I am trying to read the WebServices to gather information about the catalog.
When I run the application from my development box and reading from the
Reporting Services server for the Catalog all run fine.
But when I transfer the application (asp.net) to the server it fails with:
System.Web.Services.Protocols.SoapException: The permissions granted to user
'NT AUTHORITY\NETWORK SERVICE' are insufficient for performing this
operation. -->
Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The
permissions granted to user 'NT AUTHORITY\NETWORK SERVICE' are insufficient
for performing this operation. at
Microsoft.ReportingServices.Library.RSService.ListChildren(String item,
Boolean recursive) at
Microsoft.ReportingServices.WebServer.ReportingService.ListChildren(String
Item, Boolean Recursive, CatalogItem[]& CatalogItems) -- End of inner
exception stack trace -- at
Microsoft.ReportingServices.WebServer.ReportingService.ListChildren(String
Item, Boolean Recursive, CatalogItem[]& CatalogItems)
The code is quite simple:
VB.NET
Dim rService As ReportingService = New ReportingService
rService.Credentials = System.Net.CredentialCache.DefaultCredentials
Dim catalogItems As CatalogItem()
catalogItems = rService.ListChildren(Global.ReportPath, True)
C#.NET
ReportingService rService = new ReportingService();
rService.Credentials = System.Net.CredentialCache.DefaultCredentials;
CatalogItem[][0] catalogItems;
catalogItems = rService.ListChildren(Global.ReportPath, true);
--
Regards
<<<Bryan Avery>>Found the problem to be with web.config file.
Adding the following line under
<authentication mode="Windows" />
<identity impersonate="true" />
And it all springs in to life
--
Regards
<<<Bryan Avery>>
"Bryan Avery" wrote:
> I am trying to read the WebServices to gather information about the catalog.
> When I run the application from my development box and reading from the
> Reporting Services server for the Catalog all run fine.
> But when I transfer the application (asp.net) to the server it fails with:
> System.Web.Services.Protocols.SoapException: The permissions granted to user
> 'NT AUTHORITY\NETWORK SERVICE' are insufficient for performing this
> operation. -->
> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The
> permissions granted to user 'NT AUTHORITY\NETWORK SERVICE' are insufficient
> for performing this operation. at
> Microsoft.ReportingServices.Library.RSService.ListChildren(String item,
> Boolean recursive) at
> Microsoft.ReportingServices.WebServer.ReportingService.ListChildren(String
> Item, Boolean Recursive, CatalogItem[]& CatalogItems) -- End of inner
> exception stack trace -- at
> Microsoft.ReportingServices.WebServer.ReportingService.ListChildren(String
> Item, Boolean Recursive, CatalogItem[]& CatalogItems)
> The code is quite simple:
> VB.NET
> Dim rService As ReportingService = New ReportingService
> rService.Credentials => System.Net.CredentialCache.DefaultCredentials
> Dim catalogItems As CatalogItem()
> catalogItems = rService.ListChildren(Global.ReportPath, True)
> C#.NET
> ReportingService rService = new ReportingService();
> rService.Credentials => System.Net.CredentialCache.DefaultCredentials;
> CatalogItem[][0] catalogItems;
> catalogItems = rService.ListChildren(Global.ReportPath, true);
> --
> Regards
> <<<Bryan Avery>>
Showing posts with label reading. Show all posts
Showing posts with label reading. Show all posts
Tuesday, March 20, 2012
Wednesday, March 7, 2012
Permission Reading Registry from Assembly
======== REPOSTED w/MSDN ALIAS ======== We have a custom assembly used by our reports that needs to access SQL
Server and the Registry. In code, prior to making our SQL server
connection, we assert the System.Data.SqlClient.SqlClientPermission and we
are able to connect just fine. Prior to opening the registry key, we assert
the System.Security.Permissions.RegistryPermission, but on the subsequent
call to open the subkey, we get the following exception:
Request for the permission of type
System.Security.Permissions.RegistryPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
* We created a code group in the policy config file giving our assembly full
trust.
* The Everyone group has permissions to read the registry key and the value.
* We executed Sysinternal's registry monitor tool and it doesn't appear to
even log the call to open the key.
Environment: Visual Studio.NET 1.1, Reporting Services 1.1, Windows XP
====[BEGIN CODE SNIPPET]============== RegistryKey regTest = null;
try {
RegistryPermission regPermission = new
RegistryPermission(RegistryPermissionAccess.Read,
"HKEY_LOCAL_MACHINE\\SOFTWARE\\0");
regPermission.Assert();
regTest = Registry.LocalMachine;
regTest = regTest.OpenSubKey("SOFTWARE"); // This call fails with the
exception above
return (string)regTest.GetValue("TestVal");
} finally {
if (regTest != null) {
regTest.Close();
}
}
====[END CODE SNIPPET]==============
I don't think this is a registry permission issue since it says the
"request" for the permission failed. However, I would have expected the
request to fail on the assert, not on the subsequent OpenSubKey call.
Does anyone have any suggestions on how to troubleshoot this?
Thanks,
ChrisHi Chris,
Thank you for posting.
Regarding on the SSRS custom assembly registry accessing issue, I think we
should still troubleshoot from the permission setting. And what we can
check is the below things:
1. raw win32 registry access permission
2. .NET CAS permission setting.
