How can I protect a ClickOnce deployed application with a password? Do I have to change the IIS settings of the web or is there a way to do it programmatically? I'm using Visual Studio 2005 (.NET 2.0).

If I have to use web credentials, are auto-updates of the application still possible?

Would be great if you could provide some sample code or detailed instructions for administering IIS.

Thank you!

+1  A: 

I'm not sure it can be done. I may be wrong, but I didn't think that would work. Apart from anything else, even if your user puts in their credentials to get the .application, the runtime then does separate downloading, for which it needs anonymous access.

If you want to protect the client so much, you may have to come up with a different way of deploying it.

Marc Gravell
A: 

A ClickOnce installer is just a couple installer files sitting out on your web server, right? So then, you can just implement some sort of directory security on those files. You can do this on a couple different levels I believe; for example IIS permissions or (if your users are on your domain) NTFS permissions.

Also, IIS permissions (everything actually?) should be able to be set up programmatically.

Aaron Axvig
Thanks for your answer. Maybe I wasn't all that clear. I know I can set some directory security settings. But how can I tell ClickOnce *inside my application* to use the credentials?
splattne
+3  A: 

I found a possible solution by myself in this MSDN article: ClickOnce Deployment and Security.

ASP.NET Form-Based Authentication

If you want to control which deployments each user can access, you should not enable anonymous access to ClickOnce applications deployed on a Web server. Rather, you would enable users access to the deployments you have installed based on a user's identity (using Windows NT authentication).

If you deploy to an environment without Windows NT authentication, a solution could be to try using ASP.NET form-based authentication to authenticate the user. However, ClickOnce does not support forms-based authentication because it uses persistent cookies; these present a security risk because they reside in the Internet Explorer cache and can be hacked. Therefore, if you are deploying ClickOnce applications, any authentication scenario besides Windows NT authentication is unsupported.

Passing Arguments

An additional security consideration occurs if you have to pass arguments into a ClickOnce application. ClickOnce enables developers to supply a query string to applications deployed over the Web. The query string takes the form of a series of name-value pairs at the end of the URL used to start the application:

http://servername.adatum.com/WindowsApp1.application?username=joeuser

By default, query-string arguments are disabled. To enable them, the attribute trustUrlParameters must be set in the application's deployment manifest. This value can be set from Visual Studio and from MageUI.exe. For detailed steps on how to enable passing query strings, see How to: Retrieve Query String Information in a ClickOnce Application.

You should never pass arguments retrieved through a query string to a database or to the command line without checking the arguments to make sure that they are safe. Unsafe arguments are ones that include database or command line escape characters that could allow a malicious user to manipulate your application into executing arbitrary commands.

Note: Query-string arguments are the only way to pass arguments to a ClickOnce application at startup. You cannot pass arguments to a ClickOnce application from the command line.

splattne
A: 

The only solution I've ever seen is here: Click Once Forms Auth

We've run into the same problem with trying to secure an application. The one problem with the solution above that I've noticed is that the cookie information is in the URL, which means if someone theoretically intercepted the URL, they could use it to also download the application. Other than that, it seems like a viable solution.

Bob