Using Caspol.exe to grant .NET applications rights to a remote network share


When you host a .NET application on a remote network share, you may receive a System.SecurityException exception error message or a security warning message.

The Code Access Security Policy tool (CASPOL) enables administrators to modify security policy for the machine policy level, the user policy level, and the enterprise policy level.

Caspol is used to fully trust a remote share, since by default network shares only get LocalIntranet permissions.

The solution for the System.SecurityException exception error message is to use caspol to grant a .NET application the FullTrust right to a network share. To do this:

1. Launch a command prompt with administrative credentials

2. Change to the C:\Windows\Microsoft.NET\Framework\v2.0.50727 directory.

3. Run the following command:

caspol -m -ag 1 -url “file://\\server\share\*” FullTrust -exclusive on

Replace \\server\share\ with the path to your .NET application located on the remote network share.

Running the above command allowed me to resolve the following IIS 7.0 error:

SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089′ failed

By the way, .NET Framework 3.5 SP1 allows managed code to be launched from a network share.

References:

http://support.microsoft.com/?id=320268

http://blogs.msdn.com/shawnfa/archive/2004/12/30/344554.aspx

http://books.google.com/books?id=VJOtwMawoswC&pg=PA576&lpg=PA576&dq=iis+7.0+caspol.exe&source=bl&ots=W88GOo1Cfp&sig=U8sBtcNzbaSgPTghAp519S9O3sM&hl=en&ei=o1zSSeafEobmnQfHrbzlBQ&sa=X&oi=book_result&resnum=1&ct=result

http://www.iislogs.com/articles/23/

http://support.microsoft.com/kb/837909

http://www.sharepointblogs.com/ssa/archive/2007/09/06/using-caspol-exe-to-add-assemblies-to-full-trust-assembly-list.aspx

http://www.dotnetjunkies.ddj.com/quickstart/howto/doc/security/SecScripting.aspx

Howto: Export IIS 7.0 web server configuration


To export a backup copy of your IIS 7.0 configuration on a Windows 2008 Server:

Open Server Manager

Expand Roles – Web Server (IIS) – Internet Information Services (IIS) Manager

Highlight the web server name

From the Management category, double click Shared Configuration

Under Actions, select Export Configuration. Accept or change the default export path of C:\Windows\system32\inetsrv\config\export

Click the Connect As button, and enter administrative credentials. If the server is a domain member, you may need to enter your credentials in the format domain\username or username@domain.com

Enter the encryption keys password twice and press OK

You should now have three files in the C:\Windows\system32\inetsrv\config\export directory: administration.config, applicationHost.config, and configEncKey.key. Save the files in a safe place.

Follow

Get every new post delivered to your Inbox.

Join 32 other followers