Microsoft KB Archive/320268

= &quot;System.Security.SecurityException: Security error&quot; error message when the virtual directory points to a remote share in ASP.NET =

Article ID: 320268

Article Last Modified on 3/22/2007

-

APPLIES TO


 * Microsoft ASP.NET 1.1
 * Microsoft ASP.NET 1.0

-



This article was previously published under Q320268



SYMPTOMS
When you use a virtual directory that points to a remote share to host a Microsoft ASP.NET-based application, you may receive an error message that is similar to one of the following:

Message 1

Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Security error.

Source Error:

Line 30: private static bool __intialized = false; Line 31: Line 32: public Global_asax { Line 33: if ((ASP.Global_asax.__intialized == false)) { Line 34: ASP.Global_asax.__intialized = true;

Message 2

Server Error in '/ ' Application.

Parser Error Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.

Parser Error Message: Could not load type ' .Global'.

Source Error: Line 1: <%@ Application Codebehind=&quot;Global.asax.cs&quot; Inherits=&quot; .Global&quot; %> Source File:  \global.asax Line: 1



CAUSE
The System.Web namespace does not have the AllowPartiallyTrustedCallersAttribute applied to it. For more information, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn2.microsoft.com/en-us/library/ms994923.aspx

Any code that is not in the My_Computer_Zone code group that does not have this attribute requires the FullTrust user right. Therefore, the remote share that holds the Web applications content requires FullTrust.



RESOLUTION
To resolve this behavior, grant the FullTrust right to the remote share:  On the Web server, open Administrative Tools, and then double-click Microsoft .NET Framework Configuration. Expand Runtime Security Policy, expand Machine, and then expand Code Groups. Right-click All_Code, and then click New. Select Create a new code group. Give your code group a relevant name, such as the name of the applications share. Click Next. In the Choose the condition type for this code group list, select URL. In the URL box, type the path of the share in the following format:

file:////\\ \ \*

Note Replace  with the name of the computer that is hosting the remote share. Replace  with the name of the share.</li> Click Next. On the next page, select Use an existing permission set, and then select FullTrust.

</li> Click Next, and then click Finish.</li> Restart Microsoft Internet Information Services (IIS) to restart the ASP.NET worker process.</li></ol>

If Microsoft .NET Framework Configuration is not displayed under Administrative Tools, you can install the .NET Framework SDK to add Microsoft .NET Framework Configuration. Alternatively, you can run the following command to make the change:

 :\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe -m -ag 1 -url &quot;file:////\\ \ \*&quot; FullTrust -exclusive on

Note For more information about what these arguments do, run the following command:

caspol.exe -?

<div class="status_section">

STATUS
This behavior is by design.

<div class="moreinformation_section">

MORE INFORMATION
In this configuration, the account under which the ASP.NET worker process runs must have sufficient rights to the remote share. You can set the account under which the worker process runs by using the Processmodel tag in the Machine.config file.

Steps to reproduce the behavior

 * 1) Create a new virtual directory that points to a remote share.
 * 2) Create an application for the virtual directory. Make sure that the user who connects to the share has read access to the remote content.
 * 3) In the Processmodel tag of the Machine.config file, change the user to a domain user who has list, read, and execute permissions on the remote share.
 * 4) Create an inline .aspx file, and then put the file in the remote share.
 * 5) Make a request for the page.

<div class="references_section">