Digital Certificates for Runtime

mjdemaris

Working on it...
Joined: Jul 9, 2015
Messages: 424
After reading a couple of threads, I have the idea that to deploy a front end with some level of security against tampering, the runtime version should be used. However, I am left with dealing with a security warning from Windows every time I open it. To deal with this, it seems I need a digital certificate. After reading Galaxiom's posts on this subject, it sounds like a lot of work to go through to get this done.

Does it cost anything to create a certificate?
Is the trouble of creating a certificate worth it? Granted, for 40 something users, it costs us whatever MS charges in annual licensing fees.
So, what would be the best option - use runtime or not? (If I understand the situation clearly enough)

And if I were to use runtime, in simple terms, how would I go about creating a certificate and deploying it with my front end? (I got lost in some of the domain/group policy stuff.) Plus, I am on the active directory as a regular user (if that's what we are called) with no special permissions or server access. I could ask for server access, if I need it. Do I need it?

Even using accde files, Windows still pops up a security warning.

Thanks.
 

mjdemaris

That is interesting. Someone (in some post I read) said they did that and it didn't work... so, being the smart developer I am, I decided I didn't need to check that... Well, after deciding to re-evaluate my "smartness" seeing your post, that is what I needed to do, lol.

Thanks.
 

CJ_London

Super Moderator, Staff member
Joined: Feb 19, 2013
Messages: 16,553
The code you have been pointed to does work, but the user will still see the security message the very first time the file is opened.

If you supply a runtime version as a packaged product you can modify the registry to include a trusted location with the installer (subject to the user having the required privileges), so the user never sees the message, since the registry is modified before the file is opened. This presumes you are going to install the db in a known location (typically c:\users\Username\appdata\local\yourfolder) with a shortcut on the desktop.

If through the installer you are allowing the user to choose where to put the db you would need more complex code - and perhaps not use the Windows packager but something like Inno, which has more flexible options.
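The registry change an installer would make for a trusted location, written out as an added example (not code from this thread or from any poster). It assumes Office 16.0 and a per-user install; `YourFolder` and `YourAppFrontEnd` are placeholder names. Because anything placed in a trusted location opens without a prompt, the script refuses network paths, leaves subfolders untrusted, and then lists what is already trusted and who can write to the folder.

```powershell
# Added example: register one folder as an Access trusted location for the
# current user, then audit all trusted locations.
# Assumptions: Office 16.0 (2016/2019/365); folder and key names are placeholders.
param(
    [string]$OfficeVersion = '16.0',
    [string]$Folder  = (Join-Path $env:LOCALAPPDATA 'YourFolder'),
    [string]$KeyName = 'YourAppFrontEnd'
)
$ErrorActionPreference = 'Stop'
$base = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Access\Security\Trusted Locations"

# Files in a trusted location run without a prompt, so keep the folder local.
if (([uri]$Folder).IsUnc) { throw "Refusing to trust a network path: $Folder" }
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Create the key and the values Access reads for a trusted location.
$key = Join-Path $base $KeyName
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'Path' -Value ($Folder.TrimEnd('\') + '\')
Set-ItemProperty -Path $key -Name 'Description' -Value 'Front end install folder'
Set-ItemProperty -Path $key -Name 'AllowSubFolders' -Value 0 -Type DWord

# Audit: list every trusted location and flag the broad ones.
Get-ChildItem -Path $base | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Key         = $_.PSChildName
        Path        = $p.Path
        SubFolders  = [bool]$p.AllowSubFolders
        NetworkPath = ($p.Path -like '\\*')
    }
} | Format-Table -AutoSize

# The separate "allow network locations" switch lives on the parent key.
$net = (Get-ItemProperty -Path $base).AllowNetworkLocations
"AllowNetworkLocations = $([int][bool]$net)"

# Who can write to the trusted folder? Only the user and admins should appear.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```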
 

The_Doc_Man

Immoderate Moderator, Staff member
Joined: Feb 28, 2001
Messages: 27,001
Regarding getting a digital certificate: We did this with the Navy all of the time, but you have to watch out for the purpose of the certificate. Access isn't normally a web-based solution so you have to decide the proper values to be included in the purpose field on the certificate. For instance, if you do a remote session (RDP or TLS) then you need one flavor of certificate. If you want a web-based session (HTTP/HTTPS) then you need a different purpose. And if you use the certificate for the wrong purpose, the software that "knows" how certificates work will balk at the wrong use. You will get a "certificate usage" error.

Then there is the matter that you need to determine who is your Certificate Authority, because that is the only person (or organization) that can digitally sign the certificate in its CA slot. If the CA isn't properly signed, you get other errors relating to invalid signatures and again, things won't go so well.

If there is ANY way to set up trusted locations in your environment, it would be faster and easier and you would lose less hair overall.
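To see the "purpose" and CA points on real certificates, the following added example (not from the thread or its posters) reads the current user's personal store and reports, per certificate, whether its Enhanced Key Usage allows code signing or TLS server authentication and whether its chain verifies. It is read-only; the function name `Get-CertPurposeReport` is made up for this example.

```powershell
# Added example: report purpose (EKU) and chain status for each certificate
# in the current user's personal store. Nothing is created or modified.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (TLS server)

function Get-CertPurposeReport {
    param([string]$Store = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $Store | ForEach-Object {
        $cert = $_

        # Find the Enhanced Key Usage extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # A certificate without an EKU extension is not restricted to any purpose.
        $unrestricted = -not $eku

        [pscustomobject]@{
            Subject      = $cert.Subject
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            Expires      = $cert.NotAfter
            CodeSigning  = $unrestricted -or ($oids -contains $CodeSigningOid)
            ServerAuth   = $unrestricted -or ($oids -contains $ServerAuthOid)
            # Verify() builds the chain to a trusted root with the default policy;
            # a self-signed or unknown-CA certificate returns False here.
            ChainTrusted = $cert.Verify()
        }
    }
}

Get-CertPurposeReport | Format-Table -AutoSize
```

A certificate that shows `ServerAuth` but not `CodeSigning` is the wrong flavor for signing code, and one with `ChainTrusted` false will not be accepted by machines that do not trust its issuer.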
 

mjdemaris

It looks like I can operate without the runtime version. It seems all users have the full version of Office, so that leaves me with securing the accdb files.

Doc, currently we do not use a web/browser based system, though I am looking to move in that direction with SQL Server as the backend. It's just the split FE/BE for now.

CJ, I really don't want to mess with the registry, for now... :)

Anyway, thanks for your help, gentlemen!
 

CJ_London

> I really don't want to mess with the registry, for now...

Not a problem, but if your users don't have the appropriate rights you won't be any further forward, because adding a trusted location via Access options updates the registry. One client I worked for did not allow registry changes, end of. Everyone who had to open a .xlsm or .docm as well as Access had to allow every time.

One other thing to be aware of is that there are two options, to allow trusted documents on your local drive, and an additional option to allow them on the network.
 

mjdemaris

I see your point. I think we can live with using an accdb file, which does not require trusted locations. However, in the future we may need to address this, depending on which way this project goes - either a new Access database with multiple back-ends, or SQL Server with Access/C# front end.
 

CJ_London

> I think we can live with using an accdb file, which does not require trusted locations.

That's my point - it does.
 
