How to configure CAS policy to run application from anywhere within Intranet Zone

Article ID: 948034 - View products that this article applies to.
Expand all | Collapse all
Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Action

This article applies to an application that is deployed over the intranet.  The application may need multiple locations in the intranet from where to run (the dependent assemblies are stored at different locations) or sometimes the entire application is at one location (all the dependencies in the same folder) or the network location from where they load the assembly keeps on changing.

In such scenarios it is very difficult to configure 'Code Access Security' to selectively give FullTrust to particular locations. Also, reconfiguring CAS can become cumbersome as it has to be done on all machines over the network from where it's intended to run the application.

Result

Even when Code Access Security is configured to give fulltrust to selected locations, small changes in the locations can causing System.Security.SecurityException to be thrown when running the remotely deployed application.

Cause

By default .NET Code Acess Security provides 'LocalIntranet Permission Group' to the applications running from within the 'Intranet Zone'. Many times, the applications or their dependent assembly need higher previleges than they get from within 'LocalIntranet Permission Group'.

Whenever such a code is executed from intranet location that needs higher previleges provided by default by 'Local Intranet Permissions', the application throws SecurityException.

Resolution



Configuring FullTrust for all the applications running from within Intranet Zone:



1.     Give FullTrust to the 'IntranetZone' under Machine level security configuration:





1.      If you are using .Net configuration wizard MMC available in Control Panel - Administrative Tools, then you can go to '.Net framework configuration' - My Computer - Runtime Security Policy - Machine - Code Groups - LocalIntranet_Zone. In right pane click on 'Edit Code Group Properties'. In the Property Page go to 'Permission Set' and select FullTrust under 'Permission Set' drop down.





2.      If you do not have the .Net configuration wizard MMC, they open command prompt, go to c:\WINDOWS\Microsoft.NET\Framework\v<Version>\ Directory and run following command:





Caspol -m -addgroup 1.2 -url "file:///\\computername\share\*" FullTrust –n test







 




2.      Add code group within ‘Intranet Zone’ under ‘Machine’ security configuration to give full trust to a particular public key and sign all your assemblies with the given public key.





Caspol -m -addgroup 1.2 –strong -file "< as designated by the file name, the assembly name as a string, and the assembly version in the format major.minor.build.revision>" FullTrust –n test





For example





Caspol -m -addgroup 1.2 –strong -file myAssembly.exe myAssembly 1.2.3.4 FullTrust –n test





More Information

DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.

Properties

Article ID: 948034 - Last Review: January 22, 2008 - Revision: 1.1
APPLIES TO
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.0 Service Pack 3
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 2.0
  • Microsoft .NET Framework 2.0 IA64 Edition
  • Microsoft .NET Framework 2.0 x64 Edition
  • Microsoft .NET Framework 3.0
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 1.1
Keywords: 
kbnomt kbrapidpub KB948034

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com