Microsoft One-Click Installer - User Never Prompted for Trust - excel

I wrote an Excel add-in for a client that does some custom things for 5 users. I wrote it with VS2012 and the interop assemblies for Excel 2010. I published the add-in with the MS one-click publisher, zipped up the contents, and sent it to these 5 users. They are (seemingly) only able to install the add-in at random. Some users have been successful, while others get an error message. Some more info:
The users that are not successfully installing are never being
prompted to trust the install. It takes them right to to the error
message.
I signed the code with just a local dev cert. I didn't use a
verisign certificate or anything like that. I didn't figure that it would do anything, because their local file system is never allowing it to get to the prompt.
First I made a batch file to configure the registry for inclusion
list security. This did nothing.
I haven't been able to replicate the error on any other PC, whether
it's on my local network or not.
My guess is that they've got something in their security policy that prohibits access to these one-click installer files. Any ideas which one?
Here is the error message:
System.Security.SecurityException: Customized functionality in this application will not work because the certificate used to sign the deployment manifest for ThisAddin or its location is not trusted. Contact your administrator for further assistance.
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustPromptKeyInternal(ClickOnceTrustPromptKeyValue promptKeyValue, DeploymentSignatureInformation signatureInformation, String productName)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInTrustEvaluator.VerifyTrustUsingPromptKey(Uri manifest, DeploymentSignatureInformation signatureInformation, String productName)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn() The Zone of the assembly that failed was:MyComputer

We faced similar problem when an Add-In was developed and signed by certificate issues by a Domain A, and any user from the domain was able to install it. The add-in was published on a web site: http://host.org/apps/addin/setup.exe
Later people from Domain B also decided to use the Add-In, but the only thing they saw was the message about Trusted locations and Contact your admin.
Solution was trivial: open Internet Explorer, add http://host.org into trusted sites.

I was in a pinch for time, so I exported the developer certificate and had them install it on their machines.

Related

Open an Access file without the security warning message [duplicate]

i have a shared access application, i created an accde file for 32-bit machine, when user open the application he/she getting a security warning
is there any way to disable this message from appearing to the users
thank you
You have to set their computer to be a trusted source. In order to get around this issue, you will need to create a Digital Certificate. Digital Certificates are good only on the computer they are created on, so if this database will be used on multiple computers then each one will have to create a Digital Certificate.
To do this, you will need to perform the following tasks:
Click on Start -> All Programs -> Microsoft Office -> Microsoft
Office Tools -> Digital Certificate For VBA Projects (If you don’t
have this, you will need to contact your IT Dept.)
Enter a Certificate Name. Make it obvious like MyProgramName and Click OK
Open the Access database which contains the security warning you want to bypass
Go into the Design View of any Module
Click on Tools -> Digital Signature
Choose your Digital Certificate you created in Step 2
Save and close the database
Re-Open the database. You will now be prompted with a different Security Warning that states the file has been digitally signed.
Check off the “Always trust files from this publisher…” box and click the Open button
All subsequent times you enter this database, you will not be prompted with a security warning.
Note - I wrote the above for our company based on Office 2003. If you're using a more recent version, the instructions may vary somewhat.
other way is following:
click on file and then options
click on trust center and then trust center settings on the right
then click on trusted locations and add new location
browse for the location and save.
that's it.. done.. now no more warnings..
That is a standard warning to indicate the file you are opening has web links and macros.
If you trust the file, just say OK or “Allow”
You can control if this message is displayed: Office button > Excel Options button > Trust Center > Trust Center Settings button (I have no idea why they have this extra button, DUMB DESIGN! )
More Information can be found here
I have an Access database that processes other Access databases. I get OP's error when connecting to one of the other Access databases. To fix the issues, I opened the other Access database and clicked Enabled Content. Then, the Access database is trusted and OP's error doesn't occur when connecting to that Access database from another Access database.
You can create a registry key that will add the directory as a trusted location and will not show the warning anymore. What's nice about this method is that you can easily automate this to happen on the computers where you deploy your app. See method #2 or #3 in this blog: http://www.accessrepairnrecovery.com/blog/fix-microsoft-access-security-notice
And in case the blogs ever gets removed, here is the important bits:
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\Location20] “Path”=”C:\Database\”
“Description”=”My Database location”
Explanation about the key:
– The number “14.0” is the version of MS Office. You can change the numbers that represent the version you are executing.
– The “Location20” is a unique name that you assign. 20 can be any number that is not previously used. Other programs include default MS Access wizards, already have used other numbers. But if you want to make more than one path as trusted location, then each location must end up with different number.
– The “C:\Database\” is the physical path that you want to set to be as Trusted Location. You can place any path that you choose here.
By copy and pasting the above coding into a text file and save it with a name such as RemoveSecurityWarning.reg, you can then run the file into your PC’s registry just by making double click on the file.
The best way is to add the location of the document or the document itself to the Trusted Locations in Registry (if you use only Access runtime on client machines, there is no way to add it through the Office application, like you would do in Excel).
Here is the answer:
Adding Trusted Location to Access Run Time
You would need to create a new Location key and add the necessary Path (and Description) strings inside with the appropriate location of your file. This way the nag dialog will be gone and you won't need to worry about certificates.
Shared may mean it is located on a network share. It is not advisable to add a network location to the Trusted locations and you would need to set the additional flag AllowNetworkLocations to 1. I would advise you to copy the Access modules to the user computers, which would also make things better with the speed I believe.
If anybody else have this problem, it happened to me, with a shared file on a network environment, and the simplest solution was to install Microsoft Office service pack 2, even better is having automatic updates for Office turned on. You can find it here.

