Loading blocked and network-hosted assemblies with .NET 4

As you're probably mostly aware, many of our 2012 products use .NET 4 as standard. This has proven "interesting" (i.e. challenging) when it comes to loading – for example – plugin DLLs downloaded from the web, due to .NET's updated security model.

Our ADN Plugins of the Month on Autodesk Labs are a prime example: most were posted prior to AutoCAD 2012 shipping, but when downloaded locally and NETLOADed into AutoCAD 2012, very often a security error gets reported:

Cannot load assembly. Error details: System.IO.FileLoadException: Could not load file or assembly 'file:///C:\Program Files\Autodesk\AutoCAD 2012 – English\ADNPlugin-QRCodes.dll' or one of its dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515) File name: 'file:/// C:\Program Files\Autodesk\AutoCAD 2012 – English\ADNPlugin-QRCodes.dll ' ---> System.NotSupportedException: An attempt was made to load an assembly from a network location which would have caused the assembly to be sandboxed in previous versions of the .NET Framework. This release of the .NET Framework does not enable CAS policy by default, so this load may be dangerous. If this load is not intended to sandbox the assembly, please enable the loadFromRemoteSources switch. See http://go.microsoft.com/fwlink/?LinkId=155569 for more information.

It also happens in our other products making use of .NET 4 (Revit, in particular).

This is now by far the most common problem reported regarding these plugins, in spite of efforts to document the problem and the solution. (There's also some helpful information on MSDN, in case.)

When this problem first arose, it took a while for it to be understood (by me, at least). If you build the DLLs locally, clearly there isn't a problem. And if *.autodesk.com happens to be in your trusted sites zone in Internet Explorer (which it is for most Autodesk employees, understandably) then the issue doesn't happen, either. Luckily it doesn't occur for the Exchange Store as every app is wrapped in a simple installer and so doesn't suffer from this issue.

Anyway, to make life easier when working with these plugins, I make use of a little trick – modifying acad.exe.config, to add the loadFromRemoteSources element – to stop the issue from occurring. Here's my current acad.exe.config, which also includes the change to reduce debugger output noise mentioned previously:

<configuration>
  <startup useLegacyV2RuntimeActivationPolicy="true">
    <supportedRuntime version="v4.0"/>
  </startup>
  <runtime>
    <!-- Allow assemblies from remote (network or Internet-zone) locations to load -->
    <loadFromRemoteSources enabled="true"/>
  </runtime>
  <system.diagnostics>
    <sources>
      <source name="System.Windows.Data" switchName="SourceSwitch">
        <listeners>
          <!-- Remove the default listener to reduce debugger output noise -->
          <remove name="Default" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>
</configuration>

The loadFromRemoteSources change works well for Revit, too. Interestingly it doesn't have any effect in Inventor 2012, which is still using .NET 3.5.

One other important thing to note: this allows you to load .NET assemblies from network locations, something that has been an issue for a long time. This is especially needed now that I'm working inside Parallels on my MacBook Pro: I don't store data inside my Windows 7 installation, I leave it on the native hard-drive which gets mapped through to Windows as a network location. Which means I can now load .NET DLLs from that drive into AutoCAD and Revit (but not into Inventor, as yet).

I will say that making this change could potentially leave your (or – more importantly – your users') system(s) more open to the execution of malicious code, so make it at your own risk.
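To find out which application config files carry this change, here is an added example (not code from the original post): a small Python audit that parses the text of a .config file and reports whether loadFromRemoteSources, or the related .NET 4 runtime switch NetFx40_LegacySecurityPolicy, is enabled. The function name audit_config and the three sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Runtime switches that change how .NET 4 treats assemblies from remote zones.
SWITCHES = ("loadFromRemoteSources", "NetFx40_LegacySecurityPolicy")


def audit_config(xml_text):
    """Return {'switches': {name: bool}, 'findings': [str]} for one config file."""
    result = {"switches": dict.fromkeys(SWITCHES, False), "findings": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A hand-edited config with a broken tag is itself worth reporting.
        result["findings"].append(f"malformed XML: {exc}")
        return result
    for runtime in root.iter("runtime"):
        for name in SWITCHES:
            for elem in runtime.iter(name):
                if elem.get("enabled", "").strip().lower() == "true":
                    result["switches"][name] = True
    if result["switches"]["loadFromRemoteSources"]:
        result["findings"].append(
            "loadFromRemoteSources enabled: assemblies from network or "
            "Internet-zone locations load without sandboxing")
    if result["switches"]["NetFx40_LegacySecurityPolicy"]:
        result["findings"].append(
            "NetFx40_LegacySecurityPolicy enabled: legacy CAS policy is applied")
    return result


# Constructed sample inputs (not taken from a real installation).
DEFAULT = """<configuration>
  <startup useLegacyV2RuntimeActivationPolicy="true">
    <supportedRuntime version="v4.0"/>
  </startup>
</configuration>"""

PERMISSIVE = DEFAULT.replace("</configuration>", """  <runtime>
    <loadFromRemoteSources enabled="true"/>
  </runtime>
</configuration>""")

# Same file with a truncated closing tag, as can happen after a manual edit.
BROKEN = PERMISSIVE.replace("</runtime>", "</runtime")

if __name__ == "__main__":
    for label, text in (("default", DEFAULT), ("permissive", PERMISSIVE),
                        ("broken", BROKEN)):
        print(label, audit_config(text))
```
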

2 responses to “Loading blocked and network-hosted assemblies with .NET 4”

  1. Jimmy Bergmark - JTB World

    I've seen this as well. Sometimes it works to right click and select properties on the DLL and unblock it. But sometimes not and in these cases AlternateStreamView nirsoft.net/utils/alternate_data_streams.html has worked to use by deleting all streams marked ":Zone.Identifier:$DATA" for the selected files to get rid of the security blocks.

  2. Hey Jimmy,
    I have used same method but seems like I got better results if the file was zipped by right clicking on zip file and selecting unblock before I unzipped it.

  3. I have tried this and I am still not able to run a .dll file from the company network. Are there potentially spots I can look to make sure network security is not interfering? I have a feeling it is the case, but I hardly know a nut from a bolt when it comes to talking about servers. What should I do?

  4. Sorry - this is not something I have much experience diagnosing, unfortunately. You might try posting to the AutoCAD .NET Discussion Group.

    Kean

  5. why did MS drop VBA???
    using VB.net to create the same simple things I did with VBA is like using a jet fighter to go get some groceries.

  6. Sorry - I can't speak for Microsoft on this.

    But we are working on making .NET easier to work with, at least with respect to AutoCAD.

    Kean

  7. David Osborne

    Hi Kean,
    Coming back to comment on this old post, because all of this just came up again on the .NET discussion group
    forums.autodesk.com/t5/NET/dll-on-the-network-will-that-be-a-problem/m-p/3435819#M28541

    I was not aware that enabling LoadFromRemoteSources was allowing AutoCAD to load assemblies from anywhere, regardless of the CAS policy in effect. I found this:

    NetFx40_LegacySecurityPolicy enabled="true"
    (The comment format removed the xml, so here is an MSDN link, msdn.microsoft.com/en-us/library/dd409253.aspx)

    which when used instead of (not along with) LoadFromRemoteSources causes the CAS policy to be obeyed, and I am able to load from a network share if the CAS policy allows it. There was a little back and forth on the discussion thread I linked, and another link to an MSDN site warning about a potential problem with Native assemblies not in the GAC. Maybe this is worth another post from you to get it out to the masses.

  8. Kean Walmsley

    Hi Dave,

    I'm far from being an authority on CAS policies, but hopefully your comment gives people what they need, assuming they want to use them rather than opening AutoCAD to loading any network-resident assembly (which could clearly pose a security risk).

    But perhaps this is indeed worth a post, at some point...

    Thanks!

    Kean

  9. Thanks, you just helped me in the middle
    of the deployment process at my customer!!!

  10. Thanks Kean,

    This worked for me too, but why is this not default?
    If you add it, without using netload, it will do no harm.

  11. I suspect the decision not to have it in there by default in acad.exe.config is probably security-related (loading from network locations is a common way that viruses spread, albeit not usually with .NET, right now).

    Of course people can choose to enable it, but it's not something we've chosen to do for everyone.

    Kean

  12. KEAN WALMSLEY YOU ARE THE BEST!!!!

    THANK YOU FOR YOUR CONTRIBUTIONS

  13. Kean,

    I'm running all my .NET assemblies from a central network location. I have created registry entries for each so the end user does not have to run NETLOAD. In the LOADER registry key I've entered the fully qualified path (ie. "F:\\CADUtils\\AutoCAD 2015\\JETools 2015\\DrawingTurnoverClassLibrary.dll") I have also added this path to the AutoCAD Profile (Support File Search Path and Trusted Locations). By doing this I have not had to modify the acad.exe.config

  14. it asks me about user name and serial ... what should i do

    1. Try posting to the online support forums.

      Kean

  15. Hi Kean,
    Is it possible to automatically NETLOAD a plugin DLL from a web service for authorized users only, using another DLL that implements the IExtensionApplication interface, without copying it to the user's PC?

    1. Hi there,

      Please post your support questions to the AutoCAD .NET forum.

      Thank you,

      Kean
