I have created a webservice which also has a client (console app). This client is placed on a mapped drive. Calling the service results in an error with the log4net dll. The error is a ThrowSecurityException and the message it has is something like this (I only have the German text, so I have to translate): The assembly only allows callers which are fully trustworthy.
The dll is in the same directory as the client exe file. I tested on a normal drive and it works fine. Ideas here?
try to give the dll read permission to everyone http://technet.microsoft.com/en-us/library/bb727008.aspx
you might need to do it from the original location.
try to change the securityPolicy section in your config file to this:
<system.web>
<securityPolicy>
<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
</securityPolicy>
</system.web>
you can read about it here: http://msdn.microsoft.com/en-us/library/wyts434y.aspx
You need to assign FullTrust to the network drive (it has LocalIntranet by default). I think this should be similar as for a network share. See Using CasPol to Fully Trust a Share.
Edit:
Or try something like this:
caspol -q -machine -addgroup 1 -url file://X:/* FullTrust -name "X Drive"
(replace X with your mapped drive letter)
Related
System.Net.WebException:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.'
This is an error that occurs in my VS2022 solution when working with a self signed certificate and Android.
The case is the following:
It is an android app that runs on an local network, with a local https backend service. A certificate has been issued for this service by the domain admin. However, the domain is not an official CA (Certificate Authority). You then have to manually install a CA, via settings.
Part of the solution
What I did to solve this is adding the CA certificates to the Android device (via Settings > Security -> Encryption & Credentials -> Install a Certificate).
The web browser, in the android app, can now successfully access the https site, without warnings.
I still need help with
However the CA store is not accessible via the app unless it is configured via network-security-config: https://developer.android.com/training/articles/security-config#TrustingAdditionalCas
This is something that can be done in the Xamarin days like:
https://devblogs.microsoft.com/xamarin/cleartext-http-android-network-security/
https://nicksnettravels.builttoroam.com/android-certificates/#:~:text=Accessing%20the%20Android%20Certificate%20Store
But in MAUI I'm a bit lost, I don't see the right resources, mipmap, etc.
I would like to solve this issue with a one-liner like this:
[assembly: Application(UsesCleartextTraffic = true)]
...which can also be configured via the via network-security-config.
Is there a one-liner or can someone help me out configuring my network-security-config to get the CA store available in a MAUI solution?
After this suggestion of Gerald, "So you can still add a xml folder under Resources (under the Android folder that is)", I finally got it!
Add a network_security_config.xml file, under the Android folder, with:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config>
<trust-anchors>
<!-- Trust preinstalled CAs -->
<certificates src="system" />
<!-- Additionaly trusted user added CAs -->
<certificates src="user"/>
</trust-anchors>
</base-config>
</network-security-config>
And in your AndroidManifest.xml add the: android:networkSecurityConfig="#xml/network_security_config" attribute to your Application node.
So, add it to the already existing node, don't add a new one (or else you'll get strange errors):
And the trust anchor exception is gone, but I'm still curious if there is another way - without the network-security-config. ;-)
PS Don't forget to add the CA certificates to the Android device, as stated in the original question.
OK so I see a couple of things here and not sure what you're after exactly so let me go over it one by one.
Let's start with: if you can, please avoid using clear text traffic! ;)
UseClearTextTraffic Attribute
Then, the easy one, you want the [assembly: Application(UsesCleartextTraffic = true)] oneliner. You can totally still do that and actually you can now that throughout the whole project I think. But it makes the most sense in Android.
Notice how the attribute says assembly so it works for the whole assembly anyway and it doesn't really matter where you put it. That is how it typically works. However, in .NET MAUI there is already a [Application] attribute above the MainApplication, so open that and modify it like below.
namespace MauiAndroidClearText;
[Application(UsesCleartextTraffic = true)]
public class MainApplication : MauiApplication
{
// Your code
}
Network Security Config
Basically your separate Android project is now under the Platforms\Android folder. Everything you put there, even if it's not there by default, will still behave as it was in a separate Android project.
So you can still add a xml folder under Resources (under the Android folder that is), then add the network_security_config.xml file with:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">10.0.2.2</domain> <!-- Debug port -->
<domain includeSubdomains="true">xamarin.com</domain>
</domain-config>
</network-security-config>
And in your AndroidManifest.xml add the android:networkSecurityConfig="#xml/network_security_config" attribute to your Application node.
See a full sample here: https://github.com/jfversluis/MauiAndroidClearText
How you asked how you could trust a self signed root certificate (self signed CA) without needed to install in the device, I will share the code.