Do Office Add-ins always require Internet access to work?

Let's take Excel for example. In Excel 2016, when I select an add-in in the STORE, after clicking on Trust It, will the code (.html, .js files) of the add-in be downloaded or installed on my machine?
In other words, have the add-ins under MY ADD-INS been already installed on my machine, such that i could load and run them without Internet (if an add-in does not send or receive special data to or from Internet)?
I am asking this question, because i want to know if a basic add-in always requires Internet access to work.
As Eric mentions, Office add-ins are indeed web based. However, to add a bit to his answer:
While you definitely need a one-time access to fetch the manifest and the original HTML/JS/CSS files, if your add-in is not using license checking (it's free) and does not require web services, you should be able to make a website that uses standard offlining techniques to load with no internet connection after the first time.
I tried it out real quick with pointing a manifest at http://html5demos.com/offlineapp. After loading it once and then disconnecting my internet, I was still able to load that page.
Hope this helps,
~ Michael
Yes, the new Office add-ins are web-based. They are all defined - and installed - by a manifest file which specifies the URL location of the web source files. These are always hosted on the provider's web server and are not cached for offline use. The licensing system used by most add-ins (the ones that aren't free) requires a connection to the provider's web server which in turns needs to verify the user's license against the Office Verification Licensing Service. If offline use was enabled users could use a trial license in perpetuity without the provider being aware.

IIS Cannot Get Access to an Excel File for Users, But is OK for Me. Why?

