4

To enable elevated trust for the Silverlight 5 application when running in-browser I've tried many options, well described e.g. here (by Mister Goodcat), and it works well with our VeriSign certificate only if I add the registry key AllowElevatedTrustAppsInBrowser. For our customers this is not an option, because our application must run with elevated permissions both out-of-browser and in-browser (and it works, but only after changing the registry key). The application will be hosted on our internet website.

Is it possible to enable elevated trust in-browser without adding the registry key (e.g. by adding some configuration on the server, but not on the client)? Is it possible to ask the user for the elevated permissions, as was the case e.g. in Silverlight 4 for webcam capturing?

Alexander Zwitbaum
  • Oh we wish... In other words: all the evidence I've found so far points to no, you can't. Or maybe you can try to fiddle with group policies, but if you can't add a registry key, chances are you won't be able to use a GP either. – jv42 Feb 05 '13 at 15:19

2 Answers

1

I have faced similar issues in the past. After I configured the application by changing the registry settings, it worked properly. But the client asked about the security violations if we make such settings. Then I created an OOB application with a ClientAccessPolicy.xaml file for elevating the trust. After this, I don't need any registry changes or importing the certificate as mentioned in the link: http://www.mistergoodcat.com/post/Silverlight-5-Tidbits-Trusted-applications

Also, could someone elaborate on the security issues of changing the registry settings? As per my understanding, since we make that change just for the Silverlight application, any other malicious app cannot run, since it might not have a trusted certificate installed (a certificate can only be imported by an admin).

I used this link (http://msdn.microsoft.com/en-us/library/dd833073(v=vs.95).aspx) to create an OOB application. Also, I created one ClientAccessPolicy file with the content below:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
  <Deployment.OutOfBrowserSettings>
    <OutOfBrowserSettings.SecuritySettings>
      <SecuritySettings ElevatedPermissions="Required" />
    </OutOfBrowserSettings.SecuritySettings>
  </Deployment.OutOfBrowserSettings>
</access-policy>

Then I published my application to the server and it works as an OOB application without any need to modify the registry settings.

Eera Gupta
  • Can you please exactly explain the details of fixing the problem by extending the application to OOB and creating and embedding the ClientAccessPolicy file. – Alexander Zwitbaum Jul 11 '14 at 15:13
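
An added example, not code from either answer: a small Python linter run over the policy file as posted above. It reports elements that are not part of the cross-domain policy format (elevated-trust settings are declared in the application's out-of-browser settings, not in this file) and flags a policy that lets any origin reach every path on the site. The `KNOWN` element set, the finding names and `lint_policy` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Policy file as posted in the answer above (indentation normalised).
POSTED_POLICY = b"""<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
  <Deployment.OutOfBrowserSettings>
    <OutOfBrowserSettings.SecuritySettings>
      <SecuritySettings ElevatedPermissions="Required" />
    </OutOfBrowserSettings.SecuritySettings>
  </Deployment.OutOfBrowserSettings>
</access-policy>"""

# Assumption: element names defined by the Silverlight policy file format.
KNOWN = {"access-policy", "cross-domain-access", "policy", "allow-from",
         "domain", "grant-to", "resource", "socket-resource"}

def lint_policy(xml_bytes):
    """Return a list of finding codes for a clientaccesspolicy document."""
    root = ET.fromstring(xml_bytes)
    findings = []

    def walk(el):  # report the outermost unknown element, not its children
        if el.tag not in KNOWN:
            findings.append("unknown-element:" + el.tag)
        else:
            for child in el:
                walk(child)

    walk(root)
    for policy in root.iter("policy"):
        any_origin = any(d.get("uri") in ("*", "http://*", "https://*")
                         for d in policy.iter("domain"))
        whole_site = any(r.get("path") == "/" and
                         r.get("include-subpaths", "false").lower() == "true"
                         for r in policy.iter("resource"))
        if any_origin:
            findings.append("any-origin-whole-site" if whole_site else "any-origin")
    return findings
```

A policy that names the calling origin and grants only the service path returns an empty list.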
0

I had the same problem. As in jv42's answer, you have to add the registry key to enable elevated trust for the Silverlight 5 application in-browser. So, my solution is to add an OOB app that changes the registry key in the same solution. If Application.Current.HasElevatedPermissions is false in the in-browser application, it launches the OOB app and adds the AllowElevatedTrustAppsInBrowser registry key to the client machine. It is needed just once, the first time the client uses your application. I hope it will be useful to other guys who have the same problem.

user689072
  • How can you install and launch the second OOB application from your main in-browser application? Then how can the user without Administrator rights add the registry key to the HKLM? – Alexander Zwitbaum Apr 10 '13 at 15:53
  • This link is useful to learn how to provide an OOB installation button on your main in-browser application. (ref: http://timheuer.com/blog/archive/2009/08/12/silverlight-out-of-browser-force-install-pattern.aspx) Then, you need to know how to use the COM Interop Automation Factory in your OOB application to change the registry on the client machine. Here is another useful link to learn it. (http://www.silverlightshow.net/items/Mastering-LOB-Development-for-Silverlight-5-Out-of-Browser-OOB-Applications-.aspx) Have fun :) – user689072 Apr 11 '13 at 13:13
  • Unfortunately it doesn't answer my questions above. Yes, it is simple to provide an OOB installation button on your main in-browser application, but you need to provide an installation of the second OOB (as you wrote) that adds a registry key!!! OK, you can also install the main application as OOB this way, but how can you add a registry key to the HKLM (with or without the COM Interop Automation) if the user is not an Administrator? – Alexander Zwitbaum Apr 11 '13 at 15:38
  • I did not read carefully about the Administrator rights in your question. As you know, the user can't add the registry key on HKLM without Administrator privileges :( – user689072 Apr 11 '13 at 21:21