I am using a MAUI project that use .NET 6.
In the MAUI project, in platform/android/resources/raw, you have to copy your ca.crt certificate. It can have .crt or .pem extension. In my case, I use .crt.
The raw folder is not created by default, so you have to create this folder.
In platform/android/resources, you have to create the folder xml, so you will have platform/android/resources/xml folder. In this folder, add a new xml file, with this name: network_security_config.xml.
This file set the certificates in which you want to trust.
The code of this file is:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config>
<!--NOTA: el subdominio es necesario porque si no no se podrĂ¡ instalar-->
<domain includeSubdomains="true">192.168.1.200</domain>
<trust-anchors>
<certificates src="#raw/ca"/>
</trust-anchors>
</domain-config>
</network-security-config>
The certificate is ca, with no extension, if not, it will give an error when you try to compile.
You have to include a subdomain, in my case, the IP of the server, because I am not inside a domain. If you don't set this, when you try to debug it doesn't start, gives problems.
You have to edit the file AndroidManifest.xml, this exists. The code of my file is this:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application android:allowBackup="true" android:icon="#mipmap/appicon" android:roundIcon="#mipmap/appicon_round" android:supportsRtl="true"
android:networkSecurityConfig="#xml/network_security_config"></application>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.INTERNET" />
</manifest>
You only need to add android:networkSecurityConfig="#xml/network_security_config" in the application entry. This tells that you will config the network security.
That's all, you can build the project and then the application will include the CA in the trusted certificates, so you don't need to install the certificate in the device.
You can also see the following documentation for more information:
https://developer.android.com/training/articles/security-config
If you have some question, tell me and I will try tohelp.
I faced very strange behaviour - after I overwrite .NET exectables with new versions from network drive it cannot start.
When try to start from Windows Explorer it shows me following error:
[Window Title]
C:\Programs\zzz\clients.net\zzzNet.exe
[Content]
C:\Programs\zzz\clients.net\zzzNet.exe
The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail.
I tried to execute following commands:
SxsTrace Trace -logfile:SxsTrace.etl
SxStrace Parse -logfile:SxSTrace.etl -outfile:SxSTrace.txt
And got following result:
=================
Begin Activation Context Generation.
Input Parameter:
Flags = 0
ProcessorArchitecture = AMD64
CultureFallBacks = en-US;en;ru-RU;ru
ManifestPath = C:\Programs\zzz\clients.net\zzzNet.exe
AssemblyDirectory = C:\Programs\zzz\clients.net\
Application Config File = C:\Programs\zzz\clients.net\zzzNet.exe.Config
-----------------
INFO: Parsing Application Config File C:\Programs\zzz\clients.net\zzzNet.exe.Config.
INFO: Parsing Manifest File C:\Programs\zzz\clients.net\zzzNet.exe.
INFO: Manifest Definition Identity is (null).
ERROR: Line 0: XML Syntax error.
ERROR: Activation Context generation failed.
End Activation Context Generation.
It is quite simple .NET application (1 exe + 8 dll files). It was built for .NET 3.5 Client Profile.
I not defined any special "manifest" there. Just clicked "New Windows Forms Project" in Visual Studio and developed it.
Also app.config does not contain anything special - only primitive standard settings - appSettings and userSettings sections.
On PC where I developed it all is perfectly works. Problems only began when I copy these binaries to this particular VM and try to start.
Also please note - these executables were not installed in GAC or such, I just copied them into a folder on VM and started. And when it was 1st time all was working fine.
So, the problem pattern is following:
Copy .NET execuatbles to new VM (it is Win 7 x64), run it, all is working fine. Close it.
Build new version of .NET execuatbles on host PC, copy new .NET execuatbles to VM (with files overwriting).
Try to start - got mentioned problem.
After some shaman-style actions (like OS reboot, etc) it begin to work but why that happened at all?!
Why replacing .NET executables with new versions is causing SUCH HUGE PROBLEMS?!
Also the BIG QUESTION - is there any special procedure to replace .NET executables to keep them working? Because it is a new app development, I do not want lost so much time on every new executables installation. :-\
Could you please help? Because it looks completely weird!
Thank you in adance.
PS. I checked all VS projects - all they have PlatformTarget=AnyCPU. Also in run-time I can see ProcessType=MSIL (I show this info in AboutBox for application). So, there is no mix of x86/x64 binaries.
It seems that was related to mapped network drive behavior.
