CRT4 - IIS - ASP.NET2 - Access to the temp directory is denied. Identity 'NT AUTHORITY\NETWORK SERVICE' under which XmlSerializer is running does not have sufficient permission to access the temp dir
I installed CRM fresh on a Windows 2003 Server and SQL 2005.. it was running fine with no issues then the outlook portion stated it was offline.. so when I try to access it by web from the server I get the following.
Did some searching but couldn't find out what was wrong.
dmtcrm-iis.JPG
Did some searching but couldn't find out what was wrong.
Server Error in '/' Application.
--------------------------------------------------------------------------------
Access to the temp directory is denied. Identity 'NT AUTHORITY\NETWORK SERVICE' under which XmlSerializer is running does not have sufficient permission to access the temp directory. CodeDom will use the user account the process is using to do the compilation, so if the user doesnt have access to system temp directory, you will not be able to compile. Use Path.GetTempPath() API to find out the temp directory location.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the temp directory is denied. Identity 'NT AUTHORITY\NETWORK SERVICE' under which XmlSerializer is running does not have sufficient permission to access the temp directory. CodeDom will use the user account the process is using to do the compilation, so if the user doesnt have access to system temp directory, you will not be able to compile. Use Path.GetTempPath() API to find out the temp directory location.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[UnauthorizedAccessException: Access to the temp directory is denied. Identity 'NT AUTHORITY\NETWORK SERVICE' under which XmlSerializer is running does not have sufficient permission to access the temp directory. CodeDom will use the user account the process is using to do the compilation, so if the user doesnt have access to system temp directory, you will not be able to compile. Use Path.GetTempPath() API to find out the temp directory location.]
System.Xml.Serialization.Compiler.Compile(Assembly parent, String ns, XmlSerializerCompilerParameters xmlParameters, Evidence evidence) +1208
System.Xml.Serialization.TempAssembly.GenerateAssembly(XmlMapping[] xmlMappings, Type[] types, String defaultNamespace, Evidence evidence, XmlSerializerCompilerParameters parameters, Assembly assembly, Hashtable assemblies) +2024
System.Xml.Serialization.TempAssembly..ctor(XmlMapping[] xmlMappings, Type[] types, String defaultNamespace, String location, Evidence evidence) +74
System.Xml.Serialization.XmlSerializer.GenerateTempAssembly(XmlMapping xmlMapping, Type type, String defaultNamespace) +99
System.Xml.Serialization.XmlSerializer..ctor(Type type, String defaultNamespace) +348
System.Xml.Serialization.XmlSerializer..ctor(Type type) +6
Microsoft.Crm.CrmPerformanceCounterFactory.LoadCounters(PerformanceCounterLoadSetting settings, String component) +355
Microsoft.Crm.LocatorCache.CreatePerformanceCounters() +35
Microsoft.Crm.LocatorCache..ctor() +218
Microsoft.Crm.ServerLocatorService..cctor() +20
[TