full trusted forms

Franz Demmel

Hi,

I found various files on full trusted forms and on the various security
levels. But I still have some problems. Maybe somebody can help me.
I have a form that needs to load an XML file via a file dialog. I chose a
full trusted form and signed the form with a self-created certificate.
But when I publish it, the file open dialog still doesn't show up,
because the user concerned doesn't have enough rights.
Then I tried
this (http://msdn.microsoft.com/library/d...UnderstandingFullyTrustedForms_HV01073332.asp)
and created a script file with RegForm. But when I start the .js file from
another account I get an access denied error.
So what exactly do I have to do to publish this form?

Regards,

Franz
 
Alessandro Catorcini [MSFT]

There are two separate problems that you are hitting.

1) Signing a form does not mean that the form is automatically fully
trusted. What matters is what is the trust relation that the signature
creates: if the certificate that you use is in the store of the trusted
publishers on the client machine that will run the form, then this evidence
will ensure that a request for full trust be granted. If the certificate is
not in the trusted publisher store of the client, though, the evidence does
not provide anything and the form remains a vanilla domain-based form with
security driven by the IE zone of the XSN location.

2) Using RegForm requires administrator privilege to access the registry.

The solution to your problem could be twofold:

a) use RegForm and create an MSI install to deploy on the client machine (as
you would install an app).
b) install your certificate on the client machine as a trusted publisher (or
better, get a real code-signing cert from a trusted CA)

Hope this helps

--Alessandro

This posting is provided "AS IS" with no warranties, and confers no rights.
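
The trust rule in the reply above can be checked on a client machine. The following PowerShell script is an added example, not part of the original thread or of any Microsoft tooling: it looks for the form's signing certificate in the Trusted Publishers stores and reports the result. `$CerPath` is a hypothetical path to the exported public certificate (.cer); the chain check is an extra diagnostic, not a condition stated in the thread.

```powershell
# Added example: is the certificate that signed the form a trusted publisher on this machine?
# $CerPath (hypothetical) points at the exported public certificate (.cer) used to sign the form.
param(
    [Parameter(Mandatory = $true)]
    [string]$CerPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path $CerPath).Path

# Trusted Publishers exists per user and per machine; check both.
$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
        ForEach-Object { $store }
}

# Extra diagnostic: can Windows build a chain from this certificate to a trusted root?
# Revocation is not checked so the script also works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# One summary object: a value of 'none' for TrustedPublisherIn means the signature
# gives no trust evidence on this client, as described in point 1 of the reply.
[pscustomobject]@{
    Subject            = $cert.Subject
    Thumbprint         = $cert.Thumbprint
    SelfSigned         = ($cert.Subject -eq $cert.Issuer)
    NotAfter           = $cert.NotAfter
    TrustedPublisherIn = if ($hits) { $hits -join '; ' } else { 'none' }
    ChainBuilds        = $chainOk
    ChainStatus        = if ($chainStatus) { $chainStatus } else { 'NoError' }
}
```

Run it under the account of the user who opens the form, since the per-user store differs between accounts.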
 
Franz Demmel

Alessandro said:
> There are two separate problems that you are hitting.
>
> 1) Signing a form does not mean that the form is automatically fully
> trusted. What matters is what is the trust relation that the signature
> creates: if the certificate that you use is in the store of the trusted
> publishers on the client machine that will run the form, then this evidence
> will ensure that a request for full trust be granted. If the certificate is
> not in the trusted publisher store of the client, though, the evidence does
> not provide anything and the form remains a vanilla domain-based form with
> security driven by the IE zone of the XSN location.

Ok. I understand.

> 2) Using RegForm requires administrator privilege to access the registry.
>
> The solution to your problem could be twofold:
>
> a) use RegForm and create an MSI install to deploy on the client machine (as
> you would install an app).

I could make an install file. But I still get an access denied error
when I try to open the file browser which I defined in my user defined
task pane.

> b) install your certificate on the client machine as a trusted publisher (or
> better, get a real code-signing cert from a trusted CA)

I'll try to get one, but it would be good if I would not need a cert
from a trusted CA.

I'm a bit stuck with all these security issues. I read about the full
trusted forms on MSDN and in other articles, but I'm still struggling with
this. So I describe my scenario and maybe someone can give me some hints:
1. I need to load XML data from a file stored on the client PC, so I
need a full trusted form.
2. I have to publish it to a network folder. I don't have direct access
to the web server. I might get access to a SharePoint server.
3. The users who will use this form only have restricted rights
(usually they don't have permissions to install or remove software).
So with all these issues I guess it is not easy to get this form
running. But any help would be appreciated.
 