When I copied new files from network drive folder it copied wrong files - a strange random mess of new files and older ones (which were there before I updated them on VM host).
The scenario to make it working:
on VM: delete all files in a folder on network drive
on VM host: copy new files into a folder which is mapped as network drive on VM
on VM: copy files into target folder
on VM: run application - it works now
Weird thing. I remember I have seen something similar with Windows Explorer on Windows 2008 behaviour when copying updated win32 binaries.
I have a C# Web API Elastic Beanstalk app which needs a folder outside the deployment directory that the IUSER and IIS_USERS users can write to. I've created a .config file and put this in the top level .ebextensions folder in my project. The contents are below:
commands:
0_mkdir:
command: mkdir C:\\AppFolder\\
1_set_iuser_permissions:
command: cacls C:\\AppFolder\\ /t /e /g IUser:f IIS_Users:f
However while the folder is created successfully the permissions aren't set. If anyone has any idea what I am doing wrong I would be hugely grateful. Big thanks in advance.
In the end I switched to using Json instead of YAML as, despite my YAML being validated by several online YAML testers, AWS still wouldn't accept it. It always had issues with the parameters passed to icacls. I also changed to a folder within the application App_Data folder as setting permissions on any directory external to the application didn't appear to work. So, my final configuration file is as follows:
{
"container_commands": {
"01": {
"command": "icacls \"C:/inetpub/wwwroot/AppName_deploy/App_Data/AppFolder\" /grant DefaultAppPool:(OI)(CI)F"
}
}
}
Hope this helps someone else out.
It looks like you are using invalid .net accounts (unless these are custom accounts you created). That is part of the reason why your permissions are not being set. They should be IUSR or IIS_IUSRS
Furthermore, container_commands executes after your app/server environment has been setup, but before your deployment has started. There is no other way to set permissions on files/folders within your deployment directory other than using a wpp.targets file within visual studio.
The following SO post is a good read using wpp.targets to solve your issue.
Can Web Deploy's setAcl provider be used on a sub-directory?
Place a file 01_fix_permissions.config inside .ebextensions folder.
contents:
files:
"/opt/elasticbeanstalk/hooks/appdeploy/pre/49_change_permissions.sh":
mode: "000755"
owner: root
group: root
content: |
#!/usr/bin/env bash
sudo chown -R ec2-user:ec2-user tmp/
I'm trying to run a local instance of an Azure Worker Role for debugging and testing, but for some reason, my Role will not deploy to the Emulator locally, it is saying, "The compute emulator had a error: Found too many .csdef files.."
The problem is, I checked the project directory, and there is only one csdef file...
I have already built the file as required with CSPack, and my CSRun command looks like this:
csrun.exe /run:C:\ODA
T\WorkerRole\WorkerRole;C:\ODAT\WorkerRole\WorkerRole\
ServiceDefinition.csdef
And this is being ran at the following director: C:\Program Files\Windows Azure Emulator\emulator
Any help is greatly appreciated!
Try using the cscfg file not the csdef and use the .csx directory for the emulator.
csrun C:\ODAT\WorkerRole\WorkerRole.csx C:\ODAT\WorkerRole\WorkerRole.cscfg
If you don't have a .cscfg file you can have cspack create it for you by specifying the /generateConfigurationFile:ServiceConfiguration.cscfg
I have a site for which i want to activate feature using powershell
When i run the following command :
enable-spfeature FEATURE NAME -url http://URL
it throws an error :value cannot be null parameter name section.
it basically fails to find the configuration section located under the web application configuration.If i create a file with name powershell.exe.config and place it under the
powershell folder ,it works fine but i dont want to touch the system folder.
Is it possible to give powershell a path of config located int some other folder and ask it to use that while activating feature.
I have tried something like this but with no luck
$configpath = "C:\DevTools.exe.config"
[System.AppDomain]::CurrentDomain.SetData("APP_CONFIG_FILE",$configpath)
enable-spfeature Feature name -url http://url
Why arn't you putting the configuration information in the web application web.config file?
#Lee Activating the feature from powershell expects the configuration to be under the hosting process which is powershell in this case.
The solution to my problem was to load the configuration at run time as shown below and using windows powershell instead of using sharepoint management shell :
[System.AppDomain]::CurrentDomain.SetData("APP_CONFIG_FILE",$configpath)
add-type -path C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Configuration.dll
Add-PSSnapin Microsoft.Sharepoint.PowerShell
enable-spfeature $FeatureName -url http:\\url