Help and Support

Article ID: 320268 - Last Review: March 22, 2007 - Revision: 4.5

"System.Security.SecurityException: Security error" error message when the virtual directory points to a remote share in ASP.NET

View products that this article applies to.
This article was previously published under Q320268

On This Page

Expand all | Collapse all

SYMPTOMS

When you use a virtual directory that points to a remote share to host a Microsoft ASP.NET-based application, you may receive an error message that is similar to one of the following:

Message 1
Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Security error.

Source Error:

Line 30: private static bool __intialized = false; Line 31: Line 32: public Global_asax() { Line 33: if ((ASP.Global_asax.__intialized == false)) { Line 34: ASP.Global_asax.__intialized = true;
Message 2
Server Error in '/ApplicationName' Application.

Parser Error Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.

Parser Error Message: Could not load type 'ApplicationName.Global'.

Source Error: Line 1: <%@ Application Codebehind="Global.asax.cs" Inherits="ApplicationName.Global" %> Source File: Path of Application \global.asax Line: 1
Back to the top

CAUSE

The System.Web namespace does not have the AllowPartiallyTrustedCallersAttribute applied to it. For more information, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/ms994923.aspx (http://msdn2.microsoft.com/en-us/library/ms994923.aspx)
Any code that is not in the My_Computer_Zone code group that does not have this attribute requires the FullTrust user right. Therefore, the remote share that holds the Web applications content requires FullTrust.
Back to the top

RESOLUTION

To resolve this behavior, grant the FullTrust right to the remote share:
  1. On the Web server, open Administrative Tools, and then double-click Microsoft .NET Framework Configuration.
  2. Expand Runtime Security Policy, expand Machine, and then expand Code Groups.
  3. Right-click All_Code, and then click New.
  4. Select Create a new code group. Give your code group a relevant name, such as the name of the applications share. Click Next.
  5. In the Choose the condition type for this code group list, select URL.
  6. In the URL box, type the path of the share in the following format:
    file:////\\computername\sharename\*
    Note Replace computername with the name of the computer that is hosting the remote share. Replace sharename with the name of the share.
  7. Click Next. On the next page, select Use an existing permission set, and then select FullTrust.
  8. Click Next, and then click Finish.
  9. Restart Microsoft Internet Information Services (IIS) to restart the ASP.NET worker process.
If Microsoft .NET Framework Configuration is not displayed under Administrative Tools, you can install the .NET Framework SDK to add Microsoft .NET Framework Configuration. Alternatively, you can run the following command to make the change:
Drive:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe -m -ag 1 -url "file:////\\computername\sharename\*" FullTrust -exclusive on
Note For more information about what these arguments do, run the following command:
caspol.exe -?
Back to the top

STATUS

This behavior is by design.
Back to the top

MORE INFORMATION

In this configuration, the account under which the ASP.NET worker process runs must have sufficient rights to the remote share. You can set the account under which the worker process runs by using the Processmodel tag in the Machine.config file.
Back to the top

Steps to reproduce the behavior

  1. Create a new virtual directory that points to a remote share.
  2. Create an application for the virtual directory. Make sure that the user who connects to the share has read access to the remote content.
  3. In the Processmodel tag of the Machine.config file, change the user to a domain user who has list, read, and execute permissions on the remote share.
  4. Create an inline .aspx file, and then put the file in the remote share.
  5. Make a request for the page.
Back to the top

REFERENCES

For more information about the permissions that the ASPNET account requires to run ASP.NET applications, click the following article number to view the article in the Microsoft Knowledge Base:
317012  (http://support.microsoft.com/kb/317012/ ) Process and request identity in ASP.NET
For more information about ASP.NET security, click the following article number to view the article in the Microsoft Knowledge Base:
306590  (http://support.microsoft.com/kb/306590/ ) ASP.NET security overview
Back to the top
APPLIES TO
  • Microsoft ASP.NET 1.1
  • Microsoft ASP.NET 1.0
Back to the top
Keywords: 
kbsecurity kbwebserver kbprb KB320268
Back to the top

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations