none
Outlook add-ins are automatically marked as untrusted RRS feed

  • Question

  • We have a product that contains a few add-ins which integrate with Outlook using VSTO.   On most machines everything works well when the addins are deployed and installed.  On very few machines sometimes when Outlook loads up the add-ins are automatically marked as untrusted and are never loaded.  When I attempt to load them manually through the Trust Center the dialog box states that an error occurred when loading the add-ins.   I have traces in my add-in which print out the first line when the add-in is loaded and no trace files are even generated by any of the add-ins.  This error mus be occurring before our code is even invoked.   We have about three add-ins and all are marked as untrusted at the same time.   I could never get them to be installed within Outlook no matter what I do.   What is happening here?  

    A few things I've found are:

    1.  If the system is reimaged everything works fine.

    2.   For a good machine where everything works fine if I disconnect the network cable and try to start Outlook I get the same behavior and the outlook add-ins become untrusted.  I'm thinking maybe on the bad machines it's just not able to connect to something across the network?   Can someone elaborate on what may be happening here?  Does Outlook try to validate the add-in by connecting to a time server or something of that nature? 

    Thanks!   

     

    Monday, May 16, 2011 6:47 PM

Answers

  • HI,

    then on this two machines I would check if there is a Proxyclient installed.

    Or they have a wrong DNS-Server entry or a wrong gateway. Sounds like a Network misconfiguration.

    Also try ipconfig /flushdns on a commandline

    Timestamping is only used at installation as I know.

    However - I had an AddIN deployed to a customer signed with a valid certificate, but not timestamped.

    The certificate was valid for 1 Year.

    After the certificate has been expired, the already installed addins continue running, but the AddIn couldn't get installed on new machines.
    From then I make sure I timestamp AddINs I release to customers.

    Just my expirience.

    When the CA-Servers can't be reached, it's almost a Network misconfiguration.

    Check, Gateway, DNS, Traceroute, Proxysettings, Proxyclient, some Admins deny access to Microsoft-Server, they want to make sure that clients can't download updates etc.

    Hope that helps...

    Greets - Helmut 

     


    Helmut Obertanner [http://www.obertanner.de] [http://www.outlooksharp.de]
    • Marked as answer by Bruce Song Friday, May 27, 2011 7:42 AM
    Wednesday, May 18, 2011 5:45 AM
    Answerer

All replies

  • Hi alex,

     

    Are your solutions digitally signed? If so, a trust chain verification will be attempted when the add-in is loaded and if there is no network connectivity, the CA server cannot be reached, and the digital signature/certificate chain fails to be validated. That written, the chain should be walked every time the solution is loaded. More on what to check there if it seems that the dsig might be at fault.

     

    --

    Chris


    Monday, May 16, 2011 9:23 PM
  • Hi Chris,

    Thanks, yes all our add-ins are digitally signed with a Verisign certificate.  Hmm... maybe the the CA server cannot be reached from that one specific machine.  By any chance do you happen to know what server I can ping to check if verisign is reachable? 

    Thanks,

    Alex

    Monday, May 16, 2011 9:28 PM
  • Hi, when you disconnect the Network-Cable, the CA-Servers can not be reached.
    A workaround is to disable the "Check for Certificate Revocation" in Internet-Explorer settings.

    However - this could lead to a executing a software that is signed by a invalid certificate (malware?)

    Question:

    You said that you have signed your addin's. Are they Time-Stamped? If not, you can't install the Add-ins on a machine after the certificate has been expired.

    Greets - Helmut


    Helmut Obertanner [http://www.obertanner.de] [http://www.outlooksharp.de]
    Tuesday, May 17, 2011 5:46 AM
    Answerer
  • Thanks Helmut,

    The problem however, occurs all the time on one or two specific machines.  All other machines are working perfectly fine. 

    Our add-ins are not time stamped but I'm not sure how that will help since time stamping requires connecting to a CA server to ensure the addin was built when the certificate was still valid.  So if for some reason on these one or two machines they are not able to reach the CA server for validation (even when the add-ins are timestamped) the add-ins will continue to be untrusted...correct?  

    Alex

    Tuesday, May 17, 2011 3:36 PM
  • HI,

    then on this two machines I would check if there is a Proxyclient installed.

    Or they have a wrong DNS-Server entry or a wrong gateway. Sounds like a Network misconfiguration.

    Also try ipconfig /flushdns on a commandline

    Timestamping is only used at installation as I know.

    However - I had an AddIN deployed to a customer signed with a valid certificate, but not timestamped.

    The certificate was valid for 1 Year.

    After the certificate has been expired, the already installed addins continue running, but the AddIn couldn't get installed on new machines.
    From then I make sure I timestamp AddINs I release to customers.

    Just my expirience.

    When the CA-Servers can't be reached, it's almost a Network misconfiguration.

    Check, Gateway, DNS, Traceroute, Proxysettings, Proxyclient, some Admins deny access to Microsoft-Server, they want to make sure that clients can't download updates etc.

    Hope that helps...

    Greets - Helmut 

     


    Helmut Obertanner [http://www.obertanner.de] [http://www.outlooksharp.de]
    • Marked as answer by Bruce Song Friday, May 27, 2011 7:42 AM
    Wednesday, May 18, 2011 5:45 AM
    Answerer
  • Thanks Helmut!  Will try that. 

     

    Wednesday, May 18, 2011 6:30 PM
  • Hi Alexkfh,

    Have you tried Helmut's workaround and resolved your problem yet? If you still have any concern on the thread, feel free to follow up.

    Best Regards,




    Bruce Song [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Monday, May 23, 2011 9:11 AM
  • Hi eveyrone, I have the same problem than Alexkfh with my customers. Only few of them have their add-ins disappear apparently after an update of windows and sometime just by closing the computer for the week-end. We installed an error log but it was never triggered when the add-in is deactivate. The add-in is not digitally signed and my customers have Outlook 2003. If you know about the solution please let me know here.

    Best regards,

    --

    David

    Thursday, July 28, 2011 8:06 PM
  • Hi eveyrone, I have the same problem than Alexkfh with my customers. Only few of them have their add-ins disappear apparently after an update of windows and sometime just by closing the computer for the week-end. We installed an error log but it was never triggered when the add-in is deactivate. The add-in is not digitally signed and my customers have Outlook 2003. If you know about the solution please let me know here.

    Best regards,

    --

    David

    Hi David

    The problem for us turned out to be that the add-ins were also some how registered in HKLM.   We're not sure how they got there because nothing in our code deploys to HKLM.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins

    After deleting our add-ins in this registry area the add-ins loaded and worked properly.

    Alex

     

    Thursday, July 28, 2011 8:17 PM