In browser trusted application Silverlight 5

Question

With the new Silverlight 5, we can now have an In-Browser elevated-trust application. However, I'm experiencing some problems to deploy the application.

When I am testing the application from Visual Studio, everything works fine because it automatically gives every right if the website is hosted on the local machine (localhost, 127.0.0.1).

I saw on MSDN that I have to follow 3 steps to make it work on any website:

1. Signed the XAP — I did it following the Microsoft tutorial
2. Install the Trusted publishers certificate store — I did it too following the Microsoft Tutorial
3. Adding a Registry key with the value AllowElevatedTrustAppsInBrowser.

The third step is the one I am the most unsure about. Do we need to add this registry key on the local machine or on the server? Is there any automatic function in Silverlight to add this key or is it better to make a batch file?

Even with those three steps, the application is still not working when called from another url than localhost.

Does anybody have successfully implemented an in-browser elevated-trust application? Do you see what I'm doing wrong?

Sources:

• http://msdn.microsoft.com/en-us/library/gg192793(v=VS.96).aspx
• http://pitorque.de/MisterGoodcat/post/Silverlight-5-Tidbits-Trusted-applications.aspx

Answer 1

There are lots of great resources describing this process, including the ones mentioned in responses here. I wanted to document the steps that worked for us. (Silverlight 5.1.10411.0)

Here are the steps that we took to enable In-Browser Trusted Applications:

1. Sign the Xap file with code signing key.
2. Install public code signing key into "Certificates->Current User->Trusted Publishers"
3. Set the DWORD registry key AllowElevatedTrustAppsInBrowser = 1 at

   SL 64 bit path: HKLM\Software\Wow6432Node\Microsoft\Silverlight

   SL 32 bit path: HKLM\Software\Microsoft\Silverlight

4. Open the Silverlight project in a text editor and verify the following entries exist:

   <RequireInBrowserElevation>true</RequireInBrowserElevation>
   <InBrowserSettingsFile>Properties\InBrowserSettings.xml</InBrowserSettingsFile>
   

5. Check that the Properties\InBrowserSettings.xml exists and contains:

   <InBrowserSettings>
     <InBrowserSettings.SecuritySettings>
       <SecuritySettings ElevatedPermissions="Required" />
     </InBrowserSettings.SecuritySettings>
   </InBrowserSettings>
   

Note:

• If you use a self signed certificate while testing, you will also need to install it into "Certificates->Current User->Trusted Root Certification Authorities". (Buy one before you go into production)
• Once you sign a XAP file you cannot unzip and modify it as doing so breaks the signing (it must be resigned).
• Don't forget to clear your browser cache if you are caching the xap file.
• This worked on Windows 7 and Windows 8 Release Preview (desktop mode) with IE, Chrome, Firefox and Safari.

Answer 2

I have successfully created in-browser Silverlight 5 app with elevated privileges fallowing this msdn article. You can always check if Your app has elevated privs with:

Application.Current.HasElevatedPermissions

My problem is that while it works without problem in Firefox 14, IE9 needs to be run as administrator in Windows 7. I am currently looking for a way to make it work without executing IE as administrator. If anybody knows how to do this I would appreciate the help.

Edit:

Wow. Actually link from Aaron McIver post helped me a lot. I just switched "Enable protected mode" off and now it works just fine without administrator rights. :D