Re: Appl. Security Problems

From: Steve B. (SteveB_at_discussions.microsoft.com)
Date: 06/03/05


Date: Fri, 3 Jun 2005 07:55:30 -0700

Nicole,

I thought I should let you know what happened in discussions with MS. It’s a bit
confusing to follow, but below is one of my replies, which I hoped solved the
problem. MS replied to my questions; if you're interested in the Q's, let me know.

Note: are we running out of posting space?

Steve

******************
From: Steve

I think success, but in a slightly different way. I divided your e-mail
into Parts I and II (see below).

Part I (MS suggested trying URL vice strong name)

My share: file:////\\servername\pub\* or file:////\\servername\pub\BIP\*

Initially I tried this and received the error message: "Windows cannot
access the specified device, path or file. You may not have the appropriate
permissions to access the item."

Part II (MS - try the strong name with his MS VS solution)

No comments, except that I still get the Import error message.

My Solution ??

In my original message to MS Help, and while driving home yesterday, I
thought about why the exe and dll's only run on my machine and on one
other user's machine (let's call him user1). So, this morning I
right clicked on the exe and dll's on the shared pub drive and went to
the file properties -> security tab. To my surprise the names for user1 and
myself and, a couple of other people, had Full Control check marks next to
them, while the item "Everyone" had only partial control check marks. So, at
this point, I gave the "Everyone" line item Full Control check marks. I then
tested two typical users with Parts I and II and both parts WORKED! - no
error message. The exe ran and also linked to the ADONet dll(s).

However, this success raises a couple more questions.

1. What did I do when I gave Everyone Full Control of BIP exe and dll's? I
don't have a problem with it and I think it's a good thing that all users
have full control. I'm just wondering how user1 and I got full control? My
IT person?

2. Did this procedure of giving Full Control really solve my problem? Why?
Or, is it just understood policy?

3. Can you point me somewhere I can learn about the security tab? Do the
security tab settings override .Net CAS settings (doesn't seem right and
that's why I never thought of it)? I guess I'm confused about the interfacing
between CAS and the security tab.

4. Should I use the URL method (file://..server...\Pub\BIP\*) in Part I or
the Strong Name method in Part II for the BIP program security policy? The
programmer in me says to use the Strong Name method, but the URL method is
quick and easy, plus I'll be creating more ADONet dll's in future (have 60
users). Or, does Part I incorporate Strong Names anyway? The BIP program
will never be deployed except to the local Pub share (a regular VS
Release compile outputs to \\... \Pub\BIP\).

5. Very important question - How do I set security policy level for the BIP
program itself without ever going to each individual machine and setting BIP
security policy? Can I do something like set policy at the Enterprise level?

 
"Steve B." wrote:

> Nicole,
>
> Thank You Nicole for sticking with me
>
> I’ve created one new key for the VS solution IAW the MS Know. Base article
> below, but with the USA holiday coming up this weekend I won’t be back in the
> office till next Wednesday, so I can’t try whether it works.
>
> If it doesn’t, I’ll institute the measures you suggest and let you know the
> result; after that I’ll have to go for MS help. The non-profit is the US
> military.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;815808
>
> Steve
>
>
> "Nicole Calinoiu" wrote:
>
> > "Steve B." <SteveB@discussions.microsoft.com> wrote in message
> > news:23BE341C-E989-4BE1-9033-F7733697C534@microsoft.com...
> > <snip>
> > > What's my next step/your recommendation? (recreate keys?)
> >
> > As long as the keys are valid, they can't be causing the problem. If you
> > want to simplify things and use a new key that's shared across the three
> > projects, go ahead, but this won't address any potential client
> > configuration issues.
> >
> >
> > > Are there obvious machine configurations (not fruitless) I can check?
> >
> > There are too many candidates for blind troubleshooting. Since things seem
> > to be in a bit of a muddle, I'd recommend taking a step back and checking if
> > things are really working as you seem to think on your development machine
> > before going looking for problems on the other clients. If you're up for
> > this, here are the steps I'd take:
> >
> > 1. Back up your compiled assemblies (the EXE and both DLLs) and your CAS
> > policy files (or even safer, the entire
> > <windows>\Microsoft.NET\Framework\<version>\CONFIG directory) to some
> > location off your machine.
> >
> > 2. Delete all local debug and release mode compiled copies of your EXE and
> > DLLs, including any copies in the GAC.
> >
> > 3. Reset your CAS policy. (See the "To reset all policy levels" topic at
> > http://msdn.microsoft.com/library/en-us/cptools/html/cpconNETFrameworkAdministrationToolMscorcfgmsc.asp
> > if you're not sure how to do this.)
> >
> > 4. Recompile your three assemblies in release mode.
> >
> > 5. Replace the assemblies in your network distribution folder with the
> > newly compiled copies, then delete the local copies from your development
> > machine. If any copies ended up in the GAC (for example, due to a build
> > event), delete these as well.
> >
> > 6. Attempt to run the EXE from the network folder. Do you see the expected
> > SecurityException?
> >
> > 7. Attempt to create new code group(s) based on strong name membership
> > condition(s) for trusting the assemblies, loading them from the network
> > folder. Do you encounter any problems?
> >
> >
> >
> > > How can I raise this up a step (note: I work for non-profit group)
> >
> > The various support options available from Microsoft are listed at
> > http://support.microsoft.com/. I suppose that some might cost less for a
> > non-profit, but I have no personal experience in this area.
> >
> >
> >
> > >
> > > Steve
> > >
> > >
> > > "Nicole Calinoiu" wrote:
> > >
> > >> "Steve B." <SteveB@discussions.microsoft.com> wrote in message
> > >> news:F7803F8D-061B-4245-AC72-0607D655475F@microsoft.com...
> > >> > I was thinking (just ideas):
> > >> > - Why does the trust assembly wizard give an error message ("Unable to
> > >> > load [path to dll]") when I identify the dll but it works for the execute
> > >> > file
> > >>
> > >> If this works for the EXE, then perhaps there's some problem with the DLL
> > >> itself. Do you get the exact same result for both DLLs? Are the DLLs
> > >> located in the exact same directory as the EXE?
> > >>
> > >>
> > >> > - What about the location(s) of the assembly file key (path) to my
> > >> > hard drive
> > >>
> > >> Not relevant. The key file is not used anymore after the assemblies are
> > >> signed at compile-time.
> > >>
> > >> > - should it be the network? (see earlier post for C: path)
> > >>
> > >> Absolutely not. In fact, the key you use to sign your production assemblies
> > >> probably shouldn't even be stored on your development machine. See
> > >> http://msdn.microsoft.com/library/en-us/dnnetsec/html/strongNames.asp for a
> > >> discussion of key storage techniques.
> > >>
> > >>
> > >> > - Why does the policy change work on my ("the developer's") machine?
> > >>
> > >> Most likely because there's something different about your machine's
> > >> configuration. There are many, many possibilities, and trying to guess is
> > >> likely to be fruitless.
> > >>
> > >> > - Should I test the policy change on more than one user?
> > >>
> > >> Eventually, yes. However, it would be a good idea to get it working on at
> > >> least one user machine before starting to muck about with others.
> > >>
> > >>
> > >> > - Do I need to reference the assembly file or key in the VS project or
> > >> > the program file?
> > >>
> > >> No. The key file is never needed at runtime.
> > >>
> > >> > - Do I need to register the key (regsvcs.exe??)
> > >>
> > >> No. Again, the key is only used to sign the assembly at compile time. It's
> > >> never needed again unless you need to re-sign a delay-signed assembly, which
> > >> you don't since you're not using delay signing.
> > >>
> > >>
> > >> >
> > >> > Steve
> > >> >
> > >> > "Steve B." wrote:
> > >> >
> > >> >> Nicole,
> > >> >>
> > >> >> Trying to provide you as many elements of my environment as possible.
> > >> >> Please - don't assume I know what I'm doing.
> > >> >>
> > >> >> -->When do you see this message?
> > >> >> 1. When I try to do the policy changes NOT when the application runs.
> > >> >>
> > >> >> --> Could you please provide repro steps?
> > >> >> 2. The policy change steps are the same steps as I did on my machine and
> > >> >> are the same as the earlier web site you referenced
> > >> >> (Machine-all_code-new..). The error message occurs after selecting Strong
> > >> >> Name from comboBox and after clicking the Import button and when I identify
> > >> >> the application dll on the shared Pub drive.
> > >> >>
> > >> >> -->Exact message
> > >> >> 3. OK Message: "The Import failed. The assembly does not appear to be
> > >> >> valid."
> > >> >>
> > >> >> -->Correct versions of your compiled assemblies
> > >> >> 4. My VS compiling procedures: I Debug compile locally on my machine, then
> > >> >> send a Release "updated" compiled version of the application to my local
> > >> >> network (\\serverName\Pub\Business...). Then I went to a typical user's
> > >> >> machine and tried to set up the Machine Code Group the same way I did on my
> > >> >> machine. My machine works fine from Pub.
> > >> >>
> > >> >> -->Are any of the assemblies delay signed?
> > >> >> 5. No assemblies are delay signed
> > >> >>
> > >> >> Note: The VS solution has one exe file project and two dll projects. One
> > >> >> dll is a GUI for an Access dB and the other is a Library for the dB. The
> > >> >> execute file DOES RUN on the users machine because I earlier ran the Trust
> > >> >> Assembly wizard and identified the exe file; however the exe file calls
> > >> >> the dB GUI and that fails to open. The Trust Assembly wizard will not trust
> > >> >> the dB dll's.
> > >> >>
> > >> >> Steve
> > >> >>
> > >> >> "Nicole Calinoiu" wrote:
> > >> >>
> > >> >> > "Steve B." <SteveB@discussions.microsoft.com> wrote in message
> > >> >> > news:F89770A4-781D-481D-B11B-0D1962B42E07@microsoft.com...
> > >> >> > > Nicole,
> > >> >> > >
> > >> >> > > Sorry to keep asking these questions, however, this is the most
> > >> >> > > success I've had in solving this problem so far.
> > >> >> > >
> > >> >> > > After following the earlier post instructions the program opened up
> > >> >> > > fine on my machine, but when I went to another user's machine I
> > >> >> > > received the following message:
> > >> >> > >
> > >> >> > > Imported failed. The assembly does not appear to be valid ... strong
> > >> >> > > name
> > >> >> >
> > >> >> > When do you see this message? When attempting to apply the policy changes
> > >> >> > or when attempting to run your application? If the former, could you
> > >> >> > please provide repro steps? Also, is there any chance you might be able to
> > >> >> > provide the exact message?
> > >> >> >
> > >> >> > >
> > >> >> > > What's wrong?
> > >> >> > >
> > >> >> > > The following is a typical configuration I have in each Visual Studio
> > >> >> > > project (file name(s): AssemblyInfo.cs) within the solution:
> > >> >> > >
> > >> >> > > [assembly: AssemblyDelaySign(false)]
> > >> >> > > [assembly: AssemblyKeyFile(@"C:\BusinessInformationSoftware\ADONetLibrary\obj\adoNetLibrary.snk")]
> > >> >> > > [assembly: AssemblyKeyName("")]
> > >> >> >
> > >> >> > Are any of the assemblies delay signed? i.e.: Do any have the attribute
> > >> >> > [assembly: AssemblyDelaySign(true)]? Also, are you sure that the other
> > >> >> > machine has the correct versions of your compiled assemblies?
> > >> >> >
> > >> >> >
> > >> >> >
> > >> >> > >
> > >> >> > > Steve
> > >> >> > >
> > >> >> > > "Nicole Calinoiu" wrote:
> > >> >> > >
> > >> >> > >>
> > >> >> > >> "Steve B." <SteveB@discussions.microsoft.com> wrote in message
> > >> >> > >> news:A40F8CFA-F5E0-45B1-AC61-98B31FFECA70@microsoft.com...
> > >> >> > >> > Nicole
> > >> >> > >> >
> > >> >> > >> > Are there instructions on how to trust a directory and the files
> > >> >> > >> > within it.
> > >> >> > >>
> > >> >> > >> You would simply need to use a URL membership condition rather than a
> > >> >> > >> strong name membership condition when you create the new code group.
> > >> >> > >> However, getting the URL right can be a bit tricky since it must match
> > >> >> > >> the URL used by the CLR to load the assemblies.
> > >> >> > >>
> > >> >> > >>
> > >> >> > >> > I have separate strong names for each project within the file VS
> > >> >> > >> > solution. Should I have one strong name for the whole solution?
> > >> >> > >>
> > >> >> > >> By definition, each assembly would have a distinct strong name, so I
> > >> >> > >> suspect you're actually concerned about different signing keys. It is
> > >> >> > >> rather unusual to use a different signing key for each project within a
> > >> >> > >> solution. The "typical" schemes are to use a single signing key for all
> > >> >> > >> assemblies released by an organization, or for all assemblies released
> > >> >> > >> in a given product group. Since all projects within your solution
> > >> >> > >> presumably form part of the same product, they would usually be signed
> > >> >> > >> with the same key under either scheme.
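
Nicole's reset-and-recreate steps (back up CONFIG, reset CAS policy, create strong-name code groups for the assemblies on the share) and the Part I URL alternative, written out with caspol.exe as an added PowerShell example that is not from the thread. caspol.exe is the .NET Framework Code Access Security Policy tool; the share path, assembly file names and Framework version folder below are placeholders, and the URL form is an assumption to be confirmed against the URL the CLR actually uses.

```powershell
# Added example, not from the thread: walks Nicole's reset-and-recreate steps
# with caspol.exe. Share, assembly names and Framework folder are placeholders.
$Share      = '\\servername\pub\BIP'                             # the Pub\BIP share
$Assemblies = 'BIP.exe', 'ADONetGui.dll', 'ADONetLibrary.dll'   # placeholder names
$Framework  = Join-Path $env:windir 'Microsoft.NET\Framework\<version>'  # e.g. v1.1.4322
$Caspol     = Join-Path $Framework 'caspol.exe'

# Step 1: back up the CONFIG directory (security.config lives there) off the box.
$Backup = "\\servername\pub\backup\CONFIG-$(Get-Date -Format 'yyyyMMdd-HHmm')"
Copy-Item -Path (Join-Path $Framework 'CONFIG') -Destination $Backup -Recurse

# Step 3: reset machine-level CAS policy to the shipped defaults (-q skips the prompt).
& $Caspol -q -machine -reset

# Step 6 check: under default policy an assembly loaded from a UNC share typically
# resolves to the LocalIntranet permission set, hence the expected SecurityException.
& $Caspol -machine -resolveperm (Join-Path $Share $Assemblies[0])

# Step 7: one code group per assembly under All_Code (label '1.'), keyed on the
# signing public key only (-noname -noversion). Steve signs each project with its
# own key, so each needs a group; with one shared key a single group would do.
# caspol only needs Read access to the file to extract the public key.
foreach ($a in $Assemblies) {
    & $Caspol -q -machine -addgroup '1.' -strong -file (Join-Path $Share $a) `
        -noname -noversion FullTrust -name "BIP strong name: $a"
}

# Part I alternative: a URL membership condition covering the whole share.
# The URL must match the one the CLR uses to load the files; this form is an
# assumption, so confirm it with -resolvegroup before relying on it.
# & $Caspol -q -machine -addgroup '1.' -url 'file://servername/pub/BIP/*' FullTrust -name 'BIP share'

# Verify: each assembly should now resolve to FullTrust and list the new group.
foreach ($a in $Assemblies) {
    & $Caspol -machine -resolveperm  (Join-Path $Share $a)
    & $Caspol -machine -resolvegroup (Join-Path $Share $a)
}
```

Run it in an elevated prompt on one user machine first, as Nicole suggests, and compare the -resolveperm output before and after the code groups are added.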


