Article ID: 910449 - View products that this article applies to.
ASP.NET Support Voice column
Troubleshooting common permissions and security-related issues in Microsoft ASP.NETTo customize this column to your needs, we want to invite you to submit your ideas about topics that interest you and issues that you want to see addressed in future Knowledge Base articles and Support Voice columns. You can submit your ideas and feedback using the Ask For It
(http://support.microsoft.com/common/survey.aspx?scid=sw;en;1176&p0=&p1=&p2=&p3=&p4=)form. There's also a link to the form at the bottom of this column.
Hello, this is Vignesh A.G from the ASP.NET team. Welcome to the ASP.NET Support Voice column! I have been a Developer Support Engineer for over two years now at Microsoft, and I have spent my time focusing on ASP.NET and Microsoft Internet Information Services (IIS).
The focus of this column will not be to explain ASP.NET security, but to outline a few troubleshooting techniques and tips that will help you isolate and resolve some of the common permissions and security scenarios that we see here at PSS. Permissions and security-related issues in ASP.NET are very well documented. In fact, there will be a good number of people who might have run into the same issue prior to you. So, the intent is for this column to be a good place to find relevant and exhaustive information on ASP.NET security. There is no better feeling than fixing the issue yourself.
Useful toolsBefore you attempt to fix anything that is broken, you need to familiarize yourself with a few tools which will help you narrow down the issue. In our case, we would be interested in tools like FileMon, RegMon, and Security Auditing. For more information about FileMon, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspxFor more information about RegMon, visit the following Microsoft Web site:
Drill down to isolate the problem
What is the exact error message?The first question we ask customers is, "What is the exact error message?" If you have a clear description of the error message thrown by the Microsoft .NET Framework, you can skip this section. If your application masks the actual error message and gives you a friendly error message instead, such as, "An unexpected error has occurred. Please contact the website administrator for details," it's not of much use to anyone. Here are a few steps which will help you get the actual error message.
Once you get the actual error message, read it to determine if the error is caused by missing permissions on a local resource or on a remote resource that your ASP.NET application is trying to access.
Tip You can contact your developer to find out how to see the actual error message. It's possible that your developer may be logging it to a file or getting e-mail notifications. Always remember to make a backup of any file that you are going to change. With a backup available, you can always roll back any changes.
Issue occurs because of missing permissions on a local resource that the ASP.NET application tries to accessIf you are unable to get a clear description of the problem because of a custom error message, run FileMon and reproduce the problem. Stop and save the capture as FileMon.xls and open the file in Microsoft Excel. On the Data menu, click Filter, and then click AutoFilter to use the filtering capabilities of Excel. Now select the drop-down list in column F and look for "ACCESS DENIED" errors.
A sample FileMon output is shown below.
As you can see from the filtered results, we have narrowed down the cause of the problem. FileMon shows that the NT AUTHORITY\NETWORK SERVICE account is missing NTFS permissions on the C:\Winnt\Microsoft.net\Framework\v1.1.4322\Temporary ASP.NET Files folder. This should be straight forward to fix. For more information about using FileMon to troubleshoot ASP.NET, click the following article number to view the article in the Microsoft Knowledge Base:
10381 1:01:11 PM w3wp.exe:2320 OPEN C:\winnt\microsoft.net\framework\v1.1.4322\Temporary ASP.NET Files\sessiontest\8832e585\275ec327\global.asax.xml ACCESS DENIED NT AUTHORITY\NETWORK SERVICE
890960Tip A good step would be to change the ASP.NET process account to an Admin account to see if it fixes the problem. In IIS 5.x you would change the userName to "SYSTEM" in the process model section of the machine.config file and in IIS 6.0 you would change the IIS AppPool identity to "Local System" to see if the application works.
(http://support.microsoft.com/kb/890960/ )Troubleshooting ASP.NET using FileMon
Note This should not be used as a solution, but only as a troubleshooting step.
Most people would tend to reinstall the Microsoft .NET Framework or even go to the extent of reinstalling the operating system. This is not a recommended troubleshooting step and does not guarantee that the issue will not reoccur. I will provide one such example. Intermittent issues are often hard to isolate and troubleshoot. In this scenario the customer's application would work fine for a few hours, and then all of a sudden it would fail with the error below. The customer had already tried reinstalling the .NET Framework as well as the operating system. This seemed to fix the problem for a few days, but then it reappeared.
