3

I'm getting TrustNotGrantedException thrown for some specific users of our VSTO Word add-in.

These users have the certificate installed correctly.

The exception is being thrown when the app checks for updates:

try
{
    ApplicationDeployment.CurrentDeployment.CheckForUpdate();
}
catch(TrustNotGrantedException ex)
{
    Log(ex);
}

The stack trace is logged as follows:

User has refused to grant required permissions to the application.

   at System.Deployment.Application.ApplicationTrust.RequestTrust(SubscriptionState subState, Boolean isShellVisible, Boolean isUpdate, ActivationContext actCtx, TrustManagerContext tmc)
   at System.Deployment.Application.DeploymentManager.DetermineTrustCore(Boolean blocking, TrustParams tp)
   at System.Deployment.Application.DeploymentManager.DetermineTrust(TrustParams trustParams)
   at System.Deployment.Application.ApplicationDeployment.CheckForDetailedUpdate(Boolean persistUpdateCheckResult)
   at System.Deployment.Application.ApplicationDeployment.CheckForUpdate()
   at iReport.iReportAddIn.CheckForUpdates()

Has anyone experienced this, or does anyone know how to prevent this in the code or with any workarounds?

Edit:

I have read through this blog post on the issues and it seems like it could be an issue with CAS Permissions for the problem users.

I'll try and give a problem user access to the update URL using this and will follow up in a bit, although I would much prefer to be able to prevent this in the code instead of fixing individual client machines. Something like:

caspol -m -ag 1 -url "http://machinename/application/*" FullTrust -exclusive on

Edit2:

Using caspol.exe worked! Does anyone know a way to prevent this from happening in the code? Or can anyone explain why it could only be happening to select users?

Edit3:

I'm going to try adding

<system.web>
  <!-- level="[Full|High|Medium|Low|Minimal]" -->
  <trust level="Full" originUrl=""/>
</system.web>

to the app.config.

Edit4:

Adding full CAS trust to the app.config didn't help. Can anyone show me if it's possible to achieve what CASPOL is doing in code?

Edit5:

If it isn't possible to do this in code, is there an easy way to run the CASPOL command as part of the ClickOnce install?

woggles
  • that depends on the environment... which permissions the user running the app has (admin / non-admin / restricted)... any special setting in a domain / AD environment, perhaps some Group Policy etc. – Yahia Aug 27 '11 at 05:45
  • @Yahia It's going to be tricky to narrow that down unfortunately - I do know that the users experiencing issues were all admins on their local machines, though. Thanks for the comment :) – woggles Aug 27 '11 at 05:52
  • Are you sure that the correct tag is system.web? I think it might be something else for Word add-ins, because it is not web. – Ramon Snir Sep 06 '11 at 08:54
  • I am not sure! It was part of autocomplete in the app.config – woggles Sep 06 '11 at 08:59
  • Look at the documentation (maybe in MSDN?). If I remember right from Office 2003, you really do need to add some trust tag, but I doubt it is in system.web. – Ramon Snir Sep 06 '11 at 09:52

1 Answer

0

In recent versions of Windows, downloaded files are flagged as blocked and have security restrictions imposed on them that can cause breakage when consumed by other apps due to the sandboxing.

The implementation uses NTFS alternate streams. If the file is blocked you can tell by right-clicking on the file, viewing properties and seeing the unblock button. Clicking unblock removes the stream and releases the extra security restrictions.

It can also be removed using Sysinternals streams.exe. Test whether this is your issue by downloading your plugin on a Windows 7 machine, and then install without unblocking to see if it reproduces the issue.

TheCodeKing
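
One way to run the check described in the answer above from PowerShell, as an added example that is not part of the original answer: it lists the files in a folder that carry the Zone.Identifier alternate data stream (the stream Windows attaches to downloaded files) and can optionally remove it. The script parameters $Path and -Unblock are assumptions of this example, and it needs PowerShell 3.0 or later.

```powershell
# Added example: find files marked as downloaded (Zone.Identifier stream).
# $Path is an assumption: point it at the folder holding the downloaded add-in.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [switch]$Unblock   # remove the stream after reporting
)

# URL security zone numbers as stored in the stream's ZoneId= field
$zoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

$report = @(foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse) {
    # Get-Item -Stream raises an error when the stream is absent, so silence it
    $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { continue }

    # The stream holds INI-style text: a [ZoneTransfer] section with ZoneId=<n>
    $text = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw
    $zoneId = $null
    if ($text -match '(?m)^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }

    $zone = 'Unknown'
    if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zone = $zoneNames[$zoneId] }

    [pscustomobject]@{
        File   = $file.FullName
        ZoneId = $zoneId
        Zone   = $zone
    }
})

$report | Format-Table -AutoSize

if ($Unblock) {
    # Unblock-File deletes the Zone.Identifier stream, like the Unblock button
    $report | ForEach-Object { Unblock-File -LiteralPath $_.File }
}
```

Run it once without -Unblock on an affected machine and on a working one; a difference in which add-in files are flagged supports the explanation in the answer.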