Medium Trust Level with Included License.licx file failing

[DaleBingham]

We have a .NET 4.0 ASP C# project that is a web app using dotConnect to connect to Oracle 11g. We are now moving to a Win2K8 R2 IIS 7.5 server and the data center we use has the site for us set to Medium Trust for .NET. We did the steps to include the Properties/license.licx file in our builds and the files are deployed to the server with proper read access. However we still get this error below saying we do not have access to read the registry for some reason. If we set it at High_Trust we get the same problem. Only at Full Trust does it work correctly.

We are using VS.NET 2012 and we have the latest dotConnect for Oracle installed if that matters. Any help is appreciated! We can get the same error to duplicate on our local test server under Win2K8 medium_trust as well.

*****************************************************
Here is the info from the event log:

Exception type: OracleException
Exception message: Cannot retrieve information from registry to check if the Devart provider is installed. This issue occurs when generating or validating the license resource. The details of the problem: Request for the permission of type 'System.Security.Permissions.RegistryPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
at Devart.Data.Oracle.OracleConnection.Open()
at Devart.Data.Oracle.Linq.Provider.OracleDataProvider.Initialize(Object connection)
at Devart.Data.Linq.DataProvider.a(IDataServices A_0, Object A_1)
at Devart.Data.Linq.DataContext.a(Object A_0, MappingSource A_1, Type A_2)

[Pinturiccio]

The following permissions are required by dotConnect for Oracle in a partially trusted environment (this mostly concerns web projects):
I. Direct mode - medium trust plus SocketPermission.
For more information, please refer to http://www.devart.com/dotconnect/oracle ... yment.html

So, you should do the following:
1) Open the C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config folder(the 'v4.0.30319' folder should correspond to the Framework version, in which the application is executed;
2) Open the web_mediumtrust.config file;
3) Add the following record to the <SecurityClasses> section:

Code: Select all

<SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=4.0.0.0, 
Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

4) Add the following record to the <NamedPermissionSets> section:

Code: Select all

<IPermission
	class="SocketPermission"
        version="1"
        Unrestricted="true"
/>

II. OCI mode - medium trust plus ReflectionPermission, RegistryPermission, EnvironmentPermission for PATH environment variable, FileIOPermission for Oracle Client.

So, you should do the following:
1) Open the C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config folder(the 'v4.0.30319' folder should correspond to the Framework version, in which the application is executed;
2) Open the web_mediumtrust.config file;
3) Add the following record to the <SecurityClasses> section:

Code: Select all

<SecurityClass Name="ReflectionPermission" Description="System.Security.Permissions.ReflectionPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<SecurityClass Name="EnvironmentPermission" Description="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
yClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

4) Add the following record to the <NamedPermissionSets> section:

Code: Select all

<IPermission
	class="ReflectionPermission"
        version="1"
        Unrestricted="true"
/>
<IPermission
	class="RegistryPermission"
        version="1"
        Unrestricted="true"
/>
<IPermission
	class="EnvironmentPermission"
        version="1"
        Read="PATH"
/>
<IPermission
	class="FileIOPermission"
        version="1"
        Read="Oracle Client location folder"
        Write="Oracle Client location folder"
        Append="Oracle Client location folder"
        PathDiscovery="Oracle Client location folder"
/>

[DaleBingham]

We are in direct mode so I will work with my admins on that to see if that will be allowed. I will let you know. Thank you much for the quick reply!!

[DaleBingham]

I did these modifications in both the Framework and Framework64 config directory files. I get the same exact error still so that did not work.

"Cannot retrieve information from registry to check if the Devart provider is installed. This issue occurs when generating or validating the license resource. The details of the problem: Request for the permission of type System.Security.Permissions.RegistryPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed."

I verified in the ./bin/Properties/ directory we have the licenses.licx file and it has the version 8.1.45.0 listed in there.

Our connection string is below, minus the real information of course.

Code: Select all

<connectionStrings>
	<add name="DBConnectionString" connectionString="User Id=XXXXXXXXXX;Password=YYYYYYYYYY;Server=nn.nn.nn.nn;Direct=True;Sid=MYORACLESIDNAME;" />
</connectionStrings>

[DaleBingham]

If I do the High Trust, I get this error even though we followed the steps on the licensing.

"License not found. Please view "Licensing" topic in dotConnect for Oracle documentation for details or contact Devart technical support. "

Only in "Full Trust" does it work, and it works 100% in Full Trust.