For win32 registry access permission, the regmon tool should be able to
capture the failure error
For .NET CAS permission problem, you can consider temporarly turn off the
.net framework's CAS setting through the caspol.exe tool:
#Code Access Security Policy Tool (Caspol.exe) (.NET Framework)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/htm
l/cpgrfcodeaccesssecuritypolicyutilitycaspolexe.asp
After turn off the CAS and test the custom assembly again to see whether it
works.
Hope this helps.
Regards,
Steven Cheng
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)|||I have copied code out of the help file that opens the LocalMachine key and
calls GetSubKeys(). This fails with the same permissions error. I have
granted the Everyone group Full Control on the LocalMachine key. Using the
caspol.exe tool noted below, I have turned off CAS.
I have been running registry monitor from system internals, and unless I'm
using the tool incorrectly, I don't see any failures or successes. I am
using the RSReportHost to be able to execute the report and step through my
assembly. I don't know what process it would be using to access the
registry.
In regards to the suggestions below:
1. What other pemissions could I add in addition to granting the Everyone
group Full Control? I am still getting the exception.
2. As stated above, I executed the caspol.exe turning off CAS. I am still
getting the exception.
- Chris
=================================Taken from the Registry.LocalMachine field help file sample:
public static string PrintKeys() {
StringBuilder sbResult = new StringBuilder();
RegistryKey rk = Registry.LocalMachine;
// Retrieve all the subkeys for the specified key.
String [] names;
try {
names = rk.GetSubKeyNames(); <=== BOOM
} catch (Exception e) {
return e.Message;
}
int icount = 0;
// Print the contents of the array to the console.
foreach (String s in names) {
sbResult.Append(s);
// The following code puts a limit on the number
// of keys displayed. Comment it out to print the
// complete list.
icount++;
if (icount >= 10)
break;
}
return sbResult.ToString();
}
"Steven Cheng[MSFT]" <stcheng@.online.microsoft.com> wrote in message
news:eeLJoQfWGHA.932@.TK2MSFTNGXA01.phx.gbl...
> Hi Chris,
> Thank you for posting.
> Regarding on the SSRS custom assembly registry accessing issue, I think we
> should still troubleshoot from the permission setting. And what we can
> check is the below things:
> 1. raw win32 registry access permission
> 2. .NET CAS permission setting.
> For win32 registry access permission, the regmon tool should be able to
> capture the failure error
> For .NET CAS permission problem, you can consider temporarly turn off the
> net framework's CAS setting through the caspol.exe tool:
> #Code Access Security Policy Tool (Caspol.exe) (.NET Framework)
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/htm
> l/cpgrfcodeaccesssecuritypolicyutilitycaspolexe.asp
> After turn off the CAS and test the custom assembly again to see whether
> it
> works.
> Hope this helps.
> Regards,
> Steven Cheng
> Microsoft Online Community Support
>
> ==================================================> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>|||Clarification - When running the RegMon tool, I do see a lot of activity
from other processes, but nothing that I can identify being associated with
my custom assembly.
"Chris Walls" <chwalls2@.community.nospam> wrote in message
news:OIlWD$WXGHA.3492@.TK2MSFTNGP05.phx.gbl...
>I have copied code out of the help file that opens the LocalMachine key and
>calls GetSubKeys(). This fails with the same permissions error. I have
>granted the Everyone group Full Control on the LocalMachine key. Using the
>caspol.exe tool noted below, I have turned off CAS.
> I have been running registry monitor from system internals, and unless I'm
> using the tool incorrectly, I don't see any failures or successes. I am
> using the RSReportHost to be able to execute the report and step through
> my assembly. I don't know what process it would be using to access the
> registry.
> In regards to the suggestions below:
> 1. What other pemissions could I add in addition to granting the Everyone
> group Full Control? I am still getting the exception.
> 2. As stated above, I executed the caspol.exe turning off CAS. I am still
> getting the exception.
> - Chris
> =================================> Taken from the Registry.LocalMachine field help file sample:
> public static string PrintKeys() {
> StringBuilder sbResult = new StringBuilder();
> RegistryKey rk = Registry.LocalMachine;
> // Retrieve all the subkeys for the specified key.
> String [] names;
> try {
> names = rk.GetSubKeyNames(); <=== BOOM
> } catch (Exception e) {
> return e.Message;
> }
> int icount = 0;
> // Print the contents of the array to the console.
> foreach (String s in names) {
> sbResult.Append(s);
> // The following code puts a limit on the number
> // of keys displayed. Comment it out to print the
> // complete list.
> icount++;
> if (icount >= 10)
> break;
> }
> return sbResult.ToString();
> }
>
> "Steven Cheng[MSFT]" <stcheng@.online.microsoft.com> wrote in message
> news:eeLJoQfWGHA.932@.TK2MSFTNGXA01.phx.gbl...
>> Hi Chris,
>> Thank you for posting.
>> Regarding on the SSRS custom assembly registry accessing issue, I think
>> we
>> should still troubleshoot from the permission setting. And what we can
>> check is the below things:
>> 1. raw win32 registry access permission
>> 2. .NET CAS permission setting.
