Windows Azure Application launch failed with an error "This access control list is not in canonical form and therefore cannot be modified"

Environment: Visual Studio 2010 Professional SP1 & Windows Azure SDK 1.5


While working on an issue, I found an interesting issue with a new "hello world" ASP.NET-based web role. When launching this application, with or without the debugger, the exception below was generated:


System.ServiceModel.FaultException`1 was unhandled
Message=This access control list is not in canonical form and therefore cannot be modified.
Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at IConfigurator.Deploy(String roleId, WebAppModel webAppModelPath, String roleRootDirectory, String sitesDestinationRootDirectory, String diagnosticsRootDirectory, String roleGuid, Dictionary`2 globalEnvironment)
at Microsoft.WindowsAzure.Hosts.WaIISHost.Program.Main(String[] args)



At the point when the exception occurred, if you open the IIS Manager application (Inetmgr.exe) you will see that the site is actually running and has a binding set to an IP address similar to and if you browse this URL, it does show your ASP.NET web application. So the problem is mainly related to the interaction between the compute emulator and the IIS components. After digging for a few more minutes, I was not able to find the actual root cause; however, I found a workaround.


Here is what I tried which did not work:

  • Reinstalling Windows Azure SDK 1.5
  • Disabling and then enabling IIS from Programs and Features


What worked:

  • When I ran the web role in legacy mode (HWC) by commenting out the whole Sites section in the CSDEF, the exception disappeared.

<Added on 10/20/2011> Solution:

After more investigation it was clear that this issue is caused by a registry key permission issue. To fix this particular issue, try:

  1. Open regedit
  2. Right-click on HKLM\Software\Microsoft\Windows Azure, and choose Re-Order

Unfortunately, if HWC is not an option for you, then the faster method is to get a new OS and tools to get you going.
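
The Re-Order prompt in regedit rewrites the key's permission entries in canonical order: explicit deny, then explicit allow, then inherited entries. The PowerShell below is an added example, not code from the original post or the Azure SDK. It reports whether the key named above has a non-canonical DACL and, only when called with -Fix, applies the same reordering. The function name and the -Fix switch are hypothetical, and it assumes an elevated prompt.

```powershell
function Repair-RegistryDaclOrder {
    param(
        [string]$SubKey = 'Software\Microsoft\Windows Azure',  # HKLM subkey named in the post
        [switch]$Fix                                           # without -Fix the function only reports
    )
    $rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if ($key -eq $null) { throw "HKLM\$SubKey does not exist" }
    try {
        $sections = [System.Security.AccessControl.AccessControlSections]::Access
        $acl = $key.GetAccessControl($sections)
        # .NET refuses to modify an ACL for which this property is false,
        # which is the condition behind the message in the stack trace above.
        if ($acl.AreAccessRulesCanonical) { return 'canonical' }
        if (-not $Fix) { return 'non-canonical' }

        # Work on the raw descriptor: the managed rule APIs throw on a non-canonical ACL.
        $sddl = $acl.GetSecurityDescriptorSddlForm($sections)
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
        $dacl = $sd.DiscretionaryAcl

        # Three buckets; entries keep their relative order inside each bucket,
        # so inherited ACEs stay in the order in which they were inherited.
        $deny = @(); $allow = @(); $inherited = @()
        foreach ($ace in $dacl) {
            if ($ace.IsInherited) { $inherited += $ace }
            elseif ($ace.AceQualifier -eq 'AccessDenied') { $deny += $ace }
            else { $allow += $ace }
        }
        $ordered = New-Object System.Security.AccessControl.RawAcl -ArgumentList $dacl.Revision, $dacl.Count
        foreach ($ace in ($deny + $allow + $inherited)) {
            $ordered.InsertAce($ordered.Count, $ace)   # append at the end
        }
        $sd.DiscretionaryAcl = $ordered

        # Replace the DACL wholesale, then write it back to the key.
        $acl.SetSecurityDescriptorSddlForm($sd.GetSddlForm($sections), $sections)
        $key.SetAccessControl($acl)
        return 'reordered'
    }
    finally { $key.Close() }
}
```

Calling `Repair-RegistryDaclOrder` with no arguments only reports the state of the key; export the key's permissions or take a registry backup before running it with `-Fix`.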


Comments (5)

  1. Anon says:

    Your suggestion to do the 're-order' under the above registry key helped me get rid of this issue – and I can continue to run under full IIS.


  2. Thanks!! I am glad you could solve your problem.


  3. stevenh-msft says:

    Your suggestion also worked for me; I didn't find the "re-order" command immediately, but got it after selecting the permissions menu.

    Thanks a lot !

  4. VBNeo says:

    Thank you Thank you Thank you. Also, thank you to stevenh64 for pointing out the reorder is in the permissions feature. Fixed my problem. 🙂

  5. Cameron says:

    Thank you! The "re-order" solution did the trick for me.
