My application works from my local machine, but throws a SecurityException when I move it to a network share

Programs that run on the CLR use something called code access security (CAS). CAS is different from traditional security systems in that it assigns trust to code rather than users. To do this, the security system gathers a set of evidence about every assembly it loads. This evidence is then compared against the security policy, and a permission grant is generated. A good reference on CAS can be found here:

One of the pieces of evidence that the security system gathers is the security zone that the code is running from. When you run the code from your local machine, this will be the MyComputer zone, but when you run it off of a server, or even a network share mapped to a drive on your machine, it will be the LocalIntranet zone.

By default any code that is run from the MyComputer zone will get a permission set of FullTrust (unrestricted permission to do anything it pleases). However, by default, there is a more restrictive permission set given to LocalIntranet assemblies.
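
To make the evidence-to-grant step concrete, the following added example (not code from the original post) builds the same kinds of evidence for an assembly path, zone and URL plus the strong name if the file has one, and asks the policy system what it would grant. The class name WhatGrant and the command-line path are placeholders; it assumes a .NET Framework version on which CAS policy is in effect, and it must itself be run from the local disk so that it has FullTrust.

```csharp
// Added example: resolve CAS policy for an assembly the way policy would see it.
// Build:  csc WhatGrant.cs
// Run from a local directory:  WhatGrant.exe <path-to-assembly>
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class WhatGrant
{
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: WhatGrant <path-to-assembly>");
            return 2;
        }

        // Normalise to a file:// URL; UNC paths and mapped drives both work.
        string path = Path.GetFullPath(args[0]);
        string url = new Uri(path).AbsoluteUri;

        // Location-based evidence: where the code comes from.
        Evidence evidence = new Evidence();
        Zone zone = Zone.CreateFromUrl(url);
        evidence.AddHost(zone);
        evidence.AddHost(new Url(url));

        // Identity-based evidence: the strong name, if the assembly carries a
        // public key. This only reads the key from the manifest; it does not
        // verify the signature (sn -v does that).
        AssemblyName name = AssemblyName.GetAssemblyName(path);
        byte[] publicKey = name.GetPublicKey();
        bool signed = publicKey != null && publicKey.Length > 0;
        if (signed)
        {
            evidence.AddHost(new StrongName(
                new StrongNamePublicKeyBlob(publicKey), name.Name, name.Version));
        }

        // Compare the evidence against the security policy.
        PermissionSet grant = SecurityManager.ResolvePolicy(evidence);

        Console.WriteLine("Url:         {0}", url);
        // The SecurityZone enum prints "Intranet" for the LocalIntranet zone.
        Console.WriteLine("Zone:        {0}", zone.SecurityZone);
        Console.WriteLine("Strong name: {0}", signed ? name.FullName : "(not signed)");

        if (grant.IsUnrestricted())
        {
            Console.WriteLine("Grant:       FullTrust (unrestricted)");
            return 0;
        }

        // Partial trust: print the permission set XML so the missing
        // permissions can be compared with what the application demands.
        Console.WriteLine("Grant:       partial trust");
        Console.WriteLine(grant.ToString());
        return 1;
    }
}
```

Running it against the same assembly on the local disk and on the share shows the zone change, and running it again after a policy change shows whether the new code group actually matches.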

There are three ways to make an application that works from the MyComputer zone work from the LocalIntranet zone.

  1. Determine what permissions are being demanded that are causing your application to throw, and try to modify your application to not require these permissions any more. The SecurityException that is being thrown should tell you which demand failed.
  2. Give all the assemblies in your application a strong name, and modify the security policy to trust this strong name. (recommended)
  3. Modify the security policy to fully trust the LocalIntranet zone. (generally a bad idea)

In order to modify the security policy to trust a specific strong name, you’ll first need to sign the assemblies in your application and give them a strong name. To do that, you’ll need to generate a strong name key pair using the sn.exe tool:

  • sn -k mykey.snk

Once you have this key, you’ll need to make sure your assemblies are signed with it. The easiest way to do this is to add an AssemblyKeyFileAttribute to your assembly. In the above example, my attribute would be [AssemblyKeyFile("mykey.snk")]. Note, if you are using Visual Studio to build your projects, you’ll need to put a path relative to the location VS puts your binary assemblies. So if your assembly is built to bin\Release, you’d need to use "..\..\mykey.snk".

In addition to a signature, assemblies need to have a version number to have a strong name.  Make sure your assemblies have the AssemblyVersionAttribute on them if you are going to use a strong name.  You will also need to make sure that you give all of the assemblies in your application the strong name signature.

If you don’t sign your assemblies, and instead decide to modify your security policy to fully trust the Intranet zone, be aware that any application that somebody puts on a network share will be able to run unchecked on your local machine. Since this is a pretty large security hole, it is generally recommended that you trust strong names rather than zones.

The easiest way to modify your security policy is by using the Microsoft .NET Framework Configuration utility from the control panel.  You can also run this tool from the command line by running mscorcfg.msc.

  1. Expand the Runtime Security Policy folder
  2. Expand the Machine policy level
  3. Expand the Code Groups folder

To modify the policy to trust a specific strong name:

  1. Right click on All_Code, and select New
  2. Create a new code group for your strong name, and hit next
  3. Select a strong name membership condition from the drop down box
  4. Hit the import button, and select your assembly.  The configuration tool will import your public key.  If you want to trust everything you sign with this key, leave the name and version boxes unchecked
  5. Select the FullTrust permission set

To modify the policy to allow full trust for all Intranet assemblies:

  1. Expand the All_Code code group
  2. Right click the LocalIntranet_Zone code group, and select properties
  3. Switch to the Permission Set tab, and select FullTrust

Updated 7/30/04: Fixed a typo

Comments (100)

  1. Ann says:

    Good blog!

    Is it true that in order to run an assembly from a network drive with the recommended method, I have to sign every assembly in my company with the same key, and configure every computer manually (including new ones and rebuilt ones) to trust the common key?

    If that’s the case, then the statement "CAS is different from traditional security systems" is pretty right on!

    Anyway, thanks for taking the time to explain this all. I’d love to see some recommendations on the first suggestion (handle Security in code). I’ve seen a lot of posts about Security failures from people trying to read from a DB from the IntranetZone, and their solution is usually just to copy the executable to C:.

  2. Shawn says:

    Yep — the recommended method would require you to modify the policy on all machines (though, you can use AdminUI to create an .MSI file that does this for you automatically). You don’t have to sign everything with the same key, though if you don’t you’ll have to trust every key that you sign assemblies with.

    For handling security in code, you just need to make sure that you know what your application is going to require, and attempt to write it in such a way that it won’t require a large set of permissions. In our upcoming Whidbey release, we’re working on a tool that will help you figure out which permissions your application requires (though it will not be perfect, as this is a very difficult problem to solve).

  3. Andrew Schonberger says:

    I wonder whether granting Full Trust to an application would be a security leak. Even well-meaning, benign applications could be misused. I’d rather define a new permission set. In my case, I intend to have a two-tier and batch apps, which need access to Sql and File I/O.

    My organisation uses a strictly controlled shared drive to deploy applications. Executing from a particular shared drive is a trusted operation. On the other hand, applications vary wildly among themselves, and giving the same access to all of them could be counter-productive.

    I’ve worked at another organisation which was using Novell Launcher, which was able to push local copies of executables onto user’s machines. Frankly, this sounds like a better solution, especially when the infrastructure already exists.

    The complex security model is the price we have to pay to all the malicious hackers. Still, Microsoft could have done a better job at explaining and presenting the model. It is the first dark spot I encounter in Dot Net. Otherwise it is excellent. With a bit of exaggeration, I could say it is the first MS product which stands on its merit.


  4. Shawn says:

    Hi Andrew — that’s a very good point you make there. In fact, I agree that applications should run with the smallest set of permissions they need. While the CAS system does help to prevent overly trusted applications from being tricked by malicious code into doing something bad (since a full stack walk will hit the malicious code, which presumably doesn’t have the level of trust required, and throw), minimizing the set of permissions your application is running with is always a good idea.

    The problem, at least on v1.0 and v1.1, is that it is very hard for developers to figure out exactly what set of permissions they actually need to run with. We’re working very hard to solve that problem on Whidbey in a number of ways. Many of the key improvements are integrated into the Visual Studio environment itself, for instance there will be a "Debug in Zone" feature, that allows developers to say that their app will be run from the intranet, so the debugger should run it with only the intranet set of permissions. This will allow earlier catching of security exceptions, and allow the developer to think of alternate, less-privileged ways of doing things.

    Another VS improvement will be in debugging the security exceptions themselves. There is enhanced security exception support, where the VS debugger will show you what exactly caused the exception and give you tips on solving the problem.

    I plan on writing a post in a few weeks on tools that we’re working on to allow developers to determine exactly what permissions their application requires in order to run. This tool, combined with the enhanced VS support for debugging security problems, should help to enable the least-privilege scenario you describe.

  5. Jane says:

    Hi, Shawn,

    This is a great blog! It clears some of my confusions about CAS.

    I have been stuck and struggling on a problem about .NET remoting. I wonder if you can help me out. I am testing the .NET Remoting architecture for our project. I wrote a small function as a remote object. This function uses SQLHelper class to execute a SQL query against our testing database. The driven application of this function is an ASP.NET application. When I set up and run the applications on my local machine, everything works fine. However, when I move the remote object to another machine in the same Intranet, I keep getting exception:

    Request for the permission of type System.Data.SqlClient.SqlClientPermission

    I modified the security policy to full trust the LocalIntranet Zone on both of the local machine and remote machine (I realize it is not secure but I am so devastating to get it work at the moment that I want to try everything). I still get the same error message. Then I increased the trust level of System.Data.dll to full trust on both machines using .NET Framework Configuration. It still doesn’t work. You suggested that it is also possible that giving the assemblies a strong. However, this assembly is already in the global assembly caches on both machines. I don’t think it is necessary to do that. Do you know where problems could be?

    Thanks a lot!


  6. Shawn says:

    Hi Jane,

    I’m not a remoting guru, so I’m just going to take a few guesses here. First off, trusting System.Data.Dll didn’t work, because your demand is failing somewhere else on the call stack. It’s possible that since you’re using HTTP and ASP.Net that you’re getting assigned Internet evidence instead of LocalIntranet. In that case, you could try trusting the Internet zone (only for a test run obviously). If this works, I would then create a sub code group off the Internet Zone, possibly using Url evidence to create a safer trust environment. I’d be interested to know if this works, or if it didn’t. Thanks.


  7. Jane says:

    Thanks for taking time for my questions. The LocalIntranet_Zone finally works. The problem was that I need to restart the machine to activate the changes made to the LocalIntranet_Zone. I find out that I only need SQL Client permission for using System.Data.dll instead of the fulltrust. That is nice because it won’t risk the security of the machine so much.

    Distributing assemblies is really giving me a hard time. The reason for using .NET Remoting for our project is that we want to store all of business logics on application farm. In another word, no assembly related to business logic or database access should appear on the web farm. However, I found out that whatever assemblies appear on the application farm, a copy of them is needed on the web farm. This is ridiculous. I think I really should try if interface_based programming works.


  8. Steve says:


    This post helped us get our new .NET application running from a shared network folder and works fine as an internal application for our small company. But it’s not clear to me how we’re supposed to deal with .NET applications intended to be deployed to our customers’ PCs. Are we supposed to ask our customers to change trust levels through the Control Panel? Or blindly run a policy MSI? If we create a policy MSI for them to install, how do we keep that MSI from overwriting or replacing any existing policies? We’re new to .NET and have just stumbled upon some of these .NET security and deployment issues, and any help would be greatly appreciated.

  9. Shawn says:

    Hi Steve,

    Glad the post helped you get everything up and working. As you’ve discovered, currently the only way to get policy deployed across the enterprise is with some sort of group policy. And unfortunately, you cannot do this without overwriting everyone’s customized policies. (However, most people do not change their policy, so this shouldn’t be much of an issue).

    You could also offer the option of installing the policy .msi on a web page with your application, and have only people who need your app change their policy.

    For Whidbey we’re working on ClickOnce … a way to distribute applications that essentially solve this problem. Each application will know the set of permissions it requires, and users can allow, on a per-app basis, each app to run with those permissions.


  10. Jonathan Evraire says:

    I have an application that is used to transform XML instances. The application allows the user to select two input XML instances and one output XML instance, then it executes an XSLT transform on the two input instances and writes the results to the selected output instance.

    This application is located on an intranet server and is available to our users via a mapped network share. Obviously I have a problem, as the LocalIntranet zone does not permit full IO Permissions and my application needs them to not only read in the user’s files, but also to write out the results. My solution was to digitally sign my application (ie: giving it a strong name) and to add a Code Group (child to the LocalIntranet_Zone code group) granting the necessary permissions to any application signed with this certificate.

    To test my theory, I started by setting my LocalInternet_Zone itself to Full Trust, and my application behaved as desired. Next up, I signed my application and created the Code Group within the LocalIntranet_Zone. To begin testing, I decided to assign any application signed with my certificate the FullTrust permissions. I reset my zone permissions and tested my application. It appeared to behave as expected, however the output produced was wrong: only one of the two input XML files was processed!

    My theory behind what’s happening is this… my assembly is signed with my digital certificate, and thus my assembly is getting the necessary FullTrust permissions. However, the XslTransform object I’m using from the .NET Framework, being in a separate assembly not signed with my certificate, is still using the default LocalIntranet_Zone permissions, which is to say limited IO permissions. As such, the document() statement in my XSLT file which loads in the second input instance is failing and I only get the first input instance on the other end of my transform.

    Thus, my question is this: what is the proper way of assigning permissions to my application such that not only my assembly has the proper permissions, but also adjoining .NET Framework assemblies?

    Thank you for taking the time to assist me,

    Jonathan Evraire

    jonevrai at

  11. Shawn says:

    Hi Jonathan,

    I doubt that the problem you’re having is what you describe. The System.Xml classes live in System.Xml.dll, which is located on the local machine and will get FullTrust due to that. (Each assembly will get different grant sets, so the fact that your app runs off a share doesn’t stop System.Xml from getting full trust). In fact, there’s an additional code group hanging off the MyComputer code group that matches the strong name of the System.Xml assembly (and several other Microsoft assemblies), so even if you change the trust level of the MyComputer zone, this will still receive full trust.

    Another hint I have that this isn’t the problem is that you don’t see a security exception anywhere. The only way that this might be security related is if some code somewhere is swallowing the exception. You might want to try hooking a debugger up to your application and trapping first chance exceptions to see if that is the case.


  12. Jonathan Evraire says:

    Thanks, that makes sense. Unfortunately I have no clue what the problem could be. I’ve been trying to debug this all afternoon with no progress. The same code is run with the IntranetZone set to FullTrust and just my application set to FullTrust and the results are different. In both cases, every line of my C# code behaves in exactly the same way, and even the parameters passed into my script are the same. The only difference is when my application is set to FullTrust the following works when the IntranetZone is set to full trust, and it fails when my application is set to full trust:

    <xsl:comment> <xsl:value-of select="$second-instance"/> </xsl:comment>

    <xsl:choose>
      <xsl:when test="document($second-instance)">
        <xsl:comment> Document found </xsl:comment>
      </xsl:when>
      <xsl:otherwise>
        <xsl:comment> Document NOT found! </xsl:comment>
      </xsl:otherwise>
    </xsl:choose>

    (where $second-instance is a parameter passed into my application, specifically the URI to the second input instance). In both cases the value of $second-instance is correct according to the xsl:value-of, yet the results are different.

    I don’t know what else I can do to figure this out.

  13. Jonathan Evraire says:

    Further testing has revealed that, when my xslt stylesheet is located on the C: drive, the document() function succeeds. However, when my xslt stylesheet is on a network drive, the document() function fails. Or, in other words, it would appear that whenever my xslt stylesheet is in a zone that has FullTrust, the document() function succeeds, but when it’s in a zone with partial trust document() fails, even if the application itself has FullTrust.

    My question now becomes, how can I have my xslt stylesheet on a network drive and still get document() to succeed?

    Thanks for any help you could provide,

    Jonathan Evraire

    jonevrai at

  14. Jonathan Evraire says:

    From the .NET Framework help topic "XslTransform Class Implements the XSLT Processor":

    "Most of the Load methods also take Evidence as a parameter. The Evidence parameter is the System.Security.Policy.Evidence that is associated with the style sheet. The security level of the style sheet affects the security level of any subsequent resources it references, such as the script it contains, any document() functions it uses, and any extension objects used by the XsltArgumentList.

    If the style sheet is loaded using a Load method that contains a URL parameter and no Evidence parameter, the evidence of the style sheet is calculated by combining the given URL with its site and zone."

    I’m guessing this is what’s happening: I’m merely providing a URL to the stylesheet without any Evidence. I guess the solution to my problem would be to provide the necessary Evidence to permit my stylesheet to load outside documents, but how do I do that?

    I’ll get to the bottom of this eventually! 🙂 I hope my trials will be beneficial to other visitors to this site.

    Jonathan Evraire

    jonevrai at

  15. Shawn says:

    Hi Jonathan,

    When you posted about the issue with moving the stylesheet, it occurred to me that this is exactly what is happening. This pattern is used in several places across the runtime, where input data is from a potentially untrusted source. You found the example of the stylesheet, this is also true for XML Decryption in Whidbey. Since both of these types of documents can cause arbitrary code to run on the user’s machine, they need to be provided with Evidence, otherwise we don’t know how much you trust the documents. I’m willing to bet that once you provide Evidence to your stylesheet that points it to a zone you trust, you’ll be able to make this work. Another alternative would be to modify your policy to trust the URL where the stylesheet is loaded from.
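
The two fixes suggested in the reply above differ in who vouches for the stylesheet. This added example (not code from the thread) loads the stylesheet with XslTransform and explicit Evidence; the class name, the argument order and the /trusted switch are hypothetical, and second-instance is the parameter name from the earlier comment.

```csharp
// Added example: choose the stylesheet's trust by choosing its Evidence.
// Usage: TransformWithEvidence.exe <stylesheet> <input1> <input2> <output> [/trusted]
using System;
using System.Security.Policy;
using System.Text;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

class TransformWithEvidence
{
    static Evidence EvidenceFor(string stylesheetUrl, bool trustAsApplication)
    {
        if (trustAsApplication)
        {
            // The stylesheet is treated as part of the application: its
            // script blocks and document() calls get the application's grant.
            // Reading Assembly.Evidence needs ControlEvidence, which a
            // FullTrust application has.
            return typeof(TransformWithEvidence).Assembly.Evidence;
        }

        // The stylesheet is trusted only as far as its own location:
        // evidence is derived from the URL it was loaded from, which is
        // what a Load call without Evidence computes as well.
        return XmlSecureResolver.CreateEvidenceForUrl(stylesheetUrl);
    }

    static int Main(string[] args)
    {
        if (args.Length < 4)
        {
            Console.Error.WriteLine(
                "usage: TransformWithEvidence <stylesheet> <input1> <input2> <output> [/trusted]");
            return 2;
        }
        string stylesheetUrl = args[0];
        string firstInput = args[1];
        string secondInput = args[2];
        string output = args[3];
        bool trusted = args.Length > 4 && args[4] == "/trusted";

        XmlResolver resolver = new XmlUrlResolver();
        XslTransform xslt = new XslTransform();

        XmlTextReader stylesheet = new XmlTextReader(stylesheetUrl);
        try
        {
            xslt.Load(stylesheet, resolver, EvidenceFor(stylesheetUrl, trusted));
        }
        finally
        {
            stylesheet.Close();
        }

        // Pass the second document's URI as the $second-instance parameter.
        XsltArgumentList xsltArgs = new XsltArgumentList();
        xsltArgs.AddParam("second-instance", "", secondInput);

        XPathDocument input = new XPathDocument(firstInput);
        XmlTextWriter writer = new XmlTextWriter(output, Encoding.UTF8);
        try
        {
            // The resolver passed here is the one document() uses.
            xslt.Transform(input, xsltArgs, writer, resolver);
        }
        finally
        {
            writer.Close();
        }
        return 0;
    }
}
```

Passing the application's own evidence means any script block or document() call in that stylesheet runs with the application's FullTrust, so the share holding it should be writable only by people you would let change the application itself.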


  16. Joe says:

    Great blog, thanks for the info. I’m having trouble setting up jit debugging so I can look at exactly where SecurityExceptions are thrown. I followed the directions given in the dialog launched by IE to set < jitDebugging="false" /> into the <configuration> section of machine.config or web.config for the site (hosted in IIS). This didn’t work though – the dialog still came up, still no way to attach a debugger. Any ideas? I also tried putting it in the whatever.exe.config file.

    <pedantic>Typo in first post – mscorcfg.mmc should be mscorcfg.msc :-)</pedantic>

  17. joe goeke says:

    I would really like some help with the first option mentioned, which was:

    "Determine what permissions are being demanded that are causing your application to throw, and try to modify your application to not require these permissions any more. The SecurityException that is being thrown should tell you which demand failed."

    I cannot find any help on how to do this. The only info I get from the app before I can even do any debugging is:

    "An unhandled exception of type ‘System.Security.SecurityException’ occurred in Unknown Module."

    Please throw me a bone 🙂


  18. Shawn says:

    Joe #1 — thanks for the info on the typo … I’ve updated the post. As for your ASPX debugging question, I’m not really an expert in that area. Try hitting the microsoft.public.dotnet.framework.aspnet newsgroup and seeing if they can help you out in there.

    Joe Goeke —

    This is a problem we fixed in Whidbey, the Security Exception is now greatly improved. It shows you the demand that failed, the granted set of the assembly, the action that failed, and the zone of the assembly that failed. Also Visual Studio 2005 will catch security exceptions where they’re thrown, and provide help on solving the problem. VS 2005 also allows "Debug in Zone", which enables you to debug as if your app was on the Internet or Intranet.


  19. Shawn says:

    Just to add to my above comment, I posted a new blog entry today about the enhanced security exception in Whidbey.


  20. Matt says:

    Hi There,

    thanks for the great article!

    We are moving over 100 websites to a new webfarm. The majority of these sites are .NET with no strong named assemblies.

    I have a Win2003 Domain Controller which hosts my SQL 2000 database, a win2003 webserver which will host the many web applications that now write to a network share. I am getting the error System.Security.SecurityException: Request for the permission of type System.Data.SqlClient.SqlClientPermission in my .net pages (however this works fine when moving the site to the local disk).

    I did change the machine.config file for the aspnet_worker process to run under a Domain user instead of machine.

    I tried modifying the LocalINtranet_ZONE to full trust to see if it works. After rebooting the webserver it did not resolve the problem. Do I need to make changes to the Domain Controller as well which hosts the database?

    Any help appreciated.

  21. Shawn says:

    Hi Matt,

    Unfortunately, I’m not an ASP.Net expert, so I’m not sure what steps you should take next. I would recommend hitting up the microsoft public newsgroups, specifically microsoft.public.dotnet.aspnet to see if someone there can provide you with some information.


  22. Travis says:

    I’m working on an application that will be run from a mapped network drive, using Visual Basic .Net 2003. I’ve created a key file and referenced it in my AssemblyInfo file. I’ve compiled the application with Copy Local set to True for its References. I’ve added a security policy, importing the public key from my assembly, giving it Full Permission. I still receive the errors below when trying to run the application. I would appreciate any suggestions…

    See the end of this message for details on invoking
    just-in-time (JIT) debugging instead of this dialog box.

    ************** Exception Text **************
    System.Security.Policy.PolicyException: Execution permission cannot be acquired.
       at EMS_Requests.frmMain.Form1_Load(Object sender, EventArgs e)
       at System.Windows.Forms.Form.OnLoad(EventArgs e)
       at System.Windows.Forms.Form.OnCreateControl()
       at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
       at System.Windows.Forms.Control.CreateControl()
       at System.Windows.Forms.Control.WmShowWindow(Message& m)
       at System.Windows.Forms.Control.WndProc(Message& m)
       at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
       at System.Windows.Forms.ContainerControl.WndProc(Message& m)
       at System.Windows.Forms.Form.WmShowWindow(Message& m)
       at System.Windows.Forms.Form.WndProc(Message& m)
       at System.Windows.Forms.ControlNativeWindow.OnMessage(Message& m)
       at System.Windows.Forms.ControlNativeWindow.WndProc(Message& m)
       at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


  23. Kalai says:

    It’s really working.. But I want the key as to use the created key as a public key to make use of the web to run in different systems. I have an application in windows and imported to web page. It’s working in local.

  24. Don says:

    I have a C# app and C# class library (.NET 2003) deployed on a network drive. Doesn’t work because of a SecurityException that occurs before Main () is called. The debugger says the following:

    A first chance exception of type ‘System.Security.SecurityException’ occurred in mscorlib.dll

    Additional information: Request for the permission of type System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

    A first chance exception of type ‘System.Security.SecurityException’ occurred in mscorlib.dll

    Additional information: Request for the permission of type System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

    A first chance exception of type ‘System.Security.SecurityException’ occurred in Unknown Module.

    Additional information: Request for the permission of type System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

    A first chance exception of type ‘System.Security.SecurityException’ occurred in Unknown Module.

    Additional information: Request for the permission of type System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

    An unhandled exception of type ‘System.Security.SecurityException’ occurred in Unknown Module.

    Additional information: Request for the permission of type System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

    Unhandled Exception: System.Security.SecurityException: Request for the permission of type System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

    at Senco.ScrapTrackerAdmin.ScrapTrackerAdmin.Main()

    The state of the failed permission was:

    <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"



    The program ‘[3796] ScrapTrackerAdmin.exe’ has exited with code 0 (0x0).


    I do not have any unmanaged code in my app or my class library (no P/Invoke calls).

  25. Ravi says:

    I created a console application in .net 1.1 and strong named it. This application references another .net assembly which is also strong named. I want to run this application with limited trust level. By default, the applications run from My Computer zone are assigned Full Trust permission set. To limit the trust level, I created another code group using .net configuration tool and the membership condition is specified as the public key of the assembly (both console app and referenced assembly are signed with the same key). The new code group is given ALL available permissions (unrestricted) (different from “Full Trust” permission set). To ensure that the code does not get Full Trust permission set when unioned with permission set assigned to My Computer zone, I checked the “This policy level will only have the permissions from the permission set associated with this code group” check box in the properties dialog box of the code group I have created.

    The console application does nothing and just writes a string to the console. When I execute the application, it works as expected.

    Now I add some code in Main to instantiate an object of the referenced assembly and invoke a method on the object. The method doesn’t do anything and just returns a string. Now when I try to run the application, it throws an exception even before getting into the Main function “An unhandled exception of type ‘System.Security.SecurityException’ occurred in Unknown Module. Additional information: Security error”. The problem is resolved if I let the code run with “Full Trust” Permission set (either through My Computer Zone or through custom code group).

    Any clues as to why this is happening and what is the solution for the problem? Thanks.

  26. My guess is that you’re hitting a LinkDemand for FullTrust in your code. See for more details.


  27. Tom Bryan says:

    Great post. I used your method to sign my assembly and had the framework trust my key and it works great!! Launches a smartclient from portal. Now if we can just do something about the File Download – Security Warning dialog box in XP SP2….


  28. Anthony says:

    Thanks for the info, this was the first article that gave me an understanding of how the security framework actually works in .NET.

    The problem is that I continue to get the same security exception problem. My situation is as follows:

    Created a DLL and EXE. These worked fine on local machines but on moving to a network drive experienced problems.

    Steps to resolve:

    1. Retested on local machine – worked fine.

    2. Signed both DLL and EXE with same "strong name" key – did not work.

    3. Created a new permission in the .net 1.1 configuration wizard – attempted to import public key from assemblies (DLL and EXE) – Error was received that "assembly does not appear to be valid" and thus could not import.

    4. Using sn.exe printed out the public key and pasted it into the permissions in the config wizard – did not work.

    5. Modified intranet permission to ‘fulltrust’ for testing purposes – did not work.

    6. Modified all permissions in the local machine to ‘fulltrust’ – did not work (reset all permissions)

    7. Merged EXE and DLL into a single EXE – could still not import public key.

    The actual error I am experiencing is :

    "System.Security.SecurityException: Request for the permission of type ‘System.Data.Odbc.OdbcPermission, System.Data, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed."

    I am using the .net 2.0 framework. Any help would be greatly appreciated

  29. dmitry says:

    Expand the All_Code code group

    Right click the LocalIntranet_Zone code group, and select properties

    Switch to the Permission Set tab, and select FullTrust…

    I can do it for .NET 1.1, but there is no ".net configuration utility" in .NET 2.0. We installed .NET framework 2.0 but didn’t see any new shortcuts in control panel.

    What should I do to allow full trust in local intranet for 2.0 application?


  30. Hi Dmitry,

    The MMC snapin you’re asking about was moved to the SDK for v2.0.  (See


  31. Ryan Mrachek says:

    Just a simple comment: I find it simpler to grant trust to the Local Intranet through the .NET command prompt. It’s also easier to push to clients, if you’re not using GPOs.

    To grant FullTrust to the LocalIntranet (1.2) simply type:

    caspol -cg 1.2 FullTrust

  32. Anthony says:

    After a lot of searching I essentially resolved my problem as logged earlier.

    Point 1:

    I followed all instructions here but I was using the ".Net Framework 1.1 Configuration" tool instead of version 2.0.

    This explained why I could not import the "strong name" key.

    Point 2:

    The configuration tool for .Net 2.0 is not included in the runtime engine for 2.0 but only in the SDK.


    Thus following on from the previous poster "Ryan Mrachek" I used the "caspol" tool but instead of assigning a blanket "FullTrust" I used the "strong name" I had already embedded into my assembly.

    Here is the command I used –

    caspol -ag 1.3 -strong -file myfilename.exe AName_I_assigned -noversion FullTrust -n AName_I_assigned

    I placed it into the ‘Internet’ zone (1.3) since this is where the application was running when executed over a network share.

  33. Kevin says:

    Would a reboot be required after the steps above for "To modify the policy to trust a specific strong name"…?

  34. A reboot will not be required, but you will have to restart your process.  CAS security settings are read at process start, and will not be reread during your process lifetime.


  35. Mel says:

    What is the reasoning in the security model where a .Net executable on a network shared drive does not have full access, if non-.Net executables and scripts still have full access? Is something being changed in Whidbey to address this?

  36. Joe L says:

    I am looking at how we implement .NET security on our estate. One thing concerns me: the application one of our developers has sent me doesn’t use strong names. It works if I copy it to the local drive, as by default it has FullTrust.

    If it’s on a network it doesn’t work.

    Isn’t there a security hole where developers would write what they want, then copy it to the local drive to run it?

    Shouldn’t My_Computer be locked down as well?


  37. Hi Joe,

    If a malicious developer can convince the user to copy their code to the local machine and run it, then the game is already over.  If the user is willing to do that, what would prevent them from running a caspol command that the malicious developer handed them, then running the code?


  38. Joe L says:

    Thanks Shawn. Basically I see what you are saying: .NET doesn’t close existing holes. One thing that does concern me is that admin users could either maliciously or accidentally overwrite the local config files and leave Internet as SkipVerification or FullTrust.

    I know I’m being cheeky, but I have a question on another site; if I sent it to you could you take a look? It’s more that I need a second head to confirm what I think!

    Many Thanks


  39. An admin sure can accidentally turn Internet to FullTrust.  They could also accidentally install a virus, or open up unwanted ports in a firewall.  There’s not much we can do to protect against the admin user.


  40. BoonDock says:

    Another solution is simply to turn off CAS..

    caspol -s off

    Depends on what your environment is, but we are implementing an app that uses the "thin client" ( and we are deploying it in an intranet where there is full control of the environment.. so we simply turn off security checking, run the request for the remote DLL so that it is downloaded to the cache, then turn the security checking back on. Works well for us.


  41. Turning CAS off is absolutely not a good option.  When you do that, you’re allowing any managed code from anywhere in the world full access to your machine.  With v2.0 we’ve made caspol -s off a temporary operation, and in future versions it may be removed entirely.


  42. Phil H. says:

    I see in this thread an example of a caspol command that is supposed to grant local Intranet permissions to an app.  Do I have to run this on every machine that needs the application?  What if I have a large number of users that need the app? Do I have to go around to every machine?  (Yes we have GPOs in place.) I can’t install this app locally; it must be called from a central network location.  

    I understand the need for security, but this trusted assembly stuff is way overboard.  Why do I have to beat my brains out trying to get an application to run where I want it to run after I’ve run it flawlessly in local dev?  We have a VERY strong Active Directory policy and organization in place; why won’t that suffice?

    Phew.  This is very frustrating (what, you can’t tell from my rant?). It would be nice if someone produced some CLEAR and CONCISE instructions to network-enable my app, instead of the MSDN mumbo-jumbo I’ve been plowing through for the last two days.

    OK, I’m done.

  43. Hi Phil,

    Yes you have to trust the code on every machine that will run it.  You can use the .NET Configuration Wizard in the control panel to create an MSI that you deploy via GPO to simplify things for you.

    Just because code is trusted to run on a developer’s machine doesn’t mean every user trusts it to run.  In that case, any developer of malware would simply say "Oh yes, this is trusted code.  Nothing to see here, move on."  Obviously that’s not an ideal situation 🙂


  44. Matt says:

    Thanks, this blog has been helpful.  I’ve got a couple of questions though… I’m working on an application that uses C# and C++ COM components. If I am running the application from a network share (actually a Rational Clear Case integration branch), should I create a different strong name key for every assembly, or would it be just as safe to create one SNK and use it for all assemblies, which would make updating the .NET configuration manager much easier?  Also, if I have a COM component that uses the C# assemblies, do I need to create an SNK for each COM component, or even C++ executables?

  45. Sharing keys should be fine, and you only need to sign managed components with them.  Unmanaged libraries don’t undergo CAS evaluation so they don’t need to be elevated via a strong name signature.


  46. sema atavi says:

    I don’t know if you guys solved the problem but this works…

    Expand the All_Code code group under Administrator Tools/Microsoft .NET Framework 1.1 Configuration

    Right click the LocalIntranet_Zone code group, and select properties

    Switch to the Permission Set tab, and select FullTrust…

  47. Doing that opens up any code that someone can get onto your Intranet to run unrestricted on your local machine.  Depending on your network configuration, this may or may not be an acceptable solution.


  48. Chris says:

    I have a Windows Forms app that will be installed on a network share.  I did not sign every assembly with a strong name, but instead granted FullTrust to the network share itself.  In other words, I added a new group on the Machine -> All_Code specifically for my application.  I set its condition to URL with the url specifying the specific shared folder with a wildcard at the end of the folder name: (file://server/folder/*)

    This folder has been granted right by our security department to only a few individuals.  

    Does this open the whole Intranet or only the code in that folder?  Do you feel this is a large security leak?


  49. Hi Chris,

    That sounds reasonable — as long as you’re willing to trust anyone who can get code onto the share, trusting the share itself is fine.


  50. Sheetal says:

    How can we allow full trust in local intranet for 2.0 application programmatically?

    So that I don’t have to install the 2.0 SDK.

    I tried the caspol -cg 2.0 FullTrust command but got an error Invalid Label or name.

  51. The 1.1 in the command line does not refer to the CLR version, but the code group you want to modify.  (You can do a caspol -lg to see these).  So you’ll want to use caspol -cg 1.2 to refer to the LocalIntranet zone.


  52. Jon says:

    For those who want a sample step by step on how to create a key and a sample application go here:

  53. Jesse says:

    I am getting a "Request for the permission of type System.Data.SqlClient.SqlClientPermission, System.Data, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed."  I have registered the strong names of the DLL that uses these DLLs.  What do I have to do next?

  54. You’ll need to attach a debugger and examine the call stack at the time of the failure — there may be an unelevated assembly or AppDomain on the stack (or a PermitOnly or Deny).


  55. James says:

    Please help me, I am getting the error given below:

    Security Exception

    Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application’s trust level in the configuration file.

    Exception Details: System.Security.SecurityException: Request for the permission of type ‘System.Data.Odbc.OdbcPermission, System.Data, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.

    What can be the solution for this problem?

  56. Fishpark says:

    If I read and understand the entries above correctly, my application (that uses a call into unmanaged code) needs some setup before it can be run from a share.

    My application will be sent out to 100s of people all over the country. Some of these people might set it up to run on a network and some might not.

    Now I can add a call to CASPOL to my NSIS installer but I take it CASPOL only works if you are an administrator. Requiring my users to type in an admin name and password when installing the application!

    Similarly, packaging permissions into some MSI probably requires admin access.

    Is the best option then to leave the application as it is, and catch the security error early on and telling the user something like ‘you are trying to run this application over the intranet but you need special permissions for this blablabla’ and provide support (in the form of an MSI or other installer) so that they can set up their machines to allow the application to be run from a network?

  57. Fishpark says:

    It seems CASPOL actually works for users as well as administrators but it will apply settings for the current user rather than machine-wide.

    I suppose this means I can add a call to CASPOL in my application’s installer and change the user settings that way.

    Obviously .net gives you a fake sense of security since any application can install with a call to CASPOL and open up the intranet to any other .net application that requires fulltrust.

    Why isn’t there some provision for an interactive negotiation of this? My users wouldn’t mind a message that says something like ‘You are running <appname> over the intranet, this is a security risk blablabla do you want to allow access yes/no’

    Or perhaps the CLR could pop up a message similar to the ones personal firewalls have, with something like ‘<appname> is being activated over the network. Are you sure you want to allow this yes/no’

    Well for now running CASPOL in the installer will do fine.

    Thanks for your informative blog!

  58. As you note, if you run caspol as a non-admin you’ll by default update the user policy level rather than the machine level.

    However, each policy level is intersected to get the final grant set.  This means that users can only restrict the security settings of the machine, not increase them.

    For example, if the machine level granted an assembly the Intranet permission set, and the user level granted it FullTrust, Intranet intersect FullTrust = Intranet.  However if the user level granted it Internet permissions, Intranet intersect Internet = Internet.

    As for an interactive negotiation, well, that’s ClickOnce 🙂
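
The resolution rule described in the reply above, as an added example (a simplified Python model, not CLR or caspol code): inside one policy level the permission sets of all matching code groups are unioned, and the Enterprise, Machine and User levels are then intersected. The permission-set contents, `APP_KEY` and every function name are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List

FULL = "FullTrust"  # sentinel for the unrestricted permission set

# Constructed, heavily abbreviated stand-ins for the named permission sets.
SETS = {
    "Nothing": frozenset(),
    "Internet": frozenset({"Execution", "SafeUI", "IsolatedStorage"}),
    "LocalIntranet": frozenset({"Execution", "SafeUI", "IsolatedStorage",
                                "UnrestrictedUI", "Dns"}),
    "FullTrust": FULL,
}

def union(a, b):
    return FULL if (a is FULL or b is FULL) else a | b

def intersect(a, b):
    if a is FULL:
        return b
    if b is FULL:
        return a
    return a & b

@dataclass
class CodeGroup:
    name: str
    matches: Callable[[dict], bool]   # membership condition over the evidence
    permission_set: str
    children: List["CodeGroup"] = field(default_factory=list)
    exclusive: bool = False           # "only the permissions from this code group"

def resolve_level(root: CodeGroup, evidence: dict):
    """Grant for one level: union of matching groups, unless one is exclusive."""
    grant = SETS["Nothing"]
    stack = [root]
    while stack:
        group = stack.pop()
        if not group.matches(evidence):
            continue                  # children of a non-matching group are skipped
        if group.exclusive:
            return SETS[group.permission_set]
        grant = union(grant, SETS[group.permission_set])
        stack.extend(group.children)
    return grant

def resolve(levels, evidence: dict):
    """Final grant: intersection of every policy level's grant."""
    grant = FULL
    for root in levels:
        grant = intersect(grant, resolve_level(root, evidence))
    return grant

def zone(name):
    return lambda ev: ev.get("zone") == name

def strong_name(key):
    return lambda ev: ev.get("public_key") == key

def all_code(ev):
    return True

def default_machine_level():
    # Default machine policy: All_Code grants Nothing, zone groups add to it.
    return CodeGroup("All_Code", all_code, "Nothing", [
        CodeGroup("My_Computer_Zone", zone("MyComputer"), "FullTrust"),
        CodeGroup("LocalIntranet_Zone", zone("Intranet"), "LocalIntranet"),
        CodeGroup("Internet_Zone", zone("Internet"), "Internet"),
    ])

def open_level():
    # Enterprise and User levels grant FullTrust to all code by default.
    return CodeGroup("All_Code", all_code, "FullTrust")

APP_KEY = "constructed-public-key"                         # placeholder, not a real key
SHARE_APP = {"zone": "Intranet", "public_key": APP_KEY}    # app started from a share
LOCAL_APP = {"zone": "MyComputer", "public_key": APP_KEY}  # same app copied locally

def grant_with_default_policy():
    return resolve([open_level(), default_machine_level(), open_level()], SHARE_APP)

def grant_after_trusting_strong_name():
    # Machine-level strong-name group added under LocalIntranet_Zone.
    machine = default_machine_level()
    machine.children[1].children.append(
        CodeGroup("MyApp", strong_name(APP_KEY), "FullTrust"))
    return resolve([open_level(), machine, open_level()], SHARE_APP)

def grant_when_only_user_level_changed(user_set: str):
    # A non-admin edit lands in the User level; it can only narrow the result.
    user = CodeGroup("All_Code", all_code, user_set)
    return resolve([open_level(), default_machine_level(), user], SHARE_APP)

def grant_with_exclusive_group():
    # An exclusive group overrides the FullTrust that My_Computer_Zone would add.
    machine = default_machine_level()
    machine.children.append(
        CodeGroup("Restricted_App", strong_name(APP_KEY), "Internet", exclusive=True))
    return resolve([open_level(), machine, open_level()], LOCAL_APP)

if __name__ == "__main__":
    print("default policy:       ", sorted(grant_with_default_policy()))
    print("strong name trusted:  ", grant_after_trusting_strong_name())
    print("user grants FullTrust:", sorted(grant_when_only_user_level_changed("FullTrust")))
    print("user grants Internet: ", sorted(grant_when_only_user_level_changed("Internet")))
    print("exclusive group:      ", sorted(grant_with_exclusive_group()))
```
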


  59. Ananth says:


    I am also having similar kind of issue, we have deployed our migrated .Net 2.0 application in virtual folder using IIS, and when we try to access exe through IE, the login window prompts security warning followed by permission alert. please see below

    "Microsoft .Net security warning : Never enter personal information or passwords into a window unless you can verify and trust the source code of the request."

    "Request for the permission of type ‘System.Data.SqlClient.SqlClientPermission, System.Data, Version, Culture=neutral, Publikyeotoken=2jksdfhsdjhfsd89’ failed."

    And I have applied the below commands

    C:\WINNT\Microsoft.NET\Framework\v2.0.50727>CasPol.exe -m -ag 1.2 -url http://sonopress-om2/sonobest2/SOSG2.0_UAT/SonoBEST2.0.exe. FullTrust

    Microsoft (R) .NET Framework CasPol 2.0.50727.42

    Copyright (c) Microsoft Corporation.  All rights reserved.

    The operation you are performing will alter security policy.

    Are you sure you want to perform this operation? (yes/no)


    Added union code group with "-url" membership condition to the Machine level.


    Any help greatly appreciated.

    Thanks in advance

  60. Umer Tahir says:


    That’s a very helpful article solving the security issue on the client-side machine, but is there any way I can do these settings on the server side rather than every client changing their .Net security settings? It can be a bit of a pain for the users because every client machine needs to be configured before running my application.



  61. Hi Umer,

    If you’re using v2.0 of the CLR, your best bet is to use ClickOnce, which allows a simple "yes/no" decision on each client machine, and modifies the client machines appropriately.

    If you can’t use ClickOnce however, then you can either create a policy MSI file and push that out via Group Policy, or provide instructions for your clients on your install page.  If we allowed arbitrary servers to update client trust policy, we’d have a problem with malware writers saying "no really, you should trust me :-)".


  62. Adam says:

    I am trying to learn how to use remote debugging with VS 2005 (C#) but am having issues with the security of being able to run it.

    So I have the application on the remote machine (in a shared directory) and VS is all set up on my local machine to remote debug the application.  However I always get the exception "Request for the permission of type ‘System.Net.SocketPermission, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed."

    But I am able to run it fine by navigating to the shared directory over the network.  I have a strong name key in the application and then I had to add a FullTrust for the strong name of the application under the LocalIntranet of the .NET Config tool  to get it to work like this.  

    Any idea what is causing this?

  63. Adam says:


    I am having the same problem as a lot of people.  I did get my program to run fine over a network share by adding a strong name key and adding FullTrust of that key.  However I am having a problem because I am trying to use Remote Debugging in VS2005.  But I am back to getting all the same security exceptions when I run my program through the remote debugger.  Any ideas as to why this may occur or how to fix it?



  64. VasekB says:

    How to leave Users to set Admin config task:

    \\server\share\runas.exe /user:axa-assistance\admin-username "\\server\share\caspol -cg 1.2 FullTrust" | \\server\share\sanur.exe admin-password

  65. Jennifer says:

    After reading all this I thought it was going to be a major pain to deploy a C# app but it wasn’t too bad.  Unless you enjoy flailing around with a command prompt setting obscure parameters… you can try these steps if you have VS 2005:

    1) Right click on the project file and select Properties

    2) Select Publish

    3) Tell it where on the network to copy the files to

    4) There are a few million other settings on this tab that I’m not gonna go over… so good luck…

    5) Have users run the setup.exe from the network and then the program is installed… either locally… or with some kind of shortcut depending on settings you used to deploy.

    6) In the future I’m having the IS department install this program on an image used to build new PCs so users don’t even have to install.

    This might not work for everyone but… I thought it might help someone who just needs to get something out there without opening up the local intranet to FullTrust.

  66. Hi Jennifer,

    Absolutely!  That’s the ClickOnce feature of .NET 2.0, and if you can use it a lot of security policy problems simply go away.


  67. IAmChris says:


    I’m trying to create a new code group using an XML file to import the public key, so instead of having to know where the application was installed, I can run a batch file that calls caspol as a custom action on install.

    The problem I’m having is that when I try to import the file (even through the .NET 2.0 configuration tool) I get an error stating that "You are trying to load an unknown security type."

    The contents of the XML file are:

    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Test" Description="Test description">

    <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="0024000004800000940000000602000000240000525341310004000001000100CBE718ACE1087986E7530D06C81291887B581BF96BFA007DFF02A29920D466B29029496CACDE914B45BAFAC5152E6ECD1ECFA86E08C00A019E3FFF306D7659D9B0E9C2C77553C53A99594DC211061239956D54B6FF27DA3F0340DB77332B500511EAABAB232B9628CF48A6EACA82B2F028BC71DD725E6AE23552F292B7000BC2"/></CodeGroup>

    and the command I’m using is:

    caspol -m -ag All_code -custom ImportCodeGroup.xml

    I have looked everywhere for an answer on this but can find nothing but questions on the same from others.  As I said this file cannot be imported from caspol or the GUI config tool.  Please help me.  


  68. stuart_d_dent says:

    I read Jennifer’s comments but I’m still confused. (and there is so much other detail in the blog that I am overwhelmed).

    I have written a very simple windows forms app that uses data from our SQL Server 2000 database on a local PC.

    I want to place the assembly on a network share.

    Users will click the .exe filename and execute the application (no setup required on their part).

    The app gets some data from the database and writes it to a .txt file on the users PC.

    Under Framework 1.1, I used the Wizard to allow users to run this app easily.

    I am totally confused about how I have to do it in Framework 2.0.

    Perhaps I’m really stupid, but the solution simply isn’t clear to me at all.


  69. Michael says:

    I had to add that you should probably make sure that your target machine has the Framework 2.0 on it..  It took me way too long to figure that out, and I thought maybe it’d save someone else someday..

  70. Hi Stuart,

    Jennifer is referring to ClickOnce, which is accessible via the Publish feature in Visual Studio 2005.  Using ClickOnce you can say that your application requires FullTrust to run, and ClickOnce will generate some manifest files for it. If you have your users run the manifest files rather than your .exe directly, then the application will run with the requested permissions.

    By the way, the wizard that was available in v1.1 is also available in v2.0.  You just need to install the v2.0 Framework SDK to get it to appear.  You can find mscorcfg.msc in the SDK\bin directory.


  71. Shekar says:

    That’s really very good information provided. I have a Windows form which is loaded in IE. This Windows form interacts with an interop dll (VC dll, which is signed). Both the Windows form dll and interop dll are signed and placed in the GAC. Now, when I try to access the interop dll from my Windows form (loaded in IE) it gives me the following exception: System.Security.SecurityException: Request for the permission of the type ‘System.Security.Permissions.SecurityPermission, mscorlib, Version=, Culture=neutral, PublicKey Token=b77a5c5611934e089’ failed. Any help will be highly appreciated.

  72. Hi Shekar,

    The AppDomain itself will be partially trusted, so you’ll need to make sure that you do an Assert for FullTrust at the top of the callstack, preventing the demand from failing when it walks past the top frame of your code.


  73. Daniel says:


    I used the policy to trust a specific strong name, but I receive the following error:

    "System.Security.SecurityException: That assembly does not allow partially trusted callers.  To grant this application the required permission please contact your system administrator or change the application’s trust level in the configuration file."

    I can not put in the web config: "<trust level="Full" />" because it says: "This configuration section cannot be used at this path.  This happens when the site administrator has locked access to this section using <location allowOverride="false"> from an inherited configuration file.


    When I use the policy to allow full trust for all Intranet assemblies:

    I receive the same error: "Request for the permission of type ‘System.Security.Permissions.FileIOPermission, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed."

    I read your instructions, but I can not solve this problem. Help me!!

    thank you very much.

  74. Hi Daniel,

    The first exception you mentioned means that you need to add the AllowPartiallyTrustedCallersAttribute to your assembly.


  75. Stephen says:

    I have tried giving my network every type of rights I can according to all I have read and my script will still not execute on my local machine when I try and run it via a Test management software tool, it will however run when triggered in Visual Studio.  Using the Test management software I can however run the script remotely on other machines.  I did have this working on the local machine but after a reboot of the network server last week it will now not run.

  76. kani says:

    Hi Shawn,

    I am using a Windows form user control in my web application. I followed the steps you had mentioned in your blog –

    It works well in my local system. But doesn’t work when the rest in intranet accesses my application.

    Please give your suggestions.

  77. Hi Kani,

    You need to make sure to issue these caspol commands on each computer that needs to run network code.  The changes you made on your machine do not affect the security policy on other machines, so you’ll need to duplicate them there.


  78. dunnk says:

    I found this article on msdn on how to create a msi to modify the .NET access. ( I want to complete steps 1-5 (after the sentence: To make a specific change to the security policy and to avoid overwriting other policies, follow these steps.) so that I don’t OVERWRITE the settings they already have.  But I don’t understand how to complete steps 1 -5.  Do you know of different instructions that might be easier to follow?  Have you ever done these steps?

    Thanks for the assistance.

  79. Saqib says:

    Hi Shawn,

    I am trying to run a WinForms app which is called from an ASP.NET page. The app is residing on the server. The problem I am having is that for some of the users it is giving FileIOPermission and SQLClientPermission errors while others are able to access it. I am using Microsoft.ApplicationBlocks.Data DLL to connect to the database. Do I need to set the trust level to high on the server to make it work for everyone?

  80. Shri says:


    I created a .Net dll in VS2008 .Net 3.5SP1, to run with Excel 2003.

    It works well on the local machine and fails on the network. I get a runtime error 80131700.

    Any ideas?

    I have granted full trust to the network with the config manager 1.1. I also registered the dll with the /codebase option. I also have a strong key for the assembly. I also placed a config file in the Excel.exe. folder excel.exe.config.

    I have tried every trick in the book mentioned online. I am completely at my wits end… I cannot start the debugger across the network (placing the sourcecode on the network, compiling and using debugger) since the code does not come into the debugger. it fails before it enters the dll and there is no call stack.

  81. Since comments are still added to this old post, I thought I’d add that this whole issue has been resolved by Microsoft in .NET Framework 3.5 SP1 due to a lot of customer feedback. Read about it here:

    hth if you arrive here in the future 🙂

  82. Error 0x80131700 is CLR_E_SHIM_RUNTIME_LOAD.  That means that mscoree.dll couldn’t load up the runtime correctly.  You likely have a problem other than security, since you’re erroring out long before the CLR security system comes into play.


  83. hanashiaru says:

    We’re still ways off from adopting 3.5 SP1, so will have to toil with setting the policy at the machine level.

    With that, I see this post —

    But not fully grasping how to run caspol to have my app be fully trusted with its snk file.  Don’t I have to specify the path for exe and snk?

  84. Chandan says:

    thanks for the solution……..

  85. Every .NET framework install (each version, and each bitness of each version from v2.0+) has independent CAS policy – so you need to make sure you’re using the caspol.exe from the install of the framework that your code is running against in order to get these instructions to work.


  86. If you want to trust an assembly via its strong name, then you should use the -strong option to caspol and pass it your signed assembly (not the SNK file):

    caspol -m -ag 1. -strong -file yourassembly.exe -noversion FullTrust

    You could also add a -noname flag if you want to trust everything signed by that key, although at that point you should put the code group under a different Zone entry (for instance LocalIntranet).


  87. Peter says:

    I know it’s not really contributing to the discussion, but why is it harder to run a perfectly safe and simple executable over a network share than to get infected with a horrible virus?

    Instead of making it hard for us programmers to distribute executables over a share, they should make it more difficult to create, share and duplicate viruses.

    My 2 cents.

  88. As of .NET 3.5 SP1, your executables will run fully trusted off of a share by default:


  89. Mathii says:


    I have developed an application and it was working till before a week. 2 days back I formatted my system and reinstalled .Net 2005. One of my applications throws "Security Exception Unhandled".

    It is building successfully. When I click the exe from the release folder it works fine; for debugging purposes, if I execute from the Visual Studio IDE, it throws an exception.

    I used some DLLs (like interop.Excel, ...) which are not strong named, so I could not add a strong name to my application.

    My Exception message is

    "Request for the permission of type ‘System.Data.SqlClient.SqlClientPermission, System.Data, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed."

    So if anyone having idea about this, please help me to resolve it.

    So any

  90. jtwine says:


    I have installed .net 3.5 SP1 on my local machine, but when I locate the site on the shared hosting I am using I get this error:

    " System.Security.SecurityException: Request for the permission of type ‘System.Security.Permissions.FileIOPermission, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed."

    I am trying to play a sound file on the server using :

    Dim mvda as New Microsoft.VisualBasic.Devices.Audio()


    mvda.Play(path, Microsoft.VisualBasic.AudioPlayMode.Background)

    Why is this error happening?

    The hosting server is set for Medium trust level.

    Is there any way I can avoid this without changing my local set-up?

    Or, how can I correct this by changing my local setup?

    When I set my local system to Medium trust, my MySql data connections don’t work, and I can see I am going to go down a deep rabbit hole in trying to fix this from my side.

    I am using VWD 2008, so the option to publish my site using it as you can with VS is not available.

    Thanks in advance.

  92. Dante says:

    Hi, I’m getting the following error when running my app from a network share:

    "…An unhandled exception of type ‘System.Security.SecurityException’ occurred in mscorlib.dll

    System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.."

    When debugging, I can see that this line actually threw the exception:

    Dim computername As String = System.Environment.MachineName.ToLower

    The strange thing here is if I compile my app using framework 2.0 it works ok. The problem is with 1.1 only.

    Any ideas?? Maybe I can use another command to get the system name ?

    Thanks in advance,