Use ClickOnce on password protected web site

Question

I am using ClickOnce to distribute an application from a website URL. The application has a few merge modules such as ADO ActiveSync that requires the ClickOnce installer to download the dependecy.

If I password protect the URL, the user can log in and start the Click Once process using the publish.htm page. The process fails when it tries to download the dependecy files since ClickOnce is not supplying the authentication information. Is there a setting I can use so that ClickOnce can log back into the website it was just started from and download the merge modules?

I don't really care if the username/password is stored in the XML config files in plain text. I just want to stop anyone in the world from downloading the app.

Answer 1

You cannot use forms authentication with ClickOnce deployment.

ClickOnce does not support forms-based authentication because it uses persistent cookies; these present a security risk because they reside in the Internet Explorer cache and can be hacked. Therefore, if you are deploying ClickOnce applications, any authentication scenario besides Windows NT authentication is unsupported. MSDN for ClickOnce Deployment and Security

If you want more control over your distribution system you might consider a third party solution. I have used AppLife Update and enjoyed the flexibility it game me. But there are other 3rd party solutions out there.

There is an excellent StackOverflow question about alternatives to ClickOnce over here: Alternatives to ClickOnce