3

I have an app written in C# that lies on a network share. When I run it from a local drive, everything works fine. When I start it from the remote share, calls like

try
{
    System.Reflection.Assembly.GetExecutingAssembly();
    System.IO.Directory.GetCurrentDirectory();
}

throw a SecurityException 'Request failed'.

What causes this, what is the difference between an app that is started locally and one that is started from a remote location?

Treb
  • 19,903
  • 7
  • 54
  • 87

3 Answers3

5

This is due to CAS; code started from the local machine has much more trust than code in the intranet, which in turn has more trust that code from the internet.

IIRC, with the latest SP (3.5SP1?) if you have mapped the share (i.e. as F:) it is trusted; otherwise you will need to either:

a: apply a caspol change to all clients (yeuck)

b: use ClickOnce to deploy the app, and run the .application instead (yay!)

The point is that ClickOnce allows you to sign the app and state your security policy (even if you demand full trust).

Marc Gravell
  • 1,026,079
  • 266
  • 2,566
  • 2,900
  • Thanks! The app should only be used from one or two clients on the network, so I think I will use the caspol approach. I just don't know if I should consider is a bug, or feature... – Treb Oct 07 '08 at 08:31
  • Microsoft considers it a feature. The rest of us consider it a PITA. – Robert P Dec 16 '08 at 17:14
  • @MarcGravell - this seems similar to my question here: http://stackoverflow.com/questions/8308312/assembly-loaded-using-assembly-loadfrom-on-remote-machine-causes-securityexcep. Would you mind looking at it and answering there if it's the same issue, and since ClickOnce isn't an option in my case, if there are any programmatic ways to make the network share trusted? Thanks! – Shaul Behr Nov 29 '11 at 10:42
  • @Shaul why isn't ClickOnce an option? you can stick a .application file on a network share and it will all just work? – Marc Gravell Nov 29 '11 at 12:02
  • @Shaul ah, right - I see; you are pulling it in via LoadFrom? in that case indeed ClickOnce is not the way to do this. I thought (incorrectly) the entire app was on the share – Marc Gravell Nov 29 '11 at 12:10
2

Because your application is starting on a shared drive, different execution security policies applies.

This implies to learn how .NET Code Access Security is working.

http://msdn.microsoft.com/en-us/library/aa302422.aspx

A quick and dirty solution consists to go to .NET Framework Configuration, unfold RunTime Security Policy, unfold Machine, then Code Groups, then LocalIntranet Zone, do right click on it, choose Properties, then change Permission Set to FullTrust.

This will allow applications in the intranet zone (including application which runs from the shared network) to run as full trusted.

This is definitely not the recommended way to do. The best would be to learn how .NET Code Access Security is working and to apply a specific security policy depending on your application needs.

For example, you can give a strong name with your application by signing it, define a new code group with the public key and apply full trusted permission on that code group. Then you may sign all "approved" application with this same public key, so the same Code Access Security policy applies.

Larry
  • 17,605
  • 9
  • 77
  • 106
1

They changed this to some degree in .Net Framework 3.5 SP1. See .NET 3.5 SP1 Runs Managed Applications From Network Shares

Jon Adams
  • 24,464
  • 18
  • 82
  • 120
  • Thanks for the tip! Now all I need to do is convince our sysadmin to upgrade to SP1. (Well, maybe converting the app into unmanaged Delphi code would be faster... *sigh*) – Treb Oct 08 '08 at 09:26