More VSTO Security Documentation Enhancments

The installer was at the client's, installing our VSTO application, and was getting the following error:

"The current .NET security policy does not permit <document> to load custom macros."

The VSTO Troubleshooting page says that the reason for this is that the document was opened from an untrusted location, or from an email attachment. It also mentions as a possibility that the wrong version of the .NET Framework might be running on the machine. After checking the .NET Security Configuration Settings (by phone, arghh!) and getting no results, I started thinking about what is meant by "an untrusted location."  Does it mean that the location of the .NET assembly being loaded by the document is untrusted? No because I had explicitly set the trust level on the dll.  What could it mean then?

...

Eureka!  I'm attempting the run the documents over the intranet!  The Machine->LocalIntranet_Zone has to have FullTrust permissions!  Switch those on and the documents begin working.

Okay, so here's the invitation to the rest of you that are deploying VSTO solutions: Is there anything fundamentally wrong with the approach I took?  Is there something better I could have done?

As an aside:

To Microsoft--

I'm a big fan.  I hope even to join your ranks in Redmond someday.  The .NET Framework is a marvelous achievement, and I am thrilled to see it being integrated with Office.  This brings a level of power to Office Development that had never existed before. It makes it easy to integrate existing and varied solutions with Office documentation, thereby making Office an even more attractive suite of software for business management.  That said, the hoops I have to jump through as a VSTO developer to deploy my Office solutions are too many.  The fact that the client has to have Office 2003 Pro even to make use of these features is a huge detriment to the cause.  The fact that .NET Security Configuration is such a bear, and that there's no clean programmatic way to manipulate it, makes it difficult to justify the trouble. You've created a wonderful set of tools that allow me to provide powerful business software to my clients.  Please, ease the burden of the license and security requirements so that I can continue to work with these tools.

Thank you.

Published Thursday, November 11, 2004 10:24 AM by taganov
Filed under:

Comments

# re: More VSTO Security Documentation Enhancments

Monday, November 15, 2004 1:49 AM by Peter Torr

Chris, sorry you were having a hard time with security; unfortunately if it is easy for you to get your code to run, it will be easy for attackers to get their code to run.

You might want to read two of my blogs:

http://weblogs.asp.net/ptorr/archive/2003/09/25/56217.aspx

and

http://weblogs.asp.net/ptorr/archive/2004/10/29/249366.aspx

The Office Pro requirement is a marketing thing. nothing I can do about that; sorry :-(

# More Debate on VSTO Security

Monday, November 15, 2004 8:40 AM by TrackBack

# re: More VSTO Security Documentation Enhancments

Tuesday, August 14, 2007 2:04 AM by Aric Katz

Is there any documented way to return a string value from a vba function when calling it from c# using the vsto / office interop? i tried using the invoke "run" but it runs against voids only and i tried passing an object to a vatient in vba but it did not return the data although the object was sent byref.

Leave a Comment

(required) 
(required) 
(optional)
(required)