
Scenario:

  1. blank win2008 r2 install
  2. the goal was to have a couple of sites running with isolated pool and dedicated users
  3. A new folder for a new website - c:\web\siteA\wwwroot, with the app (asp.net) deployed there in the /bin folder
  4. created a user named "appuser" and added it to the IIS_USERS group
  5. gave the website folder read and execute permissions for IIS_USERS and the appuser
  6. created the IIS site; set the app-pool identity to the appuser
  7. now I'm getting YSOD telling me that the trust-level is too low - SecurityException: That assembly does not allow partially trusted callers
  8. Added <trust level="Full" /> on the web-config, did not help
  9. changing the app-pool user to Administrator makes the site run
  10. Setting "anonymous user identity" to either IUSR or the app pool identity makes no difference

any idea?

Why would the selected user have an influence on the app's trust level? Or is it just a bogus error message?

is there a "step by step" howto guide for setting up users for isolated app pools on IIS7.5?

EDIT: setting the app pool user to NetworkService also makes the site run (see 9.)
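As an added example (not part of the original question or answers), here is the setup from steps 2 to 6 scripted in PowerShell with the WebAdministration module on IIS 7.5, followed by a check of the trust level the site actually runs under. The site name, folder and account name are taken from the question; the pool name "siteA-pool" and the port-80 binding are assumptions, as is the use of a local account rather than a domain one.

```powershell
# Added example, not from the original post: isolated IIS 7.5 app pool with a dedicated
# local account and least-privilege NTFS permissions.  Run in an elevated session.
# Assumed values (from the question): site "siteA", C:\web\siteA\wwwroot, account "appuser".
# The pool name "siteA-pool" and the port-80 binding are invented; adjust to the host.
Import-Module WebAdministration

$siteName = 'siteA'
$sitePath = 'C:\web\siteA\wwwroot'
$poolName = 'siteA-pool'
$user     = 'appuser'
$secure   = Read-Host -AsSecureString "Password for $user"
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain    = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Local account for the pool (net.exe, because New-LocalUser needs PowerShell 5.1+).
#    It is deliberately NOT added to Administrators; IIS injects the pool identity into
#    IIS_IUSRS at runtime, so manual group membership is not required either.
net user $user 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    net user $user $plain /add /expires:never | Out-Null
    wmic useraccount where "name='$user'" set PasswordExpires=false | Out-Null
}

# 2. Application pool running as that account (processModel identityType 3 = SpecificUser).
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3; userName = $user; password = $plain }

# 3. NTFS: read + execute on the content tree only.  Nothing here grants write access;
#    the explicit ACE for appuser keeps the site readable regardless of group membership.
icacls $sitePath /grant "${user}:(OI)(CI)RX" /T | Out-Null

# 4. Site bound to that pool.
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $sitePath -ApplicationPool $poolName -Port 80 | Out-Null
}

# 5. Report the trust level the site will actually run under.  A "does not allow
#    partially trusted callers" SecurityException means the app is executing below
#    Full trust, whatever identity the pool uses.
$level = (Get-WebConfiguration -Filter 'system.web/trust' -PSPath "IIS:\Sites\$siteName").level
"Effective trust level for ${siteName}: $level"
```

If step 5 still reports something other than Full after `<trust level="Full" />` has been put in the site's web.config, the trust section is locked above the site: the framework's root web.config (under the CONFIG directory of the .NET version the pool runs) wraps `<trust>` in a `<location allowOverride="false">`, and a site-level setting is silently ignored. On IIS 7.5 the built-in ApplicationPoolIdentity (identityType 4) gives the same per-pool isolation without a password to manage, and the NTFS grant then goes to the virtual account `IIS AppPool\<poolName>` instead of appuser.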

Ken Egozi

2 Answers


Add this attribute declaration to your assembly:

[assembly:AllowPartiallyTrustedCallers]
Massimo
    Of course, this means *any* partially trusted called can use the assembly, so be sure this won't allow privilege escalation. – Richard May 10 '10 at 09:18
  • why should I do that? which is "My" assembly? I would need the whole application *and* dependencies to have APTC? This is working perfectly on another server (win2008) with a custom user. also - Richard's comment is to the point. I do not *Want* to APTC – Ken Egozi May 10 '10 at 10:14
  • Then you should look up what is making this work on the other server and not on this one... – Massimo May 10 '10 at 10:26
  • I did, and as far as I can remember, the steps listed above were what I did on that other server (which is 2008, not 2008R2 as the new one) – Ken Egozi May 10 '10 at 10:29
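An added check, not part of either answer: before marking anything with AllowPartiallyTrustedCallers (which, as the comment above notes, opens the assembly to every partially trusted caller), it helps to see which assemblies in the deployed bin folder already carry the attribute and which do not, so the one named by the SecurityException can be matched up. This is PowerShell using .NET reflection in a reflection-only context, so no assembly code is executed; the bin path is the one from the question.

```powershell
# Added example (not from the original answers): list the assemblies in a site's bin
# folder and whether each is marked [assembly: AllowPartiallyTrustedCallers].
# Assumed path from the question.  ReflectionOnlyLoadFrom inspects metadata only and
# never runs assembly code, so this is safe to run on the web server itself.
$bin   = 'C:\web\siteA\wwwroot\bin'
$aptca = 'System.Security.AllowPartiallyTrustedCallersAttribute'

Get-ChildItem -Path $bin -Filter *.dll | ForEach-Object {
    $file = $_
    try {
        $asm  = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($file.FullName)
        # Assembly-level custom attributes, matched by the attribute's constructor type.
        $hits = [System.Reflection.CustomAttributeData]::GetCustomAttributes($asm) |
                Where-Object { $_.Constructor.DeclaringType.FullName -eq $aptca }
        New-Object PSObject -Property @{
            Assembly = $file.Name
            APTCA    = [bool]$hits
            Note     = ''
        }
    } catch {
        # Usually a dependency that could not be resolved in the reflection-only context;
        # the assembly is reported rather than skipped so nothing goes unnoticed.
        New-Object PSObject -Property @{
            Assembly = $file.Name
            APTCA    = 'unknown'
            Note     = $_.Exception.GetType().Name
        }
    }
} | Select-Object Assembly, APTCA, Note | Format-Table -AutoSize
```

Assemblies with APTCA = False are the ones a partially trusted caller cannot invoke; the fix the thread is arguing about is to raise the caller's trust level, not to sprinkle the attribute over every library, and the list makes it clear how many assemblies would otherwise have to change. Reflection-only loading accepts assemblies built for a different bitness than the PowerShell host, so the script works from either a 32-bit or 64-bit session.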

The problem does not sound related to the user account: if the message comes from ASP.NET (YSOD), then it means IIS is starting the AppPool correctly (by the way, you do not even need to add the user to IIS_USRS; IIS does that auto-magically). It sounds like maybe the assembly being copied is different, or maybe there are some policies on the other machine, or the trust level is just different. I would use Web Deploy (http://www.iis.net/download/WebDeploy) to do a "diff" between the working server and the other one and see what could be different; it could be the settings in web.config, or security.config, or many things.