>> For win32 registry access permission, the regmon tool should be able to
>> capture the failure error
>> For .NET CAS permission problem, you can consider temporarly turn off the
>> net framework's CAS setting through the caspol.exe tool:
>> #Code Access Security Policy Tool (Caspol.exe) (.NET Framework)
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/htm
>> l/cpgrfcodeaccesssecuritypolicyutilitycaspolexe.asp
>> After turn off the CAS and test the custom assembly again to see whether
>> it
>> works.
>> Hope this helps.
>> Regards,
>> Steven Cheng
>> Microsoft Online Community Support
>>
>> ==================================================>> When responding to posts, please "Reply to Group" via your newsreader so
>> that others may learn and benefit from your issue.
>> ==================================================>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> Get Secure! www.microsoft.com/security
>> (This posting is provided "AS IS", with no warranties, and confers no
>> rights.)
>|||Thanks for your followup Chris,
This seems strange, so far I can not consider any other particular security
related setting either. Should be a environment specific issue. Have you
tried creating a new custom assembly which access some certain registry to
see whether it also suffer the probelm on ths machine?
Regards,
Steven Cheng
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.|||I got a little further. I created a new assembly that only had my registry
code. I ran it as a console application and it successfully read my
registry values. I saw in RegMon that the keys where opened, queried, etc.
I then changed it to a class library and referenced it with a test report.
I was receiving the same permission errors. I turned off security via the
caspol utility and then I was able to successfully read my values. I then
modified my test report to reference my first assembly and it too now works.
Clearly I didn't disable security the last time like I thought I did.
So cleary my entries in the rspreviewpolicy.config file is incorrect. I
thought I was granting full trust to my assembly. Here is my entries. They
are at the end of the file just before the </policy> end tag.
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust"
Name="TSIRegistryTest">
<IMembershipCondition
class="UrlMembershipCondition"
version="1" Url="C:\Program Files\Microsoft SQL Server\80\Tools\Report
Designer\ReportTest.dll" />
</CodeGroup>
Any help would be greatly appreciated.
- Chris
"Steven Cheng[MSFT]" <stcheng@.online.microsoft.com> wrote in message
news:N9KImB8XGHA.888@.TK2MSFTNGXA01.phx.gbl...
> Thanks for your followup Chris,
> This seems strange, so far I can not consider any other particular
> security
> related setting either. Should be a environment specific issue. Have you
> tried creating a new custom assembly which access some certain registry to
> see whether it also suffer the probelm on ths machine?
> Regards,
> Steven Cheng
> Microsoft Online Community Support
>
> ==================================================> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>|||Thank you for the response Chris,
So your custom assembly is put in the following location:
C:\Program Files\Microsoft SQL Server\80\Tools\Report
Designer\ReportTest.dll
If so, I think the <CodeGroup > element you pasted should be ok. And the
problem is possibly caused by the location where you add the custom
<codeGroup> in the policy file. As you mentioend that you add it at the
end of the file just before the </policy> end tag. Do you mean that it is
not included/nested within other <codeGroup> ?, like below:
======================...other code group here
<!--
Your code group here?
-->
</PolicyLevel>
</policy>
</security>
</mscorlib>
</configuration>
==========================
If so, it is not the correct place since the codegroup in .NET code access
policy file is not a flat structure, they're hierarchical and nested...
And our custom code should be put within a "Local Computer"
firstMatchCodeGroup, it is as below:
================= <CodeGroup
class="FirstMatchCodeGroup"
version="1"
PermissionSetName="Execution"
Description="This code group grants
MyComputer code Execution permission. ">
<IMembershipCondition
class="ZoneMembershipCondition"
version="1"
Zone="MyComputer" />
<!--
many parallel nested sub codegroups here....
-->
</CodeGroup>
==============
You'll find there is many other sub codegroups nested inside it which are
parallel with each other. If you find it, you can try puting your custom
code group as the sub nested codegroup within it. In addition, you can
also try strong-named your assembly and put it in GAC, then use
strong-named membershipCondition to idenitify it for testing.
BTW, here is a good msdn article describing the code access security in
ASP.NET application(including customizing policy file):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html
/paght000017.asp
Hope this also helps.
Regards,
Steven Cheng
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)|||Ok, I think I got it. One thing that was screwing me up is that the change
in the rspreviewpolicy.config was not being picked up by the RSReportHost
utility, even when I unloaded and reloaded it. Only when I started
previewing the report with VS.NET did I see a successful execution with CAS
turned on. Now I'm having similar issues on the build server, but I have a
better understanding of how to troubleshoot it.
Thanks for all of the help.
- Chris
"Steven Cheng[MSFT]" <stcheng@.online.microsoft.com> wrote in message
news:J8C4%23YEZGHA.6000@.TK2MSFTNGXA01.phx.gbl...
> Thank you for the response Chris,
> So your custom assembly is put in the following location:
> C:\Program Files\Microsoft SQL Server\80\Tools\Report
> Designer\ReportTest.dll
> If so, I think the <CodeGroup > element you pasted should be ok. And the
> problem is possibly caused by the location where you add the custom
> <codeGroup> in the policy file. As you mentioend that you add it at the
> end of the file just before the </policy> end tag. Do you mean that it is
> not included/nested within other <codeGroup> ?, like below:
> ======================> ...other code group here
> <!--
> Your code group here?
