Web.Config / Security Settings for sites NOT on sys partition

Grant Harmeyer · Grant Harmeyer

I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
development test sites on this server for deployment elsewhere. Up until
now, there was no issue with the sites residing in the Inetpub directory on
the sys partition. However, we are starting to consume valuable disk space
on the sys partition. So, I have moved one of the sites (a low priority one)
to a network drive (and different partition) that is still on the same
physical server, just not the sys partition.

The .NET runtime now has what I beleive to be a security problem with the
site when it is being hosted from this location. It states that it can't
load the type (ASPX CodeBehind) of the page because of a SecurityException
that can be fixed by adding a node to my Web.Config file. But I am unable to
find any documentation as to what this node is, or where it is to be placed
in the Web.Config file. If I were to guess, I would say this may be an
instance where the web application needs to impersonate an account with the
correct tokens for the app to run, but I'm a bit lost right now. Any quick
fixes for hosting sites off of a network drive?

P.S. I have ensured my ACL file settings on the site are correct, as well as
IIS perms ( twice ;-) )

Grant Harmeyer

Jim Cheshire [MSFT] · Jim Cheshire [MSFT]

Hi Grant,

This is actually a Common Language Runtime security policy issue. The
Common Language Runtime is not allowing assemblies located on your remote
share the permissions necessary to run. The solution is to create a new
Code Group to allow them to run correctly.

* Open the .NET Framework Configuration tool from Administrative Tools.
* Expand the Runtime Security Policy node.
* Expand the Machine node.
* Expand the Code Groups node.
* Right-click on the All_Code node and choose New.
* In the Name box, enter a name of your choice for this new code group.
* Click Next.
* Select URL from the checkbox.
* In the URL box, enter the UNC share in the following format:
file:///\\SERVER\SHARE\*
In other words, if your UNC share is \\server\share, you would enter it
exactly as above. Make sure you add the "\*" at the end.
* Click Next.
* Select Full Trust from the dropdown.
* Click Next.
* Click Finish.

After you've done that, go to a command line and run IISRESET to restart
the worker process. You should now be able to run your app.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
[email]jamesche@online.microsoft.com[/email]

This post is provided as-is with no warranties and confers no rights.

--------------------

>Reply-To: "Grant Harmeyer" <gn_harmeyer@hotmail.com>
>From: "Grant Harmeyer" <gn_harmeyer@hotmail.com>
>Subject: Web.Config / Security Settings for sites NOT on sys partition
>Date: Fri, 10 Oct 2003 15:22:32 -0500
>Lines: 24
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <elFavy2jDHA.744@tk2msftngp13.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftn gp13.phx.gbl
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 7112

>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
>development test sites on this server for deployment elsewhere. Up until
>now, there was no issue with the sites residing in the Inetpub directory on
>the sys partition. However, we are starting to consume valuable disk space
>on the sys partition. So, I have moved one of the sites (a low priority

one)

>to a network drive (and different partition) that is still on the same
>physical server, just not the sys partition.
>
>The .NET runtime now has what I beleive to be a security problem with the
>site when it is being hosted from this location. It states that it can't
>load the type (ASPX CodeBehind) of the page because of a SecurityException
>that can be fixed by adding a node to my Web.Config file. But I am unable

to

>find any documentation as to what this node is, or where it is to be placed
>in the Web.Config file. If I were to guess, I would say this may be an
>instance where the web application needs to impersonate an account with the
>correct tokens for the app to run, but I'm a bit lost right now. Any quick
>fixes for hosting sites off of a network drive?
>
>P.S. I have ensured my ACL file settings on the site are correct, as well

as

>IIS perms ( twice ;-) )
>
>Grant Harmeyer
>
>
>

Grant Harmeyer · Grant Harmeyer

Worked like a charm. Another trick added to the toolbox. Thanks

Grant Harmeyer

"Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
news:icK1Wr3jDHA.1716@cpmsftngxa06.phx.gbl...

