Before we get started with configuring our application to run on a DFS share, you should first familiarize yourself with the basic concepts of DFS. You can find out more information by visiting Microsoft TechNet: "Creating a DFS Root Share" article.
It is sometimes necessary to configure IIS
to use a remote share or DFS share to configure a website. Prior to .NET,
this was as simple as configuring IIS to use a share on another computer.
This possibly had negative consequences as malicious code would then have access
to network resources.
With the .Net framework, the Common Language Runtime's (CLR)
implementation of code access security protects us from potentially malicious
code. Code access security is based on the following two concepts,
permission set, and code groups. A permission set allows you to define what an
application has access to (like shares, registry information). While a code
group is what you're providing the permissions for based on certain criteria the
code meets. Therefore, in order to use a remote share for an ASP.Net
application, the code must be trusted by defining permissions. This is done by configuring the
Microsoft .NET Framework 1.1 (or 1.0) Configuration utility located in
Administrative Tools within the Control Panel.
This article will demonstrate how to setup
that trust.
1. On your web server, go to Control
Panel --> Administrative Tools --> Microsoft .NET Framework 1.1
Configuration (fig. 1)
Figure 1 - .Net Configuration MMC
2. Expand Runtime Security
Policy\Machine\Code Groups\All_Code,
3. Right click All_code and select
New (fig. 2)...
Figure 2 - Create New Code Group dialog box.
4. Create a new code group is already
selected, enter a name and description for the code group (fig. 3). Click Next.
Figure 3 - Specifying description properties for new code
group.
5. In the drop down box, select URL. A
text box will then appear that informs you to enter the URL with either ftp://
or http://. This is not necessary as it will add file:// for you.
6. In the text box, enter \\server\share\* It
is important to enter the *. (fig. 4) Click Next.
Figure 4 - Identifying the share path for the application.
7. The next page is to assign a permission
set to the code group (fig 5). I used FullTrust, though you could create a new
permission set that is specific to your ASP.Net application. The following
permissions are available:
- FullTrust - full access to resources.
- SkipVerification - initial verification is skipped.
- Execution - allows for code execution.
- Nothing - all privileges are denied.
- LocalIntranet - default rights for a typical configuration for
intranet applications.
- Internet - default rights for a typical Internet application.
- Everything - full access to all resources without skipping of
verification.
I decided
that in my environment, it was fine to use FullTrust. In this configuration the
ASP.Net worker process must have the appropriate rights in order to access the
share. For additional information on account permissions and security refer to
the MS
knowledge base. To continue click Next.
Figure 5 - Assigning the permission set for the code group.
8. You are then told to click Finish
to create the new code group. Click Finish and you are almost done.
9. From a command prompt, enter iisreset and then press enter.
Following these steps, will now allow your
web server to run ASP.Net applications, from a remote or DFS share.
By: Jeff Overstreet - LucasLabs.Net
contributor and PortalPro.Net co-founder. Jeff has over 7 years of experience in system administration (Novell, UNIX, and Windows), network design and administration, and web application architecture and development. You can view his personal website at
http://www.jeffoverstreet.net/ or read his weblog at
http://www.lucaslabs.net/blogs/overstreet.