> -->
> </PolicyLevel>
> </policy>
> </security>
> </mscorlib>
> </configuration>
> ==========================> If so, it is not the correct place since the codegroup in .NET code access
> policy file is not a flat structure, they're hierarchical and nested...
> And our custom code should be put within a "Local Computer"
> firstMatchCodeGroup, it is as below:
> =================> <CodeGroup
> class="FirstMatchCodeGroup"
> version="1"
> PermissionSetName="Execution"
> Description="This code group grants
> MyComputer code Execution permission. ">
> <IMembershipCondition
> class="ZoneMembershipCondition"
> version="1"
> Zone="MyComputer" />
> <!--
> many parallel nested sub codegroups here....
> -->
> </CodeGroup>
> ==============> You'll find there is many other sub codegroups nested inside it which are
> parallel with each other. If you find it, you can try puting your custom
> code group as the sub nested codegroup within it. In addition, you can
> also try strong-named your assembly and put it in GAC, then use
> strong-named membershipCondition to idenitify it for testing.
> BTW, here is a good msdn article describing the code access security in
> ASP.NET application(including customizing policy file):
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html
> /paght000017.asp
> Hope this also helps.
> Regards,
> Steven Cheng
> Microsoft Online Community Support
>
> ==================================================> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
>
>
>
>
>
>|||Thanks for your followup Chris,
I'm very glad that you've made progress on this. Also, it's a pleasure to
be of assistance.
Please feel free to post here when there is anything else we can help you.
Good luck!
Regards,
Steven Cheng
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Server and the Registry. In code, prior to making our SQL server
connection, we assert the System.Data.SqlClient.SqlClientPermission and we
are able to connect just fine. Prior to opening the registry key, we assert
the System.Security.Permissions.RegistryPermission, but on the subsequent
call to open the subkey, we get the following exception:
Request for the permission of type
System.Security.Permissions.RegistryPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
* We created a code group in the policy config file giving our assembly full
trust.
* The Everyone group has permissions to read the registry key and the value.
* We executed Sysinternal's registry monitor tool and it doesn't appear to
even log the call to open the key.
Environment: Visual Studio.NET 1.1, Reporting Services 1.1, Windows XP
====[BEGIN CODE SNIPPET]============== RegistryKey regTest = null;
try {
RegistryPermission regPermission = new
RegistryPermission(RegistryPermissionAccess.Read,
"HKEY_LOCAL_MACHINE\\SOFTWARE\\0");
regPermission.Assert();
regTest = Registry.LocalMachine;
regTest = regTest.OpenSubKey("SOFTWARE"); // This call fails with the
exception above
return (string)regTest.GetValue("TestVal");
} finally {
if (regTest != null) {
regTest.Close();
}
}
====[END CODE SNIPPET]==============
I don't think this is a registry permission issue since it says the
"request" for the permission failed. However, I would have expected the
request to fail on the assert, not on the subsequent OpenSubKey call.
Does anyone have any suggestions on how to troubleshoot this?
Thanks,
ChrisHi Chris,
Thank you for posting.
Regarding on the SSRS custom assembly registry accessing issue, I think we
should still troubleshoot from the permission setting. And what we can
check is the below things:
1. raw win32 registry access permission
2. .NET CAS permission setting.
For win32 registry access permission, the regmon tool should be able to
capture the failure error
For .NET CAS permission problem, you can consider temporarly turn off the
.net framework's CAS setting through the caspol.exe tool:
#Code Access Security Policy Tool (Caspol.exe) (.NET Framework)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/htm
l/cpgrfcodeaccesssecuritypolicyutilitycaspolexe.asp
After turn off the CAS and test the custom assembly again to see whether it
works.
Hope this helps.
Regards,
Steven Cheng
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)|||I have copied code out of the help file that opens the LocalMachine key and
calls GetSubKeys(). This fails with the same permissions error. I have
granted the Everyone group Full Control on the LocalMachine key. Using the
caspol.exe tool noted below, I have turned off CAS.
I have been running registry monitor from system internals, and unless I'm
using the tool incorrectly, I don't see any failures or successes. I am
using the RSReportHost to be able to execute the report and step through my
assembly. I don't know what process it would be using to access the
registry.
In regards to the suggestions below:
1. What other pemissions could I add in addition to granting the Everyone
group Full Control? I am still getting the exception.
2. As stated above, I executed the caspol.exe turning off CAS. I am still
getting the exception.
- Chris
=================================Taken from the Registry.LocalMachine field help file sample:
public static string PrintKeys() {
StringBuilder sbResult = new StringBuilder();
RegistryKey rk = Registry.LocalMachine;
// Retrieve all the subkeys for the specified key.
String [] names;
try {
names = rk.GetSubKeyNames(); <=== BOOM
} catch (Exception e) {
return e.Message;
}
int icount = 0;
// Print the contents of the array to the console.
foreach (String s in names) {
sbResult.Append(s);
// The following code puts a limit on the number
// of keys displayed. Comment it out to print the
// complete list.
icount++;
if (icount >= 10)
break;
}
return sbResult.ToString();
}
"Steven Cheng[MSFT]" <stcheng@.online.microsoft.com> wrote in message
news:eeLJoQfWGHA.932@.TK2MSFTNGXA01.phx.gbl...
> Hi Chris,
> Thank you for posting.
