ActiveX Installer Service REPOST

Hello (reposting again since I got NO answers)

I'm testing the ActiveX Installer Service (AxIS) and I'm not getting this to
work correctly. I'm currently testing this on a Windows Vista Ultimate
computer member of an Windows Server 2003 SP2 Active Directory domain.

This is what I did:
1. Installed the ActiveX Installer Service on the Vista computer.

2. Configured to ActiveX Installer service to automatic startup and started
the service.

3. Configured a GPO for this computer, configured the "Approved Installation
Sites for ActiveX Controls" setting under \Computer Configuration\Windows
Components\ActiveX Installer Service. I added the following sites:
http://download.macromedia.com
http://fpdownload.macromedia.com
http://fpdownload2.macromedia.com

I used the value 2,2,2,0.

4. I logon with a Domain User account, open IE and navigates to a web page
where I know I will be asked for Shockwave Player.


What happens is that I get a prompt to press OK to run an ActiveX control.
Then I get the "The website wants to install the following..." on the IE
information bar. If proceed I get prompted again and then I get the UAC
prompt for credentials. (The UAC settings are default, they are not changed).

When I logon with an admin account and check the Application Log I see an
event 4097 AxInstallService with the details:
Attempt to install control
http://download.macromedia.com/pub/s...swdir8d204.cab
failed. The host URL http://download.macromedia.com is not in policy.

Of course this is incorrect as I know the URL is configured in the GPO
applied to the computer, RSOP aslo confirms that.


What is going on? Thanks!

/Ragnar

If you get an elevation prompt, something is not working. The whole idea of
AX Installer Service is that you don't get that.

You did enable the ActiveX Installer Service first right? That service is
not running by default.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Ragnar" wrote:

If you read my post I wrote that I have installed the ActiveX Installer
service and I also list what GPO settings I have configured.

/Ragnar

"Jesper" wrote:

I did read your post. Installing the service does not _enable_ the service.
You need to do that too.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Ragnar" wrote:

Never mind, I did miss that. I saw that you configured the GPO, but missed
that you started it. Sorry.

Try using 2,2,2,0 as the settings and see if that works. There may be
something in the 2,0,0,0 settings that causes it to fail.

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Ragnar" wrote:

I have installed the service, I have configured the service to auto and
started it and I have configured the GPO settings.

Are you refering to any other required steps? The link you provided is a
book on amazon. Do you recommend this book?

/Ragnar

"Jesper" wrote:

On Wed, 26 Sep 2007 03:32:03 -0700, Ragnar wrote:
You might want to check the author of the book, that should answer your
question.
I certainly recommend the book.
--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
A CONS is an object which cares. -- Bernie Greenberg

I was using the 2,2,2,0 configuration not 2,0,0,0 so I have already tried
this setting.

However I have tried using the 2,2,1,0 setting and it worked super! I didn't
get a prompt as this setting would imply, and i still don't understand why
this is not working as documented.

Thank you for your time!

/Ragnar

"Jesper" wrote:

OK, we are getting somewhere now. 2,2,1,0 means:
* Installation behavior for controls signed with a cert chaining to a root
cert in the trusted publishers store - succeed
* Installation behavior for controls signed with an untrusted cert - prompt
* Installation behavior for unsigned controls - prompt
* How to handle HTTPS validation - fail if it does not validate AND the site
uses HTTPS.

The fourth one doesn't matter since Adobe does not use HTTPS. So, the
difference is in the third one. You said 2,2,2,0 did not work? That is
probably because 2 is not a valid value for the third setting. Unsigned
controls can't be installed silently, so the only values allowed there are 0
and 1, where 1 means prompt, and 0 means fail.

So, based on this, I would say that your problem is likely that the code
that validates the third position in the policy looks specifically for 0 or
1, and fails the install on everything else. I verified that the Shockwave
control you tried is signed properly, so that seems the most likely case.

One interesting part struck me about this: as I was looking at some of the
docs around the ActiveX Installer Service, including the TN Mag article
(http://www.microsoft.com/technet/tec.../2007/07/AxIS/), it states
the fact I mentioned above that the third value can only take on 0 or 1. That
is different from the docs I saw during the development cycle, so the Vista
book does not state that. It seems like that's something that was added
later, and, to be honest, I never tested *,*,2,*. Guess I'll have to add that
to the errata.

Oh, and yeah, I do recommend the book. :-)


---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Ragnar" wrote: