Run ado.net application from network share requires FullTrust permission set?

TheMSsForum.com: The Microsoft Software Forum

This is a multi-part message in MIME format.

------=_NextPart_000_0008_01C462E0.D5FA17F0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Is there any way to get an assembly to run from a network share with =
less than FullTrust permission set? I've tried adding SQL Client =
permission to the permission set that's assigned to the LocalIntranet =
but that I still get a SecurityException thrown for SqlClientPermission.

Here's the error:
An unhandled exception of type 'System.Security.SecurityException' =
occurred in system.data.dll
Additional information: Request for the permission of type =
System.Data.SqlClient.SqlClientPermission, System.Data, =
Version=3D1.0.5000.0, Culture=3Dneutral, =
PublicKeyToken=3Db77a5c561934e089 failed.

I've also tried signing the assembly and granting it LocalIntranet + SQL =
Client, Everything or FullTrust permissions. The only way it will run =
correctly is if I give it the FullTrust permission set. Is it possible =
to run an ado.net application without assigning the FullTrust permission =
set?




------=_NextPart_000_0008_01C462E0.D5FA17F0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.3790.118" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#d8d0c8 background=3D"">
<DIV><FONT face=3DArial size=3D2>Is there any way to get an assembly to =
run from a=20
network share with less than FullTrust permission set?&nbsp; I've tried =
adding=20
SQL Client permission to the permission set that's assigned to the =
LocalIntranet=20
but that I still get a SecurityException thrown for=20
SqlClientPermission.<BR><BR>Here's the error:<BR>An unhandled exception =
of type=20
'System.Security.SecurityException' occurred in =
system.data.dll<BR>Additional=20
information: Request for the permission of type=20
System.Data.SqlClient.SqlClientPermission, System.Data, =
Version=3D1.0.5000.0,=20
Culture=3Dneutral, PublicKeyToken=3Db77a5c561934e089 failed.<BR><BR>I've =
also tried=20
signing the assembly and granting it LocalIntranet + SQL Client, =
Everything or=20
FullTrust permissions.&nbsp; The only way it will run correctly is if I =
give it=20
the FullTrust permission set.&nbsp; Is it possible to run an ado.net =
application=20
without assigning the FullTrust permission set?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_0008_01C462E0.D5FA17F0--
Top

Re: Run ado.net application from network share requires FullTrust permission set? by Nicole

Nicole
Tue Jul 06 06:55:38 CDT 2004

In version 1.0 of the .NET Framework, the SqlClient provider did not permit
partially trusted callers (see, for example,
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconcodeaccesssecurityadonet.asp).
This is no longer the case in version 1.1 of the .NET Framework. Unless
you're willing to either run your application as a fully trusted assembly or
create and distribute a fully trusted intermediate proxy, upgrading to 1.1
might be your best bet.


"Jahyen" <jahyen@replacethispartwiththemicrosoftnetwork.com> wrote in
message news:uhTgDuxYEHA.2736@TK2MSFTNGP10.phx.gbl...
Is there any way to get an assembly to run from a network share with less
than FullTrust permission set? I've tried adding SQL Client permission to
the permission set that's assigned to the LocalIntranet but that I still get
a SecurityException thrown for SqlClientPermission.

Here's the error:
An unhandled exception of type 'System.Security.SecurityException' occurred
in system.data.dll
Additional information: Request for the permission of type
System.Data.SqlClient.SqlClientPermission, System.Data, Version=1.0.5000.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

I've also tried signing the assembly and granting it LocalIntranet + SQL
Client, Everything or FullTrust permissions. The only way it will run
correctly is if I give it the FullTrust permission set. Is it possible to
run an ado.net application without assigning the FullTrust permission set?





Top

Re: Run ado.net application from network share requires FullTrust permission set? by Jahyen

Jahyen
Tue Jul 06 17:16:43 CDT 2004

I thought I was running version 1.1 -- All the dependent framework dlls
(including system.data.dll) are 1.0.5000.0.
Is there something else that I ought to be checking?

thanks!

"Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
news:#veXuA1YEHA.2972@tk2msftngp13.phx.gbl...
> In version 1.0 of the .NET Framework, the SqlClient provider did not
permit
> partially trusted callers (see, for example,
>
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconcodeaccesssecurityadonet.asp).
> This is no longer the case in version 1.1 of the .NET Framework. Unless
> you're willing to either run your application as a fully trusted assembly
or
> create and distribute a fully trusted intermediate proxy, upgrading to 1.1
> might be your best bet.
>
>
> "Jahyen" <jahyen@replacethispartwiththemicrosoftnetwork.com> wrote in
> message news:uhTgDuxYEHA.2736@TK2MSFTNGP10.phx.gbl...
> Is there any way to get an assembly to run from a network share with less
> than FullTrust permission set? I've tried adding SQL Client permission to
> the permission set that's assigned to the LocalIntranet but that I still
get
> a SecurityException thrown for SqlClientPermission.
>
> Here's the error:
> An unhandled exception of type 'System.Security.SecurityException'
occurred
> in system.data.dll
> Additional information: Request for the permission of type
> System.Data.SqlClient.SqlClientPermission, System.Data,
Version=1.0.5000.0,
> Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
>
> I've also tried signing the assembly and granting it LocalIntranet + SQL
> Client, Everything or FullTrust permissions. The only way it will run
> correctly is if I give it the FullTrust permission set. Is it possible to
> run an ado.net application without assigning the FullTrust permission set?
>
>
>
>
>


Top

Re: Run ado.net application from network share requires FullTrust permission set? by Nicole

Nicole
Wed Jul 07 08:42:42 CDT 2004

Sorry, I didn't read your original post carefully enough. The problem is
not that your assembly requires full trust. It needs an appropriate
SqlClientPermission, and it looks like the problem lies with how you are
attempting to set the policy to allow this permission to be granted. Try
these steps:

1. Revert your policy settings back to their previous settings.
2. At the machine policy level...
a. Create a new permission set that grants an appropriate
SqlClientPermission.
b. Under the LocalIntranet_Zone code group, create a new child group
that uses your strong name for its membership condition.
c. Use the permission set created in step 2.a for the new code group.

With the above setup, your assembly should be granted the
SqlClientPermission if it meets the criteria for both the intranet zone and
the targeted strong name.

HTH,
Nicole



"Jahyen" <jahyen@replacethispartwiththemicrosoftnetwork.com> wrote in
message news:ekDBsb6YEHA.1356@TK2MSFTNGP09.phx.gbl...
>I thought I was running version 1.1 -- All the dependent framework dlls
> (including system.data.dll) are 1.0.5000.0.
> Is there something else that I ought to be checking?
>
> thanks!
>
> "Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
> news:#veXuA1YEHA.2972@tk2msftngp13.phx.gbl...
>> In version 1.0 of the .NET Framework, the SqlClient provider did not
> permit
>> partially trusted callers (see, for example,
>>
> http://msdn.microsoft.com/library/en-us/cpguide/html/cpconcodeaccesssecurityadonet.asp).
>> This is no longer the case in version 1.1 of the .NET Framework. Unless
>> you're willing to either run your application as a fully trusted assembly
> or
>> create and distribute a fully trusted intermediate proxy, upgrading to
>> 1.1
>> might be your best bet.
>>
>>
>> "Jahyen" <jahyen@replacethispartwiththemicrosoftnetwork.com> wrote in
>> message news:uhTgDuxYEHA.2736@TK2MSFTNGP10.phx.gbl...
>> Is there any way to get an assembly to run from a network share with less
>> than FullTrust permission set? I've tried adding SQL Client permission
>> to
>> the permission set that's assigned to the LocalIntranet but that I still
> get
>> a SecurityException thrown for SqlClientPermission.
>>
>> Here's the error:
>> An unhandled exception of type 'System.Security.SecurityException'
> occurred
>> in system.data.dll
>> Additional information: Request for the permission of type
>> System.Data.SqlClient.SqlClientPermission, System.Data,
> Version=1.0.5000.0,
>> Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
>>
>> I've also tried signing the assembly and granting it LocalIntranet + SQL
>> Client, Everything or FullTrust permissions. The only way it will run
>> correctly is if I give it the FullTrust permission set. Is it possible
>> to
>> run an ado.net application without assigning the FullTrust permission
>> set?
>>
>>
>>
>>
>>
>
>


