Deploying Trusted Publisher Across Enterprise Domain

  • Question

  • Hello,

    I have set up a scenario where I have a domain controller, a deployment server, and a client workstation. The deployment server contains a FullTrust ClickOnce application signed with a certificate created through the mage tools.

     

    Following the instructions in the article: http://msdn2.microsoft.com/en-us/library/01daf08f.aspx under "Add the Publisher to the Trusted Publishers Store", I created a CTL in the domain policy for this certificate. The CTL is deployed to the client machine, but the certificate is not added to the Trusted Publishers store so the ClickOnce application is not trusted.

     

    Has anyone had experience deploying the certificates for ClickOnce application across an enterprise domain?

     

    Thanks,

     

    David

    Monday, October 1, 2007 6:53 PM

Answers

  • I just found out what the missing step is, you will not believe it...

    Here is a complete guide to the steps I took until I got it to work (I just finished writing it; let me know if I missed something)

     

     

    Steps to add certificate to the server:

    On the client that we published from:

    1. Create a temp-key from the VS signing tab.

    2. Create a certificate file from the pfx file ('cmd', 'certmgr', select the key file and click 'export', select 'do not export private key' and the first export option, DER-encoded .CER file).
    This will create a certificate file you can use on the server.

    3. Copy the .cer file to the server.

     

    On the server

    4. Open the "Default domain security controller" (from admin tools).

    5. Expand: 'public key policies' --> 'trusted root certification authorization authorities'

    6. Right-click 'export' and select the .cer file, add it to the store (next until the end).

    7. On the 'software restriction policies' group (located below) right-click and 'create new'.

    8. Click on the 'additional rules' node and select 'new certificate rule', browse for the .cer file and select 'unrestricted' in the bottom combo box.

    Back on the client:

    9. 'cmd' -> 'gpupdate' (to update the group policy).

    10. Check in certmgr; you are supposed to see the certificate in the 'trusted locations' tab.

    11. The application should work without a pop-up screen.

     

    Tuesday, October 16, 2007 5:47 PM
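The accepted answer above is a console procedure; the script below is an added example (not code from the original thread or from Microsoft) that automates the parts of it that can be scripted and checked: step 2 (export a DER .cer from the Visual Studio temporary-key PFX without the private key), step 10 (confirm which client store the certificate actually landed in after `gpupdate`), plus the per-client import that a later reply in this thread uses as a fallback. It also reads the signing certificate's thumbprint out of the ClickOnce deployment manifest so the check compares against what the manifest was really signed with. The Group Policy edits themselves (steps 4 to 8) are still done in the console as described. All paths, the PFX password and the store names used in the usage lines are assumptions for illustration.

```powershell
# Added example, not part of the original thread. Paths, passwords and the
# manifest location are assumptions. Run the store checks from an elevated
# Windows PowerShell prompt on the client.

# Step 2: write the public certificate (DER .cer, no private key) out of the
# PFX that Visual Studio created on the Signing tab. Returns the thumbprint.
function Export-PublisherCer {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$CerPath,
        [string]$Password = ''
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $Password
    # X509ContentType::Cert exports the certificate only; the private key is never written.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($CerPath, $der)
    return $cert.Thumbprint
}

# Pull the signing certificate out of a ClickOnce deployment manifest
# (.application). Signed manifests carry it as an XML-DSig X509Certificate
# element, so this tells you which thumbprint the clients must trust.
function Get-ManifestSignerThumbprint {
    param([Parameter(Mandatory)][string]$ManifestPath)
    $manifest = New-Object System.Xml.XmlDocument
    $manifest.Load((Resolve-Path $ManifestPath).Path)
    $ns = New-Object System.Xml.XmlNamespaceManager($manifest.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $node = $manifest.SelectSingleNode('//ds:X509Certificate', $ns)
    if ($null -eq $node) { throw "No X509Certificate element in $ManifestPath; manifest is not signed." }
    $bytes = [Convert]::FromBase64String($node.InnerText)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    return $cert.Thumbprint
}

# Step 10, scripted: after 'gpupdate /force', report which machine stores hold
# the certificate. 'Root' is Trusted Root CAs, 'TrustedPublisher' is the store
# ClickOnce consults for publisher trust, 'Trust' is Enterprise Trust (where a
# CTL lands, as the original poster observed).
function Test-PublisherTrust {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $result = @{}
    foreach ($store in 'Root', 'TrustedPublisher', 'Trust') {
        $hit = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
        $result[$store] = [bool]$hit
    }
    return $result
}

# Per-client fallback (the approach a later reply in the thread settles on):
# import the .cer straight into the machine's Trusted Publishers store instead
# of waiting for Group Policy. Requires administrative rights on the client.
function Install-PublisherCer {
    param([Parameter(Mandatory)][string]$CerPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

# --- usage (all paths assumed) ---
# On the publishing workstation:
#   Export-PublisherCer -PfxPath 'C:\src\MyApp\MyApp_TemporaryKey.pfx' -CerPath 'C:\deploy\MyApp.cer'
# On a client, after the GPO has been applied:
#   gpupdate /force
#   $tp = Get-ManifestSignerThumbprint -ManifestPath '\\deploy\apps\MyApp.application'
#   Test-PublisherTrust -Thumbprint $tp
# Expected once the procedure above has worked: TrustedPublisher = True.
```

Two things worth knowing when reading the results. A temporary key from the Visual Studio Signing tab is self-signed, so the same certificate is both the "root" and the "publisher"; ClickOnce's prompt-free install decision is made against the Trusted Publishers store, which is why seeing the certificate only under Trusted Root or Enterprise Trust (the CTL case in the question) is not enough. Adding a self-signed publisher certificate to Trusted Root Certification Authorities also grants it root-level trust for anything it signs, which is more than a ClickOnce publisher needs, so check the `Root` entry in the output and decide whether that is acceptable in your domain.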

All replies

  • Has anyone tried this, or can anyone comment on the documentation?

     

    Tuesday, October 9, 2007 2:39 PM
  • Hey.

    I'm having the same issue I think I made some progress but it does not work yet.

     

    If I'm adding the certificate to the 'trusted root certification authorities', when I update the group policy on my computer (command - gpupdate), I can see the certificate in my trusted root certification. The problem is, as you know, that it needs to be in the trusted publisher tab.

     

    Where did you get stuck?

     

    Tuesday, October 16, 2007 5:00 PM
  • Hi, thanks for the response.

     

    I'm getting stuck pretty much in the exact same place:

    I create an entry in the Trusted Root Certification Authorities, it will get deployed to the respective client store, and according to the documentation, "you can add trusted publishers to a client's store by creating a new certificate trust list (CTL) with Group Policy". When I create the CTL for the certificate, it gets added to the Enterprise Trust of the Client machine's certificate store, but does not affect the Trusted Publisher. I'm not really sure what to do next.

     

    -David

    Tuesday, October 16, 2007 5:39 PM
  • That worked. Thanks!

     

    I'm still wondering about the documentation and why the CTL method didn't work, but at least now the ClickOnce application can be trusted across my domain without manually manipulating the client certificate stores.

     

    Thanks again,

     

    David

     

    Tuesday, October 16, 2007 6:18 PM
  •  

    Yeah, the last step is very weird, I cannot see why it is needed (and all other steps - if you skipped any step, it will not work...)

     

    ClickOnce has many, many problems, but the biggest one is that it is so hard to find examples for things that are more complex than the "publish wizard". I've checked everywhere around the web; a step-by-step example for doing this cannot be found (the solution I wrote was collected from 5 different articles...).

     

    Hope someone at Microsoft will wake up about this project.

    Let me know if you have any other problems; this problem is the last (for now) after many other issues I've dealt with (like proxy, download custom authentication and so on....), so I guess I can be called an 'expert' in ClickOnce problems...

     

    Tuesday, October 16, 2007 6:34 PM
  • Hi Henry.

     

    I need your help...

    I've tried the same thing all over again and now I'm failing to see the certificate in the client after adding it to server certified authorities.

     

    Could you repeat the steps from the start, until you see the certificate in the client?

     

     

    Wednesday, October 17, 2007 9:21 AM
  •  

    Sorry for the delay, I was out of the area.

     

    Everything seemed fine for me. I added the certificate to the "Trusted Root Authority" under the Public Key Policy on the domain, and created a Certificate rule under the Software Restriction Policies. On the client I was able to access the ClickOnce app that required FullTrust.

     

    Where are you looking when you say "server certified authorities"?

     

    -David

    Thursday, October 18, 2007 3:58 PM
  • Thanks for your reply. I managed to find another solution:

    I'm adding the certificate to each client I'm installing on before installing the application - this works as well.

     

    Do you know of a way to install the application without it being deployed after installation (a real 'push-install')?

    Thursday, October 18, 2007 4:03 PM
  • I'm not sure I know what you mean. Are you talking about an alternative to ClickOnce?
    Thursday, October 18, 2007 8:25 PM
  • No, I mean that when you double-click on setup, it installs the application and then runs it. I just want it to be installed, without running it.

     

    Friday, October 19, 2007 9:00 AM
  • Oh ok.

    You can set whether the application should run after install in the deployment manifest. If you open the deployment manifest in MageUI, there is a tab for "Deployment Options". In that page there is a checkbox for "Automatically run application after installation". I believe that the Application Type has to be set to "Install Locally" in order for this option to be applicable.

     

    Friday, October 19, 2007 2:02 PM