[Pinturiccio]

You need to apply the following changes in order to use the Direct mode in medium trust applications:
1) Open the C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config folder(the 'v4.0.30319' folder should correspond to the Framework version, in which the application is executed;
2) Open the web_mediumtrust.config file;
3) Add the following record to the <SecurityClasses> section:

Code: Select all

<SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=4.0.0.0, 
Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

4) Add the following record to the <NamedPermissionSets> section:

Code: Select all

<IPermission
	class="RegistryPermission"
        version="1"
        Unrestricted="true"
/>
<IPermission class="SocketPermission" version="1" Unrestricted="true" />

Additionally change the existing record in the following way:

Code: Select all

<IPermission class="SecurityPermission" version="1" Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration, SkipVerification, UnmanagedCode, SerializationFormatter"/>

If I do the High Trust, I get this error even though we followed the steps on the licensing.

We have reproduced the issue with the high trust level. The same exception is now reproduced with the medium trust level. We will investigate it and post here about the results as soon as possible.

As a temporary workaround, you can tweak the medium trust level or use the high trust level and install dotConnect for Oracle with the "Minimal installation" setting on your Win2K8 R2 computer.

[DaleBingham]

I did all this, changed the trust level back to Medium for that app. And restarted the box.

Now I don't get the security permission, I get the "license not found" error under medium trust. And the license is in the app root/bin/Properties/licenses.licx file as required.

[Pinturiccio]

Now I don't get the security permission, I get the "license not found" error under medium trust. And the license is in the app root/bin/Properties/licenses.licx file as required.

This means you have made correct changes for medium trust level. The "License not found..." exception is caused by an error in our provider.

We have fixed this bug with deserialization of a license resource in ASP.NET applications, running with medium or high trust level. We will post here when the corresponding build of dotConnect for Oracle is available for download.

As a temporary workaround, you can tweak the medium trust level or use the high trust level and install dotConnect for Oracle with the "Minimal installation" setting on your Win2K8 R2 computer.

[Pinturiccio]

We have fixed the bug with deserialization of a license resource in ASP.NET applications, running with medium or high trust level. New build of dotConnect for Oracle 8.3.161 is available for download!
It can be downloaded from http://www.devart.com/dotconnect/oracle/download.html (trial version) or from Registered Users' Area (for users with valid subscription only).
For more information, please refer to http://forums.devart.com/viewtopic.php?t=29592

[DaleBingham]

We are at a point now in our DEV cycle that I can test this. I am working on it today on Win2K8 to see if our problem is resolved. Thank you!

[DaleBingham]

A little better. Now with the latest DLL and the medium trust config file updates above it can load under HIGH Trust for the app. Medium Trust however just gives a generic error with no specifics about it after the "details:"

So no go with medium trust still for some reason. And this is the only error I can find in the event logs on the box. I recompiled the project and made sure all updated DLLs were out there.

---------------------------------------------------------------------

Event code: 4010
Event message: An unhandled security exception has occurred.
Event time: 6/2/2014 1:24:56 PM
Event time (UTC): 6/2/2014 5:24:56 PM
Event ID: cbb597afd9d5413e8535beb741e31453
Event sequence: 2
Event occurrence: 1
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/2/ROOT-1-130462034946256714
Trust level: Medium
Application Virtual Path: /
Application Path: C:\websites\xxxxxxx.xxxxxxx.com\
Machine name: DEV-SERVERNAME

Process information:
Process ID: 1244
Process name: w3wp.exe
Account name: IIS APPPOOL\xxxxxxx.xxxxxxx.com

Request information:
Request URL: http://xxxxxxx.xxxxxxx.com/
Request path: /
User host address: 10.xx.xx.xx
User:
Is authenticated: False
Authentication Type:
Thread account name: IIS APPPOOL\xxxxxxx.xxxxxxx.com

Custom event details:

[Pinturiccio]

Please send us your web_mediumtrust.config file.

Please also try getting the message and and stack trace of the exception and all inner exceptions. For this try attaching a Visual Studio instance to your application and debug it:
1. Run Visual Studio instance;
2. In the open Visual Studio instance on the Debug menu click Attach to Process.
3. In the displayed window, select the process of the IIS;
4. Run your application;
5. When the exception is raised, Visual Studio must catch it and display this information.
Please send us this information.

[DaleBingham]

The config file is pasted below. I cannot remotely connect to the server to attach to the IIS process unfortunately. We have Win2K8 on 64-bit so the mediumtrust config files in the framework and framework64 were both updated.
================================================================================

