System.Security.SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission … failed

This Monday I was trying to deploy an ASP.net website that contained the ASP.net AJAX toolkit inside to a server running Windows 2008 R2 (64 bits) and IIS 7.5. This was the first time that I had attempted to do so on such a server.

The way in which I went about copying the site to the server (which is live on the internet) was the following:

  • I made myself a ZIP file containing all the assemblies of the site which I had precompiled with Visual Studio 2008 beforehand.
  • I placed these files inside my Skydrive and the proceeded to download the on the Windows 2008 R2 server where I wanted to deploy.
  • I unzipped the files and proceeded to place them in the C:\inetpub\wwwroot folder (as it happened I was deploying to the Default Web Site).

Now normally, what we tell our customers is that just doing an X-Copy on an ASP.net application inside IIS will just work – there is nothing else to do. I guess Monday mornings are a bit different. When trying to load the site I immediately had an error message stating that:

 
 Server Error in / Application.
 Security Exception

 Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration
file.

 Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089′ failed.

 

Now there are several ways around this problem, and this problem is NOT only limited to the AJAX Control Toolkit. I ran into the same problem today when deploying an MVC application onto another Windows 2008 R2 server. But I would like to explain a bit the root cause of the problem.

Root Cause:

In my application from Monday morning I had just added a reference to the AjaxControlToolkit.dll that I had downloaded from the Microsoft ASP.net website directly. Visual Studio 2008 copied the .dll into the bin folder of my application following this addition.

However, the file was copied from another machine, and notably from another zone (the Internet Zone). Had I compiled the toolkit in Visual Studio along with my site, the newly generated .dll would have been in the same Zone (the My Computer Zone) as the rest of the .Net assemblies for my site. However this was not the case.

When copying the site to the server, these settings were preserved, and thus the assemblies from my website did not have the same trust level as the AjaxControlToolkit.dll that I had downloaded from the Internet. The Ajax Control Toolkit assembly had fewer privileges than the rest of my assemblies, and thus posed a problem.

In IIS 7.5, the default application pool is no longer Network Service , like in IIS 6 (that came with Windows 2003) and IIS 7 (that comes with Windows 2008), but rather a built in account called ApplicationPoolIdentity. This is even more restrictive than Network Service, in that required trust levels for .Net assemblies to be loaded inside an application pool have to be greater than what was permitted with Network Service.

Solutions:

The easy way out is just to go back to using Network Service as an application pool identity instead of the ApplicationPoolIdentity used by IIS 7.5. However, this undermines the new security enforcements that the IIS team has created, and kind of defeats the purpose of using IIS 7.5 as opposed to IIS 7.

The way to achieve this is to ensure that the assembly in question has the necessary privileges for the .Net Runtime to load inside the application pool when the application is started. To grant the assembly the needed trust level, the simplest way to proceed is to open a Windows Explorer and locate the assembly and then do a right click on the file.

Inside the properties window that appears you should have the same warning as highlighted in the screenshot. The solution to the problem is as simple as clicking on the Unlock button next to the warning message and all will start working as promised.

By Paul Cociuba – ASP.net Dev Support Team

Follow what I read via Linqto.me

Comments

  • Anonymous
    September 07, 2010
    Hi, Thank you for this infomarion. It was really usefull. I was able to resolve the issue i was facing with one of my application. Thank you. With regards, Nitesh

  • Anonymous
    September 10, 2010
    After copying some DLL files from another computer to my computer running Windows 7 and IIS 7 - my app decided not to work. This did the trick. Thank you very much!

  • Anonymous
    September 30, 2010
    The comment has been removed

  • Anonymous
    October 08, 2010
    @Rovastar, Setting you network service is your simplest choice. The other way of getting this to work is to understand the security restrictions related to .Net assemblies. By default, all assemblies you copy off of the Internet code group - which is somewhat limited, and turn out not to be trusted by the AppPoolIdentity. Hence the other way of achieving this is to create a .Net code group of your assemblies (based on a proof like the assembly location). Then you need to grant the needed permissions to the code group, and make sure that the targeted assemblies only inherit the permissions from this code group, and don't combine permissions from other code groups they belong to. You need to have a good understanding of .Net code groups, and this is more complicated. Paul

  • Anonymous
    October 21, 2010
    Thanks very much for this info, it fixed the problem for me. I wish I had discovered it sooner!

  • Anonymous
    May 16, 2011
    Like the others, this issue was causing major frustration, but your solution fixed it....after a restart of IIS and IE Thank you

  • Anonymous
    September 13, 2011
    Thank you, Thank you, Thank you, saved me a lot of pain

  • Anonymous
    October 02, 2011
    Excellent Article!!! This helped me solved my problem and has been written very clear and concisely. One thing to note, once I unblocked my DLLs, I had to stop and restart IIS before it started working for me again. May not be required by everyone but make sure to give that a try if you're still getting the exception.

  • Anonymous
    October 20, 2011
    Thank you very much for the concise and thorough post - I only wish this post came further up in Google results. The resoultion to at least some instances of that message prior to Windows 7 / IIS 7 was very different, and I hadn't encountered the "Unblock" option yet. The solution worked perfectly.

  • Anonymous
    October 24, 2011
    Very usefull information with great explanation. It saved me a lot of time. As many guys, I moved my web site from development Windows 7x64 to Web server and in my case my first page worked ok (no Ajax aplied), but navigate to the other page (page that I have applied Ajax tool kit) failed with security exception. Your explanation gave me a clue. With regards, Brano Brano

  • Anonymous
    April 17, 2012
    It solve my problem. The issue was that when i zip the build and unzip on the production, the permission of its dll got change. I have to unblock it then code start running. Best Regard Abhishek Sengar

  • Anonymous
    June 05, 2012
    hi thanx for this solution

  • Anonymous
    July 10, 2012
    Exactly fixed! Best and great explanation!! Thanks Suriya

  • Anonymous
    July 29, 2012
    Hi Paul, This solution helped me. Thank you! Ken

  • Anonymous
    November 14, 2012
    Have you ever had the situation where the Unblock did not persist? We have an ASP.NET software application that is generally deployed using an msi. We have a customer that needs an update, so we would like to just replace an existing dll in the web site with a new one. I asked him to try the suggestion above and his response was: I went to the properties, clicked on the Unblock button, clicked on the Apply button, clicked on OK and still got the Security error. I then executed the iisreset just for good measure and tried again. Still getting the Security error. It changes when I click the Unblock but when I go back in it still has the same message, the Unblock did not persist

  • Anonymous
    October 31, 2013
    Thank you very much for this post. it helped me.

  • Anonymous
    December 23, 2013
    You saved my week. Nice article. Your the best

  • Anonymous
    January 03, 2014
    Unfortunately, neither fix worked for me. although My situation is a little different. my ASPX and toolkit dll are on a remote share(the IIS 7.5 server) and I get the security exception when I debug an ajax page from my local machine(not the server). I also already set the caspol in framework and framework64 to full trust.

  • Anonymous
    April 15, 2014
    Any idea how to find out which DLL is blocked? I have 300...

  • Anonymous
    June 16, 2016
    Hi,Thank you very much for your detailed information and which helped us to solve the issueRegardsSiva

  • Anonymous
    November 10, 2016
    Excellent - this resolved our issue also!

    • Anonymous
      January 03, 2017
      Happy to be of service.
  • Anonymous
    March 06, 2017
    Exactly my problem! Thank you very much!

    • Anonymous
      May 04, 2017
      Happy to help on this one.