I have an Outlook Add-In that's installed from a web server. This add-in works the same way as all other add-ins I've worked on in Office.
setup.exe is downloaded and executed
all prerequisites (.Net framework and such) are verified
vsto file is downloaded
So far, everybody installing this add-in has had no problems (this add-in has been in use for about a year). We have a new customer installing it on Windows 7 and we're seeing our first issue. Here's the error:
There was an error during installation:
Downloading http://<path and filename>.vsto did not succeed
***************** Exception Text******************
System.Deployment.Application.DeploymentDownloadException: Downloading http://<path and filename>.vsto did not succeed
System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required. ---> System.ComponentModel.Win32Exception: The token supplied to the function is invalid
at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)
at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
at System.Net.NtlmClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate)
at System.Net.NtlmClient.Authenticate(String challenge, WebRequest webrequest, ICredentials credentials)
at System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
at System.Net.HttpWebRequest.CheckResubmitForAuth()
at System.Net.HttpWebRequest.CheckSubmit(Exception& e)
--- End of inner exception stack trace ---
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
Obviously, I cannot duplicate from my location. My gut is telling me this customer's network security is causing an issue (my understanding is that they have a series of firewalls and such), but their Windows XP machines are having no problem installing.
Anybody see anything I'm missing?
In the end, the answer wasn't too difficult. What was happening is that, obviously, the user is behind a Proxy Server that's blocking the download of the VSTO file, as it didn't have the Proxy Credentials.
So, I've had to make an exception for these users, sending them all the files in a zip that they can install from.
Note that users that run into this MUST run a command to clear the ClickOnce app cache before proceeding; it looks like the mere attempt to install this was leaving some residuals behind that was causing a problem. If you don't already know, you can clear the app cache by running this command from the command prompt (or creating a .bat file containing):
rundll32 dfshim CleanOnlineAppCache
There is a MS KB (KB917952) that corrects ClickOnce deployment issues when using Proxy Authentication.
End users or IT can modify the machine.config to enable proxy authentication with their NTLM login. This will allow them to install ClickOnce or VSTO applications behind proxies that require authentication.
How To: Change your Default Proxy to always use your default credential (NTLM login).
Edit %windir%\Microsoft.NET\Framework\v4.0.30319\config\machine.config
Add the defaultProxy element shown below. Remember to add to an existing system.net section when one exists already.
<configuration>
..
<system.net>
<defaultProxy enabled="true" useDefaultCredentials="true"/>
</system.net>
...
</configuration>
Element (Network Settings)
useDefaultCredentials
Specifies whether the default credentials for this host are used to access the web proxy. The default value is false.
Related
I am trying to deploy the asp.net core Web API to the IIS. This application works perfectly fine on the Visual studio and also when I run the dll using the dotnet command. This application has the certificate for signing the JWT token. After deploying the application to IIS I am getting "HTTP Error 500.30 - ANCM In-Process Start Failure" and I checked the windows log and error message is
Host terminated unexpectedly.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified.at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)......
I checked the file path and file name everything is correct but some reason IIS is not able to load find the certificate file. Also, I checked the permission and it also looks good. Not sure why I am getting this error message
Also, I ran the same application dll file using the dotnet run command where IIS is pointing to but I am not getting any error. I am getting this error only after deployng to IIS.
On startup.cs file and configuration method I am getting error on this line.
var cert = new X509Certificate2("test_cert.pfx", pwdFrmVault);
I after searching for this error and googling, this solution worked for me. IIS Manager->application pool -> advanced settings ->Under Process model, Load User Profile to true. More detail on link
We have a plug-in that runs on Outlook 2016. Our plug-in is using VSTOInstaller.exe file to install new updates from the installation folder URL. Now, the certificate of our plug-in is about to expire, so we bought a new certificate and deployed a new version with the new certificate.
But during the installion of the new update with the new certificate, the plug-in have encountered a security error that is preventing it from updating to the new version, see error below:
Exception: Customized functionality in this application will not work because it has not been granted trust. The certificate used to sign the deployment manifest is unknown, and the customization itself (Time Tracking System) is not on the inclusion list. Contact your administrator for further assistance.
************** Exception Text **************
System.Security.SecurityException: Customized functionality in this application will not work because it has not been granted trust. The certificate used to sign the deployment manifest is unknown, and the customization itself (Time Tracking System) is not on the inclusion list. Contact your administrator for further assistance.
at Microsoft.VisualStudio.Tools.Office.Runtime.OfficeAddInDeploymentManager.VerifyAddInTrust(ClickOnceAddInTrustEvidence evidence)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.VerifySecurity(ActivationContext context, Uri manifest, AddInInstallationStatus installState)
at Microsoft.VisualStudio.Tools.Applications.Deployment.ClickOnceAddInDeploymentManager.InstallAddIn()
The Zone of the assembly that failed was:
MyComputer
After searching for a solution over the internet, I found this article: http://www.aivanoff.net/Blogs/Details/VSTOwithHSA256fail.
