How to run a user control assembly that is hosted on Internet Information Services (IIS) in Internet Explorer (892466)



The information in this article applies to:

  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.0

INTRODUCTION

This article discusses how to run a user control assembly that is hosted on Microsoft Internet Information Services (IIS) in Microsoft Internet Explorer.

Note The following information applies to an assembly when you intend to run the assembly by using more permissions than would ordinarily be granted to the zone that the assembly belongs to. Typically this zone is the Internet, Local Intranet, or Trusted sites zone.

MORE INFORMATION

To load a user control assembly in Internet Explorer, you must follow several steps. Otherwise, you may receive security exceptions when you try to load the assembly. To run the user control assembly in Internet Explorer, make sure that the following conditions are met in this order:
  1. The user control assembly is identifiable. You can use this identification to set the membership condition in a code group by using either the .NET Configuration Tool (Mscorcfg.msc) or the Code Access Security Policy Tool (Caspol.exe). We recommend that you sign the assembly by using a strong name or a certificate. However, you can also use other sources of identity, such as a URL or a site. A URL or a site can serve as a membership condition. However, we do not recommend that you use a URL or a site because they are less secure than a strong name or a certificate.

    Use the Strong Name tool (Sn.exe) that is included with the Microsoft .NET Framework Software Development Kit (SDK) to generate a cryptographic key pair. To generate a key pair and to store the key pair in a file that is named KeyPair.snk, type the following command at a command prompt:

    sn -k KeyPair.snk

    Note The strong name key is used to create a code group that grants permissions to the assembly.

    Sign the assembly by including the following assembly-level attribute in the source code file (AssemblyInfo):
    [assembly: AssemblyKeyFile("KeyPair.snk")]
    
  2. If the user control is strong named, the user control must have the AllowPartiallyTrustedCallers attribute. The AllowPartiallyTrustedCallers attribute requires that the assembly be signed by using a strong name key. This attribute is required because the control is called by either an Intranet Web page or an Internet Web page that is running under restricted permissions. The fully attributed assembly should be similar to the following:
    using System.Reflection;   // AssemblyKeyFile, AssemblyVersion
    using System.Security;     // AllowPartiallyTrustedCallers
    [assembly: AssemblyKeyFile("KeyPair.snk")]
    [assembly: AssemblyVersion("1.0.0.0")]
    [assembly: AllowPartiallyTrustedCallers]
    namespace SignedAssembly { /* the user control class is declared here */ }
    
  3. The user control must assert the permissions that it requires and that the zone in which the user control is running would typically not grant. Permissions should only be asserted if you know that the calling application has insufficient permissions. Asserts should not be performed without a strong requirement. The following code example shows how to use the FileIOPermission.Assert method.
    new FileIOPermission(PermissionState.Unrestricted).Assert();
    // Show the selected file name in the text box.
    textBox1.Text = fileDialog.FileName;
    // Open the selected file for reading.
    FileStream fsIn = new FileStream(textBox1.Text, FileMode.Open, FileAccess.Read, FileShare.Read);
    StreamReader sr = new StreamReader(fsIn);

    // Add every line in the file to the list box.
    for (String Line = sr.ReadLine(); Line != null; Line = sr.ReadLine())
    {
        listBox1.Items.Add(Line);
    }
    // Closing the reader also closes the underlying file stream.
    sr.Close();
    
  4. The user control must revert asserts immediately after it performs the asserted actions.

    Important You must call the RevertAssert method to restore the stack walk for file operations. To do this, use the following code example.
    FileIOPermission.RevertAssert();
    
  5. The user control must be hosted in an IIS folder that has the Execute permission option set to either None or Scripts Only.
  6. The client must have a code group to which the assembly resolves. This code group grants the permissions that the assembly requires. For example, use the following command to create a code group for an assembly:

    caspol -machine -addgroup All_Code -strong -file SignedAssembly.exe -noname -noversion FullTrust -name YourCompanyStrongName -description "Code group granting trust to code signed by YourCompany"

    Note You can also create the code group by using the Microsoft .NET Framework Configuration tool (Mscorcfg.msc). To use Mscorcfg.msc, open Administrative Tools in Control Panel. Then, double-click Microsoft .NET Framework Configuration.
  7. If Internet Explorer Enhanced Security Configuration has been enabled for both the Administrators group and the Other Groups group on the computer that is running IIS, make sure that the Do not save encrypted pages to disk option is not selected on the Advanced tab in the Options dialog box in Internet Explorer. By default, Internet Explorer Enhanced Security Configuration is enabled in Windows Server 2003. When it is enabled, downloaded files are encrypted, and the Do not save encrypted pages to disk option is selected automatically on the client. To successfully download a user control under these conditions, the Do not save encrypted pages to disk option must be cleared on the client. To make sure that the option is not selected, follow these steps:
    1. In Internet Explorer, click Tools, and then click Internet Options.
    2. In the Internet Options dialog box, click the Advanced tab.
    3. Locate and then click to clear the Do not save encrypted pages to disk check box, and then click OK.
  8. Make sure that the run-time version of the .NET Framework that is on the host computer is compatible with the run-time version that is used to compile the assembly.
  9. Make sure that the code group that was created for the user control is in the same .NET Framework run-time version that the control uses.
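
Steps 3 and 4 combined, as an added example that is not part of the original article: the assert is narrowed to read access on a single file, and the revert sits in a finally block so that it runs even when the file operation throws. The class name AssertedFileReader and the absolutePath parameter are hypothetical.

```csharp
using System.Collections;
using System.IO;
using System.Security;
using System.Security.Permissions;

namespace SignedAssembly
{
    // Hypothetical helper class; not part of the original article.
    public sealed class AssertedFileReader
    {
        private AssertedFileReader() { }

        // absolutePath is assumed to be a full path that the control already
        // holds; the FileIOPermission constructor rejects relative paths.
        public static ArrayList ReadLines(string absolutePath)
        {
            ArrayList lines = new ArrayList();

            // Step 3, narrowed: read access to this one file instead of
            // PermissionState.Unrestricted.
            FileIOPermission readOnly =
                new FileIOPermission(FileIOPermissionAccess.Read, absolutePath);
            readOnly.Assert();
            try
            {
                StreamReader sr = new StreamReader(new FileStream(
                    absolutePath, FileMode.Open, FileAccess.Read, FileShare.Read));
                try
                {
                    for (string line = sr.ReadLine(); line != null; line = sr.ReadLine())
                    {
                        lines.Add(line);
                    }
                }
                finally
                {
                    sr.Close();
                }
            }
            finally
            {
                // Step 4: runs even if the open or read throws, so no later
                // code in this method executes under the assert.
                CodeAccessPermission.RevertAssert();
            }
            return lines;
        }
    }
}
```

Calling Assert requires that the assembly itself hold SecurityPermissionFlag.Assertion, which the FullTrust code group in step 6 includes.
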
If you experience problems, you can enable extended error logging in Internet Explorer. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

313892 How to use the IEHost log to debug .NET object hosting in Internet Explorer

REFERENCES

For more information about the .NET Framework security policy model, visit the following Microsoft Developer Network (MSDN) Web site:

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

302340 How to create an assembly with a strong name in .NET Framework SDK


Modification Type: Major
Last Reviewed: 7/13/2005
Keywords: kbConfig kbhowto kbinfo KB892466 kbAudDeveloper