From 149c2454c1a8a6f1cd5f62bf7569edec9c84261d Mon Sep 17 00:00:00 2001 From: "Mike Jones (DOCS)" Date: Thu, 20 Jun 2024 17:04:12 -0700 Subject: [PATCH 1/3] Remove IE references --- docs/deployment/securing-clickonce-applications.md | 4 ++-- ...-client-configuration-issues-in-clickonce-deployments.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/deployment/securing-clickonce-applications.md b/docs/deployment/securing-clickonce-applications.md index afe0eff2e4c..fbbbcd1383a 100644 --- a/docs/deployment/securing-clickonce-applications.md +++ b/docs/deployment/securing-clickonce-applications.md 
@@ -23,7 +23,7 @@ ClickOnce applications are subject to code access security constraints in the .N Additionally, ClickOnce uses certificates to verify the authenticity of the application's publisher, and to sign the application and deployment manifests to prove that the files have not been tampered with. Signing is an optional step, which makes it easier to change the application files after the manifests are generated. However, without signed manifests, it is difficult to ensure that the application installer is not tampered in man-in-the-middle security attacks. For this reason, we recommend that you sign your application and deployment manifests to help secure your applications. ## Zones - Applications that are deployed using ClickOnce technology are restricted to a set of permissions and actions that are defined by the security zone. Security zones are defined in Internet Explorer, and are based on the location of the application. The following table lists the default permissions based on the deployment location: + Applications that are deployed using ClickOnce technology are restricted to a set of permissions and actions that are defined by the security zone. Security zones are defined in the browser, and are based on the location of the application. The following table lists the default permissions based on the deployment location: |Deployment Location|Security Zone| |-------------------------|-------------------| 
@@ -57,7 +57,7 @@ ClickOnce applications are subject to code access security constraints in the .N ## ASP.NET form-based authentication If you want to control which deployments each user can access, you should not enable anonymous access to ClickOnce applications deployed on a Web server. Rather, you would enable users access to the deployments you have installed based on a user's identity using Windows authentication. - ClickOnce does not support ASP.NET forms-based authentication because it uses persistent cookies; these present a security risk because they reside in the Internet Explorer cache and can be hacked. Therefore, if you are deploying ClickOnce applications, any authentication scenario besides Windows authentication is unsupported. + ClickOnce does not support ASP.NET forms-based authentication because it uses persistent cookies; these present a security risk because they reside in the browser cache and can be hacked. Therefore, if you are deploying ClickOnce applications, any authentication scenario besides Windows authentication is unsupported. ## Pass arguments An additional security consideration occurs if you have to pass arguments into a ClickOnce application. ClickOnce enables developers to supply a query string to applications deployed over the Web. The query string takes the form of a series of name-value pairs at the end of the URL used to start the application: diff --git a/docs/deployment/server-and-client-configuration-issues-in-clickonce-deployments.md b/docs/deployment/server-and-client-configuration-issues-in-clickonce-deployments.md index 974e14fa6dc..c12eea872dd 100644 --- a/docs/deployment/server-and-client-configuration-issues-in-clickonce-deployments.md +++ b/docs/deployment/server-and-client-configuration-issues-in-clickonce-deployments.md 
@@ -38,7 +38,7 @@ If you use Internet Information Services (IIS) on Windows Server, and your deplo You will have to configure *.manifest*, *.application*, and *.deploy*, for example, if you are using IIS where you have not installed the .NET Framework, or if you are using another Web server (for example, Apache). ## ClickOnce and Secure Sockets Layer (SSL) - A ClickOnce application will work fine over SSL, except when Internet Explorer raises a prompt about the SSL certificate. The prompt can be raised when there is something wrong with the certificate, such as when the site names do not match or the certificate has expired. To make ClickOnce work over an SSL connection, make sure that the certificate is up-to-date, and that the certificate data matches the site data. + A ClickOnce application will work fine over SSL, except when the browser raises a prompt about the SSL certificate. The prompt can be raised when there is something wrong with the certificate, such as when the site names do not match or the certificate has expired. To make ClickOnce work over an SSL connection, make sure that the certificate is up-to-date, and that the certificate data matches the site data. ## ClickOnce and proxy authentication ClickOnce provides support for Windows Integrated proxy authentication starting in .NET Framework 3.5. No specific machine.config directives are required. ClickOnce does not provide support for other authentication protocols such as Basic or Digest. 
@@ -48,13 +48,13 @@ If you use Internet Information Services (IIS) on Windows Server, and your deplo For more information, see [\ element (network settings)](/dotnet/framework/configure-apps/file-schema/network/defaultproxy-element-network-settings). ## ClickOnce and Web browser compatibility - Currently, ClickOnce installations will launch only if the URL to the deployment manifest is opened using Internet Explorer. A deployment whose URL is launched from another application, such as Microsoft Office Outlook, will launch successfully only if Internet Explorer is set as the default Web browser. + Currently, ClickOnce installations will launch only if the URL to the deployment manifest is opened using the browser. A deployment whose URL is launched from another application, such as Microsoft Office Outlook, will launch successfully only if Internet Explorer is set as the default Web browser. > [!NOTE] > Mozilla Firefox is supported if the deployment provider is not blank or the Microsoft .NET Framework Assistant extension is installed. This extension is packaged with .NET Framework 3.5 SP1. For XBAP support, the NPWPF plug-in is activated when needed. ## Activate ClickOnce applications through browser scripting - If you have developed a custom Web page that launches a ClickOnce application using Active Scripting, you may find that the application will not launch on some machines. Internet Explorer contains a setting called **Automatic prompting for file downloads**, which affects this behavior. This setting is available on the **Security** Tab in its **Options** menu that affects this behavior. It is called **Automatic prompting for file downloads**, and it is listed underneath the **Downloads** category. The property is set to **Enable** by default for intranet Web pages, and to **Disable** by default for Internet Web pages. 
When this setting is set to **Disable**, any attempt to activate a ClickOnce application programmatically (for example, by assigning its URL to the `document.location` property) will be blocked. Under this circumstance, users can launch applications only through a user-initiated download, for example, by clicking a hyperlink set to the application's URL. + If you have developed a custom Web page that launches a ClickOnce application using Active Scripting, you may find that the application will not launch on some machines. The browser contains a setting such as **Automatic prompting for file downloads**, which affects this behavior. This browser setting is typically listed underneath the **Downloads** category, and is enabled by default. When this setting is disabled, any attempt to activate a ClickOnce application programmatically (for example, by assigning its URL to the `document.location` property) will be blocked. Under this circumstance, users can launch applications only through a user-initiated download, for example, by clicking a hyperlink set to the application's URL. ## Additional server configuration issues From ffe8c48df3b8d7a8e1f116372af2fc3327508274 Mon Sep 17 00:00:00 2001 From: "Mike Jones (DOCS)" Date: Thu, 20 Jun 2024 17:13:31 -0700 Subject: [PATCH 2/3] edit --- docs/deployment/clickonce-security-and-deployment.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/deployment/clickonce-security-and-deployment.md b/docs/deployment/clickonce-security-and-deployment.md index 539956e8964..3fc386b6f45 100644 --- a/docs/deployment/clickonce-security-and-deployment.md +++ b/docs/deployment/clickonce-security-and-deployment.md @@ -107,7 +107,6 @@ ClickOnce is a deployment technology that enables you to create self-updating Wi |Browser|.NET Framework version| |-------------|----------------------------| -|Internet Explorer|2.0, 3.0, 3.5, 3.5 SP1, 4| |Firefox|2.0 SP1, 3.5 SP1, 4| |Chrome|3.5| |Microsoft Edge|3.5| 
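Review bot: In the `## Zones` paragraph of docs/deployment/securing-clickonce-applications.md (PATCH 1/3, hunk @@ -23,7 +23,7 @@), "Security zones are defined in the browser" no longer tells the reader where the zones come from, while the table that follows still maps deployment locations to named zones such as Local Intranet Zone. These are the Windows URL security zones configured through Internet Options, not a per-browser setting, so name that source instead, for example "Security zones are defined in Windows (Internet Options), and are based on the location of the application."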
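Review bot: The replacement line under `## ASP.NET form-based authentication` (PATCH 1/3, hunk @@ -57,7 +57,7 @@) keeps "can be hacked", which gives an administrator nothing to act on, and "the browser cache" now names no particular store. Say what the exposure is, for example that a persistent authentication cookie stored on disk can be copied and reused by anyone who can read the user's profile. The heading also says "form-based" while the sentence says "forms-based"; pick one.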
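Review bot: The second sentence of the changed line under `## ClickOnce and Web browser compatibility` (PATCH 1/3, hunk @@ -48,13 +48,13 @@) still reads "only if Internet Explorer is set as the default Web browser", so the commit does not do what its subject says, and the first sentence now reads "opened using the browser" without saying which browser. Name the supported browsers or point to the compatibility table in clickonce-security-and-deployment.md. In the same hunk, the scripting paragraph replaces "**Enable** by default for intranet Web pages, and **Disable** by default for Internet Web pages" with "enabled by default", which drops the Internet-zone default that explained why activation through `document.location` gets blocked; keep the per-zone defaults or confirm they no longer apply.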
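Review bot: Deleting the `|Internet Explorer|2.0, 3.0, 3.5, 3.5 SP1, 4|` row (PATCH 2/3, hunk @@ -107,7 +107,6 @@) leaves the rows visible in this hunk with no browser listed for .NET Framework 2.0 or 3.0, since Firefox starts at 2.0 SP1 and Chrome and Microsoft Edge list only 3.5. Add a sentence saying those versions are no longer covered, or extend a remaining row if they are. The commit subject "edit" should also say that the row was removed.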
From b17113fa05c3dc6e2b3bbb82393ef01900b8bc75 Mon Sep 17 00:00:00 2001 From: "Mike Jones (DOCS)" Date: Tue, 25 Jun 2024 10:56:16 -0700 Subject: [PATCH 3/3] Acrolinx edits --- .../clickonce-security-and-deployment.md | 14 ++++---- .../securing-clickonce-applications.md | 12 +++---- ...uration-issues-in-clickonce-deployments.md | 36 +++++++++---------- 3 files changed, 31 insertions(+), 31 deletions(-) diff --git a/docs/deployment/clickonce-security-and-deployment.md b/docs/deployment/clickonce-security-and-deployment.md index 3fc386b6f45..b53ef011715 100644 --- a/docs/deployment/clickonce-security-and-deployment.md +++ b/docs/deployment/clickonce-security-and-deployment.md 
@@ -25,7 +25,7 @@ ClickOnce is a deployment technology that enables you to create self-updating Wi - **Difficulties in updating applications.** With Microsoft Windows Installer deployment, whenever an application is updated, the user can install an update, an msp file, and apply it to the installed product; with ClickOnce deployment, you can provide updates automatically. Only those parts of the application that have changed are downloaded, and then the full, updated application is reinstalled from a new side-by-side folder. -- **Impact to the user's computer.** With Windows Installer deployment, applications often rely on shared components, with the potential for versioning conflicts; with ClickOnce deployment, each application is self-contained and cannot interfere with other applications. +- **Impact to the user's computer.** With Windows Installer deployment, applications often rely on shared components, with the potential for versioning conflicts; with ClickOnce deployment, each application is self-contained and can't interfere with other applications. - **Security permissions.** Windows Installer deployment requires administrative permissions and allows only limited user installation; ClickOnce deployment enables non-administrative users to install and grants only those Code Access Security permissions necessary for the application. 
@@ -36,13 +36,13 @@ ClickOnce is a deployment technology that enables you to create self-updating Wi ClickOnce applications can be self-updating; they can check for newer versions as they become available and automatically replace any updated files. The developer can specify the update behavior; a network administrator can also control update strategies, for example, marking an update as mandatory. Updates can also be rolled back to an earlier version by the end user or by an administrator. For more information, see [Choose a ClickOnce update strategy](../deployment/choosing-a-clickonce-update-strategy.md). - Because ClickOnce applications are isolated, installing or running a ClickOnce application cannot break existing applications. ClickOnce applications are self-contained; each ClickOnce application is installed to and run from a secure per-user, per-application cache. ClickOnce applications run in the Internet or Intranet security zones. If necessary, the application can request elevated security permissions. For more information, see [Secure ClickOnce applications](../deployment/securing-clickonce-applications.md). + Because ClickOnce applications are isolated, installing or running a ClickOnce application can't break existing applications. ClickOnce applications are self-contained; each ClickOnce application is installed to and run from a secure per-user, per-application cache. ClickOnce applications run in the Internet or Intranet security zones. If necessary, the application can request elevated security permissions. For more information, see [Secure ClickOnce applications](../deployment/securing-clickonce-applications.md). ## How ClickOnce security works The core ClickOnce security is based on certificates, code access security policies, and the ClickOnce trust prompt. ### Certificates - Authenticode certificates are used to verify the authenticity of the application's publisher. 
By using Authenticode for application deployment, ClickOnce helps prevent a harmful program from portraying itself as a legitimate program coming from an established, trustworthy source. Optionally, certificates can also be used to sign the application and deployment manifests to prove that the files have not been tampered with. For more information, see [ClickOnce and Authenticode](../deployment/clickonce-and-authenticode.md). Certificates can also be used to configure client computers to have a list of trusted publishers. If an application comes from a trusted publisher, it can be installed without any user interaction. For more information, see [Trusted application deployment overview](../deployment/trusted-application-deployment-overview.md). + Authenticode certificates are used to verify the authenticity of the application's publisher. By using Authenticode for application deployment, ClickOnce helps prevent a harmful program from portraying itself as a legitimate program coming from an established, trustworthy source. Optionally, certificates can also be used to sign the application and deployment manifests to prove that the files haven't been tampered with. For more information, see [ClickOnce and Authenticode](../deployment/clickonce-and-authenticode.md). Certificates can also be used to configure client computers to have a list of trusted publishers. If an application comes from a trusted publisher, it can be installed without any user interaction. For more information, see [Trusted application deployment overview](../deployment/trusted-application-deployment-overview.md). ### Code access security Code access security helps limit the access that code has to protected resources. In most cases, you can choose the Internet or Local Intranet zones to limit the permissions. Use the **Security** page in the **ProjectDesigner** to request the zone appropriate for the application. 
You can also debug applications with restricted permissions to emulate the end-user experience. For more information, see [Code access security for ClickOnce applications](../deployment/code-access-security-for-clickonce-applications.md). @@ -51,7 +51,7 @@ ClickOnce is a deployment technology that enables you to create self-updating Wi If the application requests more permissions than the zone allows, the end user can be prompted to make a trust decision. The end user can decide if ClickOnce applications such as Windows Forms applications, Windows Presentation Foundation applications, console applications, XAML browser applications, and Office solutions are trusted to run. For more information, see [How to: Configure the ClickOnce trust prompt behavior](../deployment/how-to-configure-the-clickonce-trust-prompt-behavior.md). ## How ClickOnce deployment works - The core ClickOnce deployment architecture is based on two XML manifest files: an application manifest and a deployment manifest. The files are used to describe where the ClickOnce applications are installed from, how they are updated, and when they are updated. + The core ClickOnce deployment architecture is based on two XML manifest files: an application manifest and a deployment manifest. The files are used to describe where the ClickOnce applications are installed from, how they're updated, and when they're updated. ### Publish ClickOnce applications The application manifest describes the application itself. This includes the assemblies, the dependencies and files that make up the application, the required permissions, and the location where updates will be available. The application developer authors the application manifest by using the Publish Wizard in Visual Studio (Publish tool for .NET Core and .NET 5+) or the Manifest Generation and Editing Tool (*Mage.exe*) in the Windows Software Development Kit (SDK). For more information, see: 
@@ -65,17 +65,17 @@ ClickOnce is a deployment technology that enables you to create self-updating Wi [!INCLUDE[ndptecclick](../deployment/includes/dotnet-dotnetmage-exe.md)] ### Deploy ClickOnce applications - After it is created, the deployment manifest is copied to the deployment location. This can be a Web server, network file share, or legacy media such as a CD. The application manifest and all the application files are also copied to a deployment location that is specified in the deployment manifest. This can be the same as the deployment location, or it can be a different location. When using the **Publish Wizard** in Visual Studio, the copy operations are performed automatically. + After it's created, the deployment manifest is copied to the deployment location. This can be a Web server, network file share, or legacy media such as a CD. The application manifest and all the application files are also copied to a deployment location that is specified in the deployment manifest. This can be the same as the deployment location, or it can be a different location. When using the **Publish Wizard** in Visual Studio, the copy operations are performed automatically. ### Install ClickOnce applications - After it is deployed to the deployment location, end users can download and install the application by clicking an icon representing the deployment manifest file on a Web page or in a folder. In most cases, the end user is presented with a simple dialog box asking the user to confirm installation, after which installation proceeds and the application is started without additional intervention. In cases where the application requires elevated permissions or if the application is not signed by a trusted certificate, the dialog box also asks the user to grant permission before the installation can continue. Though ClickOnce installs are per-user, permission elevation may be required if there are prerequisites that require administrator privileges. 
For more information about elevated permissions, see [Securing ClickOnce applications](../deployment/securing-clickonce-applications.md). + After it's deployed to the deployment location, end users can download and install the application by clicking an icon representing the deployment manifest file on a Web page or in a folder. In most cases, the end user is presented with a simple dialog box asking the user to confirm installation, after which installation proceeds and the application is started without additional intervention. In cases where the application requires elevated permissions or if the application isn't signed by a trusted certificate, the dialog box also asks the user to grant permission before the installation can continue. Though ClickOnce installs are per-user, permission elevation may be required if there are prerequisites that require administrator privileges. For more information about elevated permissions, see [Securing ClickOnce applications](../deployment/securing-clickonce-applications.md). Certificates can be trusted at the machine or enterprise level, so that ClickOnce applications signed with a trusted certificate can install silently. For more information about trusted certificates, see [Trusted application deployment overview](../deployment/trusted-application-deployment-overview.md). The application can be added to the user's **Start** menu and to the **Add or Remove Programs** group in the **Control Panel**. Unlike other deployment technologies, nothing is added to the **Program Files** folder or the registry, and no administrative rights are required for installation > [!NOTE] -> It is also possible to prevent the application from being added to the **Start** menu and **Add or Remove Programs** group, in effect making it behave like a Web application. For more information, see [Choose a ClickOnce deployment strategy](../deployment/choosing-a-clickonce-deployment-strategy.md). 
+> It's also possible to prevent the application from being added to the **Start** menu and **Add or Remove Programs** group, in effect making it behave like a Web application. For more information, see [Choose a ClickOnce deployment strategy](../deployment/choosing-a-clickonce-deployment-strategy.md). ### Update ClickOnce applications When the application developers create an updated version of the application, they generate a new application manifest and copy files to a deployment location—usually a sibling folder to the original application deployment folder. The administrator updates the deployment manifest to point to the location of the new version of the application. diff --git a/docs/deployment/securing-clickonce-applications.md b/docs/deployment/securing-clickonce-applications.md index fbbbcd1383a..fda2cee0b21 100644 --- a/docs/deployment/securing-clickonce-applications.md +++ b/docs/deployment/securing-clickonce-applications.md 
@@ -20,7 +20,7 @@ ms.subservice: deployment ClickOnce applications are subject to code access security constraints in the .NET Framework to help limit the access that code has to protected resources and operations. For that reason, it is important that you understand the implications of code access security to write your ClickOnce applications accordingly. Your applications can use Full Trust or use partial zones, such as the Internet and Intranet zones, to limit access. - Additionally, ClickOnce uses certificates to verify the authenticity of the application's publisher, and to sign the application and deployment manifests to prove that the files have not been tampered with. Signing is an optional step, which makes it easier to change the application files after the manifests are generated. However, without signed manifests, it is difficult to ensure that the application installer is not tampered in man-in-the-middle security attacks. For this reason, we recommend that you sign your application and deployment manifests to help secure your applications. + Additionally, ClickOnce uses certificates to verify the authenticity of the application's publisher, and to sign the application and deployment manifests to prove that the files haven't been tampered with. Signing is an optional step, which makes it easier to change the application files after the manifests are generated. However, without signed manifests, it is difficult to ensure that the application installer isn't tampered in man-in-the-middle security attacks. For this reason, we recommend that you sign your application and deployment manifests to help secure your applications. ## Zones Applications that are deployed using ClickOnce technology are restricted to a set of permissions and actions that are defined by the security zone. Security zones are defined in the browser, and are based on the location of the application. The following table lists the default permissions based on the deployment location: 
@@ -32,7 +32,7 @@ ClickOnce applications are subject to code access security constraints in the .N |Install from network file share|Local Intranet Zone| |Install from CD-ROM|Full Trust| - The default permissions are based on the location from which the original version of the application was deployed; updates to the application will inherit those permissions. If the application is configured to check for updates from a Web or network location and a newer version is available, the original installation can receive permissions for the Internet or Intranet zone instead of full-trust permissions. To prevent users from being prompted, a system administrator can specify a ClickOnce deployment policy that defines a specific application publisher as a trusted source. For computers on which this policy is deployed, permissions will be granted automatically and the user will not be prompted. For more information, see [Trusted Application Deployment Overview](../deployment/trusted-application-deployment-overview.md). To configure trusted application deployment, the certificate can be installed to the machine or enterprise level. For more information, see [How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications](../deployment/how-to-add-a-trusted-publisher-to-a-client-computer-for-clickonce-applications.md). + The default permissions are based on the location from which the original version of the application was deployed; updates to the application will inherit those permissions. If the application is configured to check for updates from a Web or network location and a newer version is available, the original installation can receive permissions for the Internet or Intranet zone instead of full-trust permissions. To prevent users from being prompted, a system administrator can specify a ClickOnce deployment policy that defines a specific application publisher as a trusted source. 
For computers on which this policy is deployed, permissions will be granted automatically and the user won't be prompted. For more information, see [Trusted Application Deployment Overview](../deployment/trusted-application-deployment-overview.md). To configure trusted application deployment, the certificate can be installed to the machine or enterprise level. For more information, see [How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications](../deployment/how-to-add-a-trusted-publisher-to-a-client-computer-for-clickonce-applications.md). [!INCLUDE[ndptecclick](../deployment/includes/dotnet-feature-unsupported.md)] 
@@ -41,7 +41,7 @@ ClickOnce applications are subject to code access security constraints in the .N [!INCLUDE[ndptecclick](../deployment/includes/dotnet-feature-unsupported.md)] - Including a permission that is not part of the default permission set for the zone from which the application is deployed will cause the end user to be prompted to grant permission at install or update time. To prevent users from being prompted, a system administrator can specify a ClickOnce deployment policy that defines a specific application publisher as a trusted source. On computers where this policy is deployed, permissions will automatically be granted and the user will not be prompted. + Including a permission that isn't part of the default permission set for the zone from which the application is deployed will cause the end user to be prompted to grant permission at install or update time. To prevent users from being prompted, a system administrator can specify a ClickOnce deployment policy that defines a specific application publisher as a trusted source. On computers where this policy is deployed, permissions will automatically be granted and the user won't be prompted. As a developer, it is your responsibility to make sure that your application will run with the appropriate permissions. If the application requests permissions outside of a zone during run time, a security exception may appear. Visual Studio enables you to debug your application in the target security zone and provides help in developing secure applications. For more information, see [Debug ClickOnce apps that use System.Deployment.Application](../deployment/debugging-clickonce-applications-that-use-system-deployment-application.md). 
@@ -57,7 +57,7 @@ ClickOnce applications are subject to code access security constraints in the .N ## ASP.NET form-based authentication If you want to control which deployments each user can access, you should not enable anonymous access to ClickOnce applications deployed on a Web server. Rather, you would enable users access to the deployments you have installed based on a user's identity using Windows authentication. - ClickOnce does not support ASP.NET forms-based authentication because it uses persistent cookies; these present a security risk because they reside in the browser cache and can be hacked. Therefore, if you are deploying ClickOnce applications, any authentication scenario besides Windows authentication is unsupported. + ClickOnce does not support ASP.NET forms-based authentication because it uses persistent cookies; these present a security risk because they reside in the browser cache and can be hacked. Therefore, if you're deploying ClickOnce applications, any authentication scenario besides Windows authentication is unsupported. ## Pass arguments An additional security consideration occurs if you have to pass arguments into a ClickOnce application. ClickOnce enables developers to supply a query string to applications deployed over the Web. The query string takes the form of a series of name-value pairs at the end of the URL used to start the application: 
@@ -66,10 +66,10 @@ ClickOnce applications are subject to code access security constraints in the .N By default, query-string arguments are disabled. To enable them, the attribute `trustUrlParameters` must be set in the application's deployment manifest. This value can be set from Visual Studio and from MageUI.exe. For detailed steps on how to enable passing query strings, see [How to: Retrieve query string information in an online ClickOnce application](../deployment/how-to-retrieve-query-string-information-in-an-online-clickonce-application.md). - You should never pass arguments retrieved through a query string to a database or to the command line without checking the arguments to make sure that they are safe. Unsafe arguments are ones that include database or command line escape characters that could allow a malicious user to manipulate your application into executing arbitrary commands. + You should never pass arguments retrieved through a query string to a database or to the command line without checking the arguments to make sure that they're safe. Unsafe arguments are ones that include database or command line escape characters that could allow a malicious user to manipulate your application into executing arbitrary commands. > [!NOTE] -> Query-string arguments are the only way to pass arguments to a ClickOnce application at startup. You cannot pass arguments to a ClickOnce application from the command line. +> Query-string arguments are the only way to pass arguments to a ClickOnce application at startup. You can't pass arguments to a ClickOnce application from the command line. ## Deploying obfuscated assemblies Visual Studio includes the free [PreEmptive Protection - Dotfuscator Community](../ide/dotfuscator/index.md), which you can use to protect your ClickOnce applications through code obfuscation and active protection measures. 
For details, please see [the ClickOnce section of the Dotfuscator Community User Guide](https://www.preemptive.com/dotfuscator/ce/docs/help/5.27/advanced_clickonce.html). diff --git a/docs/deployment/server-and-client-configuration-issues-in-clickonce-deployments.md b/docs/deployment/server-and-client-configuration-issues-in-clickonce-deployments.md index c12eea872dd..5555df7e748 100644 --- a/docs/deployment/server-and-client-configuration-issues-in-clickonce-deployments.md +++ b/docs/deployment/server-and-client-configuration-issues-in-clickonce-deployments.md 
@@ -19,9 +19,9 @@ ms.subservice: deployment --- # Server and client configuration issues in ClickOnce deployments -If you use Internet Information Services (IIS) on Windows Server, and your deployment contains a file type that Windows does not recognize, such as a Microsoft Word file, IIS will refuse to transmit that file, and your deployment will not succeed. +If you use Internet Information Services (IIS) on Windows Server, and your deployment contains a file type that Windows doesn't recognize, such as a Microsoft Word file, IIS will refuse to transmit that file, and your deployment won't succeed. - Additionally, some Web servers and Web application software, such as ASP.NET, contain a list of files and file types that you cannot download. For example, ASP.NET prevents the download of all *Web.config* files. These files may contain sensitive information such as user names and passwords. + Additionally, some Web servers and Web application software, such as ASP.NET, contain a list of files and file types that you can't download. For example, ASP.NET prevents the download of all *Web.config* files. These files may contain sensitive information such as user names and passwords. Although this restriction should cause no problems for downloading core ClickOnce files such as manifests and assemblies, this restriction may prevent you from downloading data files included as part of your ClickOnce application. In ASP.NET, you can resolve this error by removing the handler that prohibits downloading of such files from the IIS configuration manager. See the IIS server documentation for additional details. 
@@ -35,13 +35,13 @@ If you use Internet Information Services (IIS) on Windows Server, and your deplo However, you can disable this option by clearing the **Use ".deploy" file extension** option on the [Publish Options Dialog Box](/previous-versions/visualstudio/visual-studio-2010/7z83t16a(v=vs.100)), in which case you must configure the Web server to unblock all file extensions used in the application. - You will have to configure *.manifest*, *.application*, and *.deploy*, for example, if you are using IIS where you have not installed the .NET Framework, or if you are using another Web server (for example, Apache). + You'll have to configure *.manifest*, *.application*, and *.deploy*, for example, if you're using IIS where you haven't installed the .NET Framework, or if you're using another Web server (for example, Apache). ## ClickOnce and Secure Sockets Layer (SSL) - A ClickOnce application will work fine over SSL, except when the browser raises a prompt about the SSL certificate. The prompt can be raised when there is something wrong with the certificate, such as when the site names do not match or the certificate has expired. To make ClickOnce work over an SSL connection, make sure that the certificate is up-to-date, and that the certificate data matches the site data. + A ClickOnce application will work fine over SSL, except when the browser raises a prompt about the SSL certificate. The prompt can be raised when there's something wrong with the certificate, such as when the site names do not match or the certificate has expired. To make ClickOnce work over an SSL connection, make sure that the certificate is up-to-date, and that the certificate data matches the site data. ## ClickOnce and proxy authentication - ClickOnce provides support for Windows Integrated proxy authentication starting in .NET Framework 3.5. No specific machine.config directives are required. ClickOnce does not provide support for other authentication protocols such as Basic or Digest. 
+ ClickOnce provides support for Windows Integrated proxy authentication starting in .NET Framework 3.5. No specific machine.config directives are required. ClickOnce doesn't provide support for other authentication protocols such as Basic or Digest. You can also apply a hotfix to .NET Framework 2.0 to enable this feature. For more information, see [FIX: Error message when you try to install a ClickOnce application that you created in the .NET Framework 2.0 onto a client computer that is configured to use a proxy server: "Proxy authentication required"](https://support.microsoft.com/help/917952/fix-error-message-when-you-try-to-install-a-clickonce-application-that). 
@@ -51,28 +51,28 @@ If you use Internet Information Services (IIS) on Windows Server, and your deplo Currently, ClickOnce installations will launch only if the URL to the deployment manifest is opened using the browser. A deployment whose URL is launched from another application, such as Microsoft Office Outlook, will launch successfully only if Internet Explorer is set as the default Web browser. > [!NOTE] -> Mozilla Firefox is supported if the deployment provider is not blank or the Microsoft .NET Framework Assistant extension is installed. This extension is packaged with .NET Framework 3.5 SP1. For XBAP support, the NPWPF plug-in is activated when needed. +> Mozilla Firefox is supported if the deployment provider isn't blank or the Microsoft .NET Framework Assistant extension is installed. This extension is packaged with .NET Framework 3.5 SP1. For XBAP support, the NPWPF plug-in is activated when needed. ## Activate ClickOnce applications through browser scripting - If you have developed a custom Web page that launches a ClickOnce application using Active Scripting, you may find that the application will not launch on some machines. The browser contains a setting such as **Automatic prompting for file downloads**, which affects this behavior. This browser setting is typically listed underneath the **Downloads** category, and is enabled by default. When this setting is disabled, any attempt to activate a ClickOnce application programmatically (for example, by assigning its URL to the `document.location` property) will be blocked. Under this circumstance, users can launch applications only through a user-initiated download, for example, by clicking a hyperlink set to the application's URL. + If you have developed a custom Web page that launches a ClickOnce application using Active Scripting, you may find that the application won't launch on some machines. 
The browser contains a setting such as **Automatic prompting for file downloads**, which affects this behavior. This browser setting is typically listed underneath the **Downloads** category, and is enabled by default. When this setting is disabled, any attempt to activate a ClickOnce application programmatically (for example, by assigning its URL to the `document.location` property) will be blocked. Under this circumstance, users can launch applications only through a user-initiated download, for example, by clicking a hyperlink set to the application's URL. ## Additional server configuration issues ##### Administrator permissions required - You must have Administrator permissions on the target server if you are publishing with HTTP. IIS requires this permissions level. If you are not publishing using HTTP, you only need write permission on the target path. + You must have Administrator permissions on the target server if you're publishing with HTTP. IIS requires this permissions level. If you're not publishing using HTTP, you only need write permission on the target path. ##### Server authentication issues - When you publish to a remote server that has "Anonymous Access" turned off, you will receive the following warning: + When you publish to a remote server that has "Anonymous Access" turned off, you'll receive the following warning: ``` "The files could not be downloaded from http:////. The remote server returned an error: (401) Unauthorized." ``` > [!NOTE] -> You can make NTLM (NT challenge-response) authentication work if the site prompts for credentials other than your default credentials, and, in the security dialog box, you click **OK** when you are prompted if you want to save the supplied credentials for future sessions. However, this workaround will not work for basic authentication. 
+> You can make NTLM (NT challenge-response) authentication work if the site prompts for credentials other than your default credentials, and, in the security dialog box, you click **OK** when you're prompted if you want to save the supplied credentials for future sessions. However, this workaround won't work for basic authentication. ## Use third-party Web servers - If you are deploying a ClickOnce application from a Web server other than IIS, you may experience a problem if the server is returning the incorrect content type for key ClickOnce files, such as the deployment manifest and application manifest. To resolve this problem, see your Web server's Help documentation about how to add new content types to the server, and make sure that all the file name extension mappings listed in the following table are in place. + If you're deploying a ClickOnce application from a Web server other than IIS, you may experience a problem if the server is returning the incorrect content type for key ClickOnce files, such as the deployment manifest and application manifest. To resolve this problem, see your Web server's Help documentation about how to add new content types to the server, and make sure that all the file name extension mappings listed in the following table are in place. |File name extension|Content type| |-------------------------|------------------| 
@@ -83,10 +83,10 @@ If you use Internet Information Services (IIS) on Windows Server, and your deplo |`.msp`|`application/octet-stream`| ## ClickOnce and mapped drives - If you use Visual Studio to publish a ClickOnce application, you cannot specify a mapped drive as the installation location. However, you can modify the ClickOnce application to install from a mapped drive by using the Manifest Generator and Editor (Mage.exe and MageUI.exe). For more information, see [Mage.exe (Manifest Generation and Editing Tool)](/dotnet/framework/tools/mage-exe-manifest-generation-and-editing-tool) and [MageUI.exe (Manifest Generation and Editing Tool, Graphical Client)](/dotnet/framework/tools/mageui-exe-manifest-generation-and-editing-tool-graphical-client). + If you use Visual Studio to publish a ClickOnce application, you can't specify a mapped drive as the installation location. However, you can modify the ClickOnce application to install from a mapped drive by using the Manifest Generator and Editor (Mage.exe and MageUI.exe). For more information, see [Mage.exe (Manifest Generation and Editing Tool)](/dotnet/framework/tools/mage-exe-manifest-generation-and-editing-tool) and [MageUI.exe (Manifest Generation and Editing Tool, Graphical Client)](/dotnet/framework/tools/mageui-exe-manifest-generation-and-editing-tool-graphical-client). ## FTP protocol not supported for installing applications - ClickOnce supports installing applications from any HTTP 1.1 Web server or file server. FTP, the File Transfer Protocol, is not supported for installing applications. You can use FTP to publish applications only. The following table summarizes these differences: + ClickOnce supports installing applications from any HTTP 1.1 Web server or file server. FTP, the File Transfer Protocol, isn't supported for installing applications. You can use FTP to publish applications only. The following table summarizes these differences: | URL Type | Description | |----------| - | 
@@ -96,12 +96,12 @@ If you use Internet Information Services (IIS) on Windows Server, and your deplo | file:// | You can install a ClickOnce application by using this protocol. | ## Windows Firewall - By default, Windows enables the Windows Firewall. If you are developing your application on a computer that has Windows installed, you are still able to publish and run ClickOnce applications from the local server that is running IIS. However, you cannot access that server that is running IIS from another computer unless you open the Windows Firewall. See Windows Help for instructions on managing the Windows Firewall. + By default, Windows enables the Windows Firewall. If you're developing your application on a computer that has Windows installed, you're still able to publish and run ClickOnce applications from the local server that is running IIS. However, you can't access that server that is running IIS from another computer unless you open the Windows Firewall. See Windows Help for instructions on managing the Windows Firewall. ## Windows Server: Enable FrontPage server extensions FrontPage Server Extensions from Microsoft is required for publishing applications to a Windows Web server that uses HTTP. - By default, Windows Server does not have FrontPage Server Extensions installed. If you want to use Visual Studio to publish to a Windows Server Web server that uses HTTP with FrontPage Server Extensions, you must install FrontPage Server Extensions first. You can perform the installation by using the Manage Your Server administration tool in Windows Server. + By default, Windows Server doesn't have FrontPage Server Extensions installed. If you want to use Visual Studio to publish to a Windows Server Web server that uses HTTP with FrontPage Server Extensions, you must install FrontPage Server Extensions first. You can perform the installation by using the Manage Your Server administration tool in Windows Server. 
## Windows Server: Locked-down content types IIS on Windows Server 2003 locks down all file types except for certain known content types (for example, *.htm*, *.html*, *.txt*, and so on). To enable deployment of ClickOnce applications using this server, you need to change the IIS settings to allow downloading files of type *.application*, *.manifest*, and any other custom file types used by your application. 
@@ -110,19 +110,19 @@ If you use Internet Information Services (IIS) on Windows Server, and your deplo - For the *.application* and *.manifest* extensions, the MIME type should be "application/x-ms-application." For other file types, the MIME type should be "application/octet-stream." -- If you create a MIME type with extension "\" and the MIME type "application/octet-stream," it will allow files of unblocked file type to be downloaded. (However, blocked file types such as *\*.aspx* and *\*.asmx* cannot be downloaded.) +- If you create a MIME type with extension "\" and the MIME type "application/octet-stream," it will allow files of unblocked file type to be downloaded. (However, blocked file types such as *\*.aspx* and *\*.asmx* can't be downloaded.) For specific instructions on configuring MIME types on Windows Server, see [How to add a MIME type to a Web site or application](/iis/configuration/system.webserver/staticcontent/mimemap#how-to-add-a-mime-type-to-a-web-site-or-application). ## Content type mappings - When publishing over HTTP, the content type (also known as MIME type) for the *.application* file should be "application/x-ms-application." If you have .NET Framework 2.0 installed on the server, this will be set for you automatically. If this is not installed, then you need to create a MIME type association for the ClickOnce application vroot (or entire server). + When publishing over HTTP, the content type (also known as MIME type) for the *.application* file should be "application/x-ms-application." If you have .NET Framework 2.0 installed on the server, this will be set for you automatically. If this isn't installed, then you need to create a MIME type association for the ClickOnce application vroot (or entire server). If you deploy using an IIS server, run inetmgr.exe and add a new content type of "application/x-ms-application" for the *.application* extension. 
## HTTP compression issues With ClickOnce, you can perform downloads that use HTTP compression, a Web server technology that uses the GZIP algorithm to compress a data stream before sending the stream to the client. The client—in this case, ClickOnce—decompresses the stream before reading the files. - If you are using IIS, you can easily enable HTTP compression. However, when you enable HTTP compression, it is only enabled for certain file types—namely, HTML and text files. To enable compression for assemblies (*.dll*), XML (*.xml*), deployment manifests (*.application*), and application manifests (*.manifest*), you must add these file types to the list of types for IIS to compress. Until you add the file types to your deployment, only text and HTML files will be compressed. + If you're using IIS, you can easily enable HTTP compression. However, when you enable HTTP compression, it is only enabled for certain file types—namely, HTML and text files. To enable compression for assemblies (*.dll*), XML (*.xml*), deployment manifests (*.application*), and application manifests (*.manifest*), you must add these file types to the list of types for IIS to compress. Until you add the file types to your deployment, only text and HTML files will be compressed. For detailed instructions for IIS, see [How to specify additional document types for HTTP compression](/troubleshoot/iis/content-types-http-compression).
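Review bot: The advice to remove the download-blocking handler, in the unchanged paragraph at the end of the @@ -19,9 +19,9 hunk, needs a scoping caveat while this section is being edited. The edited line just above it says the blocked files (for example *Web.config*) may contain user names and passwords, and the next paragraph tells readers to remove the handler that prohibits downloading such files. Suggest adding a sentence that the restriction should be lifted only for the data file types the ClickOnce application actually ships, and only for the deployment directory, so that configuration files stay blocked.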
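Review bot: The contraction pass is incomplete on the SSL paragraph in the @@ -35,13 +35,13 hunk. The added line changes "there is" to "there's" but keeps "such as when the site names do not match" in the same sentence. Change it to "don't match" so the line is consistent with the other edits in this patch.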
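Review bot: An Internet Explorer reference survives in the @@ -51,28 +51,28 hunk even though the commit subject is "Remove IE references". The first context line still says a deployment launched from another application "will launch successfully only if Internet Explorer is set as the default Web browser", and the hunk only changes contractions around it. Either update that sentence in this patch or narrow the subject line. The Firefox note edited in the same hunk (.NET Framework Assistant extension, NPWPF plug-in) is equally browser-specific and should be reviewed together with it.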
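Review bot: The phrase "unless you open the Windows Firewall" on the added line in the Windows Firewall section of the @@ -96,12 +96,12 hunk is vague enough to be read as turning the firewall off. Since the line is being rewritten anyway, suggest wording along the lines of "unless you allow inbound connections to IIS through the Windows Firewall", and tidy "that server that is running IIS" to "the server running IIS" in the same sentence.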
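Review bot: The wildcard MIME mapping bullet changed in the @@ -110,19 +110,19 hunk should state what it costs. As written, it says the "application/octet-stream" mapping "will allow files of unblocked file type to be downloaded", which means the server will serve any such file in that site, not only the ClickOnce payload. Suggest recommending explicit mappings for the extensions the application uses, and describing the wildcard as a fallback that should be limited to the ClickOnce virtual directory. Separately, "it is only enabled for certain file types" on the added HTTP compression line was missed by the contraction pass.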