authority: any certificate you use, whether purchased from an external Certificate Authority or one created by your internal Certificate Authority, must be recognised by your environment as being valid, i.e. not a fake.

    For this to occur the Certificate Authority must be valid within your environment. Have a look at the certificates on your machine and go up the chain until you get to a Certificate Authority.

    The Certificate Authority can issue certificates and you can use them within your solution. Once the solution is installed on a machine, the machine will interrogate your solution's certificate and see who issued it. If it can find the issuer within its Trusted certificate authorities it will honour it; if it can't, it will report it as a fake and prompt the user to install or not.

    So no, you don't have to buy a certificate if your environment has a Certificate Authority it can use to create a certificate. But if you do buy a certificate from a Certificate Authority then that certificate authority must be in your Trusted certificate authorities.

    2. VSTO Document Add-In vs Application Add-In

    When you create an Application Add-In you typically also create an MSI Installer project that packages up your solution into a nice setup.exe and msi file.

    In order to run the setup.exe or msi file it must be run under the context of Administrator, and as we know an administrator has all the privileges to perform any operation.

    Well, if we have all the permissions then a Certificate is not required to validate the solution. So no certificate is required.

    So now you may be wondering: why don't I create an MSI Installer project to deploy my Document Add-In? Well, you could, and there are some threads on the web where they discuss how to do this. Some of them valid and some not valid for Office 2010.

    But do keep in mind that an Application Add-In makes use of the registry and a Document Add-In does not; even if you specify registry settings in the MSI Installer it will not use them.

    Well, that's my understanding of it.


    • Edited by Arthur V_ Monday, February 25, 2013 10:12 AM
    Monday, February 25, 2013 10:11 AM
  • Thanks a million again,

    do you know if it should make any difference running a setup that installs the VSTO 2010 Word Document solution to the Program Files folder, compared to copying the published folders and files into the Program Files folder?

    /Peeter

    Monday, February 25, 2013 10:21 AM
  • Um, are you saying that an MSI Installer project will copy your deployment & application manifest to the Program Files folder?

    This won't install your solution; the user will have to navigate to the directory and run the .vsto file to install your solution.

    Have a read of this, Securing Office Solutions; it will give you a good rundown and leave you scratching your head.

    If your aim is to get around the certificate issue then the simplest solution would be to change your Document Add-In to be an Application Add-In and go down the MSI Installer path.

    But that's not always possible, is it?

    Monday, February 25, 2013 10:47 AM
  • Thanks again,

    I meant that when deploying another Application add-in via a setup.msi created by a setup project in the solution there are no issues. That solution is installed to the Program Files folder.

    The Document Add-in solution I'm having trouble with is published to a local folder on my computer and manually copied to another user's Program Files folder. The document itself however can be located anywhere - it has a document property (_AssemblyLocation) that points out the location of the .vsto manifest file.

    When opening the document it displays the certificate error.

    So the Document-Add solution is in a trusted location - Program Files. Why doesn't it work?

    There is a checkbox in VS Project/Signing tab not to sign the manifest. What does that mean?

    /Peeter

    Monday, February 25, 2013 10:59 AM
  • Arthur, thanks for all your support in this.

    I have finally succeeded in deploying the solution onto another user's computer.

    The trick was to add a setup project to the solution which creates an installer package. I don't know what the installer does to make the difference compared to installing it manually by copying the published files to a program files folder.

    So if the goal is to deploy a solution onto your users' computers, you don't have to deal with certificate issues; you create a setup project.

    Peeter

    Tuesday, February 26, 2013 8:18 AM
  • Glad you got it to work Peeter

    Have a great day

    Tuesday, February 26, 2013 8:40 AM