Security exceptions in ASP.NET and Load User Profile option in IIS 7.5

Question

After deployment of new version of our ASP.NET 2.0 application, it started to raise security exception: „System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.".

After quick research on internet we were able to resolve this isse by setting „Load User Profile" to True in IIS 7.5 application pool. This solution is also mentioned several times here on stackoverflow:

• Strange ASP.NET error !
• System.Web.AspNetHostingPermission Exception on New Deployment
• Running a asp.net web application project on IIS7 throws exception

However we were unable to find reason why it has to be true. We reviewed all changes in new version (gladly there were only a few), but didn’t find anything suspicious (no access to registry or temp data as some articles suggested etc). Could anybody give us hints when an ASP.NET application hosted in IIS 7.5 needs „Load User Profile" option set to True?

Details:

• Application pool: .NET 2.0; Managed Pipeline Mode - Classic; Identity – custom domain account
• 在IIS 6.0(W2K3)中:新旧版本的应用程序工作正常
• 在IIS 7.5(W2K8-R2)中:旧版本的应用程序正常工作; 新版本的应用程序引发安全异常 - 它在将"加载用户配置文件"设置为True后开始工作

谢谢!

EDIT: We have finally found the cause of this problem! Our admin used different technique to copy the new version of application from staging environment to production environment. He used web server as intermediary. After donwloading zipped release build artifacts to production environment and then unzipping the files, they were still marked as "blocked" because they came from different computer. See also https://superuser.com/questions/38476/this-file-came-from-another-computer-how-can-i-unblock-all-the-files-in-a. ASP.NET then logically executes these binaries in partial trust instead of full trust and that was actually causing mentioned security exceptions in our application.

Setting "Load User Profile" to True fixed the security exceptions as a side-effect. If "Load User Profile" is set to False, then our application (not our code, maybe some .NET BCL or external assembly) is trying to query basic info about directory "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files" which the identity of application pool is not allowed to:

• With full trust: access denied to this query operation doesn't raise any exception
• With partial trust: access denied to this query operation raises security exception

如果"加载用户配置文件"设置为True,则每次启动应用程序池时都会创建Users目录中的临时配置文件.然后,我们的应用程序尝试查询此配置文件的"Temporary Internet Files"目录的信息,该目录允许应用程序池的标识.因此即使部分信任也不会引发异常.

非常好的故障排除会话!:)

Answer 1

"加载用户配置文件"设置可以帮助您使用临时文件的另一个示例.有时这个用途可以是间接的.例如,SQL Express可以在某些情况下执行此操作.

所以我的建议.关闭"加载用户配置文件"并检查%TEMP%.然后尝试为应用程序池提供域帐户对%TEMP%目录的完全访问权限(或更改访问权限).可能它可以解决你的问题.

另一个建议是使用Process Monitor(请参阅http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx)来定位用户配置文件的哪些部分将被使用(或接收"访问被拒绝"错误)当您收到"System.Security.SecurityException:请求类型'System.Web.AspNetHostingPermission'的权限"异常时.