How to securely publish a Click Once application

I want to provide a small Click Once application to a small number of
selected users, when the application is published on an otherwise public web server (I don't want everyone to have access to my application).

My first solution was to set up a virtual directory (the publish location) with "Anonymous Access" turned off - setting up a special username and password for it which I give to my selected users.

The users then 'log on' to the initial install page, and install the application. However, subsequent running of the application should check for any updates - but because the update location doesn't allow anonymous access, the application fails to log on and assumes that it's offline, so continues to use the initial version, never downloading any updates.

What am I missing? How can you securely publish a Click Once application to a public website?

I'm in the process of trying to do ClickOnce deployment/updates using forms
authentication. That way you can still have the website use anonymous access for the updates.
I will post back my results.
I have not been able to find anything via Google where anyone talks about this or gives examples.

I have also done an in-house only deployment using Integrated Authentication. I wrote up how I did this along with gotchas on my blog.
http://www.thedatafarm.com/blog/PermaLink.aspx?guid=3d77e65b-4367-4408-b230-ce609fe9ed88
Be sure to see the "Update about 2 hours later" at the bottom of the post.

julie lerman

just a quick update.

I'm stuck on the problem of the .exe and .application files not being protected by ISAPI. So even with using forms auth to get to the publishing page working properly, it is possible to browse directly to the setup.exe and app.application files without being authenticated.

I have tried to map those extensions, but there is something not working with that process - even for a .GIF file.

I'll be back...

julie

fyi: this is the official word (from the MSDN documentation) on deploying
click once securely:
"Therefore, if you are deploying offline applications (ClickOnce deployments in which you enable The application is available offline as well (launchable from Start menu) on the Publish page), any authentication scenario besides Windows NT authentication is unsupported. An acceptable solution would be to allow any user to install the application, but have the client application authenticate the user by means of Web services at activation."

I will, however, figure out how to do it with forms authentication! :-)

Hi Julie - thanks for the info at your two blog posts:
http://www.thedatafarm.com/blog/PermaLink.aspx?guid=3d77e65b-4367-4408-b230-ce609fe9ed88
http://www.thedatafarm.com/blog/PermaLink.aspx?guid=1b54b38b-a0be-4cda-a94f-7ed24183608c
Have you had any luck with a Forms Authentication solution yet?

I think I've got it worked out. I'm still just having one problem that is
unrelated - the server won't serve up exe files over the web. I'm having the I.T. guys see if the ISA Server is responsible.

So...

I shifted things around in the site to make life easier.

I created a folder called protected and copied the folders, the manifests and the setup.exe into there.

I marked that folder to deny all anonymous users. Then to ensure that the non asp.net files (eg app.application, setup.exe) would participate in forms authentication, I added a mapping. See "Securing Non-ASP.NET Files" in this quickstart page:
http://www.asp.net/QuickStart/aspnet/doc/tipstricks/default.aspx

It's not deployed yet, but looks like it's doing what I want.

Let me know how this works for you.

Julie

Rodney
an additional test showed that sticking everything in a protected folder made setup unhappy. I fiddled around with it and in the end, we must leave the folder hierarchy intact.

Forms authentication, deny all anonymous users and the mime setting to add non-asp.net apps to the forms authentication protection looks like the right combination.

still testing

julie

I realize I left out a key part of the quote. The reason WHY they don't
support forms authentication.

"However, ClickOnce uses persistent cookies; these present a security risk because they reside in the Internet Explorer cache and can be hacked."
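
The combination described earlier in the thread (forms authentication, denying anonymous users on the publish folder, and routing the non-ASP.NET deployment files through ASP.NET) could look like the web.config below. This is an added example, not configuration posted by anyone in the thread: the folder name `publish` and the page `Login.aspx` are assumptions, and the extension mapping itself is an IIS setting made outside this file.

```xml
<?xml version="1.0"?>
<!-- Added illustration. "publish" stands for the ClickOnce publish folder,
     left in its original hierarchy; "Login.aspx" is an assumed login page. -->
<configuration>
  <system.web>
    <!-- Forms authentication for the whole site. Unauthenticated requests
         to a protected URL are redirected to the login page. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- The rest of the public site stays open to anonymous visitors. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Only the publish folder is restricted. "?" means anonymous users. -->
  <location path="publish">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- These rules only apply to requests that reach ASP.NET. By default IIS
       serves static files itself, so setup.exe, *.application, *.manifest
       and *.deploy bypass forms authentication until their extensions are
       mapped to the ASP.NET ISAPI extension in the IIS application
       configuration (the "Securing Non-ASP.NET Files" step). -->
</configuration>
```

To check the result, request app.application and setup.exe directly from a browser session that has not logged in; each request should be redirected to the login page instead of downloading the file.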