I'm currently running 3.2 on a Windows 2000 Webfarm which has been mostly successful. Now I've upgraded the site to 4.4 on my local Win XP box without too much trouble, but am having a ton of trouble getting the new site working on a Windows 2000 Webfarm using the .Net 2.0 Framework. Eventually I'll have to get this working on Windows 2003 Server as well in the next couple months, but for now must use Windows 2000.
It's my hope this thread can serve as a ray of light for others who are trying to do the same thing. I've found 7 or 8 other threads in which people are having the same issues I am, but I haven't seen any solutions that work for me. Eventually, when this is all figured out, I hope this can be moved into the Web Farm Documentation .pdf. Currently, there is NO INFORMATION in the Web Farm doc that explains .Net permissions for the scenarios it suggests to use.
To start, here is my setup.
I have Server9, and Server10, with the DNN database (using SQL 2000 btw) residing on Server76 (using fake server names but real numbers on the end so I don't confuse the doc). To load balance, we have a Cisco based balancer in front of Server9 and Server10. It's just a round robin for new requests, but once a session is started it will always go to the same server.
So I don't have to deal with file replication, I'm using a shared file source that contains the DNN4.4 application files. To make things simple for at least one server, I have the app files local on Server9. I've also shared the "website" directory on Server9, so Server10 connects to the \\Server9\Portal share for its application files. This way I don't have to use file replication, and at least one server has the files locally so setup is easy for that server. It's Server10 that I'll have all the problems with. Had I opted to put the share on a separate File Server, I'd have problems on Server9 as well. Perhaps once I figure everything out, I will move the share off Server9 to alleviate any extra load that may occur, but with the anticipated traffic of the site, I shouldn't have any problems for a long while.
To set up Server9 I used the source package and followed the instructions for setup starting on page 32 of the 4.4 install guide.
I had already given the Server9\ASPNET account permissions to the directory, so I went to the old standby of running ASPNET_REGIIS using the -i switch and then did an IISRESET and tried to access the site. The easy part is done. DNN4.4 successfully came up and even used Windows Authentication successfully (after removing anonymous access to WindowsSignin.aspx and changing the anonymous access local account to a domain account with permissions to read active directory).
Now comes the hard part, getting Server10 to connect to the files on Server9 and work successfully. (i.e. connect to app files that reside on a different server, or network share)
I first created a share called \\Server9\BIPortal that points to the "website" directory on the local server.
On Server10 I created the virtual directory and used the same domain account from Server9 as the anonymous account. This account has local admin access to both servers. After creating the virtual directory, in the IIS Admin tool the icon next to the virtual directory is the big red stop sign, and it says "Access Denied" even though I do get a listing of the files in the share. The Event Viewer says:
The server was unable to add the virtual root '/BIPortal' for the directory '\\Server9\BIPortal' due to the following error: Access is denied. The data is the error code.
To solve this error, in the NTFS permissions of the website directory/share on Server9, I added DomainName\Server10$ and gave it full permissions. This is the machine account on the domain for Server10. Then after doing another IISRESET the error went away in the IIS admin tool.
Upon trying to access the website, I got the following errors in Event Viewer on Server10:
Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: None
Event ID: 1073
Date: 1/11/2007
Time: 1:38:32 PM
User: N/A
Computer: Server10
Description:
Failed to initialize the AppDomain:/LM/W3SVC/1/Root/BIPortal
Exception: System.IO.FileLoadException
Message: Could not load file or assembly 'System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E)
AND
Failed to execute the request because the ASP.NET process identity does not have read permissions to the global assembly cache. Error: 0x8007052e Logon failure: unknown user name or bad password.
So with this error, I believe the ASPNET account on Server10 doesn't have the appropriate access to run .Net 2... so I'm going to edit the machine.config in this directory: C:\WINNT\Microsoft.NET\Framework\v2.0.50727\CONFIG
Change this line:
<system.web>
<processModel autoConfig="true"/>
to this:
<system.web>
<processModel autoConfig="true" userName="Domain\useraccount" password="accountpassword"/>
NOTE: the case of userName and password is VERY IMPORTANT. Notice the capital N in userName.
Now save machine.config and do an iisreset again. (processModel needs an iisreset, though other settings do not. This is documented behavior) This should work because the useraccount used is a local admin. If you don't want to use a local admin account, there are a lot of Microsoft support docs detailing how to give an account the proper permissions to access everything it needs to execute .Net 2 on the machine. I'm essentially cheating because I want the damn thing to work already! :-)
This worked! But... now I am back to the dreaded error I haven't yet been able to resolve. I try to bring up the website and get this in the browser:
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
System.Web.Configuration.MetabaseServerConfig.MapPathCaching(String siteID, VirtualPath path) +3500410
System.Web.Configuration.MetabaseServerConfig.System.Web.Configuration.IConfigMapPath.MapPath(String siteID, VirtualPath vpath) +9
System.Web.Hosting.HostingEnvironment.MapPathActual(VirtualPath virtualPath, Boolean permitNull) +163
System.Web.CachedPathData.GetConfigPathData(String configPath) +382
System.Web.CachedPathData.GetVirtualPathData(VirtualPath virtualPath, Boolean permitPathsOutsideApp) +132
System.Web.HttpContext.GetFilePathData() +27
System.Web.HttpContext.GetConfigurationPathData() +26
System.Web.Configuration.HttpCapabilitiesBase.GetBrowserCapabilities(HttpRequest request) +133
System.Web.HttpRequest.get_Browser() +134
System.Web.ErrorFormatter.RequiresAdaptiveErrorReporting(HttpContext context) +104
This FileIOPermission error has proven to be quite a challenge to get around. The Event Viewer shows something a little different...
The dreaded ASPNETHostingPermission error.... both I believe are security related.
Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Web Event
Event ID: 1310
Date: 1/11/2007
Time: 2:00:59 PM
User: N/A
Computer: Server10
Description:
Event code: 3008
Event message: A configuration error has occurred.
Event time: 1/11/2007 2:00:59 PM
Event time (UTC): 1/11/2007 7:00:59 PM
Event ID: cf31597ee0374a4fa3801f0c3faedda1
Event sequence: 12
Event occurrence: 2
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/Root/BIPortal-1-128130153948287440
Trust level: Full
Application Virtual Path: /BIPortal
Application Path: \\Server9\BIPortal\
Machine name: Server10
Process information:
Process ID: 4640
Process name: aspnet_wp.exe
Account name: Domain\useraccount
Exception information:
Exception type: ConfigurationErrorsException
Exception message: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. (\\swcl0009\BIPortal\web.config line 58) (\\server9\BIPortal\web.config line 58)
Request information:
Request URL: http://Server10/BIPortal/Default.aspx
Request path: /BIPortal/Default.aspx
User host address: 555.555.555.555
User:
Is authenticated: False
Authentication Type:
Thread account name: Domain\useraccount
Thread information:
Thread ID: 1
Thread account name: Domain\useraccount
Is impersonating: False
Stack trace: at System.Web.Configuration.HttpModuleAction.get_Entry()
at System.Web.Configuration.HttpModulesSection.CreateModules()
at System.Web.HttpApplication.InitModules()
at System.Web.HttpApplication.InitInternal(HttpContext context, HttpApplicationState state, MethodInfo[] handlers)
at System.Web.HttpApplicationFactory.GetNormalApplicationInstance(HttpContext context)
at System.Web.HttpApplicationFactory.GetApplicationInstance(HttpContext context)
at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
Now I think that Server10 can not get the correct permissions (within .Net 2 Framework) to run the application. Not sure if this is a correct assumption. So the question is, how do we tell .Net 2 Framework on Server10 that it's OK to run files from the Share directory on Server9? Well, I'm using "Medium" trust... let me try "High" for the virtual directory on Server10. (Note: may NOT want to do this in a shared hosting environment.) This essentially means that I as an admin highly trust the files my web server is connecting to. I'd want to put it at "low" if the files were from an external or third party source that I couldn't trust not to be a bunch of hackers. So, to be safe, run another iisreset to make sure the change takes effect.
Ok, this had NO effect. Changing back to Medium priority.
After playing some more I now sometimes get the following error:
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. (\\Server9\BIPortal\web.config line 58)
Source Error:
Line 56: <!-- HttpModules for Common Functionality -->
Line 57: <httpModules>
Line 58: <add name="Authentication" type="DotNetNuke.HttpModules.AuthenticationModule, DotNetNuke.HttpModules.Authentication" />
Line 59: <add name="Compression" type="DotNetNuke.HttpModules.Compression.HttpModule, DotNetNuke.HttpModules.Compression" />
Line 60: <add name="UrlRewrite" type="DotNetNuke.HttpModules.UrlRewriteModule, DotNetNuke.HttpModules.UrlRewrite" />
Source File: \\Server9\BIPortal\web.config Line: 58
If I do another IISRESET it goes back to the FileIOPermission error from before which is a bit confusing.... both errors however seem to deal with permissions of course...
So what's next? Anything else I can try? Anyone else get this working? (Hosting a .Net 2 web application off of a share)
For .Net 1.1 use this link to solve this issue:
http://groups.google.com/group/microsoft.public.dotnet.framework.aspnet/browse_frm/thread/d3709942a2720416/3c2ea960b4309100?hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dtestproject4%26meta%3Dgroup%253Dmicrosoft.public.dotnet.framework.aspnet.*#3c2ea960b4309100
For .Net 2.0....
Let's try to use caspol to fully trust a share, since a share is by default part of the local intranet zone....
http://blogs.msdn.com/shawnfa/archive/2004/12/30/344554.aspx
CasPol.exe -m -ag 1.2 -url file://Server9/BIPortal/* FullTrust
Ok.. I thought this would do it.... granting Full Trust to the share I'm loading the application from. No luck....
Any help here? Anyone have any further ideas??
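A read-only check of how the .NET 2.0 code access security policy on Server10 resolves an assembly loaded from the share, as an added example that is not part of the original post. Each framework version keeps its own caspol.exe and its own policy files, so the script calls the copy under v2.0.50727; the probe path to DotNetNuke.dll in the share's bin directory is an assumption.

```bat
@echo off
rem Added example, not from the original post.
rem Lists the machine-level code groups and shows which groups and
rem permissions the 2.0 runtime resolves for one assembly on the share.
rem It changes nothing; it only reads the policy.
setlocal

rem Framework directory taken from the machine.config path in the post.
set FX=%windir%\Microsoft.NET\Framework\v2.0.50727

rem Assumed probe assembly: any managed DLL under the share's bin folder.
set PROBE=\\Server9\BIPortal\bin\DotNetNuke.dll

rem A CasPol.exe from another framework directory edits that version's
rem policy, not the one ASP.NET 2.0 evaluates, so insist on this copy.
if not exist "%FX%\caspol.exe" (
    echo caspol.exe for v2.0.50727 not found under %FX%
    exit /b 1
)

if not exist "%PROBE%" (
    echo Probe assembly %PROBE% is not readable from this account
    exit /b 1
)

echo === Machine-level code groups as the 2.0 runtime sees them ===
"%FX%\caspol.exe" -m -lg

echo === Code groups matching the probe assembly, all policy levels ===
"%FX%\caspol.exe" -a -rsg "%PROBE%"

echo === Permissions resolved for the probe assembly, all policy levels ===
"%FX%\caspol.exe" -a -rsp "%PROBE%"

endlocal
```

If the URL code group added with `-ag 1.2` does not appear in the first listing, the grant went into a different runtime version's policy. The resolved permission set in the last listing also shows how wide the FullTrust grant reaches, which is worth confirming before leaving it in place on a production web farm.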