LDAP in medium trust


I have a solution with one website and several projects.
The projects all have the AllowPartiallyTrustedCallers attribute and are strongly-named.

The site works in full trust. However, after setting the trust to medium, I get the System.Security.SecurityException: Request failed error as soon as I browse to the site.

In my projects, I have calls to LogOnUser, as well as many calls to various System.DirectoryServices.AccountManagement methods.

Can this site run with medium trust or do I have to have full trust for all the LDAP calls?

As I mentioned, I've set the AllowPartiallyTrustedCallers attribute on all projects. Not sure what else to do.
Also, I have no idea what/where the error is being generated. The event logs on the server have nothing in regards to this SecurityException. Is there any way to find out what the error location is so maybe I can attempt to rewrite some code?

[running .NET 4.0 on Win2k8R2]


There are 2 answers

Michael Liu

LogOnUser, like all P/Invoke calls, requires SecurityPermission with the UnmanagedCode permission flag. System.DirectoryServices.AccountManagement requires unrestricted DirectoryServicesPermission. Neither permission is granted to medium-trust ASP.NET applications by default.

The AllowPartiallyTrustedCallers attribute allows a full-trust assembly to be used by a partial-trust assembly. In your case, the attribute has no effect because all assemblies in the bin folder are loaded into the partial-trust application domain.

If your application is required to run under medium trust, and you have the ability to install assemblies into the GAC, then you can create an assembly containing the code that requires extra permissions, mark the assembly with AllowPartiallyTrustedCallers, and put it in the GAC. You will also need to Assert the required permissions to suppress the stack walks that will still occur.

For more information, see the Code Access Security in ASP.NET 4 Applications topic in MSDN Library.
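The arrangement this answer describes, written out as an added example (it is not code from the question or from either answer): a strongly-named wrapper assembly for the GAC that does the privileged work and Asserts the two permissions so the demand does not walk into the medium-trust site's frames. The namespace AdAuthGateway, the class and method names, and the choice of network logon are assumptions for illustration. Under .NET 4 Level 2 rules an APTCA assembly's code is transparent unless marked, and transparent code cannot Assert, so the entry points are marked SecuritySafeCritical.

```csharp
// Added example: a full-trust, GAC-installed wrapper for a medium-trust site.
// Names (AdAuthGateway, AdGateway, ValidateCredentials, IsMemberOf) are assumptions.
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;

// Let partial-trust (medium) callers invoke this strongly-named assembly.
[assembly: AllowPartiallyTrustedCallers]
// .NET 4 Level 2 rules: APTCA code is transparent unless marked, and
// transparent code cannot Assert, so the public entry points are SafeCritical.
[assembly: SecurityRules(SecurityRuleSet.Level2)]

namespace AdAuthGateway
{
    public static class AdGateway
    {
        // The LogonUser P/Invoke from the question; P/Invoke is why UnmanagedCode is needed.
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        private static extern bool LogonUser(string user, string domain, string password,
                                             int logonType, int logonProvider, out IntPtr token);

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool CloseHandle(IntPtr handle);

        private const int Logon32LogonNetwork = 3;   // LOGON32_LOGON_NETWORK
        private const int Logon32ProviderDefault = 0; // LOGON32_PROVIDER_DEFAULT
        private const int ErrorLogonFailure = 1326;   // ERROR_LOGON_FAILURE

        // Validates a user name and password against the domain. The Assert stops the
        // UnmanagedCode demand raised by the P/Invoke from reaching the medium-trust caller.
        [SecuritySafeCritical]
        public static bool ValidateCredentials(string domain, string user, string password)
        {
            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();
            try
            {
                IntPtr token;
                if (!LogonUser(user, domain, password, Logon32LogonNetwork, Logon32ProviderDefault, out token))
                {
                    int error = Marshal.GetLastWin32Error();
                    // A wrong password is the expected negative result; anything else
                    // (no domain controller, account restrictions) is surfaced to the caller.
                    if (error == ErrorLogonFailure) return false;
                    throw new Win32Exception(error);
                }
                CloseHandle(token); // the token itself is not needed for a validity check
                return true;
            }
            finally
            {
                CodeAccessPermission.RevertAssert(); // keep the Assert scoped to this call
            }
        }

        // One of the AccountManagement calls the question mentions: group membership.
        // DirectoryServicesPermission is asserted for the same reason as above.
        [SecuritySafeCritical]
        public static bool IsMemberOf(string domain, string user, string groupName)
        {
            new DirectoryServicesPermission(PermissionState.Unrestricted).Assert();
            try
            {
                using (var ctx = new PrincipalContext(ContextType.Domain, domain))
                using (var principal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, user))
                {
                    if (principal == null) return false;
                    using (var group = GroupPrincipal.FindByIdentity(ctx, groupName))
                    {
                        return group != null && principal.IsMemberOf(group);
                    }
                }
            }
            finally
            {
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

The site references this assembly from the GAC rather than from its bin folder; an assembly in bin would be loaded into the partial-trust domain and, as the answer says, the APTCA attribute would then change nothing. Keeping the Asserts inside try/finally with RevertAssert limits the window in which the wider permissions are in effect to the one privileged call.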

Vince Horst

While @Michael Liu's answer is correct, it's not easily understood by a novice (such as myself) with limited working knowledge in this area. This answer is intended to supplement Michael's answer.

When your web.config is configured to use a trust level that is anything other than "full"

<trust level="Full"/>

then you will not be able to connect to Active Directory without creating your own policy file. Once you have created your own policy file (let's say it's called "myPolicyFile.config") then you're ready to customize it in order to allow your ASP.NET application to connect to Active Directory.

Here are the changes that you need to make:

In web.config, configure the website to use your custom policy file:

<system.web>
    ...
    <securityPolicy>
        <trustLevel name="myMediumPolicy" policyFile="myPolicyFile.config"/>
    </securityPolicy>

    <trust level="myMediumPolicy"/>
    ...
</system.web>

Next, in your myPolicyFile.config file, add the "SecurityClass" and "IPermission" entries as shown in the following:

<configuration>
    ...
        <PolicyLevel version="1">
            <SecurityClasses>
                ....
                <SecurityClass Name="DirectoryServicesPermission" Description="System.DirectoryServices.DirectoryServicesPermission, System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
                ....
            </SecurityClasses>
            <NamedPermissionSets>
                <PermissionSet
                        class="NamedPermissionSet"
                        version="1"
                        Name="ASP.Net">
                    ...
                    <IPermission
                            class="DirectoryServicesPermission"
                            version="1"
                            Unrestricted="true"
                    />
                    <IPermission
                            class="SecurityPermission"
                            version="1"
                            Flags="Execution, ControlThread, ControlPrincipal, RemotingConfiguration, UnmanagedCode"
                    />
                    ...
                </PermissionSet>
            </NamedPermissionSets>
        </PolicyLevel>
    ...
</configuration>

Note: the <IPermission class="SecurityPermission"... /> node may already exist (depending on which system-defined trust-level file you based your myPolicyFile.config file on). If it already exists then you just need to add the text ", UnmanagedCode" to the "Flags" attribute. If it does not already exist then copy and paste the example above into the "ASP.Net" NamedPermissionSet.

Finally, save your changes and reload your website. You should be good to go!
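A way to check the edited policy file before reloading the site, added here as an example (it is not part of the answer above): a small console program that loads the file and confirms the three things the answer adds are present and consistent, which catches the common failure mode of adding the IPermission entry without the SecurityClass mapping that resolves its class name. The class name PolicyFileCheck is an assumption and the path in Main is a placeholder to replace with your own myPolicyFile.config.

```csharp
// Added example: verifies a custom ASP.NET policy file grants what the answer describes.
// PolicyFileCheck is an assumed name; the default path is a placeholder.
using System;
using System.Linq;
using System.Xml.Linq;

static class PolicyFileCheck
{
    // Returns true when the "ASP.Net" NamedPermissionSet grants unrestricted
    // DirectoryServicesPermission and a SecurityPermission whose Flags include UnmanagedCode,
    // and when a SecurityClass entry exists to resolve the DirectoryServicesPermission name.
    public static bool GrantsDirectoryAccess(XDocument policy, out string report)
    {
        var set = policy.Descendants("PermissionSet")
            .FirstOrDefault(p => (string)p.Attribute("Name") == "ASP.Net");
        if (set == null)
        {
            report = "no NamedPermissionSet named ASP.Net found";
            return false;
        }

        var ds = set.Elements("IPermission")
            .FirstOrDefault(p => (string)p.Attribute("class") == "DirectoryServicesPermission");
        bool dsUnrestricted = ds != null &&
            string.Equals((string)ds.Attribute("Unrestricted"), "true", StringComparison.OrdinalIgnoreCase);

        var sec = set.Elements("IPermission")
            .FirstOrDefault(p => (string)p.Attribute("class") == "SecurityPermission");
        bool hasUnmanagedCode = sec != null &&
            ((string)sec.Attribute("Flags") ?? string.Empty)
                .Split(',')
                .Select(f => f.Trim())
                .Contains("UnmanagedCode", StringComparer.OrdinalIgnoreCase);

        // Without this mapping the runtime cannot turn class="DirectoryServicesPermission"
        // into the System.DirectoryServices type, and the grant is silently useless.
        bool classMapped = policy.Descendants("SecurityClass")
            .Any(c => (string)c.Attribute("Name") == "DirectoryServicesPermission");

        report = string.Format(
            "SecurityClass mapping present: {0}; DirectoryServicesPermission unrestricted: {1}; SecurityPermission Flags include UnmanagedCode: {2}",
            classMapped, dsUnrestricted, hasUnmanagedCode);
        return classMapped && dsUnrestricted && hasUnmanagedCode;
    }

    static void Main(string[] args)
    {
        // Placeholder: pass the path to your own myPolicyFile.config as the first argument.
        string path = args.Length > 0 ? args[0] : @"C:\path\to\myPolicyFile.config";
        string report;
        bool ok = GrantsDirectoryAccess(XDocument.Load(path), out report);
        Console.WriteLine(report);
        Environment.Exit(ok ? 0 : 1);
    }
}
```

Run it against the policy file named in web.config's securityPolicy section; a non-zero exit with the printed report tells you which of the three entries is missing or wrong before you spend time reproducing the SecurityException in the browser.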