Least Privilege Hall of Shame: Data Dynamics' ActiveReports for .NET
Man, this is a hard one to write. I just love ActiveReports so I'm bummed that it has this problem. At least it is limited to licensing, not design and runtime use.
I was having a problem with getting rid of the red “ActiveReports Evaluation” banner that they put at the bottom of all reports until you license the app. I have a licensed copy and did all the stuff the docs say to do and the knowlege base articles suggest as workarounds. Nothing worked. I also posted to the Data Dynamics support forums but didn't get any suggestions that worked. So I sent a support request email:
Hi,
I am struggling with what seems to be a licensing problem with ActiveReports. My serial number is XXXXXXXXXXXX.
No matter what I do, I can't get rid of the red ActiveReports Evaluation banner on my WinForms-based reports. I've done these things:
- Created a licenses.licx file, which has this line in it (among others for other products): DataDynamics.ActiveReports.ActiveReport, ActiveReports
- Followed the instructions in HOWTO: How Can I Use Run-Time Licensing in ActiveReports for .NET? at http://www.datadynamics.com/ShowPost.aspx?PostID=46811. This may indicate the problem, since I couldn't complete the "Create Web.Config Key" step; it kept saying that the serial number was invalid.
I don't know if I had registered the product. When I just tried to on the Web site, it said "There were no search results found." I wasn't searching for anything; I was trying to register.
What do I need to do to get this resolved?
Thanks!
Don Kiely
(I failed to mention having run the LicensePro.exe app.) The initial response suggested stuff that I had already tried. So, to make a long story long, I ended up talking to Peter, a support rep. Once again, all the usual attempts to fix it didn't work, but then it occurred to me that because they write write licensing stuff to the registry there might be an issue that I don't run as an administrative user. That solved the problem.
It turns out that ActiveReports has a problem with licensing. If you run the LicensePro as non-administrator it silently fails to do the proper registry entries. As soon as I ran it as an administrator (RunAs worked), everything worked fine. Fortunately, it doesn't appear that there is any user profile-related information saved.
I followed up on the support call with an email that concluded like this:
Please! Do one of two things:
- Fail with a message that you need admin rights to run License.exe or LicensePro.exe for ActiveReports. This solves the immediate problem, but the bigger problem is that you shouldn't be writing to protected parts of the registry. That's a security problem.
- Stop writing to a protected portion of the registry. I haven't looked to see where you are writing, but it should be in HKEY_CURRENT_USER, and certainly not to HKEY_LOCAL_MACHINE.
ActiveReports is a wonderful product. Given my experience with their excellent support and what I know about the company, I'm betting this is fixed quickly. I hope. In the meantime, beware. But again, the product itself works beautifully as a least privileged user.
Update: Issam Elbaytam with Data Dynamics and all-around good guy, responded to my email, which I include here in its entirety with permission:
Don:
I just read your blog entry about this issue and I appreciate you bringing it to our attention, your blog does not seem to have comments so I couldn't respond there. I apologize for the trouble this might have caused you. I have forwarded this to our development staff to look into it and correct it with the appropriate solution.
I believe the reason we write to HKLM is for web server situations where we cannot make sure that the ASPNET user is registered because it is not a typical interactive user. In addition, because of the integration with VS.NET (which also writes entries to HKLM) we have to write some of our entries there too.
Regardless of the reason why we're accessing HKLM, we'll work on eliminating it and updating our licensing exe files. In addition, we'll publish a KB article to our web site that explains the current situation and its remedy.
Thanks again for bringing this to our attention.
issam
Moral of the story: Let vendors know when you run into these kinds of problems. The good ones will fix the problem.