I have a program running as a service in IIS in Windows Server 2008 R2. The program has no problem creating a report in Excel. The problem occurs when it tries to get access to the Excel the that it has just created. This gives the users a 80070005 error right at this line of code:
Excel.Application excelSS = null;
excelSS = new Excel.Application(); <-- Error
Because at that point, the program has not tried to get access to the Excel file just yet, I believe the problem is not related to lack of access rights to the file. I believe the problem may have to do with locating the Excel program. This may have to do with the fact that the Excel is 32-bit and the Windows operating system is in 64-bit. I am not sure.
The strange thing is that I have no problem viewing the Excel report through IIS. Another IT guy also has no problem doing this. But normal users all have this problem trying to do the exact same thing. This all points to the high probability that this problem is related to "access rights". If it has to do with the setup of Excel, I would assume that everyone including me would have the same problem. This is very puzzling.
I have already tried all the tips that I can find in Internet:
Confirm that the Application-Pools in IIS uses IIS APPPOOL\DefaultAppPool user account.
Add a "Desktop" folder in system32 and in SysWOW64 under config\systemprofile and make sure the IIS APPPOOL\DefaultAppPool user account has read/write access to those folders.
Run DCOM-Config, and assign local access/launch/activation rights to IIS APPPOOL\DefaultAppPool under COM-Security. And make sure both 32-bit and 64-bit DCOM-Config get these settings.
Because of the fact that the users use "Windows Authentication" to run the program in IIS, I also make sure that the users can use their own user account to get access to the folder in IIS server that stores the Excel file.
I even go as far as adding IIS APPPOOL\DefaultAppPool to local admin user group.
The only tip that I cannot try is the fact that I cannot find "Microsoft Excel Application" listed in DCOM-Config program (Component Services --> Computers --> My Computer --> DCom Config). I am supposed to add launch/activate access rights to IIS APPPOOL\DefaultAppPool to "Microsoft Excel Application" in that list. But somehow "Microsoft Excel Application" is not in the list. I have tried looking for it in DCOM-Config in both System32 and SysWOW64 folders. This "seems" like where the problem is. But I am not sure about this because of the fact that I have no problem viewing the Excel report using my user account. If there was something wrong with the settings in Excel, I would think that none of us could view the Excel report.
I didn't have this problem when I had that program in Windows Server 2003 R2 - 32bit, or in Windows XP 32-bit.
I understand the issue about Microsoft want people not to use Office Automation in Windows Server 2008. And Microsoft wants people to use XML or something like that. But I also understand that people have tried this and can work around this. Because I am not the developer of that program, I really don't want to start changing that program. Therefore, I would like to be able to get the existing program to work.
Please help. Thanks in advance.
Jay Chan
Turned out this problem has to do with access rights. Seem like ASP.NET was running under the user's authentication (not surprising because I have set the web service to use "Windows Authentication"). And the user doesn't have permission to run Excel directly at the server. The solution is to use a special domain user account: (1) Assign the special user account as the local admin, (2) Assign the special user account as the "Specific user" for "ASP.NET Impersonation" for the web service.
I have a feeling that the special user account was somehow embedded in that specific web service. Therefore, the fix that I mentioned above may or may not work for other people. Unfortunately I don't know if this is true or not because I was not the developer of that web service. And I cannot find any where in the web service mentioning anything related to that specific user account.
I am glad that this is fixed.
Jay Chan

How to Publish InfoPath (which is fulltrusted having codebehid code ) in sharePoint?

I created one InfoPath form which is having C# code and i gave security option is 'full trusted' to access infopath object model,and it should be open with Browser.finally i published the Infopath form to SharePoint(by using admin-approved) site.
But when i'am trying to open, it is not opening and giving an error that is 'InfoPath can not create a new or blank form InfoPath can not open the form,To fix this problem,Contact your System administrator'
and in error show details its giving following message.
'The form template is trying to access files and settings on your computer. InfoPath cannot grant access to these files and settings because the form template is not fully trusted. For a form to run with full trust, it must be installed or digitally signed with a certificate'.
please give me a solution.
Unfortunately, if you are using any file system calls in your C# code then you will have to keep the fully trusted setting. As the error message says, any fully trusted form has to be either installed or have a certificate associated with it to run. Infopath is really just a glorified webpage when it runs on a users machine - you wouldn't want a webpage to run unsecurely and have full rights to the machine without the user knowing it.
You should only need full trust if the form accesses LOCAL resources (indivdiual hard drives). If you don't include C# libraries for file/directory access then domain trust should be sufficient and the form will work fine. (Database access, webservices, etc are not local and will work under domain level).
In the Form Setting change the browser enabled documents as "Display as Web Page".
it resolved the issue :)

Weird yellow bar pops-up: 'Microsoft Data Access - Remote Data Services

When I access my site from any computer, I see this warning popping up:
"This web site wants to run the following add-on: 'Microsoft Data
Access - Remote Data Services Dat...' from 'Microsoft Corporation'. If
you trust the web site and the add-on and want to allow it to run,
click here..."
I am guessing this is some kind of virus or something. I would like to know how to remove this from my site.
Id be very concerned if this is on your own server.
I found the following blog post that warns on the issue: http://msmvps.com/blogs/hostsnews/archive/2007/09/13/can-you-spot-the-fake.aspx but doesn't provide any way of removing it.
I'd recommend making sure both the server and the client are up to date on Windows Updates, and then installing a good virus scanner.

Resources