Redirecting to ClickOnce application fails

Jürgen

Hello,



A few years ago we implemented a "zero touch" deployed smart client
application for .NET 1.1.

We have now ported this application to .NET 2.0 and are deploying it with
ClickOnce. Because we still have .NET 1.1 clients around, we made a small
ASP.NET startup application that checks host header values and redirects
(Response.Redirect(...)) to the .application file in case the client has
.NET 2.0 installed. Otherwise it will launch the old smart client on a web
page.

This all works fine as long as we start the ASP.NET startup page (let's call
it StartClient.aspx) from within Internet Explorer. If we put a link to the
startup page into an e-mail or just on the desktop, launching the ClickOnce
client with this link fails with a "Cannot Start Application" message box.
The details say:



SOURCES

Deployment url :
https://myserver/Client/StartClient.aspx



ERROR SUMMARY

Below is a summary of the errors, details of these errors are
listed later in the log.

* Activation of https://myserver/Client/StartClient.aspx
resulted in exception. Following failure messages were detected:

+ Downloading
https://myserver/Client/StartClient.aspx did not succeed.

+ The remote server returned an error: (403)
Forbidden.



The deployment url is the startup page and not the .application manifest
file as we would expect. When checking IIS logs, we can find first a request
to StartClient.aspx, second a request to
https://myserver/ClickOnceClient/MyApp.application (the manifest), and a
third request back to StartClient.aspx.

This third request doesn't happen when we access the aspx page from within
Internet Explorer (where, as mentioned before, everything works as
expected).



It seems like it only partially redirects when launching from a hyperlink in
a document.



Thanks for your help in advance,



Jürgen
 
Linda Liu[MSFT]

Hi Juergen,

I performed a simple test based on your description but didn't reproduce
the problem on my side.

In my test, the deployment URL is
http://myserver/ClickOnceTest/ClickOnceTest.application

I use a .asp page to redirect to the deployment URL. The content of the
.asp file is as follows:
<html>
<head></head>
<%
Response.Redirect "http://myserver/clickoncetest/clickoncetest.application"
%>
<body>
</body>
</html>

When I browse the .asp page from IE, the ClickOnce application is launched
properly. I create a shortcut to the URL of the .asp page on desktop and
double-click the shortcut. The ClickOnce application is also launched
properly in this case.

Could you please tell me how you check host header values in your aspx page?

When a page is accessed from IE, email or desktop, the http headers sent in
the http message may vary. I suggest that you check the code logic in your
StartClient.aspx page to find the reason that causes the problem.

Hope this helps.

Sincerely,
Linda Liu
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Jürgen

Hello Linda,

I tried your simple asp file and found the problem. It works as long as
there is anonymous access enabled. Once I turn on any authentication it
fails. For some reason the ClickOnce application launcher goes back to the
asp page without being able to authenticate.
Unfortunately we do need SSL authentication to protect our application. Is
there a way to prevent the application launcher from accessing the asp page?
How does the application launcher know about the original asp page?

Thanks for your help so far,

Jürgen
 
Linda Liu[MSFT]

Hi Juergen,

Thank you for your quick reply!

I performed a test disabling Anonymous access to the ClickOnce application
but enabling Integrated Windows authentication through IIS.

The result is that when I double click the shortcut to the ASP file on the
desktop that redirects to the ClickOnce application deployment file, the
ClickOnce application is launched properly.

Note that ClickOnce applications only support Integrated Windows
authentication so far. Please enable Integrated Windows authentication for
your ClickOnce application to see if the problem is solved.

Hope this helps.

Sincerely,
Linda Liu
Microsoft Online Community Support

Jürgen

Hello Linda,

The ClickOnce application is running with anonymous access in our case. Just
the starting web page (StartClient.aspx) needs to run with SSL Certificate
authentication. We cannot use Windows Integrated Authentication, because the
application is running over the internet.
The problem is that the application launcher requests the StartClient.asp
page (with the contents you've had in the previous message) a second time
after the initial redirect.
When I dump the "ApplicationDeployment.CurrentDeployment.ActivationUri"
after the application starts (without any authentication) I get:
- for IE started:
http://myserver/clickoncetest/clickoncetest.application (as expected)
- for e-mail link started:
http://myserver/client/StartClient.asp

That is wrong and doesn't make sense. I guess if the ActivationUri were
right, it would not go back to the original asp page a second time and then
all the authentication trouble would go away.
Is there something I can do to get this ActivationUri fixed when started
from an e-mail link?

Thanks,
Jürgen
 
Linda Liu[MSFT]

Hi Juergen,

Thank you for your prompt response!

What authentication do you enable on the StartClient.asp?

If you don't redirect to the ClickOnce application deployment file from
within the StartClient.asp, can you browse the StartClient.asp properly via
a link in email or a shortcut on desktop?

The ApplicationDeployment.CurrentDeployment.ActivationUri property gets the
URL used to launch the deployment manifest of the application and is a
readonly property. So we cannot set this property to a "correct" URL to fix
the problem.

Since all you need is a user authentication at the StartClient.asp level, a
workaround is to let users input user name and password on the
StartClient.asp and submit to the server. If the user name and password is
correct and the client machine has .NET 2.0 installed, redirect to the
ClickOnce application deployment manifest.

Hope this helps.

Sincerely,
Linda Liu
Microsoft Online Community Support

Jürgen

Hi Linda,

> What authentication do you enable on the StartClient.asp?

We do need to use SSL client certificate mapping, but for testing Basic
authentication is sufficient to demonstrate my problem.

> If you don't redirect to the ClickOnce application deployment file from
> within the StartClient.asp, can you browse the StartClient.asp properly
> via a link in email or a shortcut on desktop?

Yes, I can.

> The ApplicationDeployment.CurrentDeployment.ActivationUri property gets
> the URL used to launch the deployment manifest of the application and is a
> readonly property. So we cannot set this property to a "correct" URL to
> fix the problem.

From what source is the ClickOnce app launcher constructing this
ActivationUri? Is there something I can do to the redirect response to get
this ActivationUri right?

> Since all you need is a user authentication at the StartClient.asp level,
> a workaround is to let users input user name and password on the
> StartClient.asp and submit to the server. If the user name and password is
> correct and the client machine has .NET 2.0 installed, redirect to the
> ClickOnce application deployment manifest.

This is exactly what I want to do, but with SSL client certificates (that's
what our clients are using for the .NET 1.1 client for several years now).
It just doesn't work, because the app launcher thinks the asp page is the
application manifest, when started from the e-mail link. So it tries to load
it a second time (not sure why this is necessary), but now it is obviously
not able to provide the SSL certificate. So the app launcher is failing to
start the application.

Here is my IIS log when started from within IE:

2008-06-13 07:45:17 W3SVC1 192.168.80.21 GET /Client/Startup.asp - 80 -
192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
401 2 2148074254
2008-06-13 07:45:32 W3SVC1 192.168.80.21 GET /Client/Startup.asp - 80
juergen 192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
302 0 0
2008-06-13 07:45:32 W3SVC1 192.168.80.21 GET
/ClickOnceTest/ClickOnceTest.application - 80 - 192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
200 0 0
--> 2008-06-13 07:45:33 W3SVC1 192.168.80.21 GET
/ClickOnceTest/ClickOnceTest.application - 80 - 192.168.80.43 - 200 0 0

Here is the IIS log when started from the desktop:

2008-06-13 07:59:27 W3SVC1 192.168.80.21 GET /Client/Startup.asp - 80 -
192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
401 2 2148074254
2008-06-13 07:59:41 W3SVC1 192.168.80.21 GET /Client/Startup.asp - 80
juergeb 192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
302 0 0
2008-06-13 07:59:41 W3SVC1 192.168.80.21 GET
/ClickOnceClient/Mortara.ECGWarehouse.FormsClientViewer.application - 80 -
192.168.80.43
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648)
200 0 0
--> 2008-06-13 07:59:41 W3SVC1 192.168.80.21 GET /Client/Startup.asp - 80 -
192.168.80.43 - 401 2 2148074254

Thanks for your help so far,

Jürgen
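
The two IIS log excerpts above differ in their last entry: a request with no user agent and no user name that goes back to the redirecting page and is refused. The Python sketch below is an added example, not part of the original thread; it flags that pattern in IIS W3C log lines, using sample lines constructed in the shape of the posted entries and an assumed 30-second matching window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Field order as it appears in the log lines posted above (IIS W3C extended).
FIELDS = ("date time site s_ip method uri query port user c_ip agent "
          "status substatus win32").split()

@dataclass
class Hit:
    when: datetime
    uri: str
    user: str
    c_ip: str
    agent: str
    status: int

def parse(line):
    """Parse one log line; return None for directives, blanks or odd shapes."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    f = dict(zip(FIELDS, parts))
    when = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
    return Hit(when, f["uri"].lower(), f["user"], f["c_ip"], f["agent"],
               int(f["status"]))

def find_launcher_refetch(lines, window=timedelta(seconds=30)):
    """Flag refused (401/403) requests that carry no user agent and no user
    name and target a page that answered 302 to an authenticated browser
    from the same client within `window` (an assumed threshold)."""
    redirects = {}  # (client ip, uri) -> time of the last authenticated 302
    findings = []
    for hit in filter(None, map(parse, lines)):
        key = (hit.c_ip, hit.uri)
        if hit.status == 302 and hit.user != "-" and hit.agent != "-":
            redirects[key] = hit.when
        elif (hit.agent == "-" and hit.user == "-"
              and hit.status in (401, 403)
              and key in redirects
              and hit.when - redirects[key] <= window):
            findings.append((hit.c_ip, hit.uri, hit.status))
    return findings

# Constructed sample lines in the shape of the posted entries (user agent shortened).
UA = "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)"
PRE = "W3SVC1 192.168.80.21 GET"
IE_LAUNCH = [
    f"2008-06-13 07:45:17 {PRE} /Client/Startup.asp - 80 - 192.168.80.43 {UA} 401 2 2148074254",
    f"2008-06-13 07:45:32 {PRE} /Client/Startup.asp - 80 juergen 192.168.80.43 {UA} 302 0 0",
    f"2008-06-13 07:45:32 {PRE} /ClickOnceTest/ClickOnceTest.application - 80 - 192.168.80.43 {UA} 200 0 0",
    f"2008-06-13 07:45:33 {PRE} /ClickOnceTest/ClickOnceTest.application - 80 - 192.168.80.43 - 200 0 0",
]
DESKTOP_LAUNCH = [
    f"2008-06-13 07:59:27 {PRE} /Client/Startup.asp - 80 - 192.168.80.43 {UA} 401 2 2148074254",
    f"2008-06-13 07:59:41 {PRE} /Client/Startup.asp - 80 juergen 192.168.80.43 {UA} 302 0 0",
    f"2008-06-13 07:59:41 {PRE} /ClickOnceTest/ClickOnceTest.application - 80 - 192.168.80.43 {UA} 200 0 0",
    f"2008-06-13 07:59:41 {PRE} /Client/Startup.asp - 80 - 192.168.80.43 - 401 2 2148074254",
]
```

Run over a real log, a hit means a non-browser client followed the browser back to the protected page without the browser's credentials, which is the failing desktop launch in this thread.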
 
Linda Liu[MSFT]

Hi Juergen,

Thank you for your prompt response!

If you redirect to another ASP page instead of the ClickOnce application
deployment manifest from the StartClient.asp and enable SSL client
certificates for the StartClient.asp, can you redirect successfully when
you double-click shortcut to the StartClient.asp URL on desktop?

I searched and found an MSDN document discussing server and client
configuration issues in ClickOnce deployments. It points out that we need
to set the "Automatic prompting for file downloads" setting to Enable for
Internet Web pages to activate a ClickOnce application programmatically
using Active Scripting. For detailed information, see the "Activating
ClickOnce Applications Through Browser Scripting" section of the following
document:
http://msdn.microsoft.com/en-us/library/ms228998.aspx

I will also consult this issue in our internal discussion group and as soon
as I get any hint, I will update it to you.

Hope this helps.

Sincerely,
Linda Liu
Microsoft Online Community Support

Linda Liu[MSFT]

Hi Juergen,

Is there any progress on the problem?

I have consulted this issue in our internal discussion group but haven't
got a reply yet.

I will continue to research this issue. As soon as I get any hint, I will
update it to you. I appreciate your patience!

Sincerely,
Linda Liu
Microsoft Online Community Support

Linda Liu[MSFT]

Hi Juergen,

Sorry for my delayed response!

I received a reply from our internal discussion group.

When we go directly to StartClient.asp from IE, IE will redirect to the
server that has the .application file. At that time, IE checks the MIME type
of .application and then calls ClickOnce. ClickOnce wakes up and installs the
application. From ClickOnce's point of view, ClickOnce doesn't even know about
the redirection; it is the same as if someone simply clicked the .application
directly.

On the other hand, when we double-click the shortcut, Shell checks that
this shortcut is for ClickOnce. ClickOnce wakes up and tries to access the
StartClient.asp but gets 401 errors because it requires authentication. It
won't help if we've already authenticated to the site using IE because that
cookie is not going to be shared with ClickOnce (and any other app) due to an
IE security feature.

This is the behavior of Shell that causes the problem in the second
scenario above. I suggest that you always open the StartClient.asp from IE or
use form-based authentication in the StartClient.asp (i.e. let users input
user name and password on the StartClient.asp) instead of SSL certificate
authentication and allow anonymous access to the StartClient.asp page.

Hope this helps.
If you have any concerns, please feel free to let me know.

Sincerely,
Linda Liu
Microsoft Online Community Support

Jürgen

Hello Linda,

I can't follow all the details of the explanation.
Shell seems to open IE first, based on the .asp extension. This attempt
doesn't result in a 401, because I can select the certificate within the
started IE window. Maybe IE gives control back to Shell because of the
returned MIME type, but somehow Shell then misses the redirection.

Thanks for your help, we'll need to find a different solution.

Jürgen
 
Linda Liu[MSFT]

Hi Juergen,

Due to the complexity and lengthy troubleshooting in this issue, I would
like to have a Product Support Professional from Microsoft CSS work with
you to resolution. Please note that there will be no cost to you for this
support incident.

To expedite creation of the support incident, please e-mail me with the
following information (to (e-mail address removed)):

o Customer Name
o Customer email address
o Company Name, if applicable
o Best times to reach you, and your time zone.
o Microsoft Support Contract Information, if applicable
o Complete Address
o Daytime Telephone Number
o Operating System(s) In Use
o Operating System Language, especially if not US English
o Application Language, especially if not US English
o Any additional telephone number(s), in case you cannot be reached at your
primary telephone number.

After I receive an e-mail from you with the requested information, I will
create a support incident for you. Then, one of our support professionals
will contact you to establish a mutually convenient time to work on this.

Thank you again for your patience in working on this issue in the community.

Sincerely,
Linda Liu
Microsoft Online Community Support

Linda Liu[MSFT]

Hi Juergen,

How about the problem now?

I haven't received your email with your detailed contact information until
now. If you'd like us to create a support incident for you to address the
problem, please send the required information to me (e-mail address removed).

Thank you for your patience in working on this issue in the community.

Sincerely,
Linda Liu
Microsoft Online Community Support