> Regarding on the SSRS custom assembly registry accessing issue, I think we
> should still troubleshoot from the permission setting. And what we can
> check is the below things:
> 1. raw win32 registry access permission
> 2. .NET CAS permission setting.
> For win32 registry access permission, the regmon tool should be able to
> capture the failure error
> For .NET CAS permission problem, you can consider temporarly turn off the
> net framework's CAS setting through the caspol.exe tool:
> #Code Access Security Policy Tool (Caspol.exe) (.NET Framework)
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/htm
> l/cpgrfcodeaccesssecuritypolicyutilitycaspolexe.asp
> After turn off the CAS and test the custom assembly again to see whether
> it
> works.
> Hope this helps.
> Regards,
> Steven Cheng
> Microsoft Online Community Support
>
> ==================================================> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>|||Clarification - When running the RegMon tool, I do see a lot of activity
from other processes, but nothing that I can identify being associated with
my custom assembly.
"Chris Walls" <chwalls2@.community.nospam> wrote in message
news:OIlWD$WXGHA.3492@.TK2MSFTNGP05.phx.gbl...
>I have copied code out of the help file that opens the LocalMachine key and
>calls GetSubKeys(). This fails with the same permissions error. I have
>granted the Everyone group Full Control on the LocalMachine key. Using the
>caspol.exe tool noted below, I have turned off CAS.
> I have been running registry monitor from system internals, and unless I'm
> using the tool incorrectly, I don't see any failures or successes. I am
> using the RSReportHost to be able to execute the report and step through
> my assembly. I don't know what process it would be using to access the
> registry.
> In regards to the suggestions below:
> 1. What other pemissions could I add in addition to granting the Everyone
> group Full Control? I am still getting the exception.
> 2. As stated above, I executed the caspol.exe turning off CAS. I am still
> getting the exception.
> - Chris
> =================================> Taken from the Registry.LocalMachine field help file sample:
> public static string PrintKeys() {
> StringBuilder sbResult = new StringBuilder();
> RegistryKey rk = Registry.LocalMachine;
> // Retrieve all the subkeys for the specified key.
> String [] names;
> try {
> names = rk.GetSubKeyNames(); <=== BOOM
> } catch (Exception e) {
> return e.Message;
> }
> int icount = 0;
> // Print the contents of the array to the console.
> foreach (String s in names) {
> sbResult.Append(s);
> // The following code puts a limit on the number
> // of keys displayed. Comment it out to print the
> // complete list.
> icount++;
> if (icount >= 10)
> break;
> }
> return sbResult.ToString();
> }
>
> "Steven Cheng[MSFT]" <stcheng@.online.microsoft.com> wrote in message
> news:eeLJoQfWGHA.932@.TK2MSFTNGXA01.phx.gbl...
>> Hi Chris,
>> Thank you for posting.
>> Regarding on the SSRS custom assembly registry accessing issue, I think
>> we
>> should still troubleshoot from the permission setting. And what we can
>> check is the below things:
>> 1. raw win32 registry access permission
>> 2. .NET CAS permission setting.
>> For win32 registry access permission, the regmon tool should be able to
>> capture the failure error
>> For .NET CAS permission problem, you can consider temporarly turn off the
>> net framework's CAS setting through the caspol.exe tool:
>> #Code Access Security Policy Tool (Caspol.exe) (.NET Framework)
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/htm
>> l/cpgrfcodeaccesssecuritypolicyutilitycaspolexe.asp
>> After turn off the CAS and test the custom assembly again to see whether
>> it
>> works.
>> Hope this helps.
>> Regards,
>> Steven Cheng
>> Microsoft Online Community Support
>>
>> ==================================================>> When responding to posts, please "Reply to Group" via your newsreader so
>> that others may learn and benefit from your issue.
>> ==================================================>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> Get Secure! www.microsoft.com/security
>> (This posting is provided "AS IS", with no warranties, and confers no
>> rights.)
>|||Thanks for your followup Chris,
This seems strange, so far I can not consider any other particular security
related setting either. Should be a environment specific issue. Have you
tried creating a new custom assembly which access some certain registry to
see whether it also suffer the probelm on ths machine?
Regards,
Steven Cheng
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.|||I got a little further. I created a new assembly that only had my registry
code. I ran it as a console application and it successfully read my
registry values. I saw in RegMon that the keys where opened, queried, etc.
I then changed it to a class library and referenced it with a test report.
I was receiving the same permission errors. I turned off security via the
caspol utility and then I was able to successfully read my values. I then
modified my test report to reference my first assembly and it too now works.
Clearly I didn't disable security the last time like I thought I did.
So cleary my entries in the rspreviewpolicy.config file is incorrect. I
thought I was granting full trust to my assembly. Here is my entries. They
are at the end of the file just before the </policy> end tag.
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust"
Name="TSIRegistryTest">
<IMembershipCondition
class="UrlMembershipCondition"
version="1" Url="C:\Program Files\Microsoft SQL Server\80\Tools\Report
Designer\ReportTest.dll" />
</CodeGroup>
Any help would be greatly appreciated.
- Chris
"Steven Cheng[MSFT]" <stcheng@.online.microsoft.com> wrote in message
news:N9KImB8XGHA.888@.TK2MSFTNGXA01.phx.gbl...
