Problems and Solutions of Asp.net running permissions on Virtual Hosts

Sometimes we write Asp.net applications Program Is running on the VM. Some virtual hosts may be configured with permissions for Asp.net due to security considerations, which will cause the normal operation of our applications.

Symptom:
For some reason, Asp.net cannot load some DLL files and the following error occurs:

Server Error in '/'application.
--------------------------------------------------------------------------------

Required permissions cannot be acquired.
Description: An unhandled exception occurred during the execution of the current Web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception details: system. Security. Policy. policyexception: required permissions cannot be acquired.

Source error:

An unhandled exception was generated during the execution of the current Web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack trace:


[Policyexception: required permissions cannot be acquired.]
System. Security. securitymanager. resolvepolicy (evidence, permissionset reqdpset, permissionset optpset, permissionset denypset, permissionset & denied, Boolean checkexecutionpermission) + 2738293
System. Security. securitymanager. resolvepolicy (evidence, permissionset reqdpset, permissionset optpset, permissionset denypset, permissionset & denied, int32 & forbidden, Boolean checkexecutionpermission) + 57

[Fileloadexception: cocould not load file or assembly 'Microsoft. practices. objectbuilder, version = 1.0.51205.0, culture = neutral, publickeytoken = null' or one of its dependencies. failed to grant minimum permission requests. (exception from hresult: 0x80131417)]
System. reflection. Assembly. nload (assemblyname filename, string codebase, evi1_assemblysecurity, assembly locationhint, stackcrawlmark & stackmark, Boolean throwonfilenotfound, Boolean forintrospection) + 0
System. reflection. Assembly. internalload (assemblyname assemblyref, evidence assemblysecurity, stackcrawlmark & stackmark, Boolean forintrospection) + 211
System. reflection. Assembly. internalload (string assemblystring, evidence assemblysecurity, stackcrawlmark & stackmark, Boolean forintrospection) + 141
System. reflection. Assembly. Load (string assemblystring) + 25
System. Web. configuration. compilationsection. loadassemblyhelper (string assemblyname, Boolean stardirective) + 32

Problem Analysis:
According to my observations, the DLL directly generated by the Asp.net application can be loaded normally, and the external DLL directly called by Asp.net can also be loaded normally, however, only other external DLL referenced by the external DLL cannot be loaded. My guess is: Because the permissions are incomplete, the DLL generated by the Asp.net application itself and the directly referenced dll can be obtained through permission inheritance, other external DLL referenced by external DLL cannot inherit permissions due to permission restrictions, so the permission is insufficient.

Solution:
Through a test on my computer, I guess the root web. config on the VM is modified (its location on my computer isC: \ windows \ Microsoft. NET \ framework \ v2.0.50727 \ config .
The default web. config permission settings section is as follows: < Location AllowOverride = "True" >
< System . Web >
< SecurityPolicy >
< Trustlevel Name = "Full" Policyfile = "Internal"   />
< Trustlevel Name = "High" Policyfile = "Web_hightrust.config"   />
< Trustlevel Name = "Medium" Policyfile = "Web_mediumtrust.config"   />
< Trustlevel Name = "Low" Policyfile = "Web_lowtrust.config"   />
< Trustlevel Name = "Minimal" Policyfile = "Web_minimaltrust.config"   />
</ SecurityPolicy >
< Trust Level = "Full" Originurl = ""   />
</ System. Web >
</ Location >

Speculate on the modified settings on the VM:

< Location AllowOverride = "False" >
< System . Web >
< SecurityPolicy >
< Trustlevel Name = "Full" Policyfile = "Internal"   />
< Trustlevel Name = "High" Policyfile = "Web_hightrust.config"   />
< Trustlevel Name = "Medium" Policyfile = "Web_mediumtrust.config"   />
< Trustlevel Name = "Low" Policyfile = "Web_lowtrust.config"   />
< Trustlevel Name = "Minimal" Policyfile = "Web_minimaltrust.config"   />
</ SecurityPolicy >
< Trust Level = "High" Originurl = ""   />
</ System. Web >
</ Location >

He first setAllowOverrideIf this parameter is set to false, the permission can be redefined in Web. config. Then, it defines the trust level as high, rather than the default full. After my tests, as long as the trust level is not full, other external DLL files referenced by the external DLL cannot be loaded. Therefore, we recommend that youAllowOverrideSection to true. In this way, I can re-specify permissions in Web. config.
Example: <trust level = "full" originurl = ""/>

I have not studied aps.net recently, so I have not carefully searched for the underlying reasons. Maybe my understanding is wrong. I hope that the expert can tell the reason or correct my mistakes.