Error Compiling and Publishing Website in Visual Studio 2005

I was getting the following compilation error when trying to publish or build my website that I was working on in Visual Studio 2005:

Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed

I was running Visual Studio 2005 on my workstation and my website was on a web server and I had a local drive letter (Y:) mapped to that folder. I was trying to publish to another web server that I had mapped to (X:). By following these steps, the error went away, the site compiled and I was able to publish it:

1. On the workstation that you're developing on, go to Administrative Tools > Microsoft .NET Framework 2.0 Configuration
2. Expand to .Net Framework 2.0 Configuration > My Computer > Runtime Security Policy > Machine > Code Groups > All_Code.
3. Right click the All_Code node and choose New.
4. Call the new code group anything you'd like and click the Next button.
5. From the pulldown choose "URL" and in the URL textbox that displays type:
   file:////\\y:\*
6. Click the Next button.
7. Select the "Use existing permission set" pulldown and select "Full Trust".
8. Close Visual Studio 2005, open it again and it should compile.

Solving NTLM multiple-hop authentication problem

I had developed a webservice that worked just fine when the webservice was on the same server with the .aspx page that called the webservice (let's call it SERVER1). From a web browser on another computer, I could connect to SERVER1 and the .aspx page would call the webservice without any problems.

I required NTLM authentication in my website so that users would automatically be authenticated with their credentials and the code that called up the webservice passed their credentials when calling the webservice:

proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;

When I kept the webservice on SERVER1 and moved the .aspx pages to another IIS server (let's call it SERVER2) it would all still work as long as I was logged onto SERVER2 and calling up the .aspx pages locally. However, when I would view the .aspx pages on SERVER2 from another computer, I would get an authentication error:

Exception Details: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.

If I hardcoded the credentials, it would work:

proxy.Credentials = new System.Net.NetworkCredential("username", "password", "");

It would also work if I changed the authentication for the website from NTLM to basic authentication. However, that would require the user to enter their username and password; a step that I didn't want them to take.

After looking in some forums, I saw that this is a multiple-hop, sometimes called a 2-hop, NTLM authentication issue. It's a "security feature" that is implemented in IIS that doesn't allow an IIS server to pass credentials along to another server. It's a good idea I guess but it created this problem for me. Finally after throwing my hands up and posting to an MSDN forum, I found this little link (thanks kbradl1):

http://support.dspanel.com/help43/Server_Configuration/Delegation.htm

That link talks about this issue and SharePoint (which is just IIS). However, this article talks about the steps to take with IIS6, mainly editing \system32\inetsrv\Metabase.xml. I was running Windows 2000 Server with IIS5 and IIS5 doesn't keep configuration information in Metabase.xml. I thought I was back at square one, but another step that is required is enabling a computer in Active Directory to be trusted for delegation. In my case I needed SERVER2 to be trusted for delegation.

To enable a computer for delegation, open up Active Directory Users and Computers and find the computer. Open up the Properties window for the comptuer and on the General tab, check the checkbox labeled "Trust computer for delegation".

That's all I needed to fix my problem. I hope this helps someone else out there.