> Thanks for your followup Chris,
> This seems strange, so far I can not consider any other particular
> security
> related setting either. Should be a environment specific issue. Have you
> tried creating a new custom assembly which access some certain registry to
> see whether it also suffer the probelm on ths machine?
> Regards,
> Steven Cheng
> Microsoft Online Community Support
>
> ==================================================> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>|||Thank you for the response Chris,
So your custom assembly is put in the following location:
C:\Program Files\Microsoft SQL Server\80\Tools\Report
Designer\ReportTest.dll
If so, I think the <CodeGroup > element you pasted should be ok. And the
problem is possibly caused by the location where you add the custom
<codeGroup> in the policy file. As you mentioend that you add it at the
end of the file just before the </policy> end tag. Do you mean that it is
not included/nested within other <codeGroup> ?, like below:
======================...other code group here
<!--
Your code group here?
-->
</PolicyLevel>
</policy>
</security>
</mscorlib>
</configuration>
==========================
If so, it is not the correct place since the codegroup in .NET code access
policy file is not a flat structure, they're hierarchical and nested...
And our custom code should be put within a "Local Computer"
firstMatchCodeGroup, it is as below:
================= <CodeGroup
class="FirstMatchCodeGroup"
version="1"
PermissionSetName="Execution"
Description="This code group grants
MyComputer code Execution permission. ">
<IMembershipCondition
class="ZoneMembershipCondition"
version="1"
Zone="MyComputer" />
<!--
many parallel nested sub codegroups here....
-->
</CodeGroup>
==============
You'll find there is many other sub codegroups nested inside it which are
parallel with each other. If you find it, you can try puting your custom
code group as the sub nested codegroup within it. In addition, you can
also try strong-named your assembly and put it in GAC, then use
strong-named membershipCondition to idenitify it for testing.
BTW, here is a good msdn article describing the code access security in
ASP.NET application(including customizing policy file):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html
/paght000017.asp
Hope this also helps.
Regards,
Steven Cheng
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)|||Ok, I think I got it. One thing that was screwing me up is that the change
in the rspreviewpolicy.config was not being picked up by the RSReportHost
utility, even when I unloaded and reloaded it. Only when I started
previewing the report with VS.NET did I see a successful execution with CAS
turned on. Now I'm having similar issues on the build server, but I have a
better understanding of how to troubleshoot it.
Thanks for all of the help.
- Chris
"Steven Cheng[MSFT]" <stcheng@.online.microsoft.com> wrote in message
news:J8C4%23YEZGHA.6000@.TK2MSFTNGXA01.phx.gbl...
> Thank you for the response Chris,
> So your custom assembly is put in the following location:
> C:\Program Files\Microsoft SQL Server\80\Tools\Report
> Designer\ReportTest.dll
> If so, I think the <CodeGroup > element you pasted should be ok. And the
> problem is possibly caused by the location where you add the custom
> <codeGroup> in the policy file. As you mentioend that you add it at the
> end of the file just before the </policy> end tag. Do you mean that it is
> not included/nested within other <codeGroup> ?, like below:
> ======================> ...other code group here
> <!--
> Your code group here?
> -->
> </PolicyLevel>
> </policy>
> </security>
> </mscorlib>
> </configuration>
> ==========================> If so, it is not the correct place since the codegroup in .NET code access
> policy file is not a flat structure, they're hierarchical and nested...
> And our custom code should be put within a "Local Computer"
> firstMatchCodeGroup, it is as below:
> =================> <CodeGroup
> class="FirstMatchCodeGroup"
> version="1"
> PermissionSetName="Execution"
> Description="This code group grants
> MyComputer code Execution permission. ">
> <IMembershipCondition
> class="ZoneMembershipCondition"
> version="1"
> Zone="MyComputer" />
> <!--
> many parallel nested sub codegroups here....
> -->
> </CodeGroup>
> ==============> You'll find there is many other sub codegroups nested inside it which are
> parallel with each other. If you find it, you can try puting your custom
> code group as the sub nested codegroup within it. In addition, you can
> also try strong-named your assembly and put it in GAC, then use
> strong-named membershipCondition to idenitify it for testing.
> BTW, here is a good msdn article describing the code access security in
> ASP.NET application(including customizing policy file):
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html
> /paght000017.asp
> Hope this also helps.
> Regards,
> Steven Cheng
> Microsoft Online Community Support
>
> ==================================================> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ==================================================>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
>
>
>
>
>
>|||Thanks for your followup Chris,
I'm very glad that you've made progress on this. Also, it's a pleasure to
be of assistance.
Please feel free to post here when there is anything else we can help you.
Good luck!
Regards,
Steven Cheng
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Monday, February 20, 2012
Permission denied error 2nd Post
New user of SQL
Everything is on the same machine
My error is close to the bottom
After reading it today, I can see there is a problem with 2 dbases
'PUBS' and 'Master'
There are also some comments from the group:
--microsoft.public.sqlserver.odbc-- subject: Permission Denied -- Thanks
for help guys
I was able to find a trial version of the Enterprise Manager.
It was suggested to make the post over in dotnet.framework. I am new to
SQL. I can see the following in the MSDE manager:
sql server(my machine name\'SDK)
after I right click on 'PUBS'
--Users/Roles/Public
--public
--machine_name\aspnet
--guest
guest is the only one with 5 check marks going across from left to right for
the following:
Create Table, Create View, Create SP, Create Default, Create Rule
the following 3 are blank:
Create Function, Backup DB, and Backup Log
public has just 1 check mark on
Create SP
machine_name\aspnet is blank from left to right.
