1and1 Help Centre Categories

print article

Common Causes of ASP.NET Errors

If you are frequently receiving errors using ASP.NET, refer to the instructions below to resolve the error.

Restrictions through Code Access Security

In a shared hosting environment ASP.NET has been restricted for security reasons. These restrictions are based on the .NET feature Code Access Security (CAS). In dedicated hosting (e.g. 1&1 Server Windows) these restrictions are not necessary, as ASP.NET Code can work FullTrust.

CAS will grant ASP.NET only access to the following critical resources that hold particular CAS permissions:

  • DnsPermission to perform DNS queries
  • FileIOPermission to read and write files within application directory (if not restricted by Windows ACLs)
  • ReflectionPermission to reflect public members of a type with "NoFlags"
  • SecurityPermission with Execution, ControlThread and ControlPrincipal
  • SqlClientPermission to access SQL Server with classes of System.Data.SqlClient
  • WebPermission to perform HTTP requests, e.g. to use external XML Web Services. (The access must be done using a proxy server.)

If ASP.NET code tries to access restricted resources or to use restricted functions that required more than the given permissions, an exception will be raised. To receive a detailed error message, set the option "CustomErrors" to value "off" in file "web.config".

Please note:
Refer to the other information about the correct location of "web.config" in combination with IIS application borders as well as security relevant implications.

CAS error messages will be raised as "SecurityException: The application attempted to perform an operation not allowed by the security policy." The item "Exception Details" will refer to the missing permission: "Request for the permission of type XYZ failed".

"Stack Trace" indicates which part of the code caused the exception. Use .NET Framework Documentation to check which CAS Permission the respective code will require. There are alternatives like using a relative path within application directory instead of an absolute path.

Error Messages caused by Fulltrust Issues

The .NET Framework that will only work in a FullTrust environment, an environment that has no restrictions with CAS permissions. This function is not used in a protected environment.

The following functionality will not be available in a protected environment:

  • Classes that explicitly demand FullTrust like classes in namespaces "System.Data.OleDb" and "System.Data.Odbc"
  • Pre-installed Assemblies in Global Assembly Cache (GAC), that are not marked with Attribute "AllowPartiallyTrustedCallers", e.g. "System.EnterpriseServices.dll"
  • Custom, uploaded assemblies that carry a "StrongName" but are not marked with Attribute "AllowPartiallyTrustedCallers" (many components of third party vendors and Microsoft additions).

With "System.Security.SecurityException: Security error", the item "Exception Details" will wrongly indicate that debugging should be activated.

To access SQL Server, use the specialised classes from System.Data.SqlClient. To use a component that carries a strong name, you can apply the attribute "AllowPartiallyTrustedCallers" or remove the strong name before compiling your own version.
Use the .NET Framework tool "secutil.exe" to determine if an Assembly carries a StrongName: secutil -s [Assembly.dll]

Please note:
The .NET Framework tool "ildasm.exe" gives you inside into the Assembly Manifest to see if the attribute "AllowPartiallyTrustedCallers" has been applied: ildasm [Assembly.dll]
Error Messages caused by Declarative Security Attributes

If an Assembly is marked with declarative Security Attributes, you can express the special CAS permissions with the .NET Framework tool "permview.exe": permview /decl [Assembly.dll]

If the stated permissions cannot be granted, the respective Assembly will not be loaded. The resulting error message misleadingly points to the global configuration file "machine.config".
The real cause is the declarative Security Attributes. The removal of those attributes followed by recompiling normally will not help. The functionality inside the component must be changed to work without the critical permissions.

For additional information, you may want to reference: