David H.

I'm trying to configure an ASP.Net 2 web site to return a Word document that contains a VSTO customization that displays an action pane when the document opens.

I've manually added the Caspol security settings on the machine to point to the site. I've tried it for all zones and for both IIS access to the site as well as using the built-in VS web site, but I'm still getting blocked and the document opens with this error:

---------------------------

The current .NET security policy does not permit the customization to run ...

Could not load file or assembly 'VSTOWordTest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Failed to grant permission to execute. (Exception from HRESULT: 0x80131418)
----------------------------

I get the error whether I use a hyperlink to open the Word document or whether I use a button click event to stream the file back to the client. I'm also now trying to reset the internal mappings to the manifest in the click event that returns the Word doc, but that doesn't work either. Is there anything else that needs to be done on either the client side or server side that I'm missing?

Here's the click event from my .ASPX page that returns the document:

    ' Requires: Imports Microsoft.VisualStudio.Tools.Applications.Runtime (ServerDocument)
    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim wDoc As String = "C:\VSTOTestSite\VSTOWordTest.doc"
        Dim fname As String = System.IO.Path.GetFileName(wDoc)
        Dim assemblyName As String = "C:\VSTOTestSite\VSTOWordTest_1.0.0.2\VSTOWordTest.dll"
        Dim manifestPath As String = "http://localhost:2290/VSTOTestSite/VSTOWordTest.application"
        Dim applicationVersion As String = "1.0.0.2"

        ' Re-attach the customization so the document points at the current manifest
        If ServerDocument.IsCustomized(wDoc) Then
            ServerDocument.RemoveCustomization(wDoc)
        End If
        ServerDocument.AddCustomization( _
            wDoc, assemblyName, manifestPath, _
            applicationVersion, False)

        ' Read the whole document into memory
        Dim fs As System.IO.FileStream = Nothing
        Dim bytes() As Byte = Nothing
        fs = New System.IO.FileStream(wDoc, IO.FileMode.Open, IO.FileAccess.Read)
        ' ReDim takes the upper bound, so Length - 1 gives exactly Length bytes
        ReDim bytes(CInt(fs.Length) - 1)
        fs.Read(bytes, 0, CInt(fs.Length))
        fs.Close()

        Dim wsd As New ServerDocument(bytes, fname)
        wsd.Save()

        ' Stream the in-memory document back to the client
        Response.Clear()
        Response.ContentType = "application/msword"
        Response.AddHeader("Content-disposition", "filename=" & fname)
        Response.BinaryWrite(wsd.Document)
        wsd.Close()
        Response.End()
    End Sub

Other Info:

My development machine is an XP running Visual Studio 2005 with VSTO 2005. Right now I'm targeting Office 2003.



Re: Visual Studio Tools for Office Customization doesn't run in VSTO Word Doc returned from server

Misha Shneerson - MSFT

When downloading a document from a web site you also need to author CAS to trust the document using the Office Document membership condition. See this documentation page for more info.

Also, your server document is doing a strange thing - it sets the assembly location to the local path, when in reality the assembly should come from the web site.






Re: Visual Studio Tools for Office Customization doesn't run in VSTO Word Doc returned from server

David H.

I added the msosec.dll to the GAC and set up full trust to it by calling these 2 lines in the VS command window:

gacutil -i "C:\Program Files\Microsoft Office\Office11\Addins\Msosec.dll"
caspol -m -af "c:\Program Files\Microsoft Office\Office11\Addins\Msosec.dll"

However, I still get the security error.

In reading the documentation you cited, I had some questions about doing this anyway. There was a note that said there could be a performance hit:

If you use Msosec in your policy, it will have a negative impact on performance for all managed code on the computer. It is recommended that you not add Msosec to servers or other computers where it is not required.

I also saw some other threads that said that these steps were no longer necessary.

Also, before I set up my little test bed, I was able to successfully install and run the Benefits Registration System sample code from this article:

http://msdn2.microsoft.com/en-us/library/aa537190(office.11).aspx

In that example, an HTTPHandler is used to return the document -- but I don't understand why that approach would avoid the security challenge while streaming the document back directly from the page via a response.binaryWrite would cause it.

Ultimately, we don't want to hard code the file path, but instead would most likely be returning Word files stored in BLOBs in a database and will certainly need to wire up the VSTO document action panel component at run time. Consequently, our preferred approach is to do everything at the server in memory and not do any disk reads and writes. Is that going to be possible?

- David





Re: Visual Studio Tools for Office Customization doesn't run in VSTO Word Doc returned from server

Misha Shneerson - MSFT

Hi David,

I believe you will be able to stream the document. You will need to configure the manifest in such a way that the assemblies reside on the web site, though.

Regarding the loading failure - what is the exact error message that you are getting? Is there any call stack at the point of failure that you can post as well?

Additionally, you can use fuslogvw.exe, which will be helpful in seeing where the assembly is loaded from.






Re: Visual Studio Tools for Office Customization doesn't run in VSTO Word Doc returned from server

David H.

Misha,

Thanks for the quick reply. Here's the stack trace I'm getting:


Could not load file or assembly 'VSTOWordTest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Failed to grant permission to execute. (Exception from HRESULT: 0x80131418)


************** Exception Text **************
System.IO.FileLoadException: Could not load file or assembly 'VSTOWordTest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Failed to grant permission to execute. (Exception from HRESULT: 0x80131418)
File name: 'VSTOWordTest, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' ---> System.Security.Policy.PolicyException: Execution permission cannot be acquired.
at System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Boolean checkExecutionPermission)
at System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Int32& securitySpecialFlags, Boolean checkExecutionPermission)
at Microsoft.VisualStudio.Tools.Applications.Runtime.AppDomainManagerInternal.HandleOnlineOffline(Exception e, String basePath, String filePath)
at Microsoft.VisualStudio.Tools.Applications.Runtime.AppDomainManagerInternal.LoadStartupAssembly(EntryPoint entryPoint, Dependency dependency, Dictionary`2 assembliesHash)
at Microsoft.VisualStudio.Tools.Applications.Runtime.AppDomainManagerInternal.ConfigureAppDomain()
at Microsoft.VisualStudio.Tools.Applications.Runtime.AppDomainManagerInternal.LoadAssembliesAndConfigureAppDomain(IHostServiceProvider serviceProvider)
at Microsoft.VisualStudio.Tools.Applications.Runtime.AppDomainManagerInternal.ExecuteCustomization(IHostServiceProvider serviceProvider)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.42 (RTM.050727-4200)
CodeBase: file:///C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
msosec
Assembly Version: 7.0.5000.0
Win32 Version: 7.10.3191.0
CodeBase: file:///C:/WINDOWS/assembly/GAC/msosec/7.0.5000.0__b03f5f7f11d50a3a/msosec.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.Runtime
Assembly Version: 8.0.0.0
Win32 Version: 8.0.50727.762
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.Runtime/8.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.Runtime.dll
----------------------------------------
Microsoft.Office.Tools.Common
Assembly Version: 8.0.0.0
Win32 Version: 8.0.50727.42
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/Microsoft.Office.Tools.Common/8.0.0.0__b03f5f7f11d50a3a/Microsoft.Office.Tools.Common.dll
----------------------------------------
System
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.42 (RTM.050727-4200)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.42 (RTM.050727-4200)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Xml
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.42 (RTM.050727-4200)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------





Re: Visual Studio Tools for Office Customization doesn't run in VSTO Word Doc returned from server

Misha Shneerson - MSFT

David,

Check out this advice on how to troubleshoot this:

From http://blogs.msdn.com/ptorr/archive/2003/10/06/56250.aspx

caspol -all -lg

caspol -rsg path_to_assembly

What this will tell me is what their security policy looks like (lg == list groups == list all policy rules), and then how the CLR thinks the evidence of the assembly maps to those rules (rsg == resolve groups == list groups the assembly matches). This tells me whether or not they have set up policy correctly, and whether or not their assembly is matching the code groups they think it should match. Most problems are caught here for one of three reasons:

  1. A network rule (eg, http://server/ --> FullTrust) was added to the MyComputer zone, but it's in the LocalIntranet
  2. There's a typo in the filename or URL
  3. The asterisk (*) was not added after a directory to indicate "and all folders under here"

I'll show an example of a fourth problem I've only seen once, but the effect is the same as for the three cases above:

A simplified output of caspol -all -lg

Enterprise
  All_Code: FullTrust
Machine
  All_Code: Nothing
    MyComputer: FullTrust
    LocalIntranet: LocalIntranet
      http://localhost/*: FullTrust
    TrustedSites: LocalIntranet
    RestrictedSites: Nothing
User
  All_Code: FullTrust

A simplified output of caspol -rsg http://localhost/myassembly.dll

Enterprise
  All_Code
Machine
  All_Code
    TrustedSites
User
  All_Code

Immediately it is obvious to the trained eye that the user thought http://localhost/ was in the LocalIntranet zone (which it is by default), but for one reason or another they have added it to the TrustedSites zone in IE. The answer is simply to move the localhost rule from LocalIntranet to TrustedSites, and you are golden.






Re: Visual Studio Tools for Office Customization doesn't run in VSTO Word Doc returned from server

Goran B

Hi there, I have the same problem and I tried to troubleshoot the problem as you pointed out. It leaves me even more puzzled!!!

This is what I get back (notice I gave everything I could FULLTRUST):

Code Snippet

Microsoft (R) .NET Framework CasPol 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights re

Security is ON
Execution checking is ON
Policy change prompt is ON

Level = Enterprise

Code Groups:

1. All code: FullTrust

Level = Machine

Code Groups:

1. All code: FullTrust
1.1. Zone - MyComputer: FullTrust
1.2. Zone - Intranet: FullTrust (Exclusive)
1.3. Zone - Internet: FullTrust (Exclusive)
1.4. Zone - Untrusted: FullTrust
1.5. Zone - Trusted: FullTrust

Level = User

Code Groups:

1. All code: FullTrust
Success

when I check my dll I get:

Code Snippet

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>caspol -rsg mydll
Microsoft (R) .NET Framework CasPol 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.


Level = Enterprise

Code Groups:

1. All code: FullTrust


Level = Machine

Code Groups:

1. All code: Nothing
1.2. Zone - Intranet: FullTrust (Exclusive)


Level = User

Code Groups:

1. All code: FullTrust

Success

I would expect no problems whatsoever executing my code. And still I get:

Code Snippet

Could not load file or assembly 'VerslagActionPane, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ed70b5da3002c189' or one of its dependencies. Failed to grant permission to execute. (Exception from HRESULT: 0x80131418)


************** Exception Text **************
System.IO.FileLoadException: Could not load file or assembly 'VerslagActionPane, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ed70b5da3002c189' or one of its dependencies. Failed to grant permission to execute. (Exception from HRESULT: 0x80131418)
File name: 'VerslagActionPane, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ed70b5da3002c189' ---> System.Security.Policy.PolicyException: Execution permission cannot be acquired.
at System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Boolean checkExecutionPermission)
at System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Int32& securitySpecialFlags, Boolean checkExecutionPermission)
at Microsoft.VisualStudio.Tools.Applications.Runtime.AppDomainManagerInternal.HandleOnlineOffline(Exception e, String basePath, String filePath)
at Microsoft.VisualStudio.Tools.Applications.Runtime.AppDomainManagerInternal.LoadStartupAssembly(EntryPoint entryPoint, Dependency dependency, Dictionary`2 assembliesHash)
at Microsoft.VisualStudio.Tools.Applications.Runtime.AppDomainManagerInternal.ConfigureAppDomain()
at Microsoft.VisualStudio.Tools.Applications.Runtime.AppDomainManagerInternal.LoadAssembliesAndConfigureAppDomain(IHostServiceProvider serviceProvider)
at Microsoft.VisualStudio.Tools.Applications.Runtime.AppDomainManagerInternal.LoadEntryPointsHelper(IHostServiceProvider serviceProvider)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.832 (QFE.050727-8300)
CodeBase: file:///C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
System
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.832 (QFE.050727-8300)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Configuration
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.832 (QFE.050727-8300)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.832 (QFE.050727-8300)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Microsoft.VisualStudio.Tools.Applications.Runtime
Assembly Version: 8.0.0.0
Win32 Version: 8.0.50727.816
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/Microsoft.VisualStudio.Tools.Applications.Runtime/8.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualStudio.Tools.Applications.Runtime.dll
----------------------------------------
Microsoft.Office.Tools.Common
Assembly Version: 8.0.0.0
Win32 Version: 8.0.50727.816
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/Microsoft.Office.Tools.Common/8.0.0.0__b03f5f7f11d50a3a/Microsoft.Office.Tools.Common.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.832 (QFE.050727-8300)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.832 (QFE.050727-8300)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------

WHAT is the problem?

The situation is: A Word document in a SharePoint library with custom properties _AssemblyName and _AssemblyLocation pointing to a manifest on the same server as the SharePoint site but to a different site (SharePoint is on port 80 and the manifest with deployed dlls is on a site that uses port 10000 on the same server). Running this on a localhost on the development machine works perfectly. Deploying it to a test webserver and trying to open the document with actionpane from the development machine just doesn't work.

Am I missing something?

Kind Regards,

Goran






Re: Visual Studio Tools for Office Customization doesn't run in VSTO Word Doc returned from server

Misha Shneerson - MSFT

Goran,

As you can see, your assemblies are granted FullTrust based on Zone evidence. Under the VSTO security system this is not enough - you need to have a FullTrust grant based on something else, e.g. strong name or URL.
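
The check described in the reply above, as an added example in Python (not code from the thread or from Microsoft): a parser for `caspol -rsg` output that reports whether any FullTrust match rests on evidence other than Zone. Treating `All code` the same way as Zone is an assumption, and `WITH_URL_RSG` with its host name is constructed.

```python
import re

# One resolved group line, e.g. "1.2. Zone - Intranet: FullTrust (Exclusive)"
GROUP = re.compile(r"^\s*(\d+(?:\.\d+)*)\.\s+(.+):\s+(\w+)(?:\s+\((\w+)\))?\s*$")
LEVEL = re.compile(r"^\s*Level\s*=\s*(\w+)\s*$")
# Generic conditions. Treating "All code" like Zone is an assumption (thread names only Zone).
GENERIC = {"Zone", "All code"}

def parse_rsg(text):
    """Return (level, condition kind, condition value, permission set) tuples."""
    level, groups = None, []
    for line in text.splitlines():
        m = LEVEL.match(line)
        if m:
            level = m.group(1)
            continue
        m = GROUP.match(line)
        if m and level:
            kind, _, value = m.group(2).partition(" - ")
            groups.append((level, kind.strip(), value.strip(), m.group(3)))
    return groups

def fulltrust_basis(text):
    """Split FullTrust matches into (generic, specific) membership conditions."""
    generic, specific = [], []
    for level, kind, value, pset in parse_rsg(text):
        if pset == "FullTrust":
            (generic if kind in GENERIC else specific).append((level, kind, value))
    return generic, specific

def zone_only(text):
    """True when FullTrust is matched, but only through Zone / All code groups."""
    generic, specific = fulltrust_basis(text)
    return bool(generic) and not specific

# caspol -rsg output as posted in the thread (banner, "Code Groups:" and blank lines omitted).
GORAN_RSG = """\
Level = Enterprise
1. All code: FullTrust
Level = Machine
1. All code: Nothing
1.2. Zone - Intranet: FullTrust (Exclusive)
Level = User
1. All code: FullTrust
"""
# Constructed variant: adds a URL code group; the host name is a placeholder.
WITH_URL_RSG = GORAN_RSG.replace(
    "(Exclusive)", "(Exclusive)\n1.2.1. Url - http://testserver.example:10000/*: FullTrust")
```

`zone_only(GORAN_RSG)` is true, which matches the diagnosis in the reply; a URL or strong-name grant is created with caspol's `-addgroup` using the `-url` or `-strong` membership condition.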