Web.Config / Security Settings for sites NOT on sys partition

G

Grant Harmeyer

I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
development test sites on this server for deployment elsewhere. Up until
now, there was no issue with the sites residing in the Inetpub directory on
the sys partition. However, we are starting to consume valuable disk space
on the sys partition. So, I have moved one of the sites (a low priority one)
to a network drive (and different partition) that is still on the same
physical server, just not the sys partition.

The .NET runtime now has what I beleive to be a security problem with the
site when it is being hosted from this location. It states that it can't
load the type (ASPX CodeBehind) of the page because of a SecurityException
that can be fixed by adding a node to my Web.Config file. But I am unable to
find any documentation as to what this node is, or where it is to be placed
in the Web.Config file. If I were to guess, I would say this may be an
instance where the web application needs to impersonate an account with the
correct tokens for the app to run, but I'm a bit lost right now. Any quick
fixes for hosting sites off of a network drive?

P.S. I have ensured my ACL file settings on the site are correct, as well as
IIS perms ( twice ;-) )

Grant Harmeyer
 
J

Jim Cheshire [MSFT]

Hi Grant,

This is actually a Common Language Runtime security policy issue. The
Common Language Runtime is not allowing assemblies located on your remote
share the permissions necessary to run. The solution is to create a new
Code Group to allow them to run correctly.

* Open the .NET Framework Configuration tool from Administrative Tools.
* Expand the Runtime Security Policy node.
* Expand the Machine node.
* Expand the Code Groups node.
* Right-click on the All_Code node and choose New.
* In the Name box, enter a name of your choice for this new code group.
* Click Next.
* Select URL from the checkbox.
* In the URL box, enter the UNC share in the following format:
file:///\\SERVER\SHARE\*
In other words, if your UNC share is \\server\share, you would enter it
exactly as above. Make sure you add the "\*" at the end.
* Click Next.
* Select Full Trust from the dropdown.
* Click Next.
* Click Finish.

After you've done that, go to a command line and run IISRESET to restart
the worker process. You should now be able to run your app.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
 
G

Grant Harmeyer

Worked like a charm. Another trick added to the toolbox. Thanks


Grant Harmeyer


Jim Cheshire said:
Hi Grant,

This is actually a Common Language Runtime security policy issue. The
Common Language Runtime is not allowing assemblies located on your remote
share the permissions necessary to run. The solution is to create a new
Code Group to allow them to run correctly.

* Open the .NET Framework Configuration tool from Administrative Tools.
* Expand the Runtime Security Policy node.
* Expand the Machine node.
* Expand the Code Groups node.
* Right-click on the All_Code node and choose New.
* In the Name box, enter a name of your choice for this new code group.
* Click Next.
* Select URL from the checkbox.
* In the URL box, enter the UNC share in the following format:
file:///\\SERVER\SHARE\*
In other words, if your UNC share is \\server\share, you would enter it
exactly as above. Make sure you add the "\*" at the end.
* Click Next.
* Select Full Trust from the dropdown.
* Click Next.
* Click Finish.

After you've done that, go to a command line and run IISRESET to restart
the worker process. You should now be able to run your app.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
Reply-To: "Grant Harmeyer" <[email protected]>
From: "Grant Harmeyer" <[email protected]>
Subject: Web.Config / Security Settings for sites NOT on sys partition
Date: Fri, 10 Oct 2003 15:22:32 -0500
Lines: 24
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:7112
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security

I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
development test sites on this server for deployment elsewhere. Up until
now, there was no issue with the sites residing in the Inetpub directory on
the sys partition. However, we are starting to consume valuable disk space
on the sys partition. So, I have moved one of the sites (a low priority one)
to a network drive (and different partition) that is still on the same
physical server, just not the sys partition.

The .NET runtime now has what I beleive to be a security problem with the
site when it is being hosted from this location. It states that it can't
load the type (ASPX CodeBehind) of the page because of a SecurityException
that can be fixed by adding a node to my Web.Config file. But I am unable to
find any documentation as to what this node is, or where it is to be placed
in the Web.Config file. If I were to guess, I would say this may be an
instance where the web application needs to impersonate an account with the
correct tokens for the app to run, but I'm a bit lost right now. Any quick
fixes for hosting sites off of a network drive?

P.S. I have ensured my ACL file settings on the site are correct, as well as
IIS perms ( twice ;-) )

Grant Harmeyer
 
G

Grant Harmeyer

I have to recant my "Worked Like a charm." statement. It worked for all but
1 site, and this site still tells me that I have a security exception. I
know I have set up the Code Groups correctly, and I am also 100% sure my ACL
settings are correct for the ASPNET worker process and IUSR accounts
(they've been set up identical to the working ACL/Code Group settings on the
other sites). I am a bit baffled why it works on the other sites and not
this particular one.

The way the code was written for all these sites follows the same coding
standard, so that can almost be ruled out I would think.
It's almost as if the Code Group is not being applied. I have created the
Code Group, and deleted then re-created it several times to no avail. I have
also restarted the IIS services on each occassion of the new Code Group, but
nothing seems to work. Anyone have a similar issue? In the mean time I'll
see what the Knowledge base has on this. TIA.

