Saturday, December 17, 2005

I've recently been dabbling with DotNetNuke version 4.0.  I'm completely new to it and, having created many web applications myself, I wanted to experiment with it and see what it's like - I hear great things.

Anyone who follows this blog is very aware that I don't run under an administrative account, preferring instead to always run as a low-privileged account.  Well, most of the web applications that I have on my laptop target the .NET 1.1 framework.  All of the .NET 2.0 web applications have run under Cassini and are file-based rather than installed as a virtual directory in IIS, so some things had not been configured to run properly using .NET 2.0 and IIS.

Upon setting up DNN and attempting to run it I ran into the 'Server Application Unavailable' error message.  I examined the event log and saw the following error message:

Failed to execute the request because the ASP.NET process identity does not have read permissions to the global assembly cache. Error: 0x80070005 Access is denied.

OK, well, that doesn't mean that *I* don't have read access to the GAC (which I do)... it's indicating that the account associated with ASP.NET 2.0 applications doesn't have permissions to the GAC.  In this case that's MACHINENAME\ASPNET.  You might be tempted to open up Windows Explorer, navigate to the %WINDIR%\assembly folder (for that's the location of the GAC), right-click it, and change the security settings.  As it turns out, however, Windows virtualizes this folder and its contents into an aggregated view of the GAC contents rather than actual directories.  That option is out.

How then do we grant permissions on the GAC?  The answer is pretty easy actually: we use a command-line utility called CACLS.  Open up a command window and run the following command (or something similar to it):

CACLS %WINDIR%\assembly /e /t /p [DOMAIN|MACHINENAME]\useraccount:R

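Substitute either your domain name (for a domain account) or machine name (for a local account) as appropriate.  The command line grants Read permission to the specified account on all files and folders in the specified folder: /e edits the existing ACL instead of replacing it, /t applies the change to the files in the folder and all of its subdirectories, and /p sets the named account's permission (here R, for Read).

You might also need to do something similar for your application's directory.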

As it turns out, however, I don't want my web applications to run under ASPNET.  Instead I prefer to run them as my personal account so I can debug the applications (being that I'm not an administrator).  I had already used the aspnet_setreg utility to encrypt my credentials in the registry.  I then simply needed to update the <processModel /> element in the %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config file to resemble the following:

<processModel
   autoConfig="true"
   userName="registry:HKLM\Software\ASPNET\Identity\ASPNET_SETREG,userName"
   password="registry:HKLM\Software\ASPNET\Identity\ASPNET_SETREG,password"
/>

By doing this, I don't have to worry about granting the ASPNET account read access to the GAC (which I did anyway) and I ensure that ASP.NET 2.0 applications run under my local account (giving me all the access I need to run and debug them).
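An added example, not part of the original post: a small Python check that reads a machine.config or web.config document and reports whether each <processModel> userName/password is a registry: reference like the ones above, an ASP.NET built-in default, or a value typed in as cleartext. The sample documents, the account name and the function names are constructed for illustration; machine, SYSTEM and AutoGenerate are the built-in defaults it treats as carrying no secret.

```python
import re
import xml.etree.ElementTree as ET

# registry:<hive>\<subkey>,<valueName>, the form aspnet_setreg references take
REG_REF = re.compile(r"^registry:(HKLM|HKEY_LOCAL_MACHINE)\\(.+),(\w+)$", re.I)
# ASP.NET built-in defaults that carry no secret
BUILTIN = {"userName": {"machine", "system"}, "password": {"autogenerate"}}

# Constructed sample: the <processModel> element as configured in the post
PAGE_CONFIG = r"""<configuration><system.web>
  <processModel autoConfig="true"
    userName="registry:HKLM\Software\ASPNET\Identity\ASPNET_SETREG,userName"
    password="registry:HKLM\Software\ASPNET\Identity\ASPNET_SETREG,password" />
</system.web></configuration>"""

# Constructed sample: the same element with credentials typed in directly
CLEARTEXT_CONFIG = r"""<configuration><system.web>
  <processModel autoConfig="true" userName="MACHINENAME\devuser"
    password="example-password" />
</system.web></configuration>"""

def registry_target(value):
    """Return (subkey, value_name) for a registry: reference, else None."""
    m = REG_REF.match(value)
    return (m.group(2), m.group(3)) if m else None

def classify(attr, value):
    """Label one attribute value 'registry', 'builtin' or 'cleartext'."""
    if registry_target(value):
        return "registry"
    return "builtin" if value.lower() in BUILTIN[attr] else "cleartext"

def audit_process_model(config_xml):
    """Classify userName/password on every <processModel> element."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        # Ignore any XML namespace prefix on the tag name
        if el.tag.rsplit("}", 1)[-1] != "processModel":
            continue
        for attr in ("userName", "password"):
            if el.get(attr) is not None:
                findings.append((attr, classify(attr, el.get(attr))))
    return findings

if __name__ == "__main__":
    for name, doc in (("post", PAGE_CONFIG), ("cleartext", CLEARTEXT_CONFIG)):
        print(name, audit_process_model(doc))
```

A "cleartext" result on the password attribute means the credential is readable by anyone who can read the config file.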

Saturday, December 17, 2005 8:08:00 AM (Mountain Standard Time, UTC-07:00)