Article ID: 894903
Article Last Modified on 9/7/2006
APPLIES TO
- Microsoft Windows SharePoint Services
SYMPTOMS
Consider the following scenario. You install Microsoft Windows SharePoint Services on a server. Microsoft Internet Information Services (IIS) 6.0 is configured for use with Microsoft ASP.NET 2.0 on that server. When you connect to the home page of a Windows SharePoint Services Web site, you receive the following error message:
Note that the xxxxx in ASP.NET 2.0.xxxxx.0 indicates the version of ASP.NET 2.0 that you are running.
CAUSE
ASP.NET 2.0 implements a new security change that helps lock down security for a virtual server in IIS 6.0. In earlier versions of ASP.NET, code runs at the trust level that is assigned to it. The trust level is determined by the code access security policy file. The Wss_minimaltrust.config file is an example of a code access security policy file that is specified in the Web.config file.
The new security change in ASP.NET 2.0 restricts the permissions of Web pages, Web parts, and controls to the intersection between the ASP.NET PermissionSet and the trust level at which the code runs. In this configuration, the ASP.NET PermissionSet is a declarative representation of a PermissionSet instance. By default, Windows SharePoint Services gives only minimal privileges to the ASP.NET PermissionSet. The security change that is implemented in ASP.NET 2.0 causes some code to run with reduced privileges. For example, code from assemblies in the global assembly cache previously ran at a full-trust level. When you configure the virtual server in IIS 6.0 to use ASP.NET 2.0, the code runs with the privileges that are assigned to the ASP.NET PermissionSet. The lockdown is incompatible with Windows SharePoint Services. Therefore, the lockdown must be disabled in the Web.config file.
ASP.NET 2.0 also includes a new capability called event validation. Event validation monitors callbacks to the ASP.NET infrastructure to make sure that the source of a callback equals the control target. Some Windows SharePoint Services pages use callbacks that are not associated with a particular control. Callbacks that are not associated with a particular control can cause page execution errors. Therefore, Windows SharePoint Services 2.0 is not compatible with the ASP.NET 2.0 event validation capability. When you configure a Windows SharePoint Services-extended Web application on a server that has ASP.NET 2.0 installed, you must turn off ASP.NET 2.0 event validation.
RESOLUTION
Use the Windows SharePoint Services Stsadm.exe command-line tool to update the settings in the Web.config file. To do this, use the following command:
stsadm -o upgrade -forceupgrade -url http://URLOftheVirtualServer
The command updates the Web.config file that is located in the root folder of the virtual server. For example, the command updates the Web.config file that is located in the Drive:\Inetpub\Wwwroot folder. The upgrade operation makes the following changes:
- The command adds the processRequestInApplicationTrust attribute to the following trust tag:
<trust level="WSS_Minimal" originUrl="" />
After you run the command, the trust tag appears as follows:
<trust level="WSS_Minimal" originUrl="" processRequestInApplicationTrust="false" />
- The command adds the following element under the pages tag:
<namespaces> <remove namespace="System.Web.UI.WebControls.WebParts" /> </namespaces>
- The command adds anenableEventValidation attribute to the <pages> tag, where the original tag is as follows:
<pages enableSessionState="false" enableViewState="true" enableViewStateMac="true" validateRequest="false"> </pages>
After the attribute has been added, the tag is as follows:
<pages enableSessionState="false" enableViewState="true" enableViewStateMac="true" validateRequest="false" enableEventValidation="false"> <namespaces> <remove namespace="System.Web.UI.WebControls.WebParts" /> </namespaces> </pages>
MORE INFORMATION
If you change the version of ASP.NET that the virtual server uses from ASP.NET 2.0 to ASP.NET 1.1, you must use the Stsadm.exe command-line tool to update the settings in the Web.config file. To do this, use the following command:
stsadm -o upgrade -forceupgrade -url http://URLOftheVirtualServer
The command removes the elements that were previously added to the Web.config file. That is, the following changes are made to the Web.config file:
- The command removes the processRequestInApplicationTrust attribute from the following trust tag:
<trust level="WSS_Minimal" originUrl="" processRequestInApplicationTrust="false" />
After you run the command, the trust tag appears as follows:
<trust level="WSS_Minimal" originUrl="" />
- The command removes the following element that is under the pages tag:
<namespaces> <remove namespace="System.Web.UI.WebControls.WebParts" /> </namespaces>
If you do not run the command after you configure the virtual server to use ASP.NET 1.1, you receive the following error message:
Or, if the CustomErrors feature is enabled, you receive the following error message:
REFERENCES
For more information about the Stsadm.exe command-line tool, see the "Command-Line Operations" topic, the "Command-Line Parameters" topic, and the Command-Line-Properties" topic in the "Reference" chapter of the Microsoft Windows SharePoint Services Administrator's Guide. To obtain the Microsoft Windows SharePoint Services Administrator's Guide, visit the following Microsoft Web site:
Additional query words: wss
Keywords: kberrmsg kbtshoot kbprb kbconfig KB894903
