ClickOnce Deployment failed due to improper trusts

What will happen to you when you come across an issue where you don’t have a clue what is going around? J Well, I would go around, dig out the basics and then try and fix the issue.

The same happened to me a few days back. My customer was trying to publish her web application using the ClickOnce Deployment. She was able to publish the 2.0 XAML web application to the web server successfully. When she was trying to access the publish.htm page and click on the install button, she was getting the following error message,

Trust Not Granted
The application cannot be deployed because it is not trusted and possibly unsafe.

Got the detailed error message,

 Below is a summary of the errors, details of these errors are listed later in the log.
 * An exception occurred while determining trust. Following failure messages were detected:
  + User has refused to grant required permissions to the application.

 Following errors were detected during this operation.
 * [4/20/2007 5:09:06 PM] System.Deployment.Application.TrustNotGrantedException (Unknown subtype)
  – User has refused to grant required permissions to the application.
  – Source: System.Deployment
  – Stack trace:
   at System.Deployment.Application.ApplicationTrust.RequestTrust(SubscriptionState subState, Boolean isShellVisible, Boolean isUpdate, ActivationContext actCtx, TrustManagerContext tmc)
   at System.Deployment.Application.DeploymentManager.DetermineTrustCore(Boolean blocking, TrustParams tp)


Ø  She tried publishing it to a file share and tried accessing the application directly. She was able to install the application. So we came to a conclusion that we are failing in a few permissions while running through IIS.

Ø  The process monitor tool didn’t show any ACCESS DENIED error messages.

Ø  The user is an admin on this box.

Ø  I also tried creating a new certificate hoping that might fix the issue, but that didn’t fix the issue either.

Ø  We also isolated the issue by creating a new simple application, but we were seeing the same issue.

Ø  Finally I added the code access security for the URL that we were trying to browse from IIS as follows

caspol -m -ag 1 -url “http://machinename/application/*” FullTrust -exclusive on

Ø  Now we were able to install the application without any error messages.


 A client machine exposes a wide variety of resources that a managed application can have access to, including the file system, the Registry, printing services, the user interface, reflection, and environment variables. Before a managed application can access any of the resources on a client machine, it must have .NET Framework 3.0 Code Access Security (CAS) permission to do so.


The security protections provided by ClickOnce are based only on CAS mechanisms and are not tied to the identity of the user running the application in any way. ClickOnce applications can be installed and run by least-privilege users on the client machine (non-administrators), and there are no built-in security mechanisms specific to ClickOnce for identifying who the user is on the client or server side.

The following figure illustrates the relationship between zones, permission sets, permissions, and resources.


Few of the very useful articles that I referred to,

Code-access security
How to: Publish a ClickOnce Application
Application Deployment Prerequisites



Comments (4)

  1. VT says:

    This post helped me a lot as I was having the same issue and at my wits end to solve it.

    Thanks a million.

    Warm Regards,


  2. Working with Docx using Silverlight and WPF – XBAP

  3. twistur says:

    Thanks so much. This by far is the only solution that works for me. I know there are lots in the net but this one is very simple and straightforward

  4. John says:

    Once I realized I need to run this on the client not the server I was deploying it to, worked like a champ!!!