Required permissions cannot be acquired?

[Bradley Plett]

I've posted a similar question in the
microsoft.public.sqlserver.reportingsvcs group, but I need to solve
this and it is more of a .NET/permissions issue anyway. However, it
is in the context of RS' forms authentication, which is making it more
difficult for me to understand/debug.

I have forms authentication in SQL RS working like a charm. (For more
info, see
http://msdn.microsoft.com/library/?url=/library/en-us/dnsql2k/html/ufairs.asp).
However, I am now trying to do some authentication against an Oracle
database. What's very strange is that as soon as I try to bind to
Oracle's client (Oracle.DataAccess in, by default,
C:\oracle\ora92\bin\Oracle.DataAccess.dll), I get
"System.Security.Policy.PolicyException: Required permissions cannot
be acquired." I've definitely narrowed it down to the Oracle binding,
but can't figure out how to make it work. I've looked in "Microsoft
..NET Framework 1.1 Configuration" under "Runtime Security Policy" and
did an "Evaluate Assembly", which returned "Unrestricted". I also
tried editing rssrvpolicy.config (in "C:\Program Files\Microsoft SQL
Server\MSSQL\Reporting Services\ReportServer\") to add a full trust
for the Oracle.DataAccess.dll, but none of this has helped. Any other
ideas or suggestions?

Despite being much more capable, I often find .NET permissions much
more confusing, especially trying to debug this type of failure. If
anyone can point me to some good tools and/or techniques on this
topic, I'd MUCH appreciate it. I suppose part of the problem is that
I don't have time to read an entire book - I just want to skip to the
good parts!

Thanks a lot!
Brad.

 

[Popezilla]

I have had a very similar problem and what I did to solve it was to add the
everyone group read/write access to this folder and all subfolders. This was
on my dev machine and so did not matter. I doubt you want to do this in
production.

I tried to be more granular than the entire directory by downloading FileMon
from SysInternals and watching to see what directory the aspnet_wp process
attempted to access when it got an access denied error, but that didn't work
in all cases.

There is a link -

http://www.error-bank.com/microsoft.public.dotnet.framework.adonet/79112_Thread.aspx

This thread will tell you the same thing. Look at the last message in the
thread.

Hope this helps. If not, I feel we should all go back to DBase III+.

 

[Bradley Plett]

Thanks for that prompt reply!

It was a good idea, but sadly it didn't make any difference in my
case. :-(

I did find it somewhat interesting that the permissions on "C:\oracle"
already included everyone, but the permissions weren't being inherited
by "C:\oracle\ora92". I had only been checking on "C:\oracle", so I
was hopeful when I discovered this. Still, when I opened up
"C:\oracle\ora92" to everyone, and ensured that everyone definitely
had access to read & execute
"C:\oracle\ora92\bin\Oracle.DataAccess.dll", there was no change in
the behavior of my app, even after a reboot.

Brad.

P.S. DBase III+?!?!? Well, it's great to hear from another old-timer
like myself who actually remembers that!

 

[Nicole Calinoiu]

Bradley,

The problem probably lies with the Oracle client requiring some permission
that your code is not being granted, not with a permission that the Oracle
code is not being granted. You can use permview.exe
(http://msdn.microsoft.com/library/en-us/cptools/html/cpgrfpermissionsviewtoolpermviewexe.asp)
to verify the permission(s) for which a RequestMinimum has been specified in
the Oracle.DataAccess.dll assembly. If there are any required permissions,
you should then use the "evaluate assembly" functionality in the .NET
configuration manager to determine if your assembly has been granted these
permissions.

HTH,
Nicole

 

[Bradley Plett]

Thanks a lot - this may be getting me closer!