Code: Select all

<configuration>
    <mscorlib>
        <security>
            <policy>
                <PolicyLevel version="1">
                    <SecurityClasses>
                        <SecurityClass Name="AllMembershipCondition" Description="System.Security.Policy.AllMembershipCondition, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="AspNetHostingPermission" Description="System.Web.AspNetHostingPermission, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="DnsPermission" Description="System.Net.DnsPermission, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="EnvironmentPermission" Description="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="FirstMatchCodeGroup" Description="System.Security.Policy.FirstMatchCodeGroup, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="IsolatedStorageFilePermission" Description="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>
                        <SecurityClass Name="PrintingPermission" Description="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
                        <SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="SmtpPermission" Description="System.Net.Mail.SmtpPermission, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="SqlClientPermission" Description="System.Data.SqlClient.SqlClientPermission, System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="StrongNameMembershipCondition" Description="System.Security.Policy.StrongNameMembershipCondition, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="TypeDescriptorPermission" Description="System.Security.Permissions.TypeDescriptorPermission, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="UIPermission" Description="System.Security.Permissions.UIPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="UnionCodeGroup" Description="System.Security.Policy.UnionCodeGroup, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="UrlMembershipCondition" Description="System.Security.Policy.UrlMembershipCondition, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="WebPermission" Description="System.Net.WebPermission, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="ZoneMembershipCondition" Description="System.Security.Policy.ZoneMembershipCondition, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="ReflectionPermission" Description="System.Security.Permissions.ReflectionPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
			<SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
			<SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                    </SecurityClasses>
                    <NamedPermissionSets>
                        <PermissionSet
                                class="NamedPermissionSet"
                                version="1"
                                Unrestricted="true"
                                Name="FullTrust"
                                Description="Allows full access to all resources"
                        />
                        <PermissionSet
                                class="NamedPermissionSet"
                                version="1"
                                Name="Nothing"
                                Description="Denies all resources, including the right to execute"
                        />
                        <PermissionSet
                                class="NamedPermissionSet"
                                version="1"
                                Name="ASP.Net">
                            <IPermission
                                    class="AspNetHostingPermission"
                                    version="1"
                                    Level="Medium"
                            />
                            <IPermission
                                    class="DnsPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="EnvironmentPermission"
                                    version="1"
                                    Read="TEMP;TMP;USERNAME;OS;COMPUTERNAME"
                            />
                            <IPermission
                                    class="FileIOPermission"
                                    version="1"
                                    Read="$AppDir$"
                                    Write="$AppDir$"
                                    Append="$AppDir$"
                                    PathDiscovery="$AppDir$"
                            />
                            <IPermission
                                    class="IsolatedStorageFilePermission"
                                    version="1"
                                    Allowed="AssemblyIsolationByUser"
                                    UserQuota="9223372036854775807"
                            />
                            <IPermission
                                    class="PrintingPermission"
                                    version="1"
                                    Level="DefaultPrinting"
                            />
                            <IPermission
                                    class="SecurityPermission"
                                    version="1"
                                    Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration, SkipVerification, UnmanagedCode, SerializationFormatter"
                            />
                            <IPermission
                                    class="SmtpPermission"
                                    version="1"
                                    Access="Connect"
                            />
                            <IPermission
                                    class="SqlClientPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="TypeDescriptorPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="WebPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="ReflectionPermission"
                                    version="1"
                                    Flags="RestrictedMemberAccess"/>
			    <IPermission class="RegistryPermission" version="1" Unrestricted="true" />
			    <IPermission class="SocketPermission" version="1" Unrestricted="true" />
                        </PermissionSet>
                    </NamedPermissionSets>
                    <CodeGroup
                            class="FirstMatchCodeGroup"
                            version="1"
                            PermissionSetName="Nothing">
                        <IMembershipCondition
                                class="AllMembershipCondition"
                                version="1"
                        />
                        <CodeGroup
                                class="UnionCodeGroup"
                                version="1"
                                PermissionSetName="ASP.Net">
                            <IMembershipCondition
                                    class="UrlMembershipCondition"
                                    version="1"
                                    Url="$AppDirUrl$/*"
                            />
                        </CodeGroup>
                        <CodeGroup
                                class="UnionCodeGroup"
                                version="1"
                                PermissionSetName="ASP.Net">
                            <IMembershipCondition
                                    class="UrlMembershipCondition"
                                    version="1"
                                    Url="$CodeGen$/*"
                            />
                        </CodeGroup>
                    </CodeGroup>
                </PolicyLevel>
            </policy>
        </security>
    </mscorlib>
</configuration>

[Pinturiccio]

We could not reproduce the issue. You have a correct web_mediumtrust.config file. Unfortunately without the exception message and stack trace we can't investigate the issue.

Try reproducing it with a local IIS server. Is it reproduced in such case? If yes, try debugging it and get the message and and stack trace of the exception and all inner exceptions.

Please also try executing the code on the server where the issue is reproduced with medium trust level, not using dotConnect for Oracle. Is it reproduced without dotConnect for Oracle?

[DaleBingham]

I do not have IIS with 64-bit Oracle client locally. I will have to see if I can do that in between a development cycle. And w/o dotconnect we would have to rewrite a lot of our code. We have no other software using Oracle that is not 100% tied to dotConnect for our DB work.