Re: Cannot run .Net app from network drive (System.Security.Policy.PolicyException)
From: Shel Blauman [MSFT] (sheldonb_at_online.microsoft.com)
Date: 09/15/03
- In reply to: Edward J. Stembler: "Cannot run .Net app from network drive (System.Security.Policy.PolicyException)"
Date: Mon, 15 Sep 2003 13:36:31 -0700
Here's one way.
Shel
The following applies to a managed executable program (.exe) that executes
with greater permissions than normally would be granted to the zone to which
the assembly belongs. For a program hosted on another computer in a local
area network, this would be the Local Intranet zone. Any file residing on a
mapped network drive is, by default, in the Local Intranet zone and operates
under its permission set. If the assembly to be run does not require any
permissions other than those normally granted to applications running in the
Local Intranet zone, signing and creating a custom code group are not
required. The below steps are only necessary when the assembly causes a
security exception to be thrown when it is executed. It is strongly
recommended that the permissions granted the Local Intranet zone not be
changed to FullTrust as an alternative to the following steps.
Check that the following conditions have been met:
1. The evidence identifying the executable is used to set the membership
condition in a code group, using either the .NET Configuration Tool
(Mscorcfg.msc) or caspol.exe. Although other membership conditions are
available, the recommended practice is to sign the assembly with a strong
name or a certificate.
To create a strong name use sn.exe:
    sn -k keyPair.snk

    using System.Reflection;

    // This strong name key is used to create a code group that gives
    // permissions to this assembly.
    [assembly: AssemblyKeyFile("keyPair.snk")]
    namespace SignedAssembly
    {
        // application classes go here
    }
2. The code group corresponding to the evidence of the executable gives
the permissions the assembly requires. If the executable is identified by a
strong name, the code group will utilize the StrongNameMembershipCondition.
    caspol -machine -addgroup All_Code -strong -file signedassembly.exe -noname -noversion FullTrust -name FourthCoffeeStrongName -description "Code group granting trust to code signed by FourthCoffee"
Alternatively, the code group can be created using the Microsoft .NET
Framework Configuration tool (Mscorcfg.msc) found under Administrative
Tools.
The simplest method of granting permissions to the new code group is by the
use of the existing FullTrust permission set; however, it would be best to
create a custom named permission set only granting the permissions the
assembly requires to execute. Named permission sets are most easily
constructed using the Microsoft .NET Framework Configuration tool mentioned
above. The sequence would be to first create the custom named permission
set, then create the code group, making use of the new permission set.
3. The runtime version on the host computer is compatible with the
runtime used to compile the assembly.
4. The code group created for the executable is in the same runtime that
the executable uses.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Edward J. Stembler" <ejstembler_NOSPAM_@hotmail.com> wrote in message
news:0cc601c37bc2$c30eba20$a001280a@phx.gbl...
> I cannot get my C# .Net application to run from a network
> folder. I get a "Just-In-Time Debugging" dialog box
> which states: "An
> exception 'System.Security.Policy.PolicyException' has
> occurred in MyApp.exe.
>
> I'm fairly certain that this is occurring because .Net is
> running my application in the LocalIntranet_Zone which
> only has limited rights. I believe that I have to
> configure my application using "Administrative Tools >
> Microsoft .Net Framework 1.1 Configuration", however,
> that's where I get lost. How exactly do I configure it?
> I was able to create a new fulltrust "code group"
> under "Runtime Security Policy > Machine > Code Groups >
> All_Code", but I don't see where I can associate my
> application with this new code group. I know you can add
> your application to the "Applications" section, but I
> don't see where I tell it which "code group" to use.
>
> Anyone know how to do this? Microsoft needs a step-by-step
> article for this stuff.
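
A way to check conditions 1 to 4 from the reply above on the machine that runs the program, as an added example that is not part of the original posting or Microsoft's own script. It assumes sn.exe from the .NET Framework SDK is on the PATH, and Z:\apps\signedassembly.exe is a hypothetical mapped-drive path standing in for the real executable.

```batch
@echo off
rem Added example: verify that a strong-name code group applies to an
rem assembly on a mapped drive. APP is a hypothetical path (assumption).
setlocal
set "APP=Z:\apps\signedassembly.exe"

if not exist "%APP%" (
    echo Assembly not found: %APP%
    exit /b 1
)

rem Condition 1: the assembly carries a valid strong-name signature.
rem The public key token printed by -T is the evidence the
rem StrongNameMembershipCondition is matched against.
sn -v "%APP%"
sn -T "%APP%"

rem Conditions 3 and 4: security policy is stored per runtime version, so a
rem code group added with one version's caspol.exe is not visible to another.
rem Query every installed runtime and compare the results.
for /d %%D in ("%SystemRoot%\Microsoft.NET\Framework\v*") do (
    if exist "%%D\caspol.exe" (
        echo.
        echo ===== Policy as seen by runtime %%~nxD =====

        rem Machine-level code groups; the new group should appear under All_Code.
        "%%D\caspol.exe" -machine -listgroups

        rem Condition 2: code groups the assembly is a member of. Expect both
        rem the LocalIntranet_Zone group and the strong-name group.
        "%%D\caspol.exe" -resolvegroup "%APP%"

        rem The permissions policy would actually grant the assembly.
        "%%D\caspol.exe" -resolveperm "%APP%"
    )
)
endlocal
```

If the strong-name group is listed only under a runtime version other than the one the executable loads, the assembly still receives only the Local Intranet grant and the PolicyException persists.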