We are trying to allow users to scan documents using a Silverlight XAP running in-browser with elevated trust, from a remote server, and are getting the following error:
Unhandled Error in Silverlight Application Failed to create an object instance for the specified ProgID.
The failure is at the following line:
Dim CommonDialog = AutomationFactory.CreateObject("WIA.CommonDialog")
Application.Current.HasElevatedPermissions and AutomationFactory.IsAvailable both return True.
I can successfully create an instance of unsafe ActiveX controls, e.g. Scripting.FileSystemObject:
Dim fso = AutomationFactory.CreateObject("Scripting.FileSystemObject")
The code fails when running from the production environment on the remote server. When running from the ASP.NET Development server from localhost, the code succeeds, and the WIA scanning dialog is shown when calling CommonDialog.ShowAcquireImage().
How can I resolve this? (Is there perhaps something specific about WIA that prevents it from being used this way?) What steps can I take to try and debug this?
Update
When I try to open the generated Silverlight test page (via the file protocol), I get the same error.
Update 2
Process Monitor shows that the AllowLaunchOfElevatedTrustApps and AllowElevatedTrustAppsInBrowser keys are being successfully queried.
Update 3
With Protected Mode turned off, the code works.
The MSDN reference states that to enable COM Interop inside the browser, you must
Set Registry Key HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\ (or on x64 HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Silverlight\) AllowElevatedTrustAppsInBrowser DWORD 0x0000001
Check your group policy has not disabled AllowInstallOfElevatedTrustApps and AllowLaunchOfElevatedTrustApps
Sign the .xap
Install cert to Trusted Application Store (see screenshots illustrating how)
Additionally, you must
configure as Out of Browser Application (even if you are not running Out of Browser)
before calling the ComAutomationFactory.CreateObject you should check for Application.Current.HasElevatedPermissions and AutomationFactory.IsAvailable
note that Elevated Permission testing from http://localhost and http://127.0.0.1 is not reliable test, as Silverlight runtime makes exception for these two URLs. Instead use file://.
Troubleshooting
Use ProcMon to verify that the AllowElevatedTrustAppsInBrowser registry key is being read
Attach Debugger to Silverlight (see screenshots)
MSIE Protected Mode settings can also adversely affect whether a Silverlight application can run with Elevated Permissions. Try running with different Protected Mode settings.
Related
I am creating a Nancy Module that will eventually be hosted inside of a Windows Service. I am currently running it inside of a WPF test application. To start the Nancy hosting, I am using Nancy.Hosting.Self and calling:
nancyHost = new Nancy.Hosting.Self.NancyHost(new Uri("http://localhost:8080"));
nancyHost.Start();
On my local machine I am able to go to a web browser and access my module by entering http://localhost:8080 into the address bar.
If I go to another machine I am not able to access the service. My Windows Firewall is turned off.
If I start the hosting with anything other than localhost in the baseUri, I get an "access denied" exception upon calling nancyHost.Start();
Is there something that I am missing? Should I be able to access the Nancy module from any machine as long as I know the IP:Port to the machine doing the hosting? Is there any type of "host headering" that I need to be aware of?
Thanks for your help with this.
Windows will prevent you from listening on ports without permission. You can either run your process as administrator, or add permission using "netsh":
netsh http add urlacl url=http://+:8080/app user=domain\user
The "+" is a wildcard so it can listen on any IP.
Normally you'd handle the latter during installation, so you may want to run as admin to debug, then make sure your installer sets the relevant permissions.
For local debugging, use
http://+:8733/Design_Time_Addresses
You can add any subdirectory you like, for example
http://+:8733/Design_Time_Addresses/myService
and debug it at
http://localhost:8733/Design_Time_Addresses/myService
without running your IDE (Visual Studio?) as Administrator.
Look this: Self-Hosting-Nancy
The Host Configuration: UrlReservations, add under code:
var configuration = new HostConfiguration
{
UrlReservations = new UrlReservations { CreateAutomatically = true }
};
OK, you can create your host!~
I have a SL navigation application, that currently runs on a shared hosting package with a 3rd party ISP. I can login, and register using the ASP.NET membership and role providers.
I have now setup a dedicated server, on which only my app will run. It does not yet have a domain name that points to it... I access it via an IP address.
I've copied the entire site (including the ClientBin and all the XAP's) to the new server, but the Authentication and Registration services don't work... they just return NotFound.
When I check Fiddler on the working site, this service is called :
www.myaddress.com/ClientBin/MyApp-Web-AuthenticationService.svc/binary/Login
which of course succeeds. However, on the other site, the fiddler trace looks the same (because I just copied the site) :
123.123.123.123/ClientBin/MyApp-Web-AuthenticationService.svc/binary/Login
but, the call fails with NotFound. Fiddler reports it as HTTP/1.1 500 Internal Server Error. When I open
http://localhost/ClientBin/MyApp-Web-AuthenticationService.svc/binary/Login
on the server, I get the HTTP/1.1 500, as well as this description :
Handler "svc-Integrated" has a bad module "ManagedPipelineHandler" in its module list
Which leads me to believe that there is something wrong with my IIS config, as the exact same code is working on another system.
What is a "bad module"? How do I fix it?
Normally this type of error is that ASP.Net is not activated or that a handler for svc is not registered or registered correctly.
In your case is looks a bit different. It could be that you have .net framework 4.0 code that you are trying to run in a .net framework 2.0 application pool.
IIS 500 errors often show up with more information in the Windows Event log - if you can somehow get access to that?
Also I've noticed that often the server will actually send debugging output back to the client that everything seems to ignore. Have you checked the entire raw response that is coming back from the server to see if there are any clues there?
What is the correct way of handling errors on the client side of Silverlight applications? I tried building a service endpoint that would receive details about the error and then would write that string to the database. The problem is, the error's text exceeds the maximum byte length, so I can't send the exception message and stacktrace. What would be a better way of handling errors that end up at the client side?
Try handling faults...I used this pattern from MSDN
http://msdn.microsoft.com/en-us/library/dd470096%28VS.96%29.aspx
If you find you message is too long to send to your logging web service then try setting your binding properties such as maxBufferSize and maxStringContentLength to appropriately large values. They default to 16KB, personally i have set mine to 2147483647 (which is int.MaxValue).
Obviously you cannot send the raw exception straight to the logging web service (exceptions are not serializable), what i did was write a function that takes an exception and walks it, translating it into a WCF friendly structure that can then be passed to my logging end point. Of course you need to ensure that if this fails you have a backup plan, like maybe logging it to isolated storage if you are running in browser, or logging it to the user's file system if you are running elevated OOB.
You should not be considering logging of error messages via a service. What if the error that you want to log is related to the service itself? Maybe the server that hosts all dependant services (including the error logging service) is not reachable or down. client errors should be logged on the client side and periodically flushed to the server when connectivity to service is available.
Thats what I would do...
Take a look at the new Silverlight Integration Pack for Enterprise Library from Microsoft patterns & practices. It provides plumbing for both logging (client-side and via a remote service) and exception handling with flexible configuration of policies via config or programmatically.
I am using SQL Server 2008 Reporting Services and set mode remotely. All is going fine and reports running on my machine. I am not using report viewer control, but switch to browser.
Problem is that when I access the report from any other system in browser by providing required url. I m getting the following premission error:
Server Error in /ReportServer Application. Access is denied:
Description: An error is occured while
accessing the resources required to
serve for this request. You might have
not premission to view the requested
resources. Error message: 401.3 : You
dont have the premission to view this
directory or page using the
creditinals you supplied.
I have go through all step of this article "http://msdn.microsoft.com/en-us/library/ms365170.aspx" and set remotly premession but after all changes no success and getting same error.
Please some one can tell me or provide step list, that how can I set the premession? that the report can run from other machine. Quick and detail response will
This link should give you some more steps to follow to set up the permissions as this sounds like a permissions error.
http://technet.microsoft.com/en-us/library/aa337491.aspx
Also .... does it prompt for a username and password when you visit the site from another machine? if not you may need to add the required authentication methods into IIS (just an idea)
Then create a local (or domain) account for people to use to browse reports and use the properties tab on the report server home page to add them as 'Browser' type members.
When you visit the reports site from another PC it should prompt for sign in details (may not on a domain - not sure), if it errors before showing the home page then it is a security config issue, once you get in you may have a bit more tinkering to do to get the reports to run, but you tend to get slightly more verbose descriptions then so its not too hard to figure out and it normally database security permissions related.
Best of luck.
CB
I am trying to impersonate a domain user account in a WPF application so the application can write to a folder on the network. The domain user has sufficient rights to write to this location.
I'm using some code found on the net to perform the impersonation.
Basically, it calls the native LogonUser method which returns a security token, then create a new WindowsIdentity passing the token and finally calling the windowsIdentity.Impersonate() method.
I get no exceptions executing above logic.
Calling WindowsIdentity.GetCurrent() -> returns impersonated identity.
Writing to the UNC path -> UnauthorizedAccess exception.
So, I inspect the Thread.CurrentPrincipal object before I try to write the file, this has a GenericPrincipal, and not a WindowsPrincipal with the impersonated WindowsIdentity.
So in the startup of the application I set the AppDomain.CurrentAppDomain.SetPrincipalPolicy to PrincipalPolicy.Impersonate.
I restart my application...
Before my call to impersonate, i can see my own credentials on Thread.CurrentPrincipal, the ones that i'm using to log onto my development machine and which is executing my WPF program.
I again try to run the impersonation logic, again I see the impersonated identity on WindowsIdentity.GetCurrent, all seems fine, no exceptions
However on Thread.GetCurrentPrincipal I still see my own credentials, and if I look at the AuthenticationType property, there is an UnauthorizedException (which is only visible in the debugger, it is not being thrown in the application !!). I let the code run.
Again, UnauthorizedAccess when trying to write my file on the UNC location.
Last thing I tried is to create a new WindowsPrincipal with WindowsIdentity.GetCurrent()
and I explicitly set it on Thread.Current, but same result.
UnauthorizedAccess when a write to the UNC location.
I'm out of ideas :)
Does the machine with network share belong is in the domain?
Did you try accessing network share using that domain account? For instance using "Run As...".
In LogonUser function try to use LOGON32_LOGON_NETWORK flag, when doing logon.
Also to see if impersonation actually took place try to enable auditing of Logon/Logoff events from security policy (info link)