In this article, I want to talk about our Silverlight application and the security components the GP Web Client has adopted. Being such that the Microsoft Dynamics GP client is now hosted within the web browser, new challenges arise when it comes to things like printing and exporting data out of your web browser. In addition, understanding that we need to be able to provide the same user experience in the Web Client as we have in the Rich client is a requirement that will be demanded by all end users. Taking that challenge on directly, our Silverlight application does contain the ability to:
But this capability does not exist out the box and it shouldn't for security reasons. Starting in Silverlight 5, system administrators can enable trusted applications to run inside the browser in order to simplify enterprise deployments and updates. Additional information on this topic can be found here. With most trusted applications, they typically run outside of the web browser which requires some level of admin access to the local machine in order to install it. But when trusting a Silverlight application within the browser, delivery and administration of updates can become automatic. So while there are some cool options that are enabled with this Silverlight feature, our main purpose for trusting our Silverlight application is to accomplish the task listed above.
In order to provide the required trust level to the Silverlight application, there are two changes that need to take place on the end users computer. These changes do not occur on the Web Server or Session Host. The two changes are:
So how do these changes work with our Silverlight application? In order to gain access to the local machine file system through the Silverlight application, we make Command Shell calls to invoke the required actions that we need to call an application or invoke a printing call. But before our Silverlight application can do that, the above items must be in place first. Changing the registry key is fairly straight forward, but gaining access to the certificate is a little more difficult. You can't use any old certificate to enable this functionality. The certificate you need is the certificate that Microsoft used to officially SIGN our Silverlight XAP file. Microsoft owns this certificate...and you need it. The cool thing however is that you already have the certificate and don't even know you do. Below are the steps you can take get make the registry change and extract/install the Microsoft certificate.
The first step DOES involve someone going into the local registry on the end user machine, finding the appropriate key and changing one value. While this step is not very difficult, anytime you open the registry editor, you need to take caution on what you change. To make the change, follow these steps:
Note: The AllowElevatedTrustAppsInBrowser.reg file attached to the bottom of the post can simplify the registry change for you.
The second step involves extracting the certificate and then installing it to the correct certificate store. This step will require admin level access to the local machine because the certificate that you will be adding to the certificate store needs to go into a location that requires a higher level of permissions. The first thing we will be stepping through is to extract the certificate from our Silverlight XAP file. This might seem strange that you can do this, but in all reality, this method is WAY more secure than posting the actual certificate on this public blog for everyone to download and potentially use for the wrong purposes. With the RTM release of GP Web Client, we will be delivering an actual MSI installer that can be used to make these changes and install the certificate.
Note: Please do not post or share this certificate and make it available for public download. If you want to share anything, share these steps on how to extract the certificate. Being able to extract the certificate would mean that you at least have access to the GP Web Client software and have deployed it.
Follow these steps to extract/install the certificate:
At this point, to validate that you have successfully load the certificate into the correct stored, follow these steps to find the certificate:
If the ID matches, then you have successfully loaded the correct certificate needed to enable our Silverlight application as a Trusted Application. Your next step is to then log into GP Web Client to check and see if the Silverlight application has the required level of security access to the file system. When you don't have the correct level of access, the Silverlight application displays an icon in the lower right hand corner indicating just that. Below is a screen shot of that icon. The picture represents that the file system is still LOCKED OUT and displays a padlock type icon. This functionality will remain with the RTM release so when troubleshooting printing issues, this should be one of the first things you should look for because if the icon IS PRESENT, no printing or anything with the file system will occur through the Silverlight Application.
As I mentioned above, the RTM release will have a installer that will facilitate these steps above for you. But if you are using the BETA release, you are going to need this information. Enjoy the guidance and Happy Printing!!
PS: While the printing options are enabled with these steps, the printing functionality IS NOT done and is continuing to evolve. What that really means, is that some stuff works and other stuff doesn't. Please be patient as we are working hard on getting this functionality right.
Posting from Mark Polino at DynamicAccounting.net
PLEASE READ BEFORE POSTING
Please only post comments relating to the topic of this page.
If you wish to ask a technical question, please use the links in the links section (scroll down, on right hand side) to ask on the Newsgroups or Forums. If you ask on the Newsgroups or Forums, others in the community can respond and the answers are available for everyone in the future.