CREATE DBASE right is not displayed.
How can I solve my Permission denied error problem?
Thanks for the help,
Taishi
--Comments--
Hi Tashi!
You can ue Enterprise manager to set the rights. Locate the table, and right
click. Select All Tasks, then Manage Permissions. Locate the user that you
are using in your connection object, and then grant the rights. I agree with
Greg that the web user should not normally have that level of permission.
One false move and your server and data could be toast. If you are really
trying to create a table, or attach a database, you should be doing that
through Enterprise Manager, and not the web interface.
Sloan
"Taishi" <taishi_bak@.hotmail.com> wrote in message
news:u54GDcN7DHA.1428@.TK2MSFTNGP12.phx.gbl...
> How can I check the permissions/rights?
> How can I grant the correct permissions/rights?
> Thanks,
> T
> "Greg Obleshchuk" <greg-n-o-s-p-a-m-@.ag-s-o-f-t-w-a-r-e.com> wrote in
> message news:udfB$CE7DHA.2568@.TK2MSFTNGP10.phx.gbl...
> dbcreator
server
> the
granted;
maintain
> Documentation
Extended
> extraction
in
'D:\Program
not
> a
>You might want to investigate this Open Source solution:
"ASP Enterprise Manager is a web-based interface for Microsoft SQL Server
and MSDE written using ASP.Net, VB.Net and C#.Net. This project was
developed to allow many SQL Server and MSDE design and administration tasks
to be performed from any computer with a web browser. "
http://www.aspenterprisemanager.com/
http://sourceforge.net/projects/asp-ent-man/
"Taishi" <taishi_bak@.hotmail.com> wrote in message
news:edfyhn97DHA.3860@.tk2msftngp13.phx.gbl...
> New user of SQL
> Everything is on the same machine
> My error is close to the bottom
> After reading it today, I can see there is a problem with 2 dbases
> 'PUBS' and 'Master'
> There are also some comments from the group:
> --microsoft.public.sqlserver.odbc-- subject: Permission Denied -- Thanks
> for help guys
> I was able to find a trial version of the Enterprise Manager.
> It was suggested to make the post over in dotnet.framework. I am new to
> SQL. I can see the following in the MSDE manager:
> sql server(my machine name\'SDK)
> after I right click on 'PUBS'
> --Users/Roles/Public
> --public
> --machine_name\aspnet
> --guest
> guest is the only one with 5 check marks going across from left to right
> for
> the following:
> Create Table, Create View, Create SP, Create Default, Create Rule
> the following 3 are blank:
> Create Function, Backup DB, and Backup Log
> public has just 1 check mark on
> Create SP
> machine_name\aspnet is blank from left to right.
> CREATE DBASE right is not displayed.
> How can I solve my Permission denied error problem?
> Thanks for the help,
> Taishi
>
>
>
> --Comments--
> Hi Tashi!
> You can ue Enterprise manager to set the rights. Locate the table, and
> right
> click. Select All Tasks, then Manage Permissions. Locate the user that you
> are using in your connection object, and then grant the rights. I agree
> with
> Greg that the web user should not normally have that level of permission.
> One false move and your server and data could be toast. If you are really
> trying to create a table, or attach a database, you should be doing that
> through Enterprise Manager, and not the web interface.
> Sloan
> "Taishi" <taishi_bak@.hotmail.com> wrote in message
> news:u54GDcN7DHA.1428@.TK2MSFTNGP12.phx.gbl...
> server
> granted;
> maintain
> Extended
> in
> 'D:\Program
> not
>|||Hello! Ken:
I posted that website on my other posting(Permission Denied). I will do
some more research and investigating but you told me that I had to install
it on a ASP.net web server' I am a uninitiated, so I'm trying to grasp
the concept.
Hi Tashi!
You'll have to install it on a local ASP.net web server, and then use your
browser to go to the site.
Sloan
Taishi
"Ken Cox [Microsoft MVP]" <BANSPAMken_cox@.sympatico.ca> wrote in message
news:u2gF5VD8DHA.2524@.TK2MSFTNGP11.phx.gbl...
> You might want to investigate this Open Source solution:
>
> "ASP Enterprise Manager is a web-based interface for Microsoft SQL Server
> and MSDE written using ASP.Net, VB.Net and C#.Net. This project was
> developed to allow many SQL Server and MSDE design and administration
tasks
> to be performed from any computer with a web browser. "
> http://www.aspenterprisemanager.com/
> http://sourceforge.net/projects/asp-ent-man/
>
> "Taishi" <taishi_bak@.hotmail.com> wrote in message
> news:edfyhn97DHA.3860@.tk2msftngp13.phx.gbl...
Thanks
you
permission.
really
dbcreator
of
these
denied
>
Everything is on the same machine
My error is close to the bottom
After reading it today, I can see there is a problem with 2 dbases
'PUBS' and 'Master'
There are also some comments from the group:
--microsoft.public.sqlserver.odbc-- subject: Permission Denied -- Thanks
for help guys
I was able to find a trial version of the Enterprise Manager.