Grant


Grant Harmeyer said:
Worked like a charm. Another trick added to the toolbox. Thanks


Grant Harmeyer


Jim Cheshire said:
Hi Grant,

This is actually a Common Language Runtime security policy issue. The
Common Language Runtime is not allowing assemblies located on your remote
share the permissions necessary to run. The solution is to create a new
Code Group to allow them to run correctly.

* Open the .NET Framework Configuration tool from Administrative Tools.
* Expand the Runtime Security Policy node.
* Expand the Machine node.
* Expand the Code Groups node.
* Right-click on the All_Code node and choose New.
* In the Name box, enter a name of your choice for this new code group.
* Click Next.
* Select URL from the checkbox.
* In the URL box, enter the UNC share in the following format:
file:///\\SERVER\SHARE\*
In other words, if your UNC share is \\server\share, you would enter it
exactly as above. Make sure you add the "\*" at the end.
* Click Next.
* Select Full Trust from the dropdown.
* Click Next.
* Click Finish.

After you've done that, go to a command line and run IISRESET to restart
the worker process. You should now be able to run your app.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
Reply-To: "Grant Harmeyer" <[email protected]>
From: "Grant Harmeyer" <[email protected]>
Subject: Web.Config / Security Settings for sites NOT on sys partition
Date: Fri, 10 Oct 2003 15:22:32 -0500
Lines: 24
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:7112
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security

I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
development test sites on this server for deployment elsewhere. Up until
now, there was no issue with the sites residing in the Inetpub
directory
on unable
to well
as
 
J

Jim Cheshire [MSFT]

Grant,

Could be that you have a CLR issue on that box. In order to troubleshoot
this more thoroughly, you'd need to open a case with us.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
Reply-To: "Grant Harmeyer" <[email protected]>
From: "Grant Harmeyer" <[email protected]>
References: <[email protected]>
Subject: Re: Web.Config / Security Settings for sites NOT on sys partition
Date: Mon, 13 Oct 2003 15:00:41 -0500
Lines: 128
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet.security:7154
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security

I have to recant my "Worked Like a charm." statement. It worked for all but
1 site, and this site still tells me that I have a security exception. I
know I have set up the Code Groups correctly, and I am also 100% sure my ACL
settings are correct for the ASPNET worker process and IUSR accounts
(they've been set up identical to the working ACL/Code Group settings on the
other sites). I am a bit baffled why it works on the other sites and not
this particular one.

The way the code was written for all these sites follows the same coding
standard, so that can almost be ruled out I would think.
It's almost as if the Code Group is not being applied. I have created the
Code Group, and deleted then re-created it several times to no avail. I have
also restarted the IIS services on each occassion of the new Code Group, but
nothing seems to work. Anyone have a similar issue? In the mean time I'll
see what the Knowledge base has on this. TIA.

Grant


Grant Harmeyer said:
Worked like a charm. Another trick added to the toolbox. Thanks


Grant Harmeyer


Jim Cheshire said:
Hi Grant,

This is actually a Common Language Runtime security policy issue. The
Common Language Runtime is not allowing assemblies located on your remote
share the permissions necessary to run. The solution is to create a new
Code Group to allow them to run correctly.

* Open the .NET Framework Configuration tool from Administrative Tools.
* Expand the Runtime Security Policy node.
* Expand the Machine node.
* Expand the Code Groups node.
* Right-click on the All_Code node and choose New.
* In the Name box, enter a name of your choice for this new code group.
* Click Next.
* Select URL from the checkbox.
* In the URL box, enter the UNC share in the following format:
file:///\\SERVER\SHARE\*
In other words, if your UNC share is \\server\share, you would
enter
it
exactly as above. Make sure you add the "\*" at the end.
* Click Next.
* Select Full Trust from the dropdown.
* Click Next.
* Click Finish.

After you've done that, go to a command line and run IISRESET to restart
the worker process. You should now be able to run your app.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------
Reply-To: "Grant Harmeyer" <[email protected]>
From: "Grant Harmeyer" <[email protected]>
Subject: Web.Config / Security Settings for sites NOT on sys partition
Date: Fri, 10 Oct 2003 15:22:32 -0500
Lines: 24
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
Xref: cpmsftngxa06.phx.gbl
microsoft.public.dotnet.framework.aspnet.security:7112
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security

I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
development test sites on this server for deployment elsewhere. Up until
now, there was no issue with the sites residing in the Inetpub
directory
on
the sys partition. However, we are starting to consume valuable disk space
on the sys partition. So, I have moved one of the sites (a low priority
one)
to a network drive (and different partition) that is still on the same
physical server, just not the sys partition.

The .NET runtime now has what I beleive to be a security problem with the
site when it is being hosted from this location. It states that it can't
load the type (ASPX CodeBehind) of the page because of a SecurityException
that can be fixed by adding a node to my Web.Config file. But I am unable
to
find any documentation as to what this node is, or where it is to be placed
in the Web.Config file. If I were to guess, I would say this may be an
instance where the web application needs to impersonate an account
with
the
correct tokens for the app to run, but I'm a bit lost right now. Any quick
fixes for hosting sites off of a network drive?

P.S. I have ensured my ACL file settings on the site are correct, as well
as
IIS perms ( twice ;-) )

Grant Harmeyer
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,901
Latest member
Noble71S45

Latest Threads

Top