
Running in Medium Trust

Jul 12, 2009 at 11:55 AM

Ok, I have the application running as an asp.net 3.5 application inside my parent website on an IIS7/Vista test machine and it's all good.

To do this I had to:

  • Integrate the membership/roles/profile provider as per the documentation
  • Point TicketDesk at a new SQL database I created for the tickets.

My problem is, when I deploy this to live, which is to say I leave the membership database where it is and also the Ticket Desk database, I just put TicketDesk onto my live IIS install. I should say that I'm running this on Mosso, a Medium Trust clustered provider. The Elmah stuff must be writing to the DB because I can access that from my test machine IIS install of TicketDesk (!), which gives me the (bowdlerized) trace below.

Anyway, looks like I have a Medium Trust issue to work around here which is an IIS problem not a TicketDesk one particularly, but has anyone done this already? For sure TicketDesk can't need to do anything which requires higher trust, so it's just a question of finding which setting to change in the web.config.


Phil


System.Security.SecurityException: Request for ConfigurationPermission failed while attempting to access configuration section 'system.web/authentication'. To allow all callers to access the data for this section, set section attribute 'requirePermission' equal 'false' in the configuration file where this section is declared. ---> System.Security.SecurityException: Request for the permission of type 'System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' failed.
at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.Configuration.BaseConfigurationRecord.CheckPermissionAllowed(String configKey, Boolean requirePermission, Boolean isTrustedWithoutAptca)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Configuration.ConfigurationPermission
The first permission that failed was:
<IPermission
version="1"
Unrestricted="true"/>

The demand was for:
<IPermission
version="1"
Unrestricted="true"/>

The granted set of the failing assembly was:
<PermissionSet
version="1">
<IPermission
version="1"
Read="TEMP;TMP;USERNAME;OS;COMPUTERNAME"/>
<IPermission
version="1"

[...]

The assembly or AppDomain that failed was:
TicketDesk, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
The method that caused the failure was:
Void Page_Load(System.Object, System.EventArgs)
The Zone of the assembly that failed was:
Intranet
The Url of the assembly that failed was:
[...]
--- End of inner exception stack trace ---
at System.Configuration.BaseConfigurationRecord.CheckPermissionAllowed(String configKey, Boolean requirePermission, Boolean isTrustedWithoutAptca)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSection(String configKey, Boolean getLkg, Boolean checkPermission)
at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)
at System.Web.HttpContext.GetSection(String sectionName)
at System.Web.Configuration.HttpConfigurationSystem.GetSection(String sectionName)
at System.Web.Configuration.HttpConfigurationSystem.System.Configuration.Internal.IInternalConfigSystem.GetSection(String configKey)
at System.Configuration.ConfigurationManager.GetSection(String sectionName)
at TicketDesk.TicketDeskMain.Page_Load(Object sender, EventArgs e) in C:\Users\stephenr\Desktop\TicketDesk\TicketDesk\TicketDeskMain.Master.cs:line 28
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.ticketcenter2_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ticketdesk\0363c5c6\562a8f59\App_Web_aa7jzk41.1.cs:line 0
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
The Zone of the assembly that failed was:
MyComputer


Jul 13, 2009 at 8:01 AM

Well I'm learning more than I'd like about asp.net I guess. I chased this down some more.

I looked at all the stuff in the web.config, and stripped out everything I don't need, specifically all that which references stuff I already have in the "parent" website (remember I'm running this as a web application within the parent web site). Then I tested it again on my test IIS7 machine, no problems there.
I loaded it onto the live (Medium Trust) site, and it barfs on:

file://**/web/content/TicketDesk/bin/TicketDesk.DLL
--- End of inner exception stack trace ---
at System.Configuration.BaseConfigurationRecord.CheckPermissionAllowed(String configKey, Boolean requirePermission, Boolean isTrustedWithoutAptca)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSection(String configKey, Boolean getLkg, Boolean checkPermission)
at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)

So that's the compiled DLL trying to pull some configuration data. I only have Visual Web Express so I can't muck with the source release (when I try, it barfs on me), so I'm not sure what this is.

On another tack I tried another approach... this was built with the old Ajax Control toolkit, the one with lots of separate files. So I took that lot out, because my site already has the up to date (single DLL) version of the toolkit in it. Then I get a version clash on the AjaxControlToolkit, which I think means that the TicketDesk.DLL was built with the old version, which of course makes sense.

So... not sure what to try next. I think I will have to try to make the source code version work on my Visual Web Developer Express, so I can rebuild it with the latest asp.net/ AjaxToolkit, and then perhaps find out what's trying to read what configuration in the crash above. I know I can force "medium trust" on my test machine, which kind of helps, although I need your ELMAH for the stack dumps, because the built-in yellow screens are rather less informative for security/ trust errors.
Coordinator
Jul 13, 2009 at 7:34 PM

The problem is that your application doesn't have permissions to read the "system.web/authentication" part of web.config.

TicketDesk reads this configuration setting to determine if the app is running in an AD environment or not.

There are a couple of options.

  • You may simply be able to tell the application to run in full trust mode by explicitly declaring it in web.config. See this article at CodeBetter for more info. This assumes your host did not explicitly disallow overrides too, which they may have.
     
  • You can customize the code so it doesn't need to check this setting, but you'll have to make the change in several places.

    All of those places have this line of code:

    AuthenticationSection authenticationSection = (AuthenticationSection)ConfigurationManager.GetSection("system.web/authentication");
    That line is also the one throwing the error. In the same block, there is usually a simple if or switch statement that checks properties of the authenticationSection. You can hard-code the if statement depending on what your environment uses then just remove the offending line. Just remember, you have to make that change in several places (search the text for "system.web/authentication" to find them all)
     
  • Move to a less restrictive host that will allow you to use full trust, or negotiate with your host to setup a specific exception in your case.

I've been pretty unhappy with this technique overall, and your issue adds just one more reason to dislike it. In the next version of TicketDesk I will likely change this mechanism so it doesn't have to read directly from config. The problem is, the only other technique I've found to detect what kind of security the app is using at runtime doesn't work outside of a user initiated request.... which means the notification system (which runs on timers) can't use them. I'll have to make my own work around.
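The coordinator's second option above, worked through as an added example (this is not TicketDesk's own code): instead of repeating the `ConfigurationManager.GetSection("system.web/authentication")` line in several places and hard-coding each `if`, the read is moved into one helper that can be overridden through an appSettings key and that turns the raw ConfigurationPermission failure into an actionable error. The class name, namespace and the `TicketDesk.AuthMode` key are assumptions made for the example; they do not exist in the project.

```csharp
using System;
using System.Configuration;
using System.Security;
using System.Web.Configuration;

namespace TicketDesk.Example // hypothetical namespace for this added example
{
    /// <summary>
    /// Single replacement for the repeated
    /// ConfigurationManager.GetSection("system.web/authentication") calls.
    /// Added example; not part of TicketDesk.
    /// </summary>
    public static class AuthModeDetector
    {
        // Hypothetical appSettings key, not a real TicketDesk setting. Example:
        //   <appSettings><add key="TicketDesk.AuthMode" value="Forms" /></appSettings>
        private const string OverrideKey = "TicketDesk.AuthMode";

        private static readonly object SyncRoot = new object();
        private static AuthenticationMode? cachedMode;

        /// <summary>Authentication mode the application should assume.</summary>
        public static AuthenticationMode Detect()
        {
            lock (SyncRoot)
            {
                if (cachedMode.HasValue)
                {
                    return cachedMode.Value;
                }
                // Explicit override wins; otherwise fall back to the config section.
                cachedMode = ReadOverride() ?? ReadAuthenticationSection();
                return cachedMode.Value;
            }
        }

        /// <summary>True when the app should take its Windows/AD code paths.</summary>
        public static bool IsWindowsAuthentication
        {
            get { return Detect() == AuthenticationMode.Windows; }
        }

        // appSettings is declared in machine.config with requirePermission="false",
        // so this read does not demand ConfigurationPermission under Medium Trust.
        private static AuthenticationMode? ReadOverride()
        {
            string value = ConfigurationManager.AppSettings[OverrideKey];
            if (string.IsNullOrEmpty(value))
            {
                return null;
            }
            try
            {
                return (AuthenticationMode)Enum.Parse(typeof(AuthenticationMode), value.Trim(), true);
            }
            catch (ArgumentException ex)
            {
                // An unrecognised mode is a deployment error; refuse to guess.
                throw new ConfigurationErrorsException(
                    "appSettings/" + OverrideKey + " must be one of: " +
                    string.Join(", ", Enum.GetNames(typeof(AuthenticationMode))), ex);
            }
        }

        // The original call. Fine in Full Trust; under Medium Trust the
        // ConfigurationPermission demand fails with the SecurityException shown above.
        private static AuthenticationMode ReadAuthenticationSection()
        {
            try
            {
                var section = (AuthenticationSection)ConfigurationManager.GetSection("system.web/authentication");
                return section == null ? AuthenticationMode.None : section.Mode;
            }
            catch (SecurityException ex)
            {
                // Surface a message that names the fix instead of the raw permission demand.
                throw new ConfigurationErrorsException(
                    "Cannot read system.web/authentication under the current trust level. " +
                    "Set appSettings/" + OverrideKey + " (Forms or Windows) so the check " +
                    "does not need ConfigurationPermission.", ex);
            }
        }
    }
}
```

Each place that currently has the `AuthenticationSection` line would call `AuthModeDetector.IsWindowsAuthentication` instead. The appSettings read works in Medium Trust because machine.config declares that section with `requirePermission="false"`, the same attribute the exception text on this page refers to; `system.web/authentication` is not declared that way, so reading it demands ConfigurationPermission, which the Medium Trust policy does not grant. To reproduce the failure on a test box before deploying, put `<trust level="Medium" />` under `<system.web>` in web.config. The helper is also usable from the timer-driven notification code, since it never touches `HttpContext`.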


Jul 13, 2009 at 7:45 PM

Thanks... yes, I sussed that out and simply commented out all the bits where it tests the auth mode - I'm using forms, so I don't need the flexibility, and as you point out it's excluded by Medium Trust.

Mosso/Rackspace use Medium Trust deliberately; ya can't switch it up that easily I'm afraid.

Then it barfs on notificationService lines 356, 357... the generation of a second context for Elmah I think. I commented that out too. So that works with trust set to medium on my IIS7 test machine, and also on Mosso.

I think you'll find more hosters go Medium Trust in future - it's a pain, but only with third-party software I've found. I've only done forms auth so I don't know a smart way to tell which you're using other than the obvious.

It was somewhat more complicated than that:

  • I had to hack out the old AjaxToolkit (which doesn't run on Medium...) and replace with the latest version. Also Elmah, although I'm not sure that was actually broken.
  • I hacked pretty much everything out of the web.config (I'm running in an application so I don't need it)
  • Got the authentication sections as above, thanks to Elmah because the yellow screens don't show it.
  • Commented out that "mock" context stuff.

Now it runs, although it's extremely slow. I will muck about with it a bit more, as I'm not sure what the slowness is and it may be easy to fix. It's not slow HTTP - either it's SQL or there's something in here with a delay in it.


thanks