For short, changing the RSAKeyValue from the "HKEY_CURRENT_USER\Software\Microsoft\VSTO\Security\Inclusion" in the registry with the RSAKeyValue of the new certificate will fix the problem. I have tried this solution and it worked but this is not the kind of solution that we want to give to our users.
I have also tried solution from the URL below, but it did not work:
https://social.msdn.microsoft.com/Forums/vstudio/en-US/b1289353-91ab-4f3f-be20-6d65615441bd/security-trust-issue-only-on-some-client-machines-outlook-addin?forum=vsto
Could someone please let me know an explanation about why this error occur? And is there any other way to fix it?
Thanks,
Ben
I am trying to publish as ASP.NET Core project with a hosting provider that supports ASP.NET Core. I am getting 500 Internal Server Error which I believe is very common. So I searched through the internet and various forums and then I checked the processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" in web.config and they look to be correctly converted with processPath="dotnet" and arguments=".\MyApplication.dll".
I also checked the connection string and it points to production DB server that's working. I confirmed the DB connection by changing the connection string to production DB and running project local. It works and I get the production DB access.
I also tried to get the error info by using the below in my Startup.cs (irrespective of env):
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
app.UseBrowserLink();
I have also enabled stdoutLog in web.config, but I don't see that folder either:
stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout"
I also tried to change applicationUrl and launchUrl in launchSettings.json to my prod Url, but that didn't work as well.
So, the 500 Internal Server Error refuses to go away, and I still don't have a useful error message. The page just says:
Oops.
500 Internal Server Error
An error occurred while starting the application.
I would really appreciate if someone could help me here.
I have also enabled stdoutLog in web.config as but I don't see that folder either:
stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout"
There is one trick here - you must create both folders logs and stdout manually - then and only then IIS will create log file inside logs folder (not stdout as you could expect) - don't ask me why, because I don't know why ;)
Oops. 500 Internal Server Error An error occurred while starting the application.
Usually, means problems with a configuration in Startup.cs - the most common problems include an issue with DB itself, an issue with migrations (if you are using Code First approach), problems with appsettings.js, problems with Social Logins credentials (like missing SecretKey)...
Please refer to log file in .\logs\stdout - this is the quickest way to find details about the problem :)
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
Those will work after your WebApp fully started, but not while starting the application.
in web.config file change modules="AspNetCoreModuleV2" to modules="AspNetCoreModule"
and watch this video
https://www.youtube.com/watch?v=clCR3k6kkD8
Thanks to Lukasz for his comments. I was able to see the log and it stated that "ClientId option must be provided". The problem was with the UserSecrets. Since secrets.json is only available in Development, there were no secrets found in Production. Once I had the secrets in my appSettings.json, it worked fine.
Moreover, To replicate this in Local environment, just go to Project properties and change the environment variable ASPNETCORE_ENVIRONMENT to 'Production' and run in local. This will replicate the 500 Internal Server Error in local and you'll get the error message.
Also, ensure that the ASP.NET Core Windows Server Hosting bundle is installed. THis creates a reverse proxy between IIS and the Kestral server.
More Info:
https://learn.microsoft.com/en-us/aspnet/core/publishing/iis?tabs=aspnetcore2x#tabpanel_tfsY37MhAQ_aspnetcore2x
I would like to add some more info to #Lukasz Makowej answer.
I found out the reason why to have to create the folder, in microsoft documentation it is said that:
stdoutLogFile - Optional string attribute.
".....Any folders provided in the path must exist in order for the module to create the log file...."
So you have to create it yourself :)
Check it out here:
https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/aspnet-core-module?view=aspnetcore-2.0
I also must said that in my case I had to validate that the web-site had the permissions to access to the "log" folder.
Make sure your web.config is good. I've been stomped more than once by a syntactically good web.config that referred to a module (Rewrite) that wasn't on the server. No error messages anywhere, other than the 500 response error.
Std log wasn't working for me, I had to uninstall all .ENT Core runtime / SDK versions from the server and my local to install the latest one and it worked after publishing everything again from scratch.
Another thing that helped was binding the IIS app to port 5000 without any dns so it actually showed me errors on http://localhost:5000
Encountered this issue yesterday, we also had no logging, no eventlog message whatsoever.
Then we checked the site's authentication settings via the IIS-manager to double-check the settings. And pop suddenly a popup with an error message 'Error on line XXXX'.
Turned out the configuration section was locked in the website's config at server-level.
So try unlocking the relevant IIS configuration settings at server level, as follows:
Open IIS Manager
Select the server in the Connections pane
Open Configuration Editor in the main pane
In the Sections drop down, select the section to unlock, e.g. system.webServer => security => authentication
Click Unlock Attribute in the right pane
Repeat for any other settings which you need to unlock
Restart IIS (optional) - Select the server in the Connections pane, click Restart in the Actions pane
I am using Windows Explorer to test the WebDAV implementation I am adapting to our system. The implementation is using IIS Express and is launched by Visual Studio 2013. I turned off Windows Explorer's requirement for SSL with WebDAV so I can test basic authentication (which works).