Top

Re: Run ado.net application from network share requires FullTrust permission set? by Jahyen

Jahyen
Sun Jul 11 20:27:11 CDT 2004

Thank you so much for your help so far.

I've tried the steps you outline below but now get a SecurityException
without the SQLClient message. Unfortunately, catching the exception and
trying to debug is unhelpful as trying to access any useful fields in the
exception such as GrantedSet, PermissionState, RefusedSet and TargetSite
result in another SecurityException.

My custom permission set is based on the LocalIntranet permission set,
adding the SQL client permission (unrestricted).

Using caspol -rsg confirms that the membership is set up as described in
your message, using caspol -rsp I can see a SQLClientPermission in the
permission set. I've attached the results of running caspol -rsg and -rsp
below.

Let me know if you have any other suggestions.

thanks!

Jahyen.
-----
caspol -rsg
Microsoft (R) .NET Framework CasPol 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.


Level = Enterprise

Code Groups:

1. All code: FullTrust


Level = Machine

Code Groups:

1. All code: Nothing
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web.
1.2.2. All code: Same directory FileIO - Read, PathDiscovery
1.2.3. StrongName -
002400000480000094000000060200000024000052534131000400000100010025714CFA96F5
C44412EAA70F06EA6474D61B5B5FE22F723D9E944A8BF96F3655271DF7EF481FBEDB16D32D1C
B317ED03FA3A4CC2F4F79DC74D54822D66935AFED5AEC84EE47FD89A29DA78C70F0D76207160
0C86509081BDE1BF82B509B0A0893CC9E03D08CB999AAF3E1A609460AEAEEF5A8448E977CDE7
07BF42C4242861C2: LocalIntranet + SQL Client


Level = User

Code Groups:

1. All code: FullTrust

Success
-------------------------------------
caspol -rsp

Microsoft (R) .NET Framework CasPol 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.

Resolving permissions for level = Enterprise
Resolving permissions for level = Machine
Resolving permissions for level = User

Grant =
<PermissionSet class="System.Security.PermissionSet"
version="1">
<IPermission class="System.Security.Permissions.EnvironmentPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Read="USERNAME"/>
<IPermission class="System.Security.Permissions.FileDialogPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Security.Permissions.FileIOPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Read="\\intranet.local\contacts\"
PathDiscovery="\\intranet.local\contacts\"/>
<IPermission
class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Allowed="AssemblyIsolationByUser"
UserQuota="9223372036854775807"
Expiry="9223372036854775807"
Permanent="True"/>
<IPermission class="System.Security.Permissions.ReflectionPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Flags="ReflectionEmit"/>
<IPermission class="System.Security.Permissions.SecurityPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Flags="Assertion, Execution, BindingRedirects"/>
<IPermission class="System.Security.Permissions.UIPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Net.DnsPermission, System, Version=1.0.5000.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission class="System.Drawing.Printing.PrintingPermission,
System.Drawing, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
version="1"
Level="DefaultPrinting"/>
<IPermission class="System.Diagnostics.EventLogPermission, System,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1">
<Machine name="."
access="Instrument"/>
</IPermission>
<IPermission class="System.Data.SqlClient.SqlClientPermission,
System.Data, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Unrestricted="true"/>
<IPermission
class="System.Security.Permissions.StrongNameIdentityPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"

