Monday, December 04, 2006

App Updater Component & Windows 2003 / IIS6

Some background first...

I'm a pretty big fan of things that make the lives of my users (and thereby my own) easier. One of those things is automatic application updating. For my internally released app's I don't want my users to worry about version numbers, if they have the latest, checking their emails/feeds for new versions, etc. I want the app to let them know there's a new version and to make it painless for them to get it.

For .Net 2.0, ClickOnce goes a good ways toward satisfying this... It's not perfect, but so far, for the production apps I've used it on, it's gotten the job done.

For .Net 1.x, I've been using the AppUpdater Component (.NET Client Applications: .NET Application Updater Component) and have been happy with it. It's not as cool or good as ClickOnce, but it's way better than nothing...

And now today's story...

In the past few months I've been moving all our auto-updating apps from Win2K to Win2k3. The ClickOnce ones went first and today it was time to do a new AppUpdater Component based app release.

Which gacked. Bad. It didn't work, wouldn't download the files, etc.

sigh...

Long story short, remember IIS6 is locked down by default. AND that the AppUpdater Component uses WebDAV and that *.config files are mapped/locked down.

Once I enabled WebDAV, and removed *.config from the mapped extensions I was gold...

Check out these posts for more information on this and how to resolve it.
Appupdater Woes......
Setting up the AppUpdater Component to work with Windows Server 2003

Related Past Post XRef:
Updater Application Block V2
GotDotNet User Sample: AppUpdater Extended

2 comments:

Anonymous said...

I think removing the mapping of "*.config" is a huge security risk. Now people can download the raw "web.config" files from your ASP.NET applications, which might contain SQL Connection strings, passwords, or other relevant info. Even if this is inside the corporate network it is very dangerous.

Greg said...

I agree with you, that's why I didn't do it at the web server level, but at the web site (i.e. directory) level.

And that web site hosts only the files used by my given auto-updating WinForm apps.

All the other sites were not touched and still have their default *.config configuration/security is in place.