Collapse this imageExpand this image
Running FileMon did not show any ACCESS DENIED errors. All the necessary permissions for the ASPNET account were in place. The only way to recover from the problem is to reboot the box. Even an IIS reset would not help. You are thinking "Ah, Microsoft Software always needs a reboot to recover?" Well, you are wrong!
The key here is to look closely at the error message. The error clearly says "cannot open a file for writing," and not the usual ACCESS DENIED error, so I am thinking that it's some other process that is holding a lock on a file or folder and not allowing ASP.NET to write to it. It makes sense that a reboot was killing the other process and the ASP.NET application starts working again until the rogue process locks the file again. The logical thing to do would be to turn off all antivirus programs, third-party spyware, or any other file monitoring software that runs on the server. I do not want to point out any specific third-party software. But, in general, antivirus software is known to cause a lot of grief for IIS and ASP.NET applications. Another known issue caused by antivirus software is session loss due to AppDomain recycles when the Bin folder or the .config files are touched.
Tip The easiest way to turn off third-party services is to:
Note If the same error is reproducible 100 percent of the time, your antivirus software may not be the cause. There can be other causes for this error. Try creating a simple ASP.NET test application to isolate whether the same error occurs for a Test.aspx page. If it does, then verify that the required Access Control Lists (ACLs) are all in place for ASP.NET.
See ASP.NET Required Access Control Lists (ACLs): http://msdn2.microsoft.com/en-us/library/kwzs111e.aspx
Tip The %SystemRoot%\Assembly folder is the global assembly cache. You cannot directly use Windows Explorer to edit ACLs for this folder. Instead, use a command prompt and run the following command:
cacls %windir%\assembly /e /t /p domain\useraccount:rAlternatively, prior to using Windows Explorer, unregister Shfusion.dll with the following command to give permissions via the GUI:
C:\WINDOWS\Microsoft.NET\Framework\VersionNumber>regsvr32–u shfusion.dllAfter setting permissions with Windows Explorer, re-register Shfusion.dll with the following command:
Issue occurs because of missing permissions on a remote resource that the ASP.NET application is trying to accessWhen your ASP.NET application is accessing a remote resource like Microsoft SQL Server or a Universal Naming Convention (UNC) share, there are many things that can go wrong. Also, many things may be incorrectly set up on the remote resource. You'll need to troubleshoot those issues in order to get the resource working. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
891031Your first step would be to see if you can connect to the remote server through Windows Explorer.
(http://support.microsoft.com/kb/891031/ )Common security issues when you access remote resources from ASP.NET applications
(http://support.microsoft.com/kb/907272/ )Kerberos authentication and troubleshooting delegation issues
326985For more information on IIS authentication methods, see the following Microsoft Developer Network (MSDN) Web site:
(http://support.microsoft.com/kb/326985/ )How to troubleshoot Kerberos-related issues in IIS
Tip If you can connect to the remote UNC share but you can not connect to the remote server that is running SQL Server from the ASP.NET application, then you might have to check or set the Service Principal Names (SPNs) for SQL Server. Try enabling only Basic Authentication for your application in IIS and see if you are able to connect to the remote server that is running SQL Server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/319723/ )How to use Kerberos authentication in SQL Server
316989Tip It's never recommended to use mapped drives to connect to a remote resource because drive mappings are an extension of the net use command and are created on a per-user basis. The preferred method of accessing content for the Web server that exists on a remote computer is to use shares that follow the UNC. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/316989/ )Error message when you create a trusted data connection from ASP.NET to SQL Server: "Login failed for user: 'AccountName'"
(http://support.microsoft.com/kb/257174/ )Using mapped drives with IIS
Code Access Security (CAS) related issueError messages in ASP.NET are detailed and, more often than not, tell you exactly what the problem is. In some cases, FileMon or RegMon may not capture anything useful. Let's take a look at one such scenario.
