How can I use the system.net section of my app.config in a partial trust environment?

Brann · Feb 18, 2009 · Viewed 12.3k times

I've a WCF application deployed using ClickOnce. It connects to my server using HTTPS, and everything works fine.

I use the default proxy when needed thanks to the following code:

  <configSections>
    <sectionGroup name="system.net" type="System.Net.Configuration.NetSectionGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <section name="defaultProxy" type="System.Net.Configuration.DefaultProxySection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    </sectionGroup>
  </configSections>
  <system.net>
    <defaultProxy useDefaultCredentials="true"/>
  </system.net>

In Full Trust mode, everything works fine.

Now, if I set my security settings to partial trust, it does work fine if there's no proxy involved, but if I try to launch my software in a corporate environment, the proxy is not autodetected anymore.

From my understanding:

The configSections are not parsed anymore in partial trust environments, unless the requirePermission attribute is set, like this:

<section requirePermission="false" name="defaultProxy">

Setting this attribute throws a System.Configuration.ConfigurationException with the following error message:

Section or group name 'defaultProxy' is already defined. Updates to this may only occur at the configuration level where it is defined.

The 'defaultProxy' section is indeed already defined in the machine.config file:

   <section name="defaultProxy" type="System.Net.Configuration.DefaultProxySection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

However, this doesn't seem to be a problem as long as the requirePermission is not set. In other words, it seems that the error message should rather read:

Section or group name 'defaultProxy' is already defined with another requirePermission setting. Updates to this may only occur at the configuration level where it is defined.


Has somebody run into the same problem? Is it possible to silently use the default proxy from a WCF application in partial trust mode? I've also tried to set the proxy programmatically, without success:

System.Net.WebProxy proxy = new WebProxy();
proxy.UseDefaultCredentials = true;
WebRequest.DefaultWebProxy = proxy;

The useDefaultWebProxy attribute of the wsHttpBinding is set straight from the beginning, but doesn't seem to work, either in a partial or full trust environment, without the 'system.net.defaultProxy' section correctly defined:

   <binding name="WebBinding" useDefaultWebProxy="true">

I guess I could ask my clients to update their local machine.config files to add the needed defaultProxy useDefaultCredentials="true", but it's definitely not gonna ease deployment.
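
An added example, not part of the original question: a small Python lint that compares the configSections declarations of an app.config against machine.config and reports any section redeclared with different attributes, which is the situation the question describes for defaultProxy. Both XML documents are constructed samples with abbreviated type names; treating an omitted requirePermission as "true" and comparing attributes as plain strings are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from a real machine): the machine-level
# declaration quoted in the question, and an app.config that redeclares it.
MACHINE_CONFIG = """<configuration><configSections>
  <sectionGroup name="system.net" type="System.Net.Configuration.NetSectionGroup, System">
    <section name="defaultProxy" type="System.Net.Configuration.DefaultProxySection, System"/>
  </sectionGroup>
</configSections></configuration>"""

APP_CONFIG = """<configuration><configSections>
  <sectionGroup name="system.net" type="System.Net.Configuration.NetSectionGroup, System">
    <section name="defaultProxy" requirePermission="false"
             type="System.Net.Configuration.DefaultProxySection, System"/>
  </sectionGroup>
</configSections></configuration>"""


def declared_sections(config_xml):
    """Map 'group/section' path -> attributes for every <section> declaration."""
    found = {}
    def walk(node, prefix):
        for child in node:
            path = prefix + child.get("name", "")
            if child.tag == "sectionGroup":
                walk(child, path + "/")
            elif child.tag == "section":
                # Assumption: an omitted requirePermission means "true".
                found[path] = {"requirePermission": "true", **child.attrib}

    sections = ET.fromstring(config_xml).find("configSections")
    if sections is not None:
        walk(sections, "")
    return found


def redeclaration_conflicts(machine_xml, app_xml):
    """Return (path, attribute, machine_value, app_value) for each mismatch."""
    machine, app = declared_sections(machine_xml), declared_sections(app_xml)
    conflicts = []
    for path in sorted(set(machine) & set(app)):
        for attr in sorted(set(machine[path]) | set(app[path])):
            if machine[path].get(attr) != app[path].get(attr):
                conflicts.append((path, attr, machine[path].get(attr), app[path].get(attr)))
    return conflicts


if __name__ == "__main__":
    for path, attr, m, a in redeclaration_conflicts(MACHINE_CONFIG, APP_CONFIG):
        print(f"{path}: {attr} is {m!r} in machine.config but {a!r} in app.config")
```
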

Answer

Dave R. · Mar 6, 2009

I believe this is a known issue, possibly related to private key transport. There is an MS Connect entry here:

https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=354646

I hope I have understood the issue correctly. If your issues are the result of this bug, then it looks like there's no ETA on a fix just yet. However, there may be a workaround related to manually requesting credentials. Obviously this isn't ideal, but it may give you another option before you deploy to production systems.

There is additional discussion on the MSDN forums here:

http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/c19b726b-573b-4157-91fd-051724f04180/