Security Policy Error - Windows App to Shared Network Server.

Ann McCall

My App is getting this error when I try to deploy it on a network shared server:
The application attempted to perform an operation not allowed by the security policy. The operation required the SecurityException. To grant this application the required permission please contact your system administrator,....... and so on


Can you please step me through exactly what I need to do to get rid of the security policy error my app (C# vb.net Framework 1.1) is getting?

This is what I understand I need to do:

1. Create a command prompt for .net
Execute the following line:

sn.exe -k KeyFile.snk
Put KeyFile.snk in a folder my app can access.

2. Add this to my AssemblyInfo.cs file:

[assembly: AssemblyKeyFile("KeyFile.snk")]

3. Rebuild my app.

4. Redeploy my app on network server.
Copy KeyFile.snk to folder my apps expects it in.

5. On network server:
Add new code group - "AnyName"
Choose "Strong Name" as condition.
Import my exe and give it full trust.


Now my app should work?

Please let me know if I left anything out.
I am only a mere developer, not a network guru, and I need to get my app working quickly.

mccalla
 
4. Don't expose your keypair file containing the private key.

5. Configure each computer that you want to enable to run your application from an untrusted location (like network). When you Import, the public key is extracted from the assembly (app). The alternative is to use Sn.exe with the -p switch to generate a public key file from the keypair file; the public key file can be published to clients.

Creating an intranet code group by strong name enables you to deploy updates or other applications signed with the same keypair file, and they will run within this trust without need for further client configuration. You can also only trust the single assembly by selecting "Increase Assembly Trust" instead of creating a code group. You can also go the other way if you don't care too much about security within the intranet zone, by "Adjust Zone Security" and increasing it to Full Trust.

For automated deployment you can't be running around configuring lots of computers yourself, and you can't expect the network users to get their hands dirty, so you use a setup project or other configuration script to make the .Net tool Caspol.exe set the needed security.
 
Hi John,
Thanks so much for replying to my question.

1. Create a command prompt for .net
Execute the following line:

sn.exe -k KeyFile.snk

sn.exe -p KeyFile.snk PublicKeyFile.snk
(this will create the public key file.)

Put KeyFile.snk in a folder my app can access.

2. Add this to my AssemblyInfo.cs file:
Do I need to set anything else in my AssemblyInfo.cs file?
<Assembly: AssemblyKeyFileAttribute("KeyFile.snk")>

3. Rebuild my app.

4. Redeploy my app on network server.
Copy KeyFile.snk to folder my apps expects it in.

------------------------------------------------------------
Your response.

4. Don't expose your keypair file containing the private key.
(Do not copy KeyFile.snk to the folder my app expects it in.)


5. Configure each computer that you want to enable to run your application from an untrusted location (like network).
Configure what?

When you Import, the public key is extracted from the assembly (app). The alternative is to use Sn.exe with the -p switch to generate a public key file from the keypair file; the public key file can be published to clients.
(Refer to step 1 )

Creating an intranet code group by strong name enables you to deploy updates or other applications signed with the same keypair file, and they will run within this trust without need for further client configuration.
I prefer this option - to create an intranet code group by name.
I will do this as follows:

On network server:

Add new code group - "AnyName"
Choose "Strong Name" as condition.
Import my exe and give it full trust

( I guess when I import, the public key will be extracted from the assembly?)

These are the other options - which I do not prefer to do:
You can also only trust the single assembly by selecting "Increase Assembly Trust" instead of creating a code group. You can also go the other way if you don't care too much about security within the intranet zone, by "Adjust Zone Security" and increasing it to Full Trust.

For automated deployment you can't be running around configuring lots of computers yourself, and you can't expect the network users to get their hands dirty, so you use a setup project or other configuration script to make the .Net tool Caspol.exe set the needed security.
Can you tell me exactly (remember, I'm only a lowly developer) what I need to deploy to the client machines? Do I need to copy the public key on their machines... if so, where? I didn't plan on copying any files on their machines. I was just going to create a shortcut on their machines pointing to the executable on the network server.

Exactly how do I use the .Net tool Caspol.exe, and what machine(s) do I need to run it on and with what options? None of the clients are going to have the .net framework installed on them.

Please be kind...this is my first .net app - so I hope you understand my ignorance.


My network server only has the .net framework 1.1 installed on it.

Thanks,
mccalla
 
You could certainly have picked something easier to do with your first application than such an advanced deployment scenario... ;) But you'll probably get through it one way or the other :)
Configure what?
Code Access Security Policy (which is also what caspol is the abbreviation of), which is needed because the .Net Framework by default does not fully trust anything outside the local machine.
On network server: Add new code group
Why do you want to trust the assembly on the server? Is the app supposed to run locally on that machine? Because that is the sole purpose of trusting it there. The .Net Framework has to be configured to trust the assembly/group/zone locally on each computer that needs to run it outside the default limits. You can use the control panel configuration tool or caspol.exe to apply these settings. The equivalent command line of caspol to the UI configuration tool is this:
caspol -q -m -ag 1.2. -strong -file YourAssembly.exe -noname -noversion FullTrust -name AStrongNameGroup
The switches are explained in the documentation. This configuration must be applied using an administrator account. The command can be put in a batch file (.bat), and is the least that has to be run by the client before access to the network shared application is allowed. I think I've also encountered some time before that the .bat could not be executed from a network share; it had to be copied to the local machine before it would run. Just try it out.

Then onto a few confusions to be cleared:
Do not copy KeyFile.snk to folder my apps expects it in.
It doesn't. The Keypair file is only used when compiling the application, this is when the assembly is signed.

This misunderstanding was brought here by me:
The alternative is to use Sn.exe with -p switch to generate a public key
This is not an alternative for you. Extracting the public key from the keypair file is only used for delayed signing. Not relevant here.
AssemblyInfo.cs
I must remind you that only VB.Net is supported at this site. This kind of configuration is basically the same for all .Net languages, but just so you don't get confused with where you are and confuse other forum users.
 
Hi John,

Does this mean I need to load the .net framework 1.1 on all my client machines?
I'm not sure if this is an option for me.
Are there any other alternatives?

Thanks for all your help!
Annie
 
Does this mean I need to load the .net framework 1.1 on all my client machines?
Yes, if not already present. A setup project can be configured to detect and only install .Net if needed.
Are there any other alternatives?
No.
 
Ok... Getting it finally. Thanks for your patience.
I am going to do the following:
1. Create a command prompt for .net
Execute the following line:
sn.exe -k KeyFile.snk
Put KeyFile.snk in a folder my app can access.
2. Add this to my AssemblyInfo.vb file:
<Assembly: AssemblyKeyFileAttribute("KeyFile.snk")>

3. Rebuild my app.
4. Redeploy my app on network server.
5. Create a bat file:
First step - check to see if .net 1.1 is installed
if not, install it.
Second step:
caspol -q -machine -remgroup XXXGroup
(remove it first - in case it is there - to prevent duplicate entries)
ok....one more ? on Caspol....
Should I use this:
caspol -quiet -machine -addgroup All_Code -strong -url file://D:/XXX_SHARED/XXXXXX.exe -noname -noversion FullTrust -name XXXGroup -description "Code group granting full trust to applications compiled with KeyFile.snk strong name signature"
or this (like you suggested)
caspol -quiet -machine -addgroup All_Code -strong -file D:/XXX_SHARED/XXXXXX.exe -noname -noversion FullTrust -name XXXGroup -description "Code group granting full trust to applications compiled with KeyFile.snk strong name signature"

(What is the difference....I read somewhere about signed assemblies.... not sure??)

Run bat on Client machine.

Annie
 
"-strong -url" is not a valid option for Caspol. The "1.2." I used in example meant intranet, equals "LocalIntranet_Zone", these can be listed with "caspol -lg". More specific trust means better security.
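As an added example (not code from the thread or from any of the posters), here is the client-side batch file that puts together the steps Annie listed and John's corrected caspol command: detect .NET 1.1, remove any earlier copy of the group, then grant FullTrust only to code signed with the app's strong name, which is the narrower choice compared with raising the whole intranet zone. The share path, executable name, group name and installer name are assumptions; the "1.2." parent label is John's LocalIntranet_Zone label, to be confirmed with caspol -lg.

```batch
@echo off
REM Added example, not part of the thread. Copy to the local disk and run
REM from an administrator account, as John notes caspol requires.
REM Assumed names: \\server\XXX_SHARED\XXXXXX.exe, XXXGroup, dotnetfx.exe.
setlocal
set FX=%windir%\Microsoft.NET\Framework\v1.1.4322
set APP=\\server\XXX_SHARED\XXXXXX.exe
set GROUP=XXXGroup
set FXSETUP=\\server\XXX_SHARED\dotnetfx.exe

REM 1. Detect .NET Framework 1.1 through its setup registry key; the
REM    Install value is only written once the framework is installed.
reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322" /v Install >nul 2>&1
if errorlevel 1 (
    echo .NET Framework 1.1 not found, installing...
    "%FXSETUP%" /q
    if errorlevel 1 (
        echo Framework install failed.
        exit /b 1
    )
)

REM 2. Remove any earlier copy of the group so re-running the script does
REM    not leave duplicate entries (ignore the error if it is not there).
"%FX%\caspol.exe" -q -m -rg %GROUP% >nul 2>&1

REM 3. Add the strong-name group under LocalIntranet_Zone (label 1.2.).
REM    -strong -file reads the public key out of the signed exe;
REM    -noname -noversion matches every assembly signed with KeyFile.snk,
REM    which is what lets later updates run without reconfiguring clients.
"%FX%\caspol.exe" -q -m -ag 1.2. -strong -file "%APP%" -noname -noversion FullTrust -name %GROUP% -description "Full trust for assemblies signed with KeyFile.snk"
if errorlevel 1 (
    echo caspol failed: check that the exe is signed and you are an administrator.
    exit /b 1
)

REM 4. List the machine policy so the new group can be checked under 1.2.
"%FX%\caspol.exe" -m -lg
endlocal
```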
 
Hi,

Well I got good news…. I did the steps above – created a strong name, gave it full-trust in the localIntranet_Zone and I got my app to work on one client machine.

But….

When I tried in the other machines I got the following error:

<my exe> - Common Language Runtime Debugging Services
Application has generated an exception that could not be handled.

It then displays a process and thread id -378193 & -291045.

Click OK to terminate the application.
Click CANCEL to debug the application.

When I press CANCEL, I get the following error:

Registered JIT debugger is not available. An attempt to launch a JIT debugger with the following command resulted in an error code of 0x2 (2). Please check your computer settings.
Cordbg.exe !a 0x47c
Click on Retry to have the process wait while attaching a debugger manually.
Click on Cancel to abort the JIT debug request.



I did notice that the one machine that is working successfully is a Windows XP – Home Edition and the other PCs are newer, Windows XP – Media Center Edition.

I also noticed that when I go to Control Panel / Administrative Tools / .net 1.1 configuration on the newer PCs I also get an error:

mmc.exe - Common Language Runtime Debugging Services
Application has generated an exception that could not be handled.

It then displays a process and thread id -378193 & -291045.

Click OK to terminate the application.
Click CANCEL to debug the application.

It errors in a program called mmc.


I also tried uninstalling .net 1.1 and re-installing .net 1.1.
It still didn’t work.


Any help would be appreciated.

Thanks.
 
Hi,

Good news! We got the app to work on all machines.

The problem was....
We noticed that the machines that were working had IE6 and the problem machines had IE7.

On the machines that had the Common Language Runtime Debugging Services error explained in above post:
We changed the security setting in IE using Tools/Internet Options. Then, we went into the security tab and hit the sites button for the Local Intranet security. A popup appears. We cleared the checkbox on “Automatically detect intranet network” and left all the other boxes checked.

By changing this security setting, we are now able to successfully execute the application on all client machines!
 