securityfaq | Channel 9

Summary: Frequently Asked Questions and Issues related to Microsoft Robotics Studio security configuration etc.

Running a DSS Node using a Non-Administrative Account

Note: This information is also part of the Microsoft Robotics Studio information available as part of the installation.

In order to run a DSS node using a non-administrative account, you must first reserve an HTTP namespace with the kernel level HTTP listener (http.sys) to be able to listen for requests. Administrative users do not have to reserve a namespace.

You can reserve an HTTP namespace using the "HttpReserve" utility. The following example shows a namespace reservation enabling a local, non-administrative account called MSRS_TEST to run a DSS node on port 50000:

		 httpreserve /port:50000 /user:msrs_test

Namespace reservations are persisted and only necessary to do once for a given port and user or group. They can be removed by using the "/remove" option like this:

		 httpreserve /port:50000 /remove+

Authentication fails

When connecting to a Dss node using a browser you should be automatically authenticated to the Node. However, this does not work in all settings.

1) Change browser settings

These instructions are for IE 6 and 7, other browsers will vary

*On the "Tools" Menu, select "Internet Options"
*On the "Internet Options" dialog, select the "Security" Tab
*On the "Security" property sheet, click on the "Local Intranet" zone icon (the globe with a monitor infront of it)
*Still on the "Security" property sheet, click the "Custom level..." button.
*In the "Security Settings - Local Intranet Zone" dialog scroll to the bottom of the "Settings" listbox.
*Change the "User Authentication -> Logon" setting to either of the "Automatic Logon" selections.
*Select "OK" to close the "Security Settings - Local Intranet Zone" dialog.
*In the "Security" tab of the "Internet Options" dialog click on the button "Sites..."
*In the "Local Intranet" dialog Ensure that all three options are selected.
*In the "Local Intranet" dialog click on the "Advanced..." button.
*Add the website address "http://localhost" to the zone by entering "http://localhost" in the "Add this Web site to the zone:" text box and then clicking on the "Add" button.
*Ensure that the "Require server verification (https: ) for all sites in this zone" check box is not checked.
*Select "OK" three times to close the dialogs.
*Close all open browser windows.

This should fix the problem.

If this doesn't work you can try either 2a or 2b below. Note that either of these leaves an executing node enitirly unsecured on your machine. If other machines have network access to a running node then they can send any message to any service.

2a) Turn off security for the Dss Node

You can turn all security off for the node by editing the file bin\dsshost.exe.config

Within the appSettings element there is a key called security

		 <appSettings>
		     .
		     <add key="Security" value="..\store\SecuritySettings.xml"/>
		     .
		 </appSettings>

Note: Commenting this out will make the node start without security by default. To re-enable security either add this key back to the config file or start the node with the /security option

2b) Disable authentication for the Node

Alternatively you create a security settings file in the store directory called SecuritySettings.xml with the contents...

		 <?xml version="1.0"?>
		 [<SecuritySettings] xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
		                   xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
		                   xmlns="http://schemas.microsoft.com/robotics/2006/10/security.html">
		   [<AuthenticationRequired>false</AuthenticationRequired>]
		   [<OnlySignedAssemblies>false</OnlySignedAssemblies>]
		   <Users />
		 [</SecuritySettings>]

this will turn the authentication requirement off.

Summary%3a Frequently Asked Questions and Issues related to Microsoft Robotics Studio security configuration etc.
 
%21%21 Running a DSS Node using a Non-Administrative Account
 
*Note%3a* This information is also part of the Microsoft Robotics Studio information available as part of the installation.
 
In order to run a DSS node using a non-administrative account%2c you must first reserve an HTTP namespace with the kernel level HTTP listener %28http.sys%29 to be able to listen for requests. Administrative users do not have to reserve a namespace. 
 
You can reserve an HTTP namespace using the %22HttpReserve%22 utility. The following example shows a namespace reservation enabling a local%2c non-administrative account called MSRS_TEST to run a DSS node on port 50000%3a
 
%7b%7b
 httpreserve /port%3a50000 /user%3amsrs_test
%7d%7d
 
Namespace reservations are persisted and only necessary to do once for a given port and user or group. They can be removed by using the %22/remove%22 option like this%3a
 
%7b%7b
 httpreserve /port%3a50000 /remove%2b
%7d%7d
 
%21%21 Authentication fails
 
When connecting to a Dss node using a browser you should be automatically authenticated to the Node. However%2c this does not work in all settings.
 
%21%21%21 1%29 Change browser settings
 
_These instructions are for IE 6 and 7%2c other browsers will vary_
 
	*On the %22Tools%22 Menu%2c select %22Internet Options%22
	*On the %22Internet Options%22 dialog%2c select the %22Security%22 Tab
	*On the %22Security%22 property sheet%2c click on the %22Local Intranet%22 zone icon %28the globe with a monitor infront of it%29
	*Still on the %22Security%22 property sheet%2c click the %22Custom level...%22 button.
	*In the %22Security Settings - Local Intranet Zone%22 dialog scroll to the bottom of the %22Settings%22 listbox.
	*Change the %22User Authentication -%3e Logon%22 setting to either of the %22Automatic Logon%22 selections.
	*Select %22OK%22 to close the %22Security Settings - Local Intranet Zone%22 dialog.
	*In the %22Security%22 tab of the %22Internet Options%22 dialog click on the button %22Sites...%22
	*In the %22Local Intranet%22 dialog Ensure that all three options are selected.
	*In the %22Local Intranet%22 dialog click on the %22Advanced...%22 button.
	*Add the website address %22http%3a//localhost%22 to the zone by entering %22http%3a//localhost%22 in the %22Add this Web site to the zone%3a%22 text box and then clicking on the %22Add%22 button.
	*Ensure that the %22Require server verification %28https%3a %29 for all sites in this zone%22 check box is *not* checked.
	*Select %22OK%22 three times to close the dialogs.
	*Close all open browser windows.
 
This should fix the problem.
 
If this doesn%27t work you can try either 2a or 2b below. Note that either of these leaves an executing node enitirly unsecured on your machine. If other machines have network access to a running node then they can send any message to any service.
 
%21%21%21 2a%29 Turn off security for the Dss Node
 
You can turn all security off for the node by editing the file _bin%5cdsshost.exe.config_
 
Within the _appSettings_ element there is a key called _security_
 
%7b%7b
 %3cappSettings%3e
     .
     %3cadd key%3d%22Security%22 value%3d%22..%5cstore%5cSecuritySettings.xml%22/%3e
     .
 %3c/appSettings%3e
%7d%7d
 
*Note%3a* Commenting this out will make the node start without security by default. To re-enable security either add this key back to the config file or start the node with the _/security_ option
 
%21%21%21 2b%29 Disable authentication for the Node
 
Alternatively you create a security settings file in the store directory called %5bSecuritySettings.xml%5d with the contents...
 
%7b%7b
 %3c%3fxml version%3d%221.0%22%3f%3e
 %5b%3cSecuritySettings%5d xmlns%3axsi%3d%22http%3a//www.w3.org/2001/XMLSchema-instance%22 
                   xmlns%3axsd%3d%22http%3a//www.w3.org/2001/XMLSchema%22 
                   xmlns%3d%22http%3a//schemas.microsoft.com/robotics/2006/10/security.html%22%3e
   %5b%3cAuthenticationRequired%3efalse%3c/AuthenticationRequired%3e%5d
   %5b%3cOnlySignedAssemblies%3efalse%3c/OnlySignedAssemblies%3e%5d
   %3cUsers /%3e
 %5b%3c/SecuritySettings%3e%5d
%7d%7d
 
this will turn the authentication requirement off.