ScenarioWhile trying to browse an ASP.NET application, it fails with a generic error such as the following infamous error:
The event log shows:
Collapse this imageExpand this image
When an ASP.NET application domain is created, ASP.NET reads the value specified for the level attribute of the trust configuration element, creates an instance of the AspNetHostingPermission class with the specified Level attribute, and then adds the class to the permission set for the application domain. You will see the above error if the trust levels are incorrectly configured or modified. For more information, see "ASP.NET Trust Levels and Policy Files" at the following MSDN Web site:
Event Type: Error
Event Source: ASP.NET 1.1.4322.0
Event Category: None
Event ID: 1088
Time: 10:54:04 PM
Failed to execute request because the App-Domain could not be created. Error: 0x8013150a
http://msdn2.microsoft.com/en-us/library/wyts434y.aspxTo resolve this issue, you can try this Tip in the "Issue occurs because of missing permissions on a local resource that the ASP.NET application tries to access" section, but do not get disheartened if the application does not work with an Administrator or SYSTEM account. You need to check to see if the issue can be caused by Code Access Security. This can easily be done by turning off Code Access Security using the Caspol.exe utility.
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322>caspol -s offOnce you have runcaspol –s off, reset IIS and try to browse the application. If this step works, you then need to check the permission set for the code groups. You can access the code groups in the Microsoft .NET Framework VersionNumber Configuration tool that is found in Administrative Tools.
Microsoft (R) .NET Framework CasPol 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.
In this scenario, the Permission Set for the My_Computer_Zone code group was set to Nothing. Changing it to Full Trust resolved the issue
Note To access the My_Computer_Zone code group, follow these steps:
For more information, see ASP.NET Code Access Security: http://msdn2.microsoft.com/en-us/library/87x8e4d1.aspx
There are numerous other causes for the "Server Application Unavailable" error message. The event log is your best bet to get more details on the cause of your issue.
IIS-related errorsThe IIS logs are very useful in cases of IIS authentication-related errors. A common scenario is when the user would typically see the following:
What you need to look for is the status and sub status codes for this particular error.
Collapse this imageExpand this image
We see a 401 with the sub-status 3, which indicates "Unauthorized due to ACL on resource."
2006-10-12 22:47:28 W3SVC1 220.127.116.11 GET /MyAPP/login.aspx - 80 MyDomain\UserID_91 18.104.22.168 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 3 5
This indicates missing NTFS permissions on a file or folder. This error may occur even if the permissions are correct for the file that you are trying to access, but the default permissions and user rights may be missing on other SYSTEM and IIS folders. For example, you may see this error if the IUSR_ComputerName account does not have access to the C:\Winnt\System32\Inetsrv directory. For more information about IIS status codes, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/318380/ )Description of Microsoft Internet Information Services (IIS) 5.0 and 6.0 status codes
(http://support.microsoft.com/kb/812614/ )Default permissions and user rights for IIS 6.0
271071Tip Click Start, click Run, and then type logfiles to open the folder that contains the IIS logs. Alternatively, on the properties page for your Website in IIS, click the WebSiteName tab, and under Active log format, click Properties to see the Log file directory and name.
(http://support.microsoft.com/kb/271071/ )How to set required NTFS permissions and user rights for an IIS 5.0 Web server
The other thing of interest here is the status code 5. You can use the net helpmsg command to get more info on this status code:
C:\Documents and Settings\User>net helpmsg 5
Let's try another common status code, code 50:
Access is denied.
C:\Documents and Settings\User>net helpmsg 50For more information about how to disable friendly HTTP error messages, click the following article number to view the article in the Microsoft Knowledge Base:
Tip Whenever you get another generic infamous "500 Internal Server Error" message, then it's a good idea to disable friendly HTTP error messages, so that you receive a detailed description of the error. Don't forget to look in the event viewer as it may also contain more information.
The request is not supported.
294807The idea is to use all the logged information available to get maximum details on the problem at hand.
(http://support.microsoft.com/kb/294807/ )Turn off the Internet Explorer 5.x and 6.x "show friendly HTTP error messages" feature on the server side
ResourcesFor more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/306590/ )ASP.NET security overview
(http://support.microsoft.com/kb/317012/ )Process and request identity in ASP.NET
How to create a service account for an ASP.NET 2.0 applicationI hope that these simple techniques are useful in helping you resolve security and permissions related problems. Remember, the Support Voice columns are for you! As always, feel free to use the Ask For It
ASP.NET identity matrix
Previous ASP.NET Support Voice columns
(http://support.microsoft.com/common/survey.aspx?scid=sw;en;1176&p0=&p1=&p2=&p3=&p4=)form to submit ideas on topics that you want to see addressed in future columns or in the Knowledge Base.