Web.Config / Security Settings for sites NOT on sys partition

Discussion in 'ASP .Net Security' started by Grant Harmeyer, Oct 10, 2003.

  1. I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
    development test sites on this server for deployment elsewhere. Up until
    now, there was no issue with the sites residing in the Inetpub directory on
    the sys partition. However, we are starting to consume valuable disk space
    on the sys partition. So, I have moved one of the sites (a low priority one)
    to a network drive (and different partition) that is still on the same
    physical server, just not the sys partition.

    The .NET runtime now has what I beleive to be a security problem with the
    site when it is being hosted from this location. It states that it can't
    load the type (ASPX CodeBehind) of the page because of a SecurityException
    that can be fixed by adding a node to my Web.Config file. But I am unable to
    find any documentation as to what this node is, or where it is to be placed
    in the Web.Config file. If I were to guess, I would say this may be an
    instance where the web application needs to impersonate an account with the
    correct tokens for the app to run, but I'm a bit lost right now. Any quick
    fixes for hosting sites off of a network drive?

    P.S. I have ensured my ACL file settings on the site are correct, as well as
    IIS perms ( twice ;-) )

    Grant Harmeyer
    Grant Harmeyer, Oct 10, 2003
    #1
    1. Advertising

  2. Hi Grant,

    This is actually a Common Language Runtime security policy issue. The
    Common Language Runtime is not allowing assemblies located on your remote
    share the permissions necessary to run. The solution is to create a new
    Code Group to allow them to run correctly.

    * Open the .NET Framework Configuration tool from Administrative Tools.
    * Expand the Runtime Security Policy node.
    * Expand the Machine node.
    * Expand the Code Groups node.
    * Right-click on the All_Code node and choose New.
    * In the Name box, enter a name of your choice for this new code group.
    * Click Next.
    * Select URL from the checkbox.
    * In the URL box, enter the UNC share in the following format:
    file:///\\SERVER\SHARE\*
    In other words, if your UNC share is \\server\share, you would enter it
    exactly as above. Make sure you add the "\*" at the end.
    * Click Next.
    * Select Full Trust from the dropdown.
    * Click Next.
    * Click Finish.

    After you've done that, go to a command line and run IISRESET to restart
    the worker process. You should now be able to run your app.

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

    --------------------
    >Reply-To: "Grant Harmeyer" <>
    >From: "Grant Harmeyer" <>
    >Subject: Web.Config / Security Settings for sites NOT on sys partition
    >Date: Fri, 10 Oct 2003 15:22:32 -0500
    >Lines: 24
    >X-Priority: 3
    >X-MSMail-Priority: Normal
    >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    >Message-ID: <>
    >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    >NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
    >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
    >Xref: cpmsftngxa06.phx.gbl

    microsoft.public.dotnet.framework.aspnet.security:7112
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >
    >I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
    >development test sites on this server for deployment elsewhere. Up until
    >now, there was no issue with the sites residing in the Inetpub directory on
    >the sys partition. However, we are starting to consume valuable disk space
    >on the sys partition. So, I have moved one of the sites (a low priority

    one)
    >to a network drive (and different partition) that is still on the same
    >physical server, just not the sys partition.
    >
    >The .NET runtime now has what I beleive to be a security problem with the
    >site when it is being hosted from this location. It states that it can't
    >load the type (ASPX CodeBehind) of the page because of a SecurityException
    >that can be fixed by adding a node to my Web.Config file. But I am unable

    to
    >find any documentation as to what this node is, or where it is to be placed
    >in the Web.Config file. If I were to guess, I would say this may be an
    >instance where the web application needs to impersonate an account with the
    >correct tokens for the app to run, but I'm a bit lost right now. Any quick
    >fixes for hosting sites off of a network drive?
    >
    >P.S. I have ensured my ACL file settings on the site are correct, as well

    as
    >IIS perms ( twice ;-) )
    >
    >Grant Harmeyer
    >
    >
    >
    Jim Cheshire [MSFT], Oct 10, 2003
    #2
    1. Advertising

  3. Worked like a charm. Another trick added to the toolbox. Thanks


    Grant Harmeyer


    "Jim Cheshire [MSFT]" <> wrote in message
    news:...
    > Hi Grant,
    >
    > This is actually a Common Language Runtime security policy issue. The
    > Common Language Runtime is not allowing assemblies located on your remote
    > share the permissions necessary to run. The solution is to create a new
    > Code Group to allow them to run correctly.
    >
    > * Open the .NET Framework Configuration tool from Administrative Tools.
    > * Expand the Runtime Security Policy node.
    > * Expand the Machine node.
    > * Expand the Code Groups node.
    > * Right-click on the All_Code node and choose New.
    > * In the Name box, enter a name of your choice for this new code group.
    > * Click Next.
    > * Select URL from the checkbox.
    > * In the URL box, enter the UNC share in the following format:
    > file:///\\SERVER\SHARE\*
    > In other words, if your UNC share is \\server\share, you would enter

    it
    > exactly as above. Make sure you add the "\*" at the end.
    > * Click Next.
    > * Select Full Trust from the dropdown.
    > * Click Next.
    > * Click Finish.
    >
    > After you've done that, go to a command line and run IISRESET to restart
    > the worker process. You should now be able to run your app.
    >
    > Jim Cheshire [MSFT]
    > Developer Support
    > ASP.NET
    >
    >
    > This post is provided as-is with no warranties and confers no rights.
    >
    > --------------------
    > >Reply-To: "Grant Harmeyer" <>
    > >From: "Grant Harmeyer" <>
    > >Subject: Web.Config / Security Settings for sites NOT on sys partition
    > >Date: Fri, 10 Oct 2003 15:22:32 -0500
    > >Lines: 24
    > >X-Priority: 3
    > >X-MSMail-Priority: Normal
    > >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    > >Message-ID: <>
    > >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    > >NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
    > >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
    > >Xref: cpmsftngxa06.phx.gbl

    > microsoft.public.dotnet.framework.aspnet.security:7112
    > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > >
    > >I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
    > >development test sites on this server for deployment elsewhere. Up until
    > >now, there was no issue with the sites residing in the Inetpub directory

    on
    > >the sys partition. However, we are starting to consume valuable disk

    space
    > >on the sys partition. So, I have moved one of the sites (a low priority

    > one)
    > >to a network drive (and different partition) that is still on the same
    > >physical server, just not the sys partition.
    > >
    > >The .NET runtime now has what I beleive to be a security problem with the
    > >site when it is being hosted from this location. It states that it can't
    > >load the type (ASPX CodeBehind) of the page because of a

    SecurityException
    > >that can be fixed by adding a node to my Web.Config file. But I am unable

    > to
    > >find any documentation as to what this node is, or where it is to be

    placed
    > >in the Web.Config file. If I were to guess, I would say this may be an
    > >instance where the web application needs to impersonate an account with

    the
    > >correct tokens for the app to run, but I'm a bit lost right now. Any

    quick
    > >fixes for hosting sites off of a network drive?
    > >
    > >P.S. I have ensured my ACL file settings on the site are correct, as well

    > as
    > >IIS perms ( twice ;-) )
    > >
    > >Grant Harmeyer
    > >
    > >
    > >

    >
    Grant Harmeyer, Oct 13, 2003
    #3
  4. I have to recant my "Worked Like a charm." statement. It worked for all but
    1 site, and this site still tells me that I have a security exception. I
    know I have set up the Code Groups correctly, and I am also 100% sure my ACL
    settings are correct for the ASPNET worker process and IUSR accounts
    (they've been set up identical to the working ACL/Code Group settings on the
    other sites). I am a bit baffled why it works on the other sites and not
    this particular one.

    The way the code was written for all these sites follows the same coding
    standard, so that can almost be ruled out I would think.
    It's almost as if the Code Group is not being applied. I have created the
    Code Group, and deleted then re-created it several times to no avail. I have
    also restarted the IIS services on each occassion of the new Code Group, but
    nothing seems to work. Anyone have a similar issue? In the mean time I'll
    see what the Knowledge base has on this. TIA.

    Grant


    "Grant Harmeyer" <> wrote in message
    news:...
    > Worked like a charm. Another trick added to the toolbox. Thanks
    >
    >
    > Grant Harmeyer
    >
    >
    > "Jim Cheshire [MSFT]" <> wrote in message
    > news:...
    > > Hi Grant,
    > >
    > > This is actually a Common Language Runtime security policy issue. The
    > > Common Language Runtime is not allowing assemblies located on your

    remote
    > > share the permissions necessary to run. The solution is to create a new
    > > Code Group to allow them to run correctly.
    > >
    > > * Open the .NET Framework Configuration tool from Administrative Tools.
    > > * Expand the Runtime Security Policy node.
    > > * Expand the Machine node.
    > > * Expand the Code Groups node.
    > > * Right-click on the All_Code node and choose New.
    > > * In the Name box, enter a name of your choice for this new code group.
    > > * Click Next.
    > > * Select URL from the checkbox.
    > > * In the URL box, enter the UNC share in the following format:
    > > file:///\\SERVER\SHARE\*
    > > In other words, if your UNC share is \\server\share, you would enter

