Adding Codegroup for a control hosted on website to .Net Runtime Policy

 

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.


Action

When a web application has a control embedded in it, .NET runtime security must be configured on the client machine to grant the control FullTrust before the control can be instantiated. One method to achieve this is to redirect the client to a page that has a link to download a .vbs file, which executes on the client machine and makes this configuration change without the user having to interact with the .NET Framework Configuration tool. The script sets up a code group for the control (membership condition: Site; permission set: FullTrust; site name: the server from which the .vbs file was downloaded) and then adds the code group to the security policy.


Result

In a Windows XP environment, the downloaded .vbs file can be executed, and it sets the runtime security settings correctly without user interaction.

In Windows Vista, however, the .vbs file will NOT execute, even if the logged-in user is a member of the Administrators group. One workaround is to:
1. Save the file locally.
2. Execute the .vbs file from a command line that was opened with Run as administrator.

This is by design in Vista security: any system change must be explicitly run as administrator.


Cause

The control cannot instantiate because .NET security policy prevents code downloaded from the Internet from running with FullTrust. The user must enable the code to run on the local machine via the caspol.exe command line or the .NET Framework configuration wizard. The .vbs script is used to minimize user interaction.

To run caspol on a Vista machine, the script must run in an administrator command prompt. This is a security feature in Vista, so the script needs to run with explicitly elevated administrator rights.


Resolution

The script below shows what such a .vbs file should look like. It also shows how passing the verb “runas” to either the ShellExecute API or its COM equivalent, the ShellExecute method of Shell.Application, prompts for elevation to an administrator login so that the script can run with elevated rights.

Follow the instructions given below:
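1. Create a new .vbs file using a text editor.
2. Copy the following sample code.

strVer = "2.0.50727" ' example value: set to the installed .NET Framework version folder
Set objShell = CreateObject("WScript.Shell") ' provides ExpandEnvironmentStrings
Set obj = CreateObject("Shell.Application") ' provides ShellExecute
strCasPolExe = objShell.ExpandEnvironmentStrings("%windir%\Microsoft.NET\Framework\v" & strVer & "\caspol.exe")
strCommandLine = "<command to be passed to run>" ' replace with the caspol arguments
' The "runas" verb requests elevation; 0 hides the window
obj.ShellExecute strCasPolExe, strCommandLine, "", "runas", 0

3. Save the .vbs file.
4. Double-click the .vbs file to run it.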

This will run caspol.exe with administrative privileges.
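
The command-line placeholder above, filled in for the code group the Action section describes (membership condition Site, permission set FullTrust), as an added example that is not part of the original article. The site name, the group name and the two Framework version folders are assumptions; giving the group a name lets the same script remove it again.

```vbscript
' Added example, not the article's script. Values marked "assumption" are placeholders.
Option Explicit
Const SITE_NAME  = "apps.example.com"     ' assumption: server that hosts the control
Const GROUP_NAME = "ExampleControl_Site"  ' assumption: name used to find/remove the group

Dim objWsh, objFso, objApp, strRoot, strVer, strCasPol, strArgs, strAction
Set objWsh = CreateObject("WScript.Shell")
Set objFso = CreateObject("Scripting.FileSystemObject")
Set objApp = CreateObject("Shell.Application")

' CAS policy is stored per runtime version, so pick the caspol.exe that belongs
' to the runtime the control loads in (v2.0.50727 also serves .NET 3.0 and 3.5).
strRoot = objWsh.ExpandEnvironmentStrings("%windir%\Microsoft.NET\Framework\")
strCasPol = ""
For Each strVer In Array("v2.0.50727", "v1.1.4322")
    If strCasPol = "" And objFso.FileExists(strRoot & strVer & "\caspol.exe") Then
        strCasPol = strRoot & strVer & "\caspol.exe"
    End If
Next
If strCasPol = "" Then
    WScript.Echo "caspol.exe not found under " & strRoot
    WScript.Quit 1
End If

' Default action is "add"; pass "remove" to delete the group again.
strAction = "add"
If WScript.Arguments.Count > 0 Then strAction = LCase(WScript.Arguments(0))

Select Case strAction
    Case "add"
        ' -m: machine policy level; -ag 1.: add a child of the root All_Code group;
        ' -site/FullTrust: the membership condition and permission set from the article.
        strArgs = "-q -m -ag 1. -site " & SITE_NAME & " FullTrust -n """ & GROUP_NAME & """"
    Case "remove"
        strArgs = "-q -m -rg """ & GROUP_NAME & """"
    Case Else
        WScript.Echo "Usage: cscript " & WScript.ScriptName & " [add|remove]"
        WScript.Quit 2
End Select

' "runas" raises the elevation prompt on Vista; 0 keeps the caspol window hidden.
objApp.ShellExecute strCasPol, strArgs, "", "runas", 0
```

Running `caspol -m -lg` from the same Framework folder lists the machine-level code groups, which confirms whether the named group was added or removed.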


More Information

There is one other way to configure the .NET runtime policy on a client's machine: create an MSI and add a custom action to it using the Orca tool.

More information on Code Access Security:
http://msdn2.microsoft.com/en-us/library/930b76w0(VS.71).aspx


DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.



APPLIES TO
Microsoft .NET Framework 3.0
Microsoft .NET Framework 2.0 Software Development Kit
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.5
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 1.1

——————————————–

Microsoft Knowledge Base Article

The contents of this article are Microsoft copyrighted material.
Microsoft Corporation. All rights reserved.

 

