How to make ClickOnce work over SSL requiring client certificates

Current feature limitations of Clickonce does not provide for security over internet by design.

 

It does work over SSL with server certificates which provides a mechanism to let users know that the application is coming from a trusted publisher. However, it you want to secure your application itself to a limited set of users you will need to setup the web server to "Require Client certificates" over SSL.

Clickonce is known to not work when the Web Server is set to "Require Client Certificates".

When Internet Explorer encounters a Clickonce deployment manifest (.application file) it calls something like rundll32.exe dfshim.dll, ShOpenVerbApplication applicationname.application

A process by the name dfsvc.exe is started in further reading from the Application manifest (.exe.manifest file) and downloading the files from the server into the Clickonce application cache.

 

dfsvc is not able to handle any prompt for authentication during this process and setting up the Web Server to "Require Client Certificates" causes a prompt to the user to select an installed client certificate from the users certificate store. Therefore deployment fails with an error "The remote server returned an error: (403) Forbidden"

IIS can be configured to "Require Client Certificates" at the Website level, Virtual Directory level and the file level.

 

Setting up IIS to require client certificates at the website, virtual directory and the publish.htm level but not on the .application file and the rest of the files in the publish directory will cause a prompt for certificate when you hit the publish.htm file but not when the .application file is processed.

Clickonce should successfully deploy with this setting. Security is ensured since users will need a valid Client certificate installed to enter the Publish.htm page.

 

More Information

NOTE: One caveat to this solution is that users will still be able to directly launch the application from the .application file provided the URL is made known to them. But the URL can only be known after getting prompted for certificate to hit the Publish.htm page

 

 


Contributor : Ravi Shankar

Comments

  • Anonymous
    September 15, 2010
    Thanks for the information. We were running into this situation, and I am glad I have more information as to why this was happening.