    > it
    > > exactly as above. Make sure you add the "\*" at the end.
    > > * Click Next.
    > > * Select Full Trust from the dropdown.
    > > * Click Next.
    > > * Click Finish.
    > >
    > > After you've done that, go to a command line and run IISRESET to restart
    > > the worker process. You should now be able to run your app.
    > >
    > > Jim Cheshire [MSFT]
    > > Developer Support
    > > ASP.NET
    > >
    > >
    > > This post is provided as-is with no warranties and confers no rights.
    > >
    > > --------------------
    > > >Reply-To: "Grant Harmeyer" <>
    > > >From: "Grant Harmeyer" <>
    > > >Subject: Web.Config / Security Settings for sites NOT on sys partition
    > > >Date: Fri, 10 Oct 2003 15:22:32 -0500
    > > >Lines: 24
    > > >X-Priority: 3
    > > >X-MSMail-Priority: Normal
    > > >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    > > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    > > >Message-ID: <>
    > > >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    > > >NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
    > > >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
    > > >Xref: cpmsftngxa06.phx.gbl

    > > microsoft.public.dotnet.framework.aspnet.security:7112
    > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > > >
    > > >I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
    > > >development test sites on this server for deployment elsewhere. Up

    until
    > > >now, there was no issue with the sites residing in the Inetpub

    directory
    > on
    > > >the sys partition. However, we are starting to consume valuable disk

    > space
    > > >on the sys partition. So, I have moved one of the sites (a low priority

    > > one)
    > > >to a network drive (and different partition) that is still on the same
    > > >physical server, just not the sys partition.
    > > >
    > > >The .NET runtime now has what I beleive to be a security problem with

    the
    > > >site when it is being hosted from this location. It states that it

    can't
    > > >load the type (ASPX CodeBehind) of the page because of a

    > SecurityException
    > > >that can be fixed by adding a node to my Web.Config file. But I am

    unable
    > > to
    > > >find any documentation as to what this node is, or where it is to be

    > placed
    > > >in the Web.Config file. If I were to guess, I would say this may be an
    > > >instance where the web application needs to impersonate an account with

    > the
    > > >correct tokens for the app to run, but I'm a bit lost right now. Any

    > quick
    > > >fixes for hosting sites off of a network drive?
    > > >
    > > >P.S. I have ensured my ACL file settings on the site are correct, as

    well
    > > as
    > > >IIS perms ( twice ;-) )
    > > >
    > > >Grant Harmeyer
    > > >
    > > >
    > > >

    > >

    >
    >
    Grant Harmeyer, Oct 13, 2003
    #4
  5. Grant,

    Could be that you have a CLR issue on that box. In order to troubleshoot
    this more thoroughly, you'd need to open a case with us.

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

    --------------------
    >Reply-To: "Grant Harmeyer" <>
    >From: "Grant Harmeyer" <>
    >References: <>

    <>
    <>
    >Subject: Re: Web.Config / Security Settings for sites NOT on sys partition
    >Date: Mon, 13 Oct 2003 15:00:41 -0500
    >Lines: 128
    >X-Priority: 3
    >X-MSMail-Priority: Normal
    >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    >Message-ID: <>
    >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    >NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
    >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
    >Xref: cpmsftngxa06.phx.gbl

    microsoft.public.dotnet.framework.aspnet.security:7154
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >
    >I have to recant my "Worked Like a charm." statement. It worked for all but
    >1 site, and this site still tells me that I have a security exception. I
    >know I have set up the Code Groups correctly, and I am also 100% sure my

    ACL
    >settings are correct for the ASPNET worker process and IUSR accounts
    >(they've been set up identical to the working ACL/Code Group settings on

    the
    >other sites). I am a bit baffled why it works on the other sites and not
    >this particular one.
    >
    >The way the code was written for all these sites follows the same coding
    >standard, so that can almost be ruled out I would think.
    >It's almost as if the Code Group is not being applied. I have created the
    >Code Group, and deleted then re-created it several times to no avail. I

    have
    >also restarted the IIS services on each occassion of the new Code Group,

    but
    >nothing seems to work. Anyone have a similar issue? In the mean time I'll
    >see what the Knowledge base has on this. TIA.
    >
    >Grant
    >
    >
    >"Grant Harmeyer" <> wrote in message
    >news:...
    >> Worked like a charm. Another trick added to the toolbox. Thanks
    >>
    >>
    >> Grant Harmeyer
    >>
    >>
    >> "Jim Cheshire [MSFT]" <> wrote in message
    >> news:...
    >> > Hi Grant,
    >> >
    >> > This is actually a Common Language Runtime security policy issue. The
    >> > Common Language Runtime is not allowing assemblies located on your