PublicKeyBlob="0024000004800000940000000602000000240000525341310004000001000
10025714CFA96F5C44412EAA70F06EA6474D61B5B5FE22F723D9E944A8BF96F3655271DF7EF4
81FBEDB16D32D1CB317ED03FA3A4CC2F4F79DC74D54822D66935AFED5AEC84EE47FD89A29DA7
8C70F0D762071600C86509081BDE1BF82B509B0A0893CC9E03D08CB999AAF3E1A609460AEAEE
F5A8448E977CDE707BF42C4242861C2"
Name="Contacts"
AssemblyVersion="1.0.1653.30918"/>
<IPermission class="System.Security.Permissions.UrlIdentityPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Url="file://intranet.local/contacts/contacts.exe"/>
<IPermission class="System.Security.Permissions.ZoneIdentityPermission,
mscorlib, Version=1.0.5000.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089"
version="1"
Zone="Intranet"/>
</PermissionSet>

Success


"Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
news:eLorRhCZEHA.3128@TK2MSFTNGP09.phx.gbl...
> Sorry, I didn't read your original post carefully enough. The problem is
> not that your assembly requires full trust. It needs an appropriate
> SqlClientPermission, and it looks like the problem lies with how you are
> attempting to set the policy to allow this permission to be granted. Try
> these steps:
>
> 1. Revert your policy settings back to their previous settings.
> 2. At the machine policy level...
> a. Create a new permission set that grants an appropriate
> SqlClientPermission.
> b. Under the LocalIntranet_Zone code group, create a new child group
> that uses your strong name for its membership condition.
> c. Use the permission set created in step 2.a for the new code group.
>
> With the above setup, your assembly should be granted the
> SqlClientPermission if it meets the criteria for both the intranet zone
and
> the targeted strong name.
>
> HTH,
> Nicole
>
>
>
> "Jahyen" <jahyen@replacethispartwiththemicrosoftnetwork.com> wrote in
> message news:ekDBsb6YEHA.1356@TK2MSFTNGP09.phx.gbl...
> >I thought I was running version 1.1 -- All the dependent framework dlls
> > (including system.data.dll) are 1.0.5000.0.
> > Is there something else that I ought to be checking?
> >
> > thanks!
> >
> > "Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
> > news:#veXuA1YEHA.2972@tk2msftngp13.phx.gbl...
> >> In version 1.0 of the .NET Framework, the SqlClient provider did not
> > permit
> >> partially trusted callers (see, for example,
> >>
> >
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconcodeaccesssecurityadonet.asp).
> >> This is no longer the case in version 1.1 of the .NET Framework.
Unless
> >> you're willing to either run your application as a fully trusted
assembly
> > or
> >> create and distribute a fully trusted intermediate proxy, upgrading to
> >> 1.1
> >> might be your best bet.
> >>
> >>
> >> "Jahyen" <jahyen@replacethispartwiththemicrosoftnetwork.com> wrote in
> >> message news:uhTgDuxYEHA.2736@TK2MSFTNGP10.phx.gbl...
> >> Is there any way to get an assembly to run from a network share with
less
> >> than FullTrust permission set? I've tried adding SQL Client permission
> >> to
> >> the permission set that's assigned to the LocalIntranet but that I
still
> > get
> >> a SecurityException thrown for SqlClientPermission.
> >>
> >> Here's the error:
> >> An unhandled exception of type 'System.Security.SecurityException'
> > occurred
> >> in system.data.dll
> >> Additional information: Request for the permission of type
> >> System.Data.SqlClient.SqlClientPermission, System.Data,
> > Version=1.0.5000.0,
> >> Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
> >>
> >> I've also tried signing the assembly and granting it LocalIntranet +
SQL
> >> Client, Everything or FullTrust permissions. The only way it will run
> >> correctly is if I give it the FullTrust permission set. Is it possible
> >> to
> >> run an ado.net application without assigning the FullTrust permission
> >> set?
> >>
> >>
> >>
> >>
> >>
> >
> >
>
>


Top