After deployment of new version of our ASP.NET 2.0 application, it started to raise security exception: „System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.“.
After quick research on internet we were able to resolve this isse by setting „Load User Profile“ to True in IIS 7.5 application pool. This solution is also mentioned several times here on stackoverflow:
- Strange ASP.NET error !
- System.Web.AspNetHostingPermission Exception on New Deployment
- Running a asp.net web application project on IIS7 throws exception
However we were unable to find reason why it has to be true. We reviewed all changes in new version (gladly there were only a few), but didn’t find anything suspicious (no access to registry or temp data as some articles suggested etc). Could anybody give us hints when an ASP.NET application hosted in IIS 7.5 needs „Load User Profile“ option set to True?
Details:
- Application pool: .NET 2.0; Managed Pipeline Mode - Classic; Identity – custom domain account
- In IIS 6.0 (W2K3): Old and new version of application work fine
- In IIS 7.5 (W2K8-R2): Old version of application works fine; new version of application raises security exception – it starts to work after setting „Load User Profile“ to True
Thank you!
EDIT: We have finally found the cause of this problem! Our admin used different technique to copy the new version of application from staging environment to production environment. He used web server as intermediary. After donwloading zipped release build artifacts to production environment and then unzipping the files, they were still marked as "blocked" because they came from different computer. See also https://superuser.com/questions/38476/this-file-came-from-another-computer-how-can-i-unblock-all-the-files-in-a. ASP.NET then logically executes these binaries in partial trust instead of full trust and that was actually causing mentioned security exceptions in our application.
Setting "Load User Profile" to True fixed the security exceptions as a side-effect. If "Load User Profile" is set to False, then our application (not our code, maybe some .NET BCL or external assembly) is trying to query basic info about directory "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files" which the identity of application pool is not allowed to:
- With full trust: access denied to this query operation doesn't raise any exception
- With partial trust: access denied to this query operation raises security exception
If "Load User Profile" is set to True, then temporary profile in Users directory is created every time when application pool starts. Our application is then trying to query info about "Temporary Internet Files" directory of this profile, which the identity of application pool is allowed to. Thus no exception is raised even with partial trust.
Really nice troubleshooting session! :)