> Hi Grant,
>
> This is actually a Common Language Runtime security policy issue. The
> Common Language Runtime is not allowing assemblies located on your remote
> share the permissions necessary to run. The solution is to create a new
> Code Group to allow them to run correctly.
>
> * Open the .NET Framework Configuration tool from Administrative Tools.
> * Expand the Runtime Security Policy node.
> * Expand the Machine node.
> * Expand the Code Groups node.
> * Right-click on the All_Code node and choose New.
> * In the Name box, enter a name of your choice for this new code group.
> * Click Next.
> * Select URL from the checkbox.
> * In the URL box, enter the UNC share in the following format:
> file:///\\SERVER\SHARE\*
> In other words, if your UNC share is \\server\share, you would enter

it

> exactly as above. Make sure you add the "\*" at the end.
> * Click Next.
> * Select Full Trust from the dropdown.
> * Click Next.
> * Click Finish.
>
> After you've done that, go to a command line and run IISRESET to restart
> the worker process. You should now be able to run your app.
>
> Jim Cheshire [MSFT]
> Developer Support
> ASP.NET
> [email]jamesche@online.microsoft.com[/email]
>
> This post is provided as-is with no warranties and confers no rights.
>
> --------------------

> >Reply-To: "Grant Harmeyer" <gn_harmeyer@hotmail.com>
> >From: "Grant Harmeyer" <gn_harmeyer@hotmail.com>
> >Subject: Web.Config / Security Settings for sites NOT on sys partition
> >Date: Fri, 10 Oct 2003 15:22:32 -0500
> >Lines: 24
> >X-Priority: 3
> >X-MSMail-Priority: Normal
> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> >Message-ID: <elFavy2jDHA.744@tk2msftngp13.phx.gbl>
> >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> >NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftn gp13.phx.gbl
> >Xref: cpmsftngxa06.phx.gbl

> microsoft.public.dotnet.framework.aspnet.security: 7112

> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >
> >I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
> >development test sites on this server for deployment elsewhere. Up until
> >now, there was no issue with the sites residing in the Inetpub directory

on

> >the sys partition. However, we are starting to consume valuable disk

space

> >on the sys partition. So, I have moved one of the sites (a low priority

> one)

> >to a network drive (and different partition) that is still on the same
> >physical server, just not the sys partition.
> >
> >The .NET runtime now has what I beleive to be a security problem with the
> >site when it is being hosted from this location. It states that it can't
> >load the type (ASPX CodeBehind) of the page because of a

SecurityException

> >that can be fixed by adding a node to my Web.Config file. But I am unable

> to

> >find any documentation as to what this node is, or where it is to be

placed

> >in the Web.Config file. If I were to guess, I would say this may be an
> >instance where the web application needs to impersonate an account with

the

> >correct tokens for the app to run, but I'm a bit lost right now. Any

quick

> >fixes for hosting sites off of a network drive?
> >
> >P.S. I have ensured my ACL file settings on the site are correct, as well

> as

> >IIS perms ( twice ;-) )
> >
> >Grant Harmeyer
> >
> >
> >

>

Grant Harmeyer · Grant Harmeyer

I have to recant my "Worked Like a charm." statement. It worked for all but
1 site, and this site still tells me that I have a security exception. I
know I have set up the Code Groups correctly, and I am also 100% sure my ACL
settings are correct for the ASPNET worker process and IUSR accounts
(they've been set up identical to the working ACL/Code Group settings on the
other sites). I am a bit baffled why it works on the other sites and not
this particular one.

The way the code was written for all these sites follows the same coding
standard, so that can almost be ruled out I would think.
It's almost as if the Code Group is not being applied. I have created the
Code Group, and deleted then re-created it several times to no avail. I have
also restarted the IIS services on each occassion of the new Code Group, but
nothing seems to work. Anyone have a similar issue? In the mean time I'll
see what the Knowledge base has on this. TIA.

Grant

"Grant Harmeyer" <gn_harmeyer@hotmail.com> wrote in message
news:uEKOMtYkDHA.1488@TK2MSFTNGP12.phx.gbl...

> Worked like a charm. Another trick added to the toolbox. Thanks
>
>
> Grant Harmeyer
>
>
> "Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
> news:icK1Wr3jDHA.1716@cpmsftngxa06.phx.gbl...

> > Hi Grant,
> >
> > This is actually a Common Language Runtime security policy issue. The
> > Common Language Runtime is not allowing assemblies located on your

remote

> > share the permissions necessary to run. The solution is to create a new
> > Code Group to allow them to run correctly.
> >
> > * Open the .NET Framework Configuration tool from Administrative Tools.
> > * Expand the Runtime Security Policy node.
> > * Expand the Machine node.
> > * Expand the Code Groups node.
> > * Right-click on the All_Code node and choose New.
> > * In the Name box, enter a name of your choice for this new code group.
> > * Click Next.
> > * Select URL from the checkbox.
> > * In the URL box, enter the UNC share in the following format:
> > file:///\\SERVER\SHARE\*
> > In other words, if your UNC share is \\server\share, you would enter

