"Trust Not Granted" Error - Full Trust WPF Web App on a Corporate Network

  • Question

  • I'm trying to create a WPF Web Application that will ultimately run on a corporate network - in other words, the XBAP will be executed from a network share.

    When I execute the XBAP from the remote share I get the following exceptions:

    ERROR SUMMARY
     Below is a summary of the errors, details of these errors are listed later in the log.
     * An exception occurred while determining trust. Following failure messages were detected:
      + User has refused to grant required permissions to the application.
     * An exception occurred while downloading the application. Following failure messages were detected:
      + The AssertApplicationRequirements method failed. The application cannot be committed.

    The first thing I did was to create a public/private key pair:
        makecert.exe -sv MyKey.pvk -n "CN=Mine" MyKey.cer

    Then from this I created a PFX Certificate:
        pvk2pfx.exe -pvk MyKey.pvk -spc MyKey.cer -pfx MyKey.pfx -po MyPassword

    I then created a new Windows Presentation Foundation Web Application in Visual Studio 2008.
    Next I set the properties for the application:

    Signing:
        Tick "Sign the ClickOnce manifests"
        Select From File - I select the certificate file I've just made.
        Tick "Sign the assembly"

    Security:
        Tick "Enable ClickOnce Security Settings"
        Check "This is a full trust application"
      
    Publish:
        Publish Location - this is a folder on the local hard drive that is shared on the network.

    I build and publish the application. It works fine on the local machine.


    Move to 'remote' machine on the corporate network.

    Copy and install the certificate file I made earlier and store it in the "Trusted Publishers" folder.

    Browse to the development machine's "publish" folder. Double click the XBAP file. I'm presented with the "Trust Not Granted" - "The application cannot be deployed because it is not trusted and possibly unsafe." error. On clicking "Open Error Log" I get the exceptions written above.

    Any help would be appreciated as it's driving me nuts!

    Thanks in advance

    Matt
    Friday, September 12, 2008 12:38 PM

Answers

  • Hi Matt,

    I've solved it.

    -r = Specifies that the certificate will be self-signed.

    This guide helped me "How to Create Temporary Certificates for Development".

    So by adding -r to my original makecert command:
        makecert.exe -sv MyKey.pvk -r -n "CN=Mine" MyKey.cer

    I get a certificate that I can add to the "Trusted Publishers" group and the "Trusted Root Certification Authorities" group.

    Thanks for pointing me in the direction of the "Trusted Root Certification Authorities" group - I'd have never found the answer if you hadn't pushed me in that direction.

    Cheers

    Matt
    • Marked as answer by MattHousley Monday, September 15, 2008 3:04 PM
    Monday, September 15, 2008 3:04 PM
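
    The checks discussed in this thread, as an added example that is not part of the original posts: a PowerShell script to run on the client machine that reports whether the .cer is self-signed (what makecert's -r flag produces), which of the two stores it is actually in, and whether it chains to a trusted root. The file name MyKey.cer is taken from the thread; the function name Test-CertInStore is hypothetical. Only the public .cer is needed on clients; the .pvk/.pfx private key stays on the signing machine.

```powershell
# Added example (not from the thread). Assumes MyKey.cer is in the current directory.
param(
    [string]$CerPath = '.\MyKey.cer'
)

$fullPath = (Resolve-Path -LiteralPath $CerPath).Path
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# A certificate made with "makecert -r" has identical subject and issuer names.
# This compares names only; it does not verify the signature itself.
$selfSigned = ($cert.SubjectName.Name -eq $cert.IssuerName.Name)

# Hypothetical helper: is this thumbprint present in the given store?
function Test-CertInStore {
    param([string]$Thumbprint, [string]$Location, [string]$StoreName)
    $match = Get-ChildItem -Path "Cert:\$Location\$StoreName" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$match
}

# Check both stores named in the thread, for the user and for the machine.
$storeReport = foreach ($location in 'CurrentUser', 'LocalMachine') {
    foreach ($store in 'TrustedPublisher', 'Root') {
        New-Object PSObject -Property @{
            Location = $location
            Store    = $store
            Present  = Test-CertInStore -Thumbprint $cert.Thumbprint -Location $location -StoreName $store
        }
    }
}

# Build the chain the same way Windows would, without revocation lookups
# (a makecert test certificate has no CRL distribution point).
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainTrusted = $chain.Build($cert)

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Thumbprint  : $($cert.Thumbprint)"
"Expires     : $($cert.NotAfter)"
"Self-signed : $selfSigned"
"Chain OK    : $chainTrusted"
$chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status) - $($_.StatusInformation.Trim())" }
$storeReport | Format-Table Location, Store, Present -AutoSize
```

    If Self-signed is False, the issuer shown is the certificate that would have to be in "Trusted Root Certification Authorities" instead; if the Root rows are all False, the import did not land where the wizard's success message suggested.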

All replies

  • Hi Matt,
        It sounds like you have a good grasp of what's needed to run a full trust .xbap.  This is nice to hear :).  However you left out one step ...  since your certificate is self-generated, it likely doesn't derive from a real Trusted Root Certification Authority.  Thus, you need to ALSO import your .cer to that store on the machines you want to run the client app on, and most likely that will fix your issue. 

    Hope this helps,
    Matt
    SDET : Deployment/Hosting
    Friday, September 12, 2008 9:20 PM
  • Hi Matt,

    Thanks for your advice. However, when I tried it, it didn't work.

    Some more information:
    I'm signing the manifest with the .pfx file I created (that is to say I don't select it from the store). I sign the assembly with the same .pfx file.

    I publish the XBAP to the network share (which is local to my development machine).

    I install the .cer file on the remote machine.
    I add it to the "Trusted Publishers" group - I can confirm this as I can see it in the list of certificates.
    On your advice I then add the .cer file to the "Trusted Root Certification Authorities" group - I get a success message. However, I can't see the certificate in the "Trusted Root Certification Authorities" group.
    Is this expected behaviour?

    I have tried this on different machines and the result is the same - successfully added to TRCA group - but can't see it in the list (It's obvious to see it as the certificate expires in 2040).

    So I still get the same exception when I try to run the XBAP.

    What am I missing??!!

    Cheers

    Matt

    Monday, September 15, 2008 10:59 AM
  • Hi Matt,

    After further investigation this appears to be a certificate creation issue.

    I've followed this How-To 'XBAP as Full Trust Application' and my application works on the remote machine. When I import the temporary .pfx file I can see it in the "Trusted Root Certification Authorities" group.

    However, this is obviously creating a temporary key (pfx), and distributing that - which is a no no. (Somehow in the 'how-to' the key file magically turns into a '.cer' file on the remote machine).

    So my question is "How do I create a certificate that appears in the "Trusted Root Certification Authorities" group?"

    Thanks in advance.

    Matt
    Monday, September 15, 2008 2:25 PM
  • I don't get this, I did all the above and my app just refuses to run, I keep getting the not trusted message. I'm getting sick and tired of this. I mean I am a developer, not a system administrator, so Microsoft let me do my job, which is developing. Don't bother me with insignificant bullshit about security. Since when are you in control of my PC instead of me? It is fine that you have the security options but when I want to shut them down, I want to be able to do that with just a mouse click, I don't want to be bothered with all kinds of stuff I don't understand, like trusted, certificates and so on.

    Maybe I am a bit harsh, but I am angry and disappointed, and I am starting to dislike my work this way.

     

    Saturday, December 18, 2010 9:50 PM
  • For my intranet WPF browser apps....

    In the Signing tab, cleared the checkboxes for ClickOnce and Assembly. In the Security tab, Enable and full trust are checked. We get the "not trusted" message, because .Net 4.0 is not installed. Once installed, then on the first run, a run anyway messagebox is displayed. Click to have the app run then it will run.

    It was tough to figure out because you only get one shot per machine. Once it is running, it runs and you cannot duplicate that very first time....   

    HTH.


    • Edited by skeltech1 Thursday, March 24, 2011 9:24 PM typo
    Thursday, March 24, 2011 9:20 PM