Redirecting to ClickOnce application fails

Hello,



We have implemented a few years ago a "zero touch" deployed smart client
application for .NET 1.1.

We ported now this application to .NET 2.0 and deploying it with ClickOnce.
Because we have still .NET 1.1 clients around, we made a small ASP.NET
startup application that checks host header values and redirects
(Response.Redirect(...)) to the .application file in case the client has
.NET 2.0 installed. Otherwise it will launch the old smart client on a web
page.

This all works fine as long as we start the ASP.NET startup page (let's call
it StartClient.aspx) from within Internet Explorer. If we put a link to the
startup page into an e-mail or just on the desktop launching the ClickOnce
client with this link fails with a "Cannot Start Application" message box.
The details say:



SOURCES

Deployment url :
https://myserver/Client/StartClient.aspx



ERROR SUMMARY

Below is a summary of the errors, details of these errors are
listed later in the log.

* Activation of https://myserver/Client/StartClient.aspx
resulted in exception. Following failure messages were detected:

+ Downloading
https://myserver/Client/StartClient.aspx did not succeed.

+ The remote server returned an error: (403)
Forbidden.



The deployment url is the startup page and not the .application manifest
file as we would expect. When checking IIS logs, we can find first a request
to StartClient.aspx, second a request to
https://myserver/ClickOnceClient/MyApp.application (the manifest), and a
third request back to StartClient.aspx.

This third request doesn't happen when we access the aspx page from within
Internet Explorer (where, as mentioned before, everything works as
expected).



It seems like it only partially redirects when launching from a hyperlink in
a document.



Thanks for your help in advance,



Jürgen

v-lliu
Tue Jun 10 22:42:48 CDT 2008

Hi Juergen,

I performed a simple test based on your description but didn't reproduce
the problem on my side.

In my test, the deployment URL is
http://myserver/ClickOnceTest/ClickOnceTest.application

I use a .asp page to redirect to the deployment URL. The content of the

Jürgen
Wed Jun 11 02:27:51 CDT 2008

Hello Linda,

I tried your simple asp file and found the problem. It works as long as
there is anonymous access enabled. Once I turn on any authentication it
fails. For some reason the click once application launcher goes back to the
asp page without being able to authenticate.
Unfortunately we do need SSL authentication to protect our application. Is
there a way to prevent the application launcher to access the asp page? How
does the application launcher know about the original asp page?

Thanks for your help so far,

Jürgen

v-lliu
Thu Jun 12 04:34:18 CDT 2008

Hi Juergen,

Thank you for your quick reply!

I performed a test disabling Anonymous access to the ClickOnce application
but enabling Integrated Windows authentication through IIS.

The result is that when I double click the shortcut to the ASP file on the
desktop that redirects to the ClickOnce application deployment file, the
ClickOnce application is launched properly.

Note that ClickOnce application only support Integrated Windows
authentication so far. Please enable Integrated Windows authentication for
your ClickOnce application to see if the problem is solved.

Hope this helps.

Sincerely,
Linda Liu
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.

Jürgen
Thu Jun 12 05:56:37 CDT 2008

Hello Linda,

The ClickOnce application is running with anonymous access in our case. Just
the starting web page (StartClient.aspx) needs to run with SSL Certificate
authentication. We cannot use Windows Integrated Authentication, because the
application is running over the internet.
The problem is that the application launcher requests the StartClient.asp
page (with the contents you've had in the previous message) a second time
after the initial redirect.
When I dump the "ApplicationDeployment.CurrentDeployment.ActivationUri"
after the application starts (without any authentication) I get:
- for IE started:
http://myserver/clickoncetest/clickoncetest.application (as expected)
- for e-mail link started:
http://myserver/client/StartClient.asp

That is wrong and doesn't make sense. I guess if the ActivationUri would be
right, it would not go back to the original asp page a second time and then
all the authentication trouble would go away.
Is there something I can do to get this ActivationUri fixed when started
from an e-mail link?

Thanks,
Jürgen

v-lliu
Fri Jun 13 01:51:38 CDT 2008

Hi Juergen,

Thank you for your prompt response!

What authentication do you enable on the StartClient.asp?

If you don't redirect to the ClickOnce application deployment file from
within the StartClient.asp, can you browse the StartClient.asp properly via
a link in email or a shortcut on desktop?

The ApplicationDeployment.CurrentDeployment.ActivationUri property gets the
URL used to launch the deployment manifest of the application and is a
readonly property. So we cannot set this property to a "correct" URL to fix
the problem.

Since all you need is a user authentication at the StartClient.asp level, a
workaround is to let users input user name and password on the
StartClient.asp and submit to the server. If the user name and password is
correct and the client machine has .NET 2.0 installed, redirect to the
ClickOnce application deployment manifest.

Hope this helps.

Sincerely,
Linda Liu
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Jürgen
Fri Jun 13 03:03:40 CDT 2008

Hi Linda,

> What authentication do you enable on the StartClient.asp?

We do need to use SSL client certificate mapping, but for testing Basic
authentication is sufficient to demonstrate my problem.

> If you don't redirect to the ClickOnce application deployment file from
> within the StartClient.asp, can you browse the StartClient.asp properly
> via
> a link in email or a shortcut on desktop?

Yes, I can.

> The ApplicationDeployment.CurrentDeployment.ActivationUri property gets
> the
> URL used to launch the deployment manifest of the application and is a
> readonly property. So we cannot set this property to a "correct" URL to
> fix
> the problem.

