How to run a managed assembly from a local intranet share and how to make security changes if the assembly requires more permissions in the .NET Framework (892465)



The information in this article applies to:

  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.0

INTRODUCTION

This article discusses the following subjects:
  • How to run a managed assembly that resides on a local intranet share.
  • How to avoid the security-related exception messages that may occur when the assembly requires more permissions.

MORE INFORMATION

The following information applies to a managed executable program (.exe) that runs with more permissions than the permissions that would be typically granted to the zone where the assembly belongs.

For a program that is hosted on another computer, the zone would be the Local Intranet zone. For example, a program that is hosted in a local area network (LAN) is in the Local Intranet zone. By default, all files that are on a mapped network drive are in the Local Intranet zone, and the files operate under the permissions that are set for that zone. If the assembly that you want to run does not require any permissions other than those that would be ordinarily granted to applications that are running in the Local Intranet zone, you do not have to sign and create a custom code group.

You only have to follow these steps if the assembly causes a security exception message when it runs.

Note We recommend that you do not change the permissions that are granted to the Local Intranet zone to FullTrust as an alternative to the following steps.

To run an assembly by signing and creating a custom code group in the Local Intranet zone, follow these steps:
  1. Determine the executable program that is used to set the membership condition in a code group. To do this, use either the Microsoft .NET Framework Configuration Tool (Mscorcfg.msc) or the Code Access Security Policy Tool (Caspol.exe). Although other membership conditions are available, we recommend that you sign the assembly with a strong name or a certificate. To sign an assembly with a strong name, follow these steps:
    1. Use the Strong Name tool (Sn.exe) that is included with the .NET Framework Software Development Kit (SDK) to generate a cryptographic key pair.

      Type the following command line to generate a key pair and to store the key pair in a file that is named KeyPair.snk:

      sn -k KeyPair.snk

      Note The strong name key is used to create a code group that grants permissions to the assembly.
    2. Include the following assembly-level attribute in the source code (AssemblyInfo.cs):

      using System.Reflection;   // namespace that contains AssemblyKeyFileAttribute
      [assembly: AssemblyKeyFile("KeyPair.snk")]
      

  2. The code group that corresponds to the evidence of the executable program gives the permissions that the assembly requires. If the executable program is identified by a strong name, the code group uses the StrongNameMembershipCondition class. To create the code group, run the Caspol.exe tool by using options that are similar to the following:

    caspol -machine -addgroup All_Code -strong -file yourSignedAssembly.exe -noname -noversion FullTrust -name YourCompanyStrongName -description "Code group granting trust to code that is signed by YourCompany"

    Note You can also create the code group by using the .NET Framework Configuration tool (Mscorcfg.msc). This tool is located in Administrative Tools.

    The simplest method of granting permissions to the new code group is by using the existing FullTrust permission set. However, we recommend that you create a custom named permission set and only grant the permissions that the assembly requires to run. Named permission sets are most easily constructed by using the .NET Framework Configuration tool. To do this, create the custom named permission set. Then, create the code group that uses the custom named permission set.
  3. Make sure that the runtime version of the .NET Framework that is on the host computer is compatible with the runtime that is used to compile the assembly.
  4. Make sure that the code group that you created for the executable program uses the same .NET Framework runtime that the executable program uses.
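
The following batch file is an added example, not part of the original article and not Microsoft's own script. It carries out step 2 with a custom named permission set instead of FullTrust, as recommended above, and then checks the result. It assumes .NET Framework 1.1; the permission set name YourAppPermissions, the paths under \\server\share, and the three permissions chosen are hypothetical placeholders for what your assembly actually requires.

```bat
@echo off
rem Added example: grant a strong-named assembly a custom named permission set
rem instead of FullTrust. All names and paths below are assumed placeholders.
setlocal

rem Use the Caspol.exe of the runtime that the assembly runs on (steps 3 and 4).
rem v1.1.4322 is the .NET Framework 1.1 directory.
set "CASPOL=%windir%\Microsoft.NET\Framework\v1.1.4322\caspol.exe"
set "APP=\\server\share\yourSignedAssembly.exe"
set "LIB=mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"

rem 1. Write the permission set file: execute, show UI, read one folder.
(
  echo ^<PermissionSet class="System.Security.NamedPermissionSet" version="1" Name="YourAppPermissions" Description="Permissions for yourSignedAssembly.exe"^>
  echo   ^<IPermission class="System.Security.Permissions.SecurityPermission, %LIB%" version="1" Flags="Execution"/^>
  echo   ^<IPermission class="System.Security.Permissions.UIPermission, %LIB%" version="1" Unrestricted="true"/^>
  echo   ^<IPermission class="System.Security.Permissions.FileIOPermission, %LIB%" version="1" Read="\\server\share\data"/^>
  echo ^</PermissionSet^>
) > YourAppPermissions.xml

rem 2. Add the named permission set to machine-level policy.
"%CASPOL%" -machine -addpset YourAppPermissions.xml || goto failed

rem 3. Create the code group from the assembly's strong name public key and
rem    grant it the custom set rather than FullTrust.
"%CASPOL%" -machine -addgroup All_Code -strong -file "%APP%" -noname -noversion YourAppPermissions -name YourCompanyStrongName -description "Code group granting trust to code that is signed by YourCompany" || goto failed

rem 4. Check the result: the code groups that match the assembly, and the
rem    permissions that policy grants it.
"%CASPOL%" -resolvegroup "%APP%"
"%CASPOL%" -resolveperm "%APP%"
goto :eof

:failed
echo Caspol.exe returned a nonzero exit code. Review the machine policy before retrying.
exit /b 1
```

Run it from an administrator command prompt on each computer that will run the assembly, because machine-level policy is stored per computer and per runtime version.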

REFERENCES

For more information about the .NET Framework security policy model, visit the following Microsoft Developer Network (MSDN) Web site:

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

302340 How to create an assembly with a strong name in .NET Framework SDK


Modification Type: Major
Last Reviewed: 4/25/2005
Keywords: kbConfig kbinfo kbhowto KB892465 kbAudDeveloper