19

After deploying a new version of our ASP.NET 2.0 application, it started to raise a security exception: "System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."

After some quick research on the internet we were able to resolve this issue by setting "Load User Profile" to True in the IIS 7.5 application pool. This solution is also mentioned several times here on Stack Overflow.

However, we were unable to find the reason why it has to be True. We reviewed all changes in the new version (gladly there were only a few), but didn't find anything suspicious (no access to the registry or temp data, as some articles suggested, etc.). Could anybody give us hints on when an ASP.NET application hosted in IIS 7.5 needs the "Load User Profile" option set to True?

Details:

  • Application pool: .NET 2.0; Managed Pipeline Mode - Classic; Identity – custom domain account
  • In IIS 6.0 (W2K3): Old and new version of application work fine
  • In IIS 7.5 (W2K8-R2): Old version of application works fine; new version of application raises security exception – it starts to work after setting "Load User Profile" to True

Thank you!

EDIT: We have finally found the cause of this problem! Our admin used a different technique to copy the new version of the application from the staging environment to the production environment. He used a web server as an intermediary. After downloading the zipped release build artifacts to the production environment and then unzipping the files, they were still marked as "blocked" because they came from a different computer. See also https://superuser.com/questions/38476/this-file-came-from-another-computer-how-can-i-unblock-all-the-files-in-a. ASP.NET then logically executes these binaries in partial trust instead of full trust, and that was actually causing the mentioned security exceptions in our application.

Setting "Load User Profile" to True fixed the security exceptions as a side effect. If "Load User Profile" is set to False, then our application (not our code; maybe some .NET BCL or external assembly) tries to query basic info about the directory "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files", which the identity of the application pool is not allowed to do:

  • With full trust: access denied on this query operation doesn't raise any exception
  • With partial trust: access denied on this query operation raises a security exception

If "Load User Profile" is set to True, then a temporary profile in the Users directory is created every time the application pool starts. Our application then tries to query info about the "Temporary Internet Files" directory of this profile, which the identity of the application pool is allowed to do. Thus no exception is raised, even with partial trust.

Really nice troubleshooting session! :)

Peter
  • Thanks for the investigation work, Peter. I had the same problem and the streams utility (listed in the superuser.com question) was how I unblocked all the files in my webapp's directory. And now I can turn off the Load User Profile option! – David McClelland Aug 18 '10 at 19:32
  • Totally excellent, we just ran into this issue and couldn't properly explain it. – Andrew Barrett Nov 17 '10 at 17:24
  • The answer below has the detailed explanation: http://stackoverflow.com/questions/17149132/what-exactly-happens-when-i-set-loaduserprofile-of-iis-pool – Nikhil K S Dec 21 '16 at 07:18

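The "blocked" mark described in the EDIT is the Zone.Identifier alternate data stream that Windows attaches to files downloaded from another zone; .NET 2.0/3.5 code access security reads it as evidence and loads such assemblies with less than full trust. The following PowerShell script is an added example and not part of the original question or its answers: it lists every file under a site's physical path that still carries the stream, shows which zone it came from, optionally removes the mark with Unblock-File, and reports the pool's current Load User Profile value so you can tell whether that setting is masking the real cause. The site path and pool name are placeholders; PowerShell 3.0 or later is required for -Stream, -File and Unblock-File.

```powershell
# Added example, not from the original post. Finds files under an IIS site's physical path that
# carry the Zone.Identifier alternate data stream ("This file came from another computer"),
# shows the zone they came from, and (with -Unblock) removes the mark so ASP.NET 2.0 CAS no longer
# treats the assemblies as partially trusted. $SitePath and $AppPoolName are assumptions.
# Requires PowerShell 3.0+ (-File, -Stream, Unblock-File) and the WebAdministration module.

param(
    [string]$SitePath    = 'C:\inetpub\wwwroot\MyApp',   # assumed physical path of the deployed app
    [string]$AppPoolName = 'MyAppPool',                  # assumed application pool name
    [switch]$Unblock                                     # remove the marks; default is report only
)

# 1. Find every file that carries the Zone.Identifier stream.
#    Get-Item -Stream reports a non-terminating error for files without the stream, so suppress it.
$blocked = Get-ChildItem -LiteralPath $SitePath -Recurse -File | ForEach-Object {
    $ads = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($ads) {
        # The stream is a tiny INI file: [ZoneTransfer] / ZoneId=3 (3 = Internet, 4 = Restricted sites)
        $zone = $null
        foreach ($line in (Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier)) {
            if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1]; break }
        }
        [pscustomobject]@{ File = $_.FullName; ZoneId = $zone }
    }
}

if (-not $blocked) {
    Write-Host "No blocked files under $SitePath"
} else {
    $blocked | Format-Table -AutoSize

    # Assemblies in bin\ are the ones CAS cares about; call them out separately.
    $blocked | Where-Object { $_.File -match '\\bin\\.*\.dll$' } |
        ForEach-Object { Write-Warning "Assembly carries a Zone.Identifier mark: $($_.File)" }

    if ($Unblock) {
        # Unblock-File deletes only the Zone.Identifier stream; the file's main content is untouched.
        $blocked | ForEach-Object { Unblock-File -LiteralPath $_.File }
        Write-Host "Removed Zone.Identifier from $($blocked.Count) file(s); recycle the application pool."
    }
}

# 2. Show whether the pool is currently relying on Load User Profile as a workaround.
Import-Module WebAdministration -ErrorAction SilentlyContinue
if (Test-Path "IIS:\AppPools\$AppPoolName") {
    $lup = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel.loadUserProfile
    Write-Host "Load User Profile on '$AppPoolName' is: $($lup.Value)"
}
```

Run it once without -Unblock after each deployment to see whether the copy path introduced marks; if it did, fix the deployment route (copy over SMB, or unzip with a tool that does not propagate the stream) rather than leaving Load User Profile on as a side-effect cure.
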
3 Answers

7

One more example where the "Load User Profile" setting could help you is the usage of temporary files. Sometimes this usage can be indirect. SQL Express, for example, can do this in some situations.

So my advice: switch off "Load User Profile" and examine %TEMP%. Then try to give the domain account used for the application pool full access (or change the access) to the directory from %TEMP%. Probably it will fix your problem.

One more piece of advice is to use Process Monitor (see http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) to locate which parts of the user profile are used (or receive an "access denied" error) at the moment when you receive the "System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission" exception.

Oleg
  • Thank you for your advice. It helped us troubleshoot the problem. The application pool identity needs read access to the "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files" directory. The application just queries basic info for this directory and that's it. Probably it is caused by one of the external assemblies that we use (we suspect iTextSharp). Anyway, your advice helped us explain the situation, so thank you again. – Peter Jun 21 '10 at 12:54
  • Is it possible to set `LoadUserProfile=true` in IIS and change the default temp folder %TEMP% location from `C:\Users\AccountName\AppData\Local\Temp` to somewhere else? – Murali Murugesan Jul 18 '16 at 10:17
  • @MuraliMurugesan: I think yes. If you have "True" in the "Load User Profile" setting of the application pool (see "Advanced Settings") then IIS just loads the user profile of the corresponding user account. You can interactively log in as the user on the server and change the value of the environment variable TEMP of the user to any other value than the default `%USERPROFILE%\AppData\Local\Temp`. It should work. – Oleg Jul 18 '16 at 10:28
  • Thanks, Oleg. May I know where the value `%USERPROFILE%\AppData\Local\Temp` is stored in IIS? Or is it somewhere in the registry? I already have LoadUserProfile set to true but want to change my temp folder location. – Murali Murugesan Jul 18 '16 at 11:16
  • @MuraliMurugesan: The value `%USERPROFILE%\AppData\Local\Temp` is stored **not in IIS**. It is stored in the registry (`HKEY_CURRENT_USER\Environment`) of the user account. It exists in the user profile of the user which you use for the application pool. The easiest way to modify the registry value is to log in interactively as the user and change TEMP in the user context (or change the registry after logging in as the user). – Oleg Jul 18 '16 at 11:21
  • Yeah, got it. I believe they are the same as the computer environment variable TEMP. But if the IIS application pool uses a different Windows account, I need to log in with that account and change the setting, I guess. – Murali Murugesan Jul 18 '16 at 11:29
1

Another area where LoadUserProfile might help is when configuring a trusted MSMQ binding in WCF. If the app pool is running under a trusted account, this won't load the SID unless the Application pool load user profile setting is set to true, and hence authentication will fail.

Mark Cooper
1

I also ran into the same problem and could resolve it by setting Load User Profile = True. However, I have reverted Load User Profile to False and restarted the app pool, but now I don't get any exception. I have gone through all the relevant posts on Stack Overflow and also on the ASP.NET and IIS forum pages.

Rahul