
Thread: Revit 2017 Signed Addins NOT Always Loading

  1. #1
    Member troygates's Avatar
    Join Date
    December 17, 2010
    Location
    Southern California
    Posts
    143
    Current Local Time
    05:31 AM

    Question Revit 2017 Signed Addins NOT Always Loading

    We are about to deploy Revit 2017, but are having an issue with the new addin security. On every computer in our domain that we've tested Revit 2017, none of them are accepting the signed addins using the "Always Load" button. We click that button every time we load Revit 2017, but it comes back every time for all of them. This is not happening with unsigned addins.


    Is there a Group Policy, security setting, or something else that would be preventing signed addins from storing their certificates onto the computers?

    Thanks

  2. #2
    Forum Co-Founder Twiceroadsfool's Avatar
    Join Date
    December 7, 2010
    Location
    Dallas, TX
    Posts
    9,871
    Current Local Time
    08:31 AM
    Examples of specific addins that aren't storing the settings? The Always Load values are stored in the registry, and they've saved for every addin I've tried on all of my machines, so far...

  3. #3
    Administrator Gordon Price's Avatar
    Join Date
    December 7, 2010
    Location
    Rotterdam, South Holland
    Posts
    3,039
    Current Local Time
    02:31 PM
    Quote Originally Posted by troygates View Post
    We are about to deploy Revit 2017, but are having an issue with the new addin security. On every computer in our domain that we've tested Revit 2017, none of them are accepting the signed addins using the "Always Load" button. We click that button every time we load Revit 2017, but it comes back every time for all of them. This is not happening with unsigned addins.


    Is there a Group Policy, security setting, or something else that would be preventing signed addins from storing their certificates onto the computers?

    Thanks
    I think you have to add the certificate, which might be what Always Load is doing, but it also might be that you need to be a local admin to do it. You can probably also add the certificate with Group Policy, or you can use a CER file and the command line (again, as a local admin).
    certmgr.exe -add MyCert.cer -s -r localMachine TrustedPublisher
    You can get a CER file by manually installing the addin and adding the certificate on a Sandbox machine, then go to Control Panel > Internet Options > Content > Certificates then select the correct certificate and Export. Not sure if I did DER or Base-64 encoding. Need to verify before I do my documentation. I have tested this with Family Browser, but I need to bang on it a bit more to get all the details sorted. Should probably do Ideate stuff next anyway, so I'll let you know what I find out.
    Curious if that all works for you in a domain situation.

    Gordon

  4. #4
    Member troygates's Avatar
    Join Date
    December 17, 2010
    Location
    Southern California
    Posts
    143
    Current Local Time
    05:31 AM
    Aaron, the unsigned addins work. Revit stores the unsigned addin GUID in the registry to prevent the dialog from coming up every time. For signed addins, Revit is supposed to store the certificate in the local computer's Trusted Publisher store. For some reason when we click Always Load, Revit isn't storing the certificate. I think our IT group might have some security setting blocking it. But they haven't been able to find it.

    Gordon, all users have local admin rights, so it's definitely not that. I'm hoping this isn't the case that we need to do via GPO push of certificates. I really don't want users sending my IT group addins constantly to extract their certificates. We push out a set of addins by default, but users are allowed to install additional addins themselves.

    Thanks guys, but I just want it to work like Autodesk says it's supposed to. I have a ticket in with them but was hoping the community could answer it faster.

  5. #5
    Administrator Gordon Price's Avatar
    Join Date
    December 7, 2010
    Location
    Rotterdam, South Holland
    Posts
    3,039
    Current Local Time
    02:31 PM
    Curious to hear what they have to say. It may be worth trying the CER approach just to see if it throws any errors that point at a root cause. It could be something like GP specifically blocking users adding to SafePublishers, and the GUI doesn't provide feedback, but perhaps the command line utility does. Not a solution so much as a troubleshooting option.

    Gordon

  6. #6
    Member troygates's Avatar
    Join Date
    December 17, 2010
    Location
    Southern California
    Posts
    143
    Current Local Time
    05:31 AM
    True, I'll give it a try to see what it does.

  7. #7
    Member troygates's Avatar
    Join Date
    December 17, 2010
    Location
    Southern California
    Posts
    143
    Current Local Time
    05:31 AM
    So here is what I've found so far...

    I found that I can extract the certificates from the addin dll file properties. Using the command line does work to import the certificates and Revit no longer shows the prompts to load them if you install them to the localMachine Trusted Publisher.

    I tried bringing the certificate into the currentUser and I get an error (see below). I wonder if Revit is trying to use the currentUser store which it appears is locked down on my domain. I am trying to figure out how to unlock the currentUser to see if it works automatically when Revit tries to install the certificate.
    cganiere likes this.

  8. #8
    Administrator Gordon Price's Avatar
    Join Date
    December 7, 2010
    Location
    Rotterdam, South Holland
    Posts
    3,039
    Current Local Time
    02:31 PM
    Ah, that's progress Troy! And that would make some sense. ADSK wants everything in the user's hands, so CU store. But allowing a user to approve a certificate is not considered best security practice by most IT folks I know, so it could be locked down by GPO.

    And, a question for you...
    What are some of the unsigned addins you are seeing ask for a one time approval? I have tested a few and they open with no alerts at all, only signed addins are an issue, when I don't have the cert pre added. But also testing in Windows 7 Home at the moment. Need to expand to Pro and Windows 10 in the next day or two.

  9. #9
    Administrator Gordon Price's Avatar
    Join Date
    December 7, 2010
    Location
    Rotterdam, South Holland
    Posts
    3,039
    Current Local Time
    02:31 PM
    Quote Originally Posted by troygates View Post
    Aaron, the unsigned addins work. Revit stores the unsigned addin GUID in the registry to prevent the dialog from coming up every time.
    Troy,
    where in the Registry is this getting stored? Been trying to track it down for Revit Quick Select with no luck.

    EDIT: Oh Heeeelllll YEAH, I found the registry bit, and it's nasty because there is a big long GUID in there with zero information tying it back to a particular addin, so on a machine with a bunch of addins it would be impossible to decide which goes with which. Plan A was to create a sandbox VM, install just one addin, extract the GUID for reference, roll back, install another addin, repeat until the desire to scream overwhelms you. But Plan B is SOOO much better. If you root around in the addin files you find a manifest that contains an AddInId, and THAT is the GUID you need to push. At least, I am pretty sure. Testing now. Woot!

    Gordon
    aperte and cganiere like this.
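
An audit of the two things this thread tracks, written as an added example (not code from any poster or from Autodesk): for each addin manifest it lists the AddInId and reports whether the assembly's signer certificate is already in the machine or the user Trusted Publishers store. The `$AddinFolder` parameter, the `Test-InStore` helper and the manifest element names (`AddIn`, `Assembly`, `AddInId`) are assumptions.

```powershell
# Added example, not from the thread. $AddinFolder is a placeholder: point it
# at the folder that holds the .addin manifests you deploy.
param([Parameter(Mandatory)][string]$AddinFolder)

function Test-InStore([string]$Thumbprint, [string]$Location) {
    # True when a certificate with this thumbprint sits in the Trusted
    # Publishers store of the given location (LocalMachine or CurrentUser).
    Test-Path -LiteralPath "Cert:\$Location\TrustedPublisher\$Thumbprint"
}

Get-ChildItem -LiteralPath $AddinFolder -Filter *.addin | ForEach-Object {
    $manifest = $_
    [xml]$xml = Get-Content -LiteralPath $manifest.FullName -Raw

    # Assumed layout: AddIn elements with Assembly and AddInId children.
    foreach ($addin in $xml.SelectNodes('//AddIn')) {
        $dll = "$($addin.Assembly)".Trim()
        if (-not [IO.Path]::IsPathRooted($dll)) {
            # Relative assembly paths are resolved against the manifest folder.
            $dll = Join-Path $manifest.DirectoryName $dll
        }

        # Only inspect a signature when the assembly file actually exists.
        $sig = if (Test-Path -LiteralPath $dll -PathType Leaf) {
            Get-AuthenticodeSignature -LiteralPath $dll
        }
        $cert = $sig.SignerCertificate   # $null for unsigned or missing files

        [pscustomobject]@{
            Manifest       = $manifest.Name
            AddInId        = "$($addin.AddInId)".Trim()
            Signature      = if ($sig) { $sig.Status } else { 'AssemblyNotFound' }
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            InLocalMachine = [bool]($cert -and (Test-InStore $cert.Thumbprint 'LocalMachine'))
            InCurrentUser  = [bool]($cert -and (Test-InStore $cert.Thumbprint 'CurrentUser'))
        }
    }
} | Format-Table -AutoSize
```

A signed addin that shows `False` in both store columns is one that will keep prompting; a `NotSigned` row is an unsigned addin, which the thread says is tracked by GUID instead.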

  10. #10
    Junior Member
    Join Date
    April 27, 2011
    Location
    Paw Paw, Michigan, United States
    Posts
    44
    Current Local Time
    09:31 AM
    Have there been any fixes for this yet? My users (and I) are getting tired of having to ALWAYS LOAD 9 addins every day. =) I am hoping there is a simple fix that has been discovered so I do not have to involve my IT consultant. =\

    Thanks!