From what source is the ClickOnce app launcher constructing this
ActivationUri? Is there something I can do to the redirect response to get
this ActivationUri right?

> Since all you need is a user authentication at the StartClient.asp level,
> a
> workaround is to let users input user name and password on the
> StartClient.asp and submit to the server. If the user name and password is
> correct and the client machine has .NET 2.0 installed, redirect to the
> ClickOnce application deployment manifest.

This is exactly what I want to do, but with SSL client certificates (that's
what our clients are using for the .NET 1.1 client for several years now).
It just doesn't work, because the app launcher thinks the asp page is the
application manifest, when started from the e-mail link. So it tries to load
it a second time (not sure why this is necessary), but now it is obviously
not able to provide the SSL certificate. So the app launcher is failing to
start the application.

Here is my IIS log when started from within IE:

2008-06-13 07:45:17 W3SVC1 192.168.80.21 GET /Client/Startup.asp - 80 -
192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
401 2 2148074254
2008-06-13 07:45:32 W3SVC1 192.168.80.21 GET /Client/Startup.asp - 80
juergen 192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
302 0 0
2008-06-13 07:45:32 W3SVC1 192.168.80.21 GET
/ClickOnceTest/ClickOnceTest.application - 80 - 192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
200 0 0
--> 2008-06-13 07:45:33 W3SVC1 192.168.80.21 GET
/ClickOnceTest/ClickOnceTest.application - 80 - 192.168.80.43 - 200 0 0

Here is the IIS log when started from the desktop:

2008-06-13 07:59:27 W3SVC1 192.168.80.21 GET /Client/Startup.asp - 80 -
192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
401 2 2148074254
2008-06-13 07:59:41 W3SVC1 192.168.80.21 GET /Client/Startup.asp - 80
juergeb 192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
302 0 0
2008-06-13 07:59:41 W3SVC1 192.168.80.21 GET
/ClickOnceClient/Mortara.ECGWarehouse.FormsClientViewer.application - 80 -
192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
200 0 0
--> 2008-06-13 07:59:41 W3SVC1 192.168.80.21 GET /Client/Startup.asp - 80 -
192.168.80.43 - 401 2 2148074254

Thanks for your help so far,

Jürgen

v-lliu
Mon Jun 16 04:35:44 CDT 2008

Hi Juergen,

Thank you for your prompt response!

If you redirect to another ASP page instead of the ClickOnce application
deployment manifest from the StartClient.asp and enable SSL client
certificates for the StartClient.asp, can you redirect successfully when
you double-click shortcut to the StartClient.asp URL on desktop?

I searched and found the an MSDN document discussing server and client
configuration issues in ClickOnce deployments. It points out that we need
to set the "Automatic prompting for file downloads" setting to Enable for
Internet Web pages to activate a ClickOnce application programmatically
using Active Scripting. For detailed information, see the "Activating
ClickOnce Applications Through Browser Scripting" section of the following
document:
http://msdn.microsoft.com/en-us/library/ms228998.aspx

I will also consult this issue in our internal discussion group and as soon
as I get any hint, I will update it to you.

Hope this helps.

Sincerely,
Linda Liu
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.

v-lliu
Wed Jun 18 05:59:28 CDT 2008

Hi Juergen,

Is there any progress on the problem?

I have consulted this issue in our internal discussion group but haven't
got a reply until now.

I will go on research on this issue. As soon as I get any hint, I will
update it to you. I appreciate your patience!

Sincerely,
Linda Liu
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.

v-lliu
Tue Jun 24 04:17:39 CDT 2008

Hi Juergen,

Sorry for my delayed response!

I received a reply from our internal discussion group.

When we go directly to StartClient.asp from IE, IE will redirect to server
that has .application file. At that time, IE checks mime type of

Jürgen
Wed Jun 25 09:16:46 CDT 2008

Hello Linda,

I can't follow all the details of the explanation.
Shell seems to open IE first, based on the .asp extension. This attempt
doesn't result in a 401, because I can select the certificate within the
started IE window. Maybe IE gives control back to Shell because of the
returned MIME type, but somehow Shell misses then the redirection.

Thanks for your help, we'll need to find a different solution.

Jürgen

v-lliu
Wed Jun 25 22:39:13 CDT 2008

Hi Juergen,

Due to the complexity and lengthy troubleshooting in this issue, I would
like to have a Product Support Professional from Microsoft CSS work with
you to resolution. Please note that there will be no cost to you for this
support incident.

To expedite creation of the support incident, please e-mail me with the
following information(to v-lliu@microsoft.com):

o Customer Name
o Customer email address
o Company Name, if applicable
o Best times to reach you, and your time zone.
o Microsoft Support Contract Information, if applicable
o Complete Address
o Daytime Telephone Number
o Operating System(s) In Use
o Operating System Language, especially if not US English
o Application Language, especially if not US English
o Any additional telephone number(s), in case you cannot be reached at your
primary telephone number.

After I receive an e-mail from you with the requested information, I will
create a support incident for you. Then, one of our support professionals
will contact you to establish a mutually convenient time to work on this.

Thank you again for your patience in working on this issue in the community.

Sincerely,
Linda Liu
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.

v-lliu
Mon Jun 30 06:03:41 CDT 2008

Hi Juergen,

How about the problem now?

I haven't received your email with your detailed contact information until
now. If you'd like us to create a support incident for you to address the
problem, please send the required information to me (v-lliu@microsoft.com).

Thank you for your patience in working on this issue in the community.

Sincerely,
Linda Liu
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.