It was suggested to make the post over in dotnet.framework. I am new to
SQL. I can see the following in the MSDE manager:
sql server(my machine name\'SDK)
after I right click on 'PUBS'
--Users/Roles/Public
--public
--machine_name\aspnet
--guest
guest is the only one with 5 check marks going across from left to right for
the following:
Create Table, Create View, Create SP, Create Default, Create Rule
the following 3 are blank:
Create Function, Backup DB, and Backup Log
public has just 1 check mark on
Create SP
machine_name\aspnet is blank from left to right.
CREATE DBASE right is not displayed.
How can I solve my Permission denied error problem?
Thanks for the help,
Taishi
--Comments--
Hi Tashi!
You can ue Enterprise manager to set the rights. Locate the table, and right
click. Select All Tasks, then Manage Permissions. Locate the user that you
are using in your connection object, and then grant the rights. I agree with
Greg that the web user should not normally have that level of permission.
One false move and your server and data could be toast. If you are really
trying to create a table, or attach a database, you should be doing that
through Enterprise Manager, and not the web interface.
Sloan
"Taishi" <taishi_bak@.hotmail.com> wrote in message
news:u54GDcN7DHA.1428@.TK2MSFTNGP12.phx.gbl...
> How can I check the permissions/rights?
> How can I grant the correct permissions/rights?
> Thanks,
> T
> "Greg Obleshchuk" <greg-n-o-s-p-a-m-@.ag-s-o-f-t-w-a-r-e.com> wrote in
> message news:udfB$CE7DHA.2568@.TK2MSFTNGP10.phx.gbl...
> dbcreator
server
> the
granted;
maintain
> Documentation
Extended
> extraction
in
'D:\Program
not
> a
>You might want to investigate this Open Source solution:
"ASP Enterprise Manager is a web-based interface for Microsoft SQL Server
and MSDE written using ASP.Net, VB.Net and C#.Net. This project was
developed to allow many SQL Server and MSDE design and administration tasks
to be performed from any computer with a web browser. "
http://www.aspenterprisemanager.com/
http://sourceforge.net/projects/asp-ent-man/
"Taishi" <taishi_bak@.hotmail.com> wrote in message
news:edfyhn97DHA.3860@.tk2msftngp13.phx.gbl...
> New user of SQL
> Everything is on the same machine
> My error is close to the bottom
> After reading it today, I can see there is a problem with 2 dbases
> 'PUBS' and 'Master'
> There are also some comments from the group:
> --microsoft.public.sqlserver.odbc-- subject: Permission Denied -- Thanks
> for help guys
> I was able to find a trial version of the Enterprise Manager.
> It was suggested to make the post over in dotnet.framework. I am new to
> SQL. I can see the following in the MSDE manager:
> sql server(my machine name\'SDK)
> after I right click on 'PUBS'
> --Users/Roles/Public
> --public
> --machine_name\aspnet
> --guest
> guest is the only one with 5 check marks going across from left to right
> for
> the following:
> Create Table, Create View, Create SP, Create Default, Create Rule
> the following 3 are blank:
> Create Function, Backup DB, and Backup Log
> public has just 1 check mark on
> Create SP
> machine_name\aspnet is blank from left to right.
> CREATE DBASE right is not displayed.
> How can I solve my Permission denied error problem?
> Thanks for the help,
> Taishi
>
>
>
> --Comments--
> Hi Tashi!
> You can ue Enterprise manager to set the rights. Locate the table, and
> right
> click. Select All Tasks, then Manage Permissions. Locate the user that you
> are using in your connection object, and then grant the rights. I agree
> with
> Greg that the web user should not normally have that level of permission.
> One false move and your server and data could be toast. If you are really
> trying to create a table, or attach a database, you should be doing that
> through Enterprise Manager, and not the web interface.
> Sloan
> "Taishi" <taishi_bak@.hotmail.com> wrote in message
> news:u54GDcN7DHA.1428@.TK2MSFTNGP12.phx.gbl...
> server
> granted;
> maintain
> Extended
> in
> 'D:\Program
> not
>|||Hello! Ken:
I posted that website on my other posting(Permission Denied). I will do
some more research and investigating but you told me that I had to install
it on a ASP.net web server' I am a uninitiated, so I'm trying to grasp
the concept.
Hi Tashi!
You'll have to install it on a local ASP.net web server, and then use your
browser to go to the site.
Sloan
Taishi
"Ken Cox [Microsoft MVP]" <BANSPAMken_cox@.sympatico.ca> wrote in message
news:u2gF5VD8DHA.2524@.TK2MSFTNGP11.phx.gbl...
> You might want to investigate this Open Source solution:
>
> "ASP Enterprise Manager is a web-based interface for Microsoft SQL Server
> and MSDE written using ASP.Net, VB.Net and C#.Net. This project was
> developed to allow many SQL Server and MSDE design and administration
tasks
> to be performed from any computer with a web browser. "
> http://www.aspenterprisemanager.com/
> http://sourceforge.net/projects/asp-ent-man/
>
> "Taishi" <taishi_bak@.hotmail.com> wrote in message
> news:edfyhn97DHA.3860@.tk2msftngp13.phx.gbl...
Thanks
you
permission.
really
dbcreator
of
these
denied
>
Subscribe to:
Posts (Atom)