Re: Failure to run .NET 2.0 app from UNC



Hello Kevin,

I've done some more investigation (using caspol.exe), but I've found out
some interesting behaviour that I can't explain.

I've done a CASPOL -rsg 'assemblyname' on my machine, where everything runs
perfectly, and issued the same command on the machine where it went wrong.

Examine the following results on my machine:
caspol -lg
Microsoft (R) .NET Framework CasPol 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.

Security is ON
Execution checking is ON
Policy change prompt is ON

Level = Machine

Code Groups:

1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
1.1.1. StrongName -
002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust
1.1.2. StrongName - 00000000000000000400000000000000: FullTrust
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web
1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
1.2.3. Url - file://devnov/TrademarkDirectory/*: FullTrust <-- the added trust...
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web
1.4. Zone - Untrusted: Nothing
1.5. Zone - Trusted: Internet
1.5.1. All code: Same site Web
Success

And now resolve the appropriate group...

caspol -rsg \\devnov\trademarkdirectory\TMD.exe
Microsoft (R) .NET Framework CasPol 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.


Level = Enterprise

Code Groups:

1. All code: FullTrust


Level = Machine

Code Groups:

1. All code: Nothing
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web
1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
1.2.3. Url - file://devnov/TrademarkDirectory/*: FullTrust <-- is OK


Level = User

Code Groups:

1. All code: FullTrust

Success

On the other hand, the results of caspol -rsg differ on the machine where
TMD.exe won't run (I've omitted the results of caspol -lg, because they are
the same)

caspol -rsg \\devnov\trademarkdirectory\TMD.exe
Microsoft (R) .NET Framework CasPol 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.


Level = Enterprise

Code Groups:

1. All code: FullTrust


Level = Machine

Code Groups:

1. All code: Nothing
1.5. Zone - Trusted: Internet
1.5.1. All code: Same site Web


Level = User

Code Groups:

1. All code: FullTrust

Success

It seems that the application runs in a different zone. I can't figure
out what causes this...

--
Adri
Programmers do it Bit by Bit


"Kevin Yu [MSFT]" wrote:

Hi Adri,

Could you also try to check the minimum grant set of permissions your
TMD.EXE requires. The following Permission Calculator tool can do it for
you.

http://msdn2.microsoft.com/en-us/library/ms165077.aspx

I used

permcalc -sandbox tmd.exe

on my machine and it returns the following.

<?xml version="1.0" ?>
<Sandbox>
<PermissionSet version="1" class="System.Security.PermissionSet">
<IPermission version="1"
class="System.Security.Permissions.EnvironmentPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Security.Permissions.FileIOPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Security.Permissions.ReflectionPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Security.Permissions.RegistryPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Security.Permissions.SecurityPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Flags="UnmanagedCode, Execution, ControlEvidence, ControlPrincipal,
ControlAppDomain" />
<IPermission Window="AllWindows" Clipboard="OwnClipboard" version="1"
class="System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<IPermission version="1"
class="System.Security.Permissions.KeyContainerPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Data.SqlClient.SqlClientPermission, System.Data,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1" class="System.Diagnostics.EventLogPermission,
System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
</PermissionSet>
</Sandbox>

Please check if these permission sets are met. If not, add them.

If that still doesn't work, you can also add a strong name key to the .exe
file and make the machine trust the key instead of trusting the shared
folder.

Please let me know the results after you try it.

Kevin Yu
Microsoft Online Community Support
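
The comparison made by eye between the two `caspol -rsg` listings earlier in this thread can be scripted to show which zone each machine resolved and whether the assembly ends up fully trusted. This is an added example, not part of the original posts; the function names are hypothetical, and it assumes default union code groups with no Exclusive or LevelFinal attributes.

```python
import re

# Constructed input: the two `caspol -rsg` listings from this thread, with the
# banner, blank lines and "Code Groups:" headings trimmed.
WORKING = """Level = Enterprise
1. All code: FullTrust
Level = Machine
1. All code: Nothing
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web
1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
1.2.3. Url - file://devnov/TrademarkDirectory/*: FullTrust
Level = User
1. All code: FullTrust
"""
FAILING = """Level = Enterprise
1. All code: FullTrust
Level = Machine
1. All code: Nothing
1.5. Zone - Trusted: Internet
1.5.1. All code: Same site Web
Level = User
1. All code: FullTrust
"""

# "<label>. <membership condition>: <permission set>"
GROUP = re.compile(r"^(\d+(?:\.\d+)*)\.\s+(.*):\s+(.+)$")

def parse_rsg(text):
    """Return {level: [(label, membership, permission_set), ...]}."""
    levels, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Level = "):
            current = levels.setdefault(line[len("Level = "):], [])
        elif current is not None and (m := GROUP.match(line)):
            current.append(m.groups())
    return levels

def machine_zone(levels):
    """Zone the Machine level resolved for the assembly, or None."""
    for _, membership, _ in levels.get("Machine", []):
        if membership.startswith("Zone - "):
            return membership[len("Zone - "):]
    return None

def is_full_trust(levels):
    """Assumption: union within a level, intersection across levels,
    no Exclusive/LevelFinal groups."""
    return bool(levels) and all(
        any(pset == "FullTrust" for _, _, pset in groups) for groups in levels.values())
```

On the failing machine the Url code group never matches because it is a child of the Intranet zone group, and the assembly was placed in the Trusted zone instead.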
