Wednesday, March 7, 2012

Permission Reading Registry from Assembly

======== REPOSTED w/MSDN ALIAS ========
We have a custom assembly used by our reports that needs to access SQL
Server and the Registry. In code, prior to making our SQL server
connection, we assert the System.Data.SqlClient.SqlClientPermission and we
are able to connect just fine. Prior to opening the registry key, we assert
the System.Security.Permissions.RegistryPermission, but on the subsequent
call to open the subkey, we get the following exception:
Request for the permission of type
System.Security.Permissions.RegistryPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
* We created a code group in the policy config file giving our assembly full
trust.
* The Everyone group has permissions to read the registry key and the value.
* We executed Sysinternal's registry monitor tool and it doesn't appear to
even log the call to open the key.
Environment: Visual Studio.NET 1.1, Reporting Services 1.1, Windows XP
====[BEGIN CODE SNIPPET]==============
RegistryKey regTest = null;
try {
    RegistryPermission regPermission = new RegistryPermission(
        RegistryPermissionAccess.Read, "HKEY_LOCAL_MACHINE\\SOFTWARE\\0");
    regPermission.Assert();
    regTest = Registry.LocalMachine;
    // This call fails with the exception above
    regTest = regTest.OpenSubKey("SOFTWARE");
    return (string)regTest.GetValue("TestVal");
} finally {
    if (regTest != null) {
        regTest.Close();
    }
}
====[END CODE SNIPPET]==============
I don't think this is a registry permission issue since it says the
"request" for the permission failed. However, I would have expected the
request to fail on the assert, not on the subsequent OpenSubKey call.
Does anyone have any suggestions on how to troubleshoot this?
Thanks,
Chris
|||Hi Chris,
Thank you for posting.
Regarding the SSRS custom assembly registry access issue, I think we
should still troubleshoot from the permission settings. What we can
check are the things below:
1. raw win32 registry access permission
2. .NET CAS permission setting.
For win32 registry access permission, the regmon tool should be able to
capture the failure error.
For a .NET CAS permission problem, you can consider temporarily turning off the
.NET Framework's CAS setting through the caspol.exe tool:
#Code Access Security Policy Tool (Caspol.exe) (.NET Framework)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcodeaccesssecuritypolicyutilitycaspolexe.asp
After turning off CAS, test the custom assembly again to see whether it
works.
Hope this helps.
Regards,
Steven Cheng
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
|||I have copied code out of the help file that opens the LocalMachine key and
calls GetSubKeys(). This fails with the same permissions error. I have
granted the Everyone group Full Control on the LocalMachine key. Using the
caspol.exe tool noted below, I have turned off CAS.
I have been running registry monitor from system internals, and unless I'm
using the tool incorrectly, I don't see any failures or successes. I am
using the RSReportHost to be able to execute the report and step through my
assembly. I don't know what process it would be using to access the
registry.
In regards to the suggestions below:
1. What other permissions could I add in addition to granting the Everyone
group Full Control? I am still getting the exception.
2. As stated above, I executed the caspol.exe turning off CAS. I am still
getting the exception.
- Chris
=================================
Taken from the Registry.LocalMachine field help file sample:
public static string PrintKeys() {
    StringBuilder sbResult = new StringBuilder();
    RegistryKey rk = Registry.LocalMachine;
    // Retrieve all the subkeys for the specified key.
    String[] names;
    try {
        names = rk.GetSubKeyNames(); // <=== BOOM
    } catch (Exception e) {
        return e.Message;
    }
    int icount = 0;
    // Print the contents of the array to the console.
    foreach (String s in names) {
        sbResult.Append(s);
        // The following code puts a limit on the number
        // of keys displayed. Comment it out to print the
        // complete list.
        icount++;
        if (icount >= 10)
            break;
    }
    return sbResult.ToString();
}
|||Clarification - When running the RegMon tool, I do see a lot of activity
from other processes, but nothing that I can identify being associated with
my custom assembly.
|||Thanks for your followup Chris,
This seems strange, so far I can not consider any other particular security
related setting either. Should be an environment specific issue. Have you
tried creating a new custom assembly which accesses some certain registry to
see whether it also suffers the problem on this machine?
Regards,
Steven Cheng
Microsoft Online Community Support
|||I got a little further. I created a new assembly that only had my registry
code. I ran it as a console application and it successfully read my
registry values. I saw in RegMon that the keys were opened, queried, etc.
I then changed it to a class library and referenced it with a test report.
I was receiving the same permission errors. I turned off security via the
caspol utility and then I was able to successfully read my values. I then
modified my test report to reference my first assembly and it too now works.
Clearly I didn't disable security the last time like I thought I did.
So clearly my entries in the rspreviewpolicy.config file are incorrect. I
thought I was granting full trust to my assembly. Here are my entries. They
are at the end of the file just before the </policy> end tag.
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust"
    Name="TSIRegistryTest">
  <IMembershipCondition
      class="UrlMembershipCondition"
      version="1"
      Url="C:\Program Files\Microsoft SQL Server\80\Tools\Report Designer\ReportTest.dll" />
</CodeGroup>
Any help would be greatly appreciated.
- Chris
|||Thank you for the response Chris,
So your custom assembly is put in the following location:
C:\Program Files\Microsoft SQL Server\80\Tools\Report Designer\ReportTest.dll
If so, I think the <CodeGroup> element you pasted should be ok. And the
problem is possibly caused by the location where you add the custom
<CodeGroup> in the policy file. As you mentioned, you add it at the
end of the file just before the </policy> end tag. Do you mean that it is
not included/nested within another <CodeGroup>, like below:
======================
...other code group here
<!--
Your code group here?
-->
</PolicyLevel>
</policy>
</security>
</mscorlib>
</configuration>
==========================
If so, it is not the correct place since the code groups in a .NET code access
policy file are not a flat structure, they're hierarchical and nested...
And our custom code should be put within a "Local Computer"
FirstMatchCodeGroup, it is as below:
=================
<CodeGroup
    class="FirstMatchCodeGroup"
    version="1"
    PermissionSetName="Execution"
    Description="This code group grants MyComputer code Execution permission. ">
  <IMembershipCondition
      class="ZoneMembershipCondition"
      version="1"
      Zone="MyComputer" />
  <!--
  many parallel nested sub codegroups here....
  -->
</CodeGroup>
==============
You'll find there are many other sub code groups nested inside it which are
parallel with each other. If you find it, you can try putting your custom
code group as a sub nested code group within it. In addition, you can
also try strong-naming your assembly and putting it in the GAC, then use a
strong-name membership condition to identify it for testing.
BTW, here is a good MSDN article describing code access security in
ASP.NET applications (including customizing the policy file):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000017.asp
Hope this also helps.
Regards,
Steven Cheng
Microsoft Online Community Support
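A check for the placement problem described in the reply above, as an added example that is not part of the original thread: it parses a CAS policy file and lists FullTrust code groups that are not nested under the MyComputer zone code group. The sample policy is constructed and heavily shortened; the group name `NestedGroup` and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily shortened policy in the layout of rspreviewpolicy.config.
# "TSIRegistryTest" sits just before </PolicyLevel>, outside the code group tree;
# "NestedGroup" (hypothetical name) is the same grant nested as the reply suggests.
SAMPLE_POLICY = r"""
<configuration><mscorlib><security><policy>
 <PolicyLevel version="1">
  <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
   <IMembershipCondition class="AllMembershipCondition" version="1" />
   <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Execution">
    <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="MyComputer" />
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="NestedGroup">
     <IMembershipCondition class="UrlMembershipCondition" version="1"
       Url="C:\Program Files\Microsoft SQL Server\80\Tools\Report Designer\ReportTest.dll" />
    </CodeGroup>
   </CodeGroup>
  </CodeGroup>
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="TSIRegistryTest">
   <IMembershipCondition class="UrlMembershipCondition" version="1"
     Url="C:\Program Files\Microsoft SQL Server\80\Tools\Report Designer\ReportTest.dll" />
  </CodeGroup>
 </PolicyLevel>
</policy></security></mscorlib></configuration>
"""

def audit_code_groups(policy_xml):
    """Describe every <CodeGroup>: name, permission set, nesting depth, zone ancestry."""
    root = ET.fromstring(policy_xml)
    parent = {child: p for p in root.iter() for child in p}  # ElementTree has no parent links
    findings = []
    for group in root.iter("CodeGroup"):
        ancestors = []  # enclosing <CodeGroup> elements, innermost first
        node = parent.get(group)
        while node is not None and node.tag == "CodeGroup":
            ancestors.append(node)
            node = parent.get(node)
        zones = [a.find("IMembershipCondition").get("Zone") for a in ancestors
                 if a.find("IMembershipCondition") is not None]
        findings.append({"name": group.get("Name", "(unnamed)"),
                         "permission_set": group.get("PermissionSetName"),
                         "depth": len(ancestors),
                         "under_my_computer": "MyComputer" in zones})
    return findings

def misplaced_full_trust(policy_xml):
    """FullTrust grants that are not nested under the MyComputer zone code group."""
    return [f["name"] for f in audit_code_groups(policy_xml)
            if f["permission_set"] == "FullTrust" and not f["under_my_computer"]]

if __name__ == "__main__":
    for finding in audit_code_groups(SAMPLE_POLICY):
        print(finding)
    print("misplaced FullTrust groups:", misplaced_full_trust(SAMPLE_POLICY))
```

The check covers nesting only; the order of sibling groups inside a FirstMatchCodeGroup is not examined.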
|||Ok, I think I got it. One thing that was screwing me up is that the change
in the rspreviewpolicy.config was not being picked up by the RSReportHost
utility, even when I unloaded and reloaded it. Only when I started
previewing the report with VS.NET did I see a successful execution with CAS
turned on. Now I'm having similar issues on the build server, but I have a
better understanding of how to troubleshoot it.
Thanks for all of the help.
- Chris
|||Thanks for your followup Chris,
I'm very glad that you've made progress on this. Also, it's a pleasure to
be of assistance.
Please feel free to post here when there is anything else we can help you with.
Good luck!
Regards,
Steven Cheng
Microsoft Online Community Support