CASPOL, Webfarms & content located on remote network devices

This article covers the CAS (Code Access Security) challenges we had when ASPFree.com was moved to Orcsweb.com. We’ll discuss setting up web servers using IIS 6.0 and Windows .NET 2003 RC 1, and how CAS became an issue when published content was stored on a remote NAS (Network Appliance Server/Storage) or Windows File Share. Our intention isn’t to make you an expert in the architecture of CAS; there is a very good White Paper already published by Microsoft. This article explains the issues we experienced with CAS and the steps we used to resolve them. It is intended for anyone responsible for configuring, developing or deploying .NET applications using a web-farm, or a winforms application where the .NET framework is installed on a client and part or all of the .NET application is deployed on the network.

Original Hosting Setup

Before diving into the details, it will help to understand how ASPFree.com was set up before moving to Orcsweb.com. This was a very simple architecture: one web server running Windows 2000 and the .NET framework w/SP 2, and a single database server running Windows 2000 w/MS SQL Server 7.0. The content was on the web server; when code changes were published, all content, DLLs and objects were on the same server running the .NET framework, so CAS rules only applied locally.

Here is a picture of the original ASPFree.com hosting setup. 

Moving ASPFree.com to a Web-Farm or Web Cluster?

A web-farm is multiple web servers acting as one to service client requests. In theory, this should provide better scalability, redundancy and performance. Many managed hosting providers and enterprises use solutions that have code running on more than one server to service applications. One of the reasons ASPFree.com was moved to Orcsweb was to get a high-availability solution using redundant servers. Define redundant servers, you ask? There are some differences between a Web-Farm and a Cluster; the term is a pet peeve of mine and is often misunderstood.

A Web-farm allows for redundant servers to provide high availability but doesn’t provide fault tolerance. When Clustering Services is deployed, it provides a high-availability solution that also includes fault tolerance and the intelligence to handle failures. What is the big difference, you ask? When an outage occurs in a web-farm, people attached to that particular server are impacted. In a Cluster Services scenario, their transactions would be continued on another server acting as a backup. (More information on Cluster Services)

IT managers and business customers hear the term "clustering" and assume that because their application is deployed in a "cluster" there won’t be outages. Much depends on how applications are coded and deployed: whether Session State is used, COM+, load-balancing devices, NLB, or whatever. When coding enterprise applications, understanding the architecture of how the application may or may not be deployed is a must.

Managing/Deploying Content in a Web-farm

There are a couple of options when deploying applications using multiple servers that execute .NET applications. Option one requires every server to be loaded the same, including the same software, content, code and objects. There are technologies such as RoboCopy, Application Center 2000 and XCOPY scripts to deploy the files to all servers in the web-farm. If you have deployed a win-forms application, the scenario is the same: all servers that are serving the application have to be configured the same.

The second option uses IIS 6 with content deployed to one location on the network that is accessed using a UNC path. All web servers are loaded with the same software as they are in option one, with one major difference: all content is stored on a NAS (Network attached storage or Windows File Share) and configured for access via a UNC path. Both of these architectures have advantages and disadvantages. From a developer’s perspective, having multiple web servers and only one location where the code is deployed is easier to understand and troubleshoot, because content isn’t replicated to multiple servers acting as one. In option one, when troubleshooting an application, the developer has to put his faith in the network administrators deploying everything the same. This can get very complicated if multiple components need to be added or changed on more than one server.

Content Deployed on All Web Servers

Content deployed on NAS Device/Windows File Share accessed by all servers in web-farm

Option two has one major drawback: security when accessing files across the network. This is what we ran into on ASPFree.com. Our site is deployed on multiple servers running Windows .NET 2000 RC 1 and the content is on a NAS device. Everything was working, but some web pages were getting the following error when they tried to execute.

Exception Details: System.Security.SecurityException: Security error.

Source Error:

Line 57:         private static System.Collections.ArrayList __fileDependencies;
Line 58:
Line 59:         public Default_aspx() {
Line 60:             System.Collections.ArrayList dependencies;
Line 61:             if ((ASP.Default_aspx.__intialized == false)) {


Source File: D:ASPNetTempauthors_gfweis3070428c5b9f07db9nidezwv.0.cs
Line: 59

Stack Trace:

[SecurityException: Security error.]
   GfWeis._Default..ctor() +0
   ASP.Default_aspx..ctor() in D:ASPNetTempauthors_gfweis3070428c5b9f07db9nidezwv.0.cs:59

CASPOL to the Rescue

What is CASPOL? It is a command-line utility for adjusting the security policy of the CLR and .NET framework. There are also two MMC snap-ins under Administrative Tools to help adjust the CAS settings. To see everything CASPOL can do, open a command prompt and type CASPOL /? Be very careful before adjusting these settings. This shouldn’t be done on your production server! Always test on a development server to understand what settings are needed before deploying. There is much more information on MSDN about CASPOL, as well as many other tools provided by the .NET framework: Code Access Security Policy Tool (Caspol.exe) (allows you to examine and modify machine, user, and enterprise-level code access security policies).

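Here is the command that did the trick!
caspol -m -ag 1 -url "file://\\NASSERVER\ASPFREE\*" FullTrust -exclusive on

Reading it left to right: -m works on the machine policy level, -ag 1 adds a new code group under group 1 (the root All_Code group), -url is the membership condition that matches code loaded from that UNC path, FullTrust is the permission set granted, and -exclusive on makes this group’s grant the only one considered at this policy level for code that matches it.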

Here are a couple of troubleshooting commands we used.

  • caspol -s off  //This turns off CAS security
  • caspol -s on //This turns on CAS Security
  • caspol -rs  //Resets CAS security.

 

Some interesting quotes from Erik Olson (Program Manager for Security @ Microsoft.)

"1) ASP.NET V1.0 requires full trust so any code that’s not full trust will fail categorically.  If policy isn’t altered for the NAS share, I would expect it to always fail whenever the URL is in the Intranet zone.  The way you can tell is to type the NAS address into an IE address bar.   Whatever zone IE reports in the bottom is the zone the CLR thinks it’s in.
 
2) It’s in a security.config XML file in %windir%\Microsoft.Net\Frameworks\{version}\config.  It does need to be done either once per machine or the file needs to be replicated.
3) It’s up to you.  If you have a single NAS device that everything points at, you could trust the root of the nas device, e.g. \\NAS\* or \\NAS\site1\*, \\NAS\site2\*, whichever you prefer.   The important thing is that for V1.0, the file location of the code needs to be full trust.  There’s a tool in the snapin available from the control panel that lets you point at a piece of code and evaluate what matches (right click on the Security node and choose Evaluate assembly).
3c) This is on top of the OS access control–it’s just another layer.  Whatever user you’re using still has to have access–code access security can’t ever elevate your permissions.  It is just another layer on top of OS security.  Saying something is full trust just means that the CLR won’t further sandbox the OS account that’s accessing it.  It doesn’t mean that you have any additional privileges on top of what OS access allows.  The statements we have been showing set machine policy.  There is a user policy level and it is possible to administer things at that level, although I’d generally recommend doing it at the machine level."
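
Points 2 and 3 of the quote suggest a check worth running on every server in the farm: which code groups in the policy file grant FullTrust to a UNC path, and how wide each grant is. The following Python sketch is an added example, not code from the article or from Microsoft; the XML fragment is constructed, and its element and attribute names (CodeGroup, IMembershipCondition, PermissionSetName, Attributes, Url) are assumptions modelled on the .NET 1.x policy file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a machine-level policy fragment (assumed layout).
SAMPLE_POLICY = r"""
<PolicyLevel version="1">
  <CodeGroup class="UnionCodeGroup" PermissionSetName="Nothing" Name="All_Code">
    <IMembershipCondition class="AllMembershipCondition" version="1"/>
    <CodeGroup class="UnionCodeGroup" PermissionSetName="FullTrust" Name="My_Computer_Zone">
      <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="MyComputer"/>
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" PermissionSetName="FullTrust" Attributes="Exclusive" Name="AspFreeShare">
      <IMembershipCondition class="UrlMembershipCondition" version="1" Url="file://\\NASSERVER\ASPFREE\*"/>
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" PermissionSetName="FullTrust" Name="WholeNas">
      <IMembershipCondition class="UrlMembershipCondition" version="1" Url="file://\\NAS\*"/>
    </CodeGroup>
  </CodeGroup>
</PolicyLevel>
"""

def unc_scope(url):
    """Return (server, scope) for a file:// UNC URL, or None for anything else."""
    if not url.lower().startswith("file://"):
        return None
    path = url[len("file://"):].replace("/", "\\")
    if not path.startswith("\\\\"):
        return None
    parts = [p for p in path.strip("\\").split("\\") if p and p != "*"]
    if not parts:
        return None
    # One part = every share on the server, two = one share, more = a folder below it.
    return parts[0].upper(), {1: "server", 2: "share"}.get(len(parts), "folder")

def audit(policy_xml):
    """List every code group that grants FullTrust to a UNC URL, with its breadth."""
    findings = []
    for group in ET.fromstring(policy_xml).iter("CodeGroup"):
        cond = group.find("IMembershipCondition")  # direct child only
        kind = "" if cond is None else cond.get("class", "").split(",")[0].split(".")[-1]
        if kind != "UrlMembershipCondition" or group.get("PermissionSetName") != "FullTrust":
            continue
        scope = unc_scope(cond.get("Url", ""))
        if scope:
            findings.append({"name": group.get("Name", ""), "url": cond.get("Url"),
                             "server": scope[0], "scope": scope[1],
                             "exclusive": "Exclusive" in group.get("Attributes", ""),
                             "too_broad": scope[1] == "server"})
    return findings
```

Running audit() over the policy file copied from each web server and comparing the results shows whether the grant was replicated consistently and whether any server trusts a whole NAS device where a single share would do.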

In conclusion

I hope this article will help those using the .NET framework troubleshoot applications that are deployed on the network. This particular scenario applies to the ASPFree.com website, which involves Windows .NET 2003 Server/IIS 6. The same situation could also apply to a Rich Client application where the .NET framework is deployed on a client and the Winforms app is on a network file server. The file server could be a Novell File Server, Windows Share or NAS device, or a Citrix/Metaframe/Terminal Server app server could be acting as the client with the .NET application deployed on a remote server. Being aware of how CAS and CLR security work can save hours and weeks of troubleshooting why things aren’t working. A big thanks to the entire Orcsweb WebTeam for helping track this down. ASPFree.com has been up 100% of the time since switching over to Orcsweb clustered solutions. So for next time, we’ll see you “IN THE TRENCHES”.