Debugging TrustNotGrantedException in VSTO word addin

Question

I'm getting TrustNotGrantedException thrown for some specific users of our VSTO word addin.

These users have the certificate installed correctly.

The exception is being thrown when the app checks for updates:

try
{
    ApplicationDeployment.CurrentDeployment.CheckForUpdate()
}
catch(TrustNotGrantedException ex)
{
    Log(ex);
}

The stack trace is logged as follows:

User has refused to grant required permissions to the application.

   at System.Deployment.Application.ApplicationTrust.RequestTrust(SubscriptionState subState, Boolean isShellVisible, Boolean isUpdate, ActivationContext actCtx, TrustManagerContext tmc)    at System.Deployment.Application.DeploymentManager.DetermineTrustCore(Boolean blocking, TrustParams tp)    at System.Deployment.Application.DeploymentManager.DetermineTrust(TrustParams trustParams)    at System.Deployment.Application.ApplicationDeployment.CheckForDetailedUpdate(Boolean persistUpdateCheckResult)    at System.Deployment.Application.ApplicationDeployment.CheckForUpdate()    at iReport.iReportAddIn.CheckForUpdates()

Has anyone experienced this or knows how to prevent this in the code or with any workarounds?

Edit:

I have read through this blog post on the issues and it seems like it could be an issue with CAS Permissions for the problem users.

I'll try and give a problem user access to the update URL using this and will follow up in a bit, although I would much prefer to be able to prevent this in the code instead of fixing individual client machines. Something like:

caspol -m -ag 1 -url "http://machinename/application/*" FullTrust -exclusive on

Edit2:

Using caspol.exe worked! Does anyone know a way to prevent this from happening in the code? Or can anyone explain why it could only be happening to select users?

Edit3:

I'm going to try add

<system.web>
  <!-- level="[Full|High|Medium|Low|Minimal]" -->
  <trust level="Full" originUrl=""/>
</system.web>

to the app.config

Edit4:

Adding full CAS trust to the app.config didn't help. Can anyone show me if its possible to achieve what CASPOL is doing in code?

Edit5:

If it isn't possible to do this in code, is there a easy way to run the CASPOL command as part of the clickonce install?

Answer 1

In recent versions of Windows, downloaded files are flagged as blocked and have security restrictions imposed on them that can cause breakage when consumed by other apps due to the sandboxing.

The implementation uses NTFS alternate streams . If the file is blocked you can tell by right clicking on the file, viewing properties and seeing the unblock button. Clicking unblock removes the stream and releases the extra security restrictions.

It can also be removed using sysinternals streams.exe . Test whether this is your issue by downloading your plugin on a Windows 7 machine, and then install without unblocking to see if it reproduces the issue.