Access 2003 Runtime With Digital Certificates

Jason Lewis

Hi,

We have an Access 2003 database deployed with the Access 2003 Runtime
environment and we are having issues with the digital certificate and the
Trusted Publisher list. According to all Microsoft sources I could find, the
only way to add your certificate to the Trusted Publishers list is through
the Security Warning dialog that has the checkbox to 'Always trust files from
this publisher and open them automatically' (or something to that effect). In
our labs, this works fine, but we have reproduced the following problem
(Note: Only In Runtime Environment Not On Full Access 2003) and do not have a
resolution:

1. Open signed MDB file [SecurityLevel is Default For Both HKCU/HKLM keys;
i.e. not set].
2. Click Yes to 'Block Unsafe Expressions' (SandBoxMode) dialog;
SandBoxMode=3.
3. Prompted with Security Warning Dialog with certificate information and
checkbox to 'Always trust files from this publisher and open them
automatically'
4. Check box to trust the digital certificate [A Verisign Certificate for
Code Signing].
5. Subsequent open attempts on DB opens without warning (so far so good).
6. Open Access Built-In security dialog programmatically (Equivalent To
Tools->Macros->Security... from MDB container).
7. Dialog shows that security is set to Medium. Click Trusted Sources tab
and our certificate is displayed in the list.
8. Use Remove button on Trusted Publisher tab to remove ourselves from Trusted
Publisher list to allow dialog to return (to attempt repeat tests of process
to trust our certificate via the same mechanism).
9. Subsequent attempts to open MDB file will prompt with a Security Warning
dialog with only Open or Cancel option and will not show the checkbox to
'Always trust files from this publisher and open them automatically'.
10. [Thinking the MDB may have had a corrupted signature; the very same MDB
file was copied to another machine and the checkbox 'Always trust files from
this publisher and open them automatically' dialog was displayed].
11. [Same as 10; but the digital signature was also re-verified from a
machine with a Full copy of Access from the Modules Tools->Digital
Signature... dialog]. (e.g. the certificate is still valid, but is not
responded to by the runtime environment)

This was verified on two machines:
A) Windows 2003 Server (Windows Updated [Express] beyond SP2)
B) Windows 2003 R2 Server [both 2003 runtime and Access 2007 runtime; MDB
still 2003 (so far)].

It was also verified with a simple database with only a single form and a
single module [no tables/queries/macros] to verify issue was not related to
signature corruption, which I have read many articles about as well.

We have not found a way to allow a user to re-add the certificate to the
Trusted Sources list, and the only documented way we could find was to rely
on the Security Warning dialog. Any assistance would be appreciated!

Thanks,

Jason Lewis
Director, Research and Development
Forward Advantage, Inc.

PS - UPDATE:

I have now confirmed that the same signed Access 2003 MDB file is recognized
as having code signed with a digital certificate by the Access 2007 Runtime,
which appropriately prompts with a checkbox to 'Always trust files from this
publisher'. When the same signed Access 2003 MDB file is opened by the Access
2003 Runtime (from a fresh image of the OS on the same machine), the Security
Warning dialog with only Open and Cancel buttons is displayed.

To me this appears as evidence that there is a bug with Access 2003 Runtime in
its ability to recognize digital certificates that should be addressed.

Are there any comments on this? Or can anyone confirm this behavior as
reproducible or point me to a Microsoft KB article confirming this issue? We
are trying to make a decision on how to upgrade an Access 2.0 database BE/FE
which is part of a larger application. We have been researching 2003 and have
installers in Alpha testing, and the issue above is one of our final hurdles.
The Access 2.0 database file started corrupting on Windows 2003 servers with
Service Pack 2 installed (removal of Service Pack 2 resolves the issue).
However, this is not going to be acceptable (for obvious reasons) long term.
Our other options include Access 2007, or a SQL backend and a custom front
end (C++). Any information or suggestions are appreciated.
 