> it

> > exactly as above. Make sure you add the "\*" at the end.
> > * Click Next.
> > * Select Full Trust from the dropdown.
> > * Click Next.
> > * Click Finish.
> >
> > After you've done that, go to a command line and run IISRESET to restart
> > the worker process. You should now be able to run your app.
> >
> > Jim Cheshire [MSFT]
> > Developer Support
> > ASP.NET
> > [email]jamesche@online.microsoft.com[/email]
> >
> > This post is provided as-is with no warranties and confers no rights.
> >
> > --------------------

> > >Reply-To: "Grant Harmeyer" <gn_harmeyer@hotmail.com>
> > >From: "Grant Harmeyer" <gn_harmeyer@hotmail.com>
> > >Subject: Web.Config / Security Settings for sites NOT on sys partition
> > >Date: Fri, 10 Oct 2003 15:22:32 -0500
> > >Lines: 24
> > >X-Priority: 3
> > >X-MSMail-Priority: Normal
> > >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
> > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> > >Message-ID: <elFavy2jDHA.744@tk2msftngp13.phx.gbl>
> > >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> > >NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
> > >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftn gp13.phx.gbl
> > >Xref: cpmsftngxa06.phx.gbl

> > microsoft.public.dotnet.framework.aspnet.security: 7112

> > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> > >
> > >I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
> > >development test sites on this server for deployment elsewhere. Up

until

> > >now, there was no issue with the sites residing in the Inetpub

directory

> on

> > >the sys partition. However, we are starting to consume valuable disk

> space

> > >on the sys partition. So, I have moved one of the sites (a low priority

> > one)

> > >to a network drive (and different partition) that is still on the same
> > >physical server, just not the sys partition.
> > >
> > >The .NET runtime now has what I beleive to be a security problem with

the

> > >site when it is being hosted from this location. It states that it

can't

> > >load the type (ASPX CodeBehind) of the page because of a

> SecurityException

> > >that can be fixed by adding a node to my Web.Config file. But I am

unable

> > to

> > >find any documentation as to what this node is, or where it is to be

> placed

> > >in the Web.Config file. If I were to guess, I would say this may be an
> > >instance where the web application needs to impersonate an account with

> the

> > >correct tokens for the app to run, but I'm a bit lost right now. Any

> quick

> > >fixes for hosting sites off of a network drive?
> > >
> > >P.S. I have ensured my ACL file settings on the site are correct, as

well

> > as

> > >IIS perms ( twice ;-) )
> > >
> > >Grant Harmeyer
> > >
> > >
> > >

> >

>
>

Jim Cheshire [MSFT] · Jim Cheshire [MSFT]

Grant,

Could be that you have a CLR issue on that box. In order to troubleshoot
this more thoroughly, you'd need to open a case with us.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
[email]jamesche@online.microsoft.com[/email]

This post is provided as-is with no warranties and confers no rights.

--------------------

>Reply-To: "Grant Harmeyer" <gn_harmeyer@hotmail.com>
>From: "Grant Harmeyer" <gn_harmeyer@hotmail.com>
>References: <elFavy2jDHA.744@tk2msftngp13.phx.gbl>

<icK1Wr3jDHA.1716@cpmsftngxa06.phx.gbl>
<uEKOMtYkDHA.1488@TK2MSFTNGP12.phx.gbl>

>Subject: Re: Web.Config / Security Settings for sites NOT on sys partition
>Date: Mon, 13 Oct 2003 15:00:41 -0500
>Lines: 128
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <ONafwSckDHA.2500@TK2MSFTNGP10.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
>Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 7154

>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>I have to recant my "Worked Like a charm." statement. It worked for all but
>1 site, and this site still tells me that I have a security exception. I
>know I have set up the Code Groups correctly, and I am also 100% sure my

ACL

>settings are correct for the ASPNET worker process and IUSR accounts
>(they've been set up identical to the working ACL/Code Group settings on

the

>other sites). I am a bit baffled why it works on the other sites and not
>this particular one.
>
>The way the code was written for all these sites follows the same coding
>standard, so that can almost be ruled out I would think.
>It's almost as if the Code Group is not being applied. I have created the
>Code Group, and deleted then re-created it several times to no avail. I

have

>also restarted the IIS services on each occassion of the new Code Group,

but

>nothing seems to work. Anyone have a similar issue? In the mean time I'll
>see what the Knowledge base has on this. TIA.
>
>Grant
>
>
>"Grant Harmeyer" <gn_harmeyer@hotmail.com> wrote in message
>news:uEKOMtYkDHA.1488@TK2MSFTNGP12.phx.gbl...

