"System.Security.SecurityException: Security error" error message when the virtual directory points to a remote share in ASP.NET

Article translations Article translations
Article ID: 320268 - View products that this article applies to.
This article was previously published under Q320268
Expand all | Collapse all

On This Page

SYMPTOMS

When you use a virtual directory that points to a remote share to host a Microsoft ASP.NET-based application, you may receive an error message that is similar to one of the following:

Message 1
Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Security error.

Source Error:

Line 30: private static bool __intialized = false; Line 31: Line 32: public Global_asax() { Line 33: if ((ASP.Global_asax.__intialized == false)) { Line 34: ASP.Global_asax.__intialized = true;
Message 2
Server Error in '/ApplicationName' Application.

Parser Error Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.

Parser Error Message: Could not load type 'ApplicationName.Global'.

Source Error: Line 1: <%@ Application Codebehind="Global.asax.cs" Inherits="ApplicationName.Global" %> Source File: Path of Application \global.asax Line: 1

CAUSE

The System.Web namespace does not have the AllowPartiallyTrustedCallersAttribute applied to it. For more information, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/ms994923.aspx
Any code that is not in the My_Computer_Zone code group that does not have this attribute requires the FullTrust user right. Therefore, the remote share that holds the Web applications content requires FullTrust.

RESOLUTION

To resolve this behavior, grant the FullTrust right to the remote share:
  1. On the Web server, open Administrative Tools, and then double-click Microsoft .NET Framework Configuration.
  2. Expand Runtime Security Policy, expand Machine, and then expand Code Groups.
  3. Right-click All_Code, and then click New.
  4. Select Create a new code group. Give your code group a relevant name, such as the name of the applications share. Click Next.
  5. In the Choose the condition type for this code group list, select URL.
  6. In the URL box, type the path of the share in the following format:
    file:////\\computername\sharename\*
    Note Replace computername with the name of the computer that is hosting the remote share. Replace sharename with the name of the share.
  7. Click Next. On the next page, select Use an existing permission set, and then select FullTrust.
  8. Click Next, and then click Finish.
  9. Restart Microsoft Internet Information Services (IIS) to restart the ASP.NET worker process.
If Microsoft .NET Framework Configuration is not displayed under Administrative Tools, you can install the .NET Framework SDK to add Microsoft .NET Framework Configuration. Alternatively, you can run the following command to make the change:
Drive:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe -m -ag 1 -url "file:////\\computername\sharename\*" FullTrust -exclusive on
Note For more information about what these arguments do, run the following command:
caspol.exe -?

STATUS

This behavior is by design.

MORE INFORMATION

In this configuration, the account under which the ASP.NET worker process runs must have sufficient rights to the remote share. You can set the account under which the worker process runs by using the Processmodel tag in the Machine.config file.

Steps to reproduce the behavior

  1. Create a new virtual directory that points to a remote share.
  2. Create an application for the virtual directory. Make sure that the user who connects to the share has read access to the remote content.
  3. In the Processmodel tag of the Machine.config file, change the user to a domain user who has list, read, and execute permissions on the remote share.
  4. Create an inline .aspx file, and then put the file in the remote share.
  5. Make a request for the page.

REFERENCES

For more information about the permissions that the ASPNET account requires to run ASP.NET applications, click the following article number to view the article in the Microsoft Knowledge Base:
317012 Process and request identity in ASP.NET
For more information about ASP.NET security, click the following article number to view the article in the Microsoft Knowledge Base:
306590 ASP.NET security overview

Properties

Article ID: 320268 - Last Review: December 16, 2009 - Revision: 6.0
APPLIES TO
  • Microsoft ASP.NET 1.1
  • Microsoft ASP.NET 1.0
Keywords: 
kbsecurity kbwebserver kbprb KB320268

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com