The problem I am having is with the Write method of the DavFile implementation. I connect to the web folder, navigate to a sub folder, then attempt to copy a JPG file from a folder on my computer's hard drive, into the WebDAV sub folder (using Windows Explorer).
The attempt to copy up a file (854kb) fails. When I set a break point, I notice that the "segment" stream (one of the input parameters on the "write" method, shows 0 (zero) bytes length.
Any tips on how to debug this problem? What is the most likely cause of 0 byte in the stream?
Here are some ideas about how to understand what is going wrong:
Examine the server log for exceptions. By default it is called WebDAVLog.txt and located in \App_Data\WebDAV\Logs\ folder. Are there any exceptions in it? Check your server log and make sure all requests were successful.
Examine WebDAV requests with a Fiddler tool or any other debugging proxy. While all requests that reached the WebDAV server Engine are logged, if the request failed before hitting the Engine you will not see it in a log. Usually this happens if the request failed during authentication stage.
Note that to capture requests using Fiddler on 'localhost' you must use 'localhost.fiddler' instead of 'localhost' when connecting to server, for example: http://localhost.fiddler:1234.
Exclude any client side issues. Finally there could be issues with client software that you are using, including with Microsoft miniredirector. Try to access server from any other machine. To get the idea if the problem is on the client or server side try also to reproduce the issue on ajaxbrowser.com.
You can post a part of the WebDAVLog.txt or fiddler log here or send it to IT Hit, it may give the idea of what is wrong.
I'm trying to call Apache ActiveMQ NMS Version 1.6.0 from my code ('IntPub') that must run in a sandbox in a .NET 4.0 environment for security reasons. The program that creates the sandbox makes my code 'partially trusted' and therefore 'security-transparent' which seems to mean that it can't create a ConnectionFactory (see error log below) because NMS seems to be 'security-critical'. Here's the code that's causing this error:
connecturi = new Uri("tcp://my.server.com:61616");
var connectionFactory = new ConnectionFactory(connecturi);
I also tried this instead with similar results:
connecturi = new Uri("activemq:tcp://my.server.com:61616");
var connectionFactory = NMSConnectionFactory.CreateConnectionFactory(connecturi);
Since I can't change the security level of my assembly (the sandbox prevents it) is there a way to make NMS run as 'safe-critical' so it can be called by 'security-transparent' code? Would I have to recompile it to do so, or does NMS do some operation that would never be considered 'safe-critical?
I appreciate any help or suggestions...
Assembly 'IntPub, Version=1.0.0.0, Culture=neutral, PublicKeyToken=6fa620743b8dc60a' is partially trusted, which causes the CLR to make it entirely security transparent regardless of any transparency annotations in the assembly itself. In order to access security critical code, this assembly must be fully trusted.Detail:
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
<ErrorCode>-2147220956</ErrorCode>
<ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
<Message>Unexpected exception from plug-in (Execute): Test.Client: System.MethodAccessException: Attempt by security transparent method 'Test.Client.Execute(System.IServiceProvider)' to access security critical method 'Apache.NMS.ActiveMQ.ConnectionFactory..ctor(System.Uri)' failed.
From the error message attributes, it looks like you're running a Dynamics CRM 2011 plugin in sandbox mode, which has some very specific rules about what you can and can't do. In particular, you're only allowed to make network connections via HTTP and HTTPS, so attempting raw TCP sockets will definitely fail.
Take a look at this MSDN page on Plug-in Isolation, Trusts, and Statistics. It looks like there may be a way to relax the network restrictions by modifying a system registry entry to include tcp, etc, in the regex value. Below is an excerpt from the page. Note: I have not done this myself, so can't say for sure it'll work.
Sandboxed plug-ins and custom workflow activities can access the
network through the HTTP and HTTPS protocols. This capability provides
support for accessing popular web resources like social sites, news
feeds, web services, and more. The following web access restrictions
apply to this sandbox capability.
Only the HTTP and HTTPS protocols are allowed.
Access to localhost (loopback) is not permitted.
IP addresses cannot be used. You must use a named web address that requires DNS name resolution.
Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or saving those credentials.
These default web access restrictions are defined in a registry key on
the server that is running the Microsoft.Crm.Sandbox.HostService.exe
process. The value of the registry key can be changed by the System
Administrator according to business and security needs. The registry
key path on the server is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM\SandboxWorkerOutboundUriPattern
The key value is a regular expression string that defines the web access restrictions.
The default key value is:
"^http[s]?://(?!((localhost[:/])|([.])|([0-9]+[:/])|(0x[0-9a-f]+[:/])|(((([0-9]+)|(0x[0-9A-F]+)).){3}(([0-9]+)|(0x[0-9A-F]+))[:/]))).+";*
By changing this registry key value, you can change the web access for sandboxed plug-ins.