>> Worked like a charm. Another trick added to the toolbox. Thanks
>>
>>
>> Grant Harmeyer
>>
>>
>> "Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
>> news:icK1Wr3jDHA.1716@cpmsftngxa06.phx.gbl...

>> > Hi Grant,
>> >
>> > This is actually a Common Language Runtime security policy issue. The
>> > Common Language Runtime is not allowing assemblies located on your

>remote

>> > share the permissions necessary to run. The solution is to create a

new

>> > Code Group to allow them to run correctly.
>> >
>> > * Open the .NET Framework Configuration tool from Administrative

Tools.

>> > * Expand the Runtime Security Policy node.
>> > * Expand the Machine node.
>> > * Expand the Code Groups node.
>> > * Right-click on the All_Code node and choose New.
>> > * In the Name box, enter a name of your choice for this new code

group.

>> > * Click Next.
>> > * Select URL from the checkbox.
>> > * In the URL box, enter the UNC share in the following format:
>> > file:///\\SERVER\SHARE\*
>> > In other words, if your UNC share is \\server\share, you would

enter

>> it

>> > exactly as above. Make sure you add the "\*" at the end.
>> > * Click Next.
>> > * Select Full Trust from the dropdown.
>> > * Click Next.
>> > * Click Finish.
>> >
>> > After you've done that, go to a command line and run IISRESET to

restart

>> > the worker process. You should now be able to run your app.
>> >
>> > Jim Cheshire [MSFT]
>> > Developer Support
>> > ASP.NET
>> > [email]jamesche@online.microsoft.com[/email]
>> >
>> > This post is provided as-is with no warranties and confers no rights.
>> >
>> > --------------------
>> > >Reply-To: "Grant Harmeyer" <gn_harmeyer@hotmail.com>
>> > >From: "Grant Harmeyer" <gn_harmeyer@hotmail.com>
>> > >Subject: Web.Config / Security Settings for sites NOT on sys

partition

>> > >Date: Fri, 10 Oct 2003 15:22:32 -0500
>> > >Lines: 24
>> > >X-Priority: 3
>> > >X-MSMail-Priority: Normal
>> > >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>> > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>> > >Message-ID: <elFavy2jDHA.744@tk2msftngp13.phx.gbl>
>> > >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>> > >NNTP-Posting-Host: 208-131-234-237.internetapollo.com 208.131.234.237
>> > >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftn gp13.phx.gbl
>> > >Xref: cpmsftngxa06.phx.gbl
>> > microsoft.public.dotnet.framework.aspnet.security: 7112
>> > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>> > >
>> > >I have a Win2K server set up with .NET 1.1, IIS5, and I run a few
>> > >development test sites on this server for deployment elsewhere. Up

>until

>> > >now, there was no issue with the sites residing in the Inetpub

>directory

>> on

>> > >the sys partition. However, we are starting to consume valuable disk

>> space

>> > >on the sys partition. So, I have moved one of the sites (a low

priority

>> > one)
>> > >to a network drive (and different partition) that is still on the same
>> > >physical server, just not the sys partition.
>> > >
>> > >The .NET runtime now has what I beleive to be a security problem with

>the

>> > >site when it is being hosted from this location. It states that it

>can't

>> > >load the type (ASPX CodeBehind) of the page because of a

>> SecurityException

>> > >that can be fixed by adding a node to my Web.Config file. But I am

>unable

>> > to
>> > >find any documentation as to what this node is, or where it is to be

>> placed

>> > >in the Web.Config file. If I were to guess, I would say this may be an
>> > >instance where the web application needs to impersonate an account

with

>> the

>> > >correct tokens for the app to run, but I'm a bit lost right now. Any

>> quick

>> > >fixes for hosting sites off of a network drive?
>> > >
>> > >P.S. I have ensured my ACL file settings on the site are correct, as

>well

>> > as
>> > >IIS perms ( twice ;-) )
>> > >
>> > >Grant Harmeyer
>> > >
>> > >
>> > >
>> >

>>
>>

>
>
>

Web.Config / Security Settings for sites NOT on sys partition

Thread Tools

Display

Web.Config / Security Settings for sites NOT on sys partition

Similar Questions and Discussions

Change Flash Security Settings? Security ManagerOffline?

Need Help With Flash Sites & Settings

Web config security settings

Config settings.

problem with security settings (trusted sites)

RE: Web.Config / Security Settings for sites NOT on sys partition

Re: Web.Config / Security Settings for sites NOT on sys partition

Re: Web.Config / Security Settings for sites NOT on sys partition

Re: Web.Config / Security Settings for sites NOT on sys partition

Posting Permissions