    >remote
    >> > share the permissions necessary to run. The solution is to create a

    new
    >> > Code Group to allow them to run correctly.
    >> >
    >> > * Open the .NET Framework Configuration tool from Administrative

    Tools.
    >> > * Expand the Runtime Security Policy node.
    >> > * Expand the Machine node.
    >> > * Expand the Code Groups node.
    >> > * Right-click on the All_Code node and choose New.
    >> > * In the Name box, enter a name of your choice for this new code

    group.
    >> > * Click Next.
    >> > * Select URL from the checkbox.
    >> > * In the URL box, enter the UNC share in the following format:
    >> > file:///\\SERVER\SHARE\*
    >> > In other words, if your UNC share is \\server\share, you would

    enter
    >> it
    >> > exactly as above. Make sure you add the "\*" at the end.
    >> > * Click Next.
    >> > * Select Full Trust from the dropdown.
    >> > * Click Next.
    >> > * Click Finish.
    >> >
    >> > After you've done that, go to a command line and run IISRESET to

    restart
    >> > the worker process. You should now be able to run your app.
    >> >
    >> > Jim Cheshire [MSFT]
    >> > Developer Support
    >> > ASP.NET
    >> >
    >> >
    >> > This post is provided as-is with no warranties and confers no rights.
    >> >
    >> > --------------------
    >> > >Reply-To: "Grant Harmeyer" <>
    >> > >From: "Grant Harmeyer" <>
    >> > >Subject: Web.Config / Security Settings for sites NOT on sys

    partition
    >> > >Date: Fri, 10 Oct 2003 15:22:32 -0500
    >> > >Lines: 24
    >> > >X-Priority: 3
    >> > >X-MSMail-Priority: Normal
    >> > >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    >> > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    >> > >Message-ID: <>
    >> > >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    >> > >NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
    >> > >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
    >> > >Xref: cpmsftngxa06.phx.gbl
    >> > microsoft.public.dotnet.framework.aspnet.security:7112
    >> > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >> > >
    >> > >I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
    >> > >development test sites on this server for deployment elsewhere. Up

    >until
    >> > >now, there was no issue with the sites residing in the Inetpub

    >directory
    >> on
    >> > >the sys partition. However, we are starting to consume valuable disk

    >> space
    >> > >on the sys partition. So, I have moved one of the sites (a low

    priority
    >> > one)
    >> > >to a network drive (and different partition) that is still on the same
    >> > >physical server, just not the sys partition.
    >> > >
    >> > >The .NET runtime now has what I beleive to be a security problem with

    >the
    >> > >site when it is being hosted from this location. It states that it

    >can't
    >> > >load the type (ASPX CodeBehind) of the page because of a

    >> SecurityException
    >> > >that can be fixed by adding a node to my Web.Config file. But I am

    >unable
    >> > to
    >> > >find any documentation as to what this node is, or where it is to be

    >> placed
    >> > >in the Web.Config file. If I were to guess, I would say this may be an
    >> > >instance where the web application needs to impersonate an account

    with
    >> the
    >> > >correct tokens for the app to run, but I'm a bit lost right now. Any

    >> quick
    >> > >fixes for hosting sites off of a network drive?
    >> > >
    >> > >P.S. I have ensured my ACL file settings on the site are correct, as

    >well
    >> > as
    >> > >IIS perms ( twice ;-) )
    >> > >
    >> > >Grant Harmeyer
    >> > >
    >> > >
    >> > >
    >> >

    >>
    >>

    >
    >
    >
    Jim Cheshire [MSFT], Oct 14, 2003
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?QXVndXN0aW4gUHJhc2FubmEuIEo=?=

    Web.Config Get Config settings at runtime.

    =?Utf-8?B?QXVndXN0aW4gUHJhc2FubmEuIEo=?=, Feb 5, 2004, in forum: ASP .Net
    Replies:
    3
    Views:
    2,243
    Kevin Spencer
    Feb 6, 2004
  2. CSharpner
    Replies:
    0
    Views:
    1,000
    CSharpner
    Apr 9, 2007
  3. leeanne
    Replies:
    0
    Views:
    1,842
    leeanne
    Sep 24, 2008
  4. donet programmer
    Replies:
    3
    Views:
    1,518
    Gregory A. Beamer
    Nov 20, 2009
  5. bolega
    Replies:
    1
    Views:
    675
    Stan Bischof
    Mar 28, 2011
Loading...

Share This Page