Julie
Sat Feb 11 10:34:11 CST 2006
Rodney
An additional test showed that sticking everything in a protected folder
made setup unhappy. I fiddled around with it and in the end, we must leave
the folder hierarchy intact.
Forms authentication, deny all anonymous users and the mime setting to add
non-asp.net apps to the forms authentication protection looks like the right
combination.
still testing
julie
"Julie Lerman" <jlerman@thedatafarm.com> wrote in message
news:%23OxKMDeLGHA.648@TK2MSFTNGP14.phx.gbl...
>I think I've got it worked out. I'm still just having one problem that is
>unrelated - the server won't serve up exe files over the web. I'm having
>the I.T. guys see if the ISA Server is responsible.
>
> So...
>
> I shifted things around in the site to make life easier.
>
> I created a folder called protected and copied the folders, the manifests
> and the setup.exe into there.
>
> I marked that folder to deny all anonymous users. Then to ensure that the
> non asp.net files (eg app.application, setup.exe) would participate in
> forms authentication, I added a mapping. See "Securing Non-ASP.NET Files"
> in this quickstart page:
>
> http://www.asp.net/QuickStart/aspnet/doc/tipstricks/default.aspx
>
> It's not deployed yet, but looks like it's doing what I want.
>
> Let me know how this works for you.
>
> Julie
>
>
> "news.microsoft.com" <RodneyL@Mailinator.com> wrote in message
> news:%230CD5mcLGHA.3468@TK2MSFTNGP10.phx.gbl...
>> Hi Julie - thanks for the info at your two blog posts:
>>
>> http://www.thedatafarm.com/blog/PermaLink.aspx?guid=3d77e65b-4367-4408-b230-ce609fe9ed88
>>
>> http://www.thedatafarm.com/blog/PermaLink.aspx?guid=1b54b38b-a0be-4cda-a94f-7ed24183608c
>> Have you had any luck with a Forms Authentication solution yet?
>>
>>
>> "Julie Lerman" <jlerman@thedatafarm.com> wrote in message
>> news:%23QZ1XLLLGHA.2416@TK2MSFTNGP15.phx.gbl...
>>> fyi: this is the official word (from the msdn documentation) on
>>> deploying click once securely:
>>> "Therefore, if you are deploying offline applications (ClickOnce
>>> deployments in which you enable The application is available offline as
>>> well (launchable from Start menu) on the Publish page), any
>>> authentication scenario besides Windows NT authentication is
>>> unsupported. An acceptable solution would be to allow any user to
>>> install the application, but have the client application authenticate
>>> the user by means of Web services at activation."
>>>
>>> I will, however, figure out how to do it with forms authentication! :-)
>>>
>>>
>>> "Julie Lerman" <jlerman@thedatafarm.com> wrote in message
>>> news:e55qBwsKGHA.208@tk2msftngp13.phx.gbl...
>>>> just a quick update.
>>>>
>>>> I'm stuck on the problem of the .exe and .application files not being
>>>> protected by ISAPI. So even with using forms auth to get to the
>>>> publishing page working properly, it is possible to browse directly to
>>>> the setup.exe and app.application files without being authenticated.
>>>>
>>>> I have tried to map those extensions, but there is something not
>>>> working with that process - even for a .GIF file.
>>>>
>>>> I'll be back...
>>>>
>>>> julie
>>>>
>>>>
>>>> "Julie Lerman" <jlerman@thedatafarm.com> wrote in message
>>>> news:Oo6lSzmKGHA.1508@TK2MSFTNGP10.phx.gbl...
>>>>> I'm in the process of trying to do ClickOnce deployment/updates using
>>>>> forms authentication. That way you can still have the website use
>>>>> anonymous access for the updates
>>>>> I will post back my results.
>>>>> I have not been able to find anything via google where anyone talks
>>>>> about this or gives examples.
>>>>>
>>>>> I have also done an in-house only deployment using Integrated
>>>>> Authentication. I wrote up how I did this along with gotchas on my
>>>>> blog.
>>>>>
>>>>> http://www.thedatafarm.com/blog/PermaLink.aspx?guid=3d77e65b-4367-4408-b230-ce609fe9ed88
>>>>> be sure to see the "Update about 2 hours later" at the bottom of the
>>>>> post.
>>>>>
>>>>> julie lerman
>>>>>
>>>>> "Rodney" <RodneyL@Mailinator.com> wrote in message
>>>>> news:OCEZPDRKGHA.604@TK2MSFTNGP14.phx.gbl...
>>>>>>I want to provide a small Click Once application to a small number of
>>>>>> selected users, when the application is published on an otherwise
>>>>>> public web
>>>>>> server (I don't want everyone to have access to my application).
>>>>>>
>>>>>> My first solution was to setup a virtual directory (the publish
>>>>>> location)
>>>>>> with "Anonymous Access" turned off - setting up a special username
>>>>>> and
>>>>>> password for it which I give to my selected users.
>>>>>>
>>>>>> The users then 'log on' to the initial install page, and install the
>>>>>> application. However, subsequent running of the application should
>>>>>> check
>>>>>> for any updates - but because the update location doesn't allow
>>>>>> anonymous
>>>>>> access, the application fails to log on and assumes that it's offline,
>>>>>> so
>>>>>> continues to use the initial version, never downloading any updates.
>>>>>>
>>>>>> What am I missing? How can you securely publish a Click Once
>>>>>> application to
>>>>>> a public website?
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
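
The combination described at the top of the thread (forms authentication, deny all anonymous users, and non-ASP.NET files routed through ASP.NET) could look like the web.config below. This is an added example, not configuration taken from any of the posts; it assumes ASP.NET 2.0 on IIS 6, a hypothetical `Login.aspx` page and cookie name, and that the listed extensions have been mapped to `aspnet_isapi.dll` in the IIS application configuration, which cannot be done from this file.

```xml
<?xml version="1.0"?>
<!-- web.config at the root of the publish application, so the
     ClickOnce folder hierarchy stays as the publish wizard created it. -->
<configuration>
  <system.web>
    <!-- Forms authentication for the whole application.
         Login.aspx and the cookie name are placeholders. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".CLICKONCEAUTH"
             protection="All" timeout="30" />
    </authentication>

    <!-- "?" means the anonymous user: every request that ASP.NET
         handles must carry a valid forms authentication ticket. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Authorization above only applies to requests IIS hands to ASP.NET.
         Once the extensions are mapped to aspnet_isapi.dll in IIS, these
         entries let ASP.NET serve the files after the authorization check. -->
    <httpHandlers>
      <add verb="GET,HEAD" path="*.application" type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.manifest" type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.deploy" type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.exe" type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>
</configuration>
```

To check the setup, request `setup.exe` and the `.application` file directly from a browser session with no authentication cookie; each request should be redirected to the login page instead of returning the file.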