I ran permview on Oracle.DataAccess.dll, and here's the output:
==================================================
Microsoft (R) .NET Framework Permission Request Viewer. Version
1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.

minimal permission set:
<PermissionSet class="System.Security.PermissionSet"
version="1">
<IPermission class="System.Security.Permissions.SecurityPermission,
mscorlib,
Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Flags="SkipVerification"/>
</PermissionSet>

optional permission set:
Not specified

refused permission set:
Not specified
==================================================

Now what? It does appear that the Oracle.DataAccess.dll does require
some special permissions, but in my context I don't know how to
provide those permissions. Any ideas?

Thanks!
Brad.

 

[Nicole Calinoiu]

SkipVerification isn't going to cause any problems unless the
Oracle.DataAccess.dll assembly isn't granted this permission. Since you
mentioned that it's granted unrestricted permissions, which include
SkipVerification, this should not be a problem.

Unfortunately, this means that the Oracle client is probably demanding a
permission that your assembly doesn't possess, which will be a bit harder to
track down. Could you please provide the following information:

1. Which version of ODP.NET are you using?
2. On which line of code is the exception raised?
3. What permissions are granted to your own assembly (as per the .NET
configuration manager "evaluate assembly" functionality)?

 

[Nicole Calinoiu]

Whoops, forgot a question... Is your code referencing Oracle.DataAccess.dll
from the GAC or as a private assembly copied into its own location? If the
latter, it probably won't be granted the SkipVerification permission it
requires, thereby explaining the PolicyException. If this is the problem,
referencing it from the GAC should fix it.

 

[Bradley Plett]

I think you may have identified the problem, but my knowledge of
security policy configuration files is too limited to solve it. :-(

Looking at the config file, I'm guessing I'm referencing it as a
private assembly, whereas I should reference it through the GAC. I'd
gladly reference it through the GAC, but how?

Here's the relevant snippet of code from the rssrvpolicy.config file:
==================================================
<CodeGroup
class="UnionCodeGroup"
version="1"
Name="OracleDataAccess"
Description="Code group for Oracle data access"
PermissionSetName="FullTrust">
<IMembershipCondition
class="UrlMembershipCondition"
version="1"
Url="C:\oracle\ora92\bin\Oracle.DataAccess.dll"
/>
</CodeGroup>
==================================================
I added this code using another sample, but the sample uses a private
assembly. How would I change this to use the copy or Oracle that is
registered in the GAC? (I realize there may be tokens in the above
snippet that you'll need in order to help me. If so, please let me
know - the entire file was a little too big to post.)

Thanks again!
Brad.

 

[Nicole Calinoiu]

Did you create a Visual Studio project to build an assembly that is
performing the authentication against the Oracle database? If so, that's
where the reference was set to Oracle.DataAccess.dll, not in the
rssrvpolicy.config file. If not, could you please identify the sample you
are following since there are just too many possibilities for me to keep
guessing...

 

[Bradley Plett]

Sorry - I was away from this problem for a while, but I'd still like
to solve it.

In answer to your question, I have a Visual Studio project to build
the assembly. I don't understand where you're going with this, but
the only reference to the Oracle.DataAccess.dll in my vbproj file is
as follows:
--------------------------------------------------
<Reference
Name = "Oracle.DataAccess"
AssemblyName = "Oracle.DataAccess"
HintPath = "..\..\oracle\ora92\bin\Oracle.DataAccess.dll"
AssemblyFolderKey = "hklm\dn\odp.net"
/>
--------------------------------------------------

As I mentioned in a previous post, I'm guessing I'm referencing it as
a private assembly, whereas I should reference it through the GAC.
I'd gladly reference it through the GAC, but how?

Thanks!
Brad.

 

[Nicole Calinoiu]

Bradley,

You're already using a referenced to the copy in the GAC. If not, the
reference would be marked as private in the vbproj file.

Guess this takes us back to square one... Could you please try to answer
the following:

1. What are these samples you are using as the basis for your code?
2. Are your assembly, ODP.NET, and Reporting Services all installed and
running on the same machine?
3. In what report mode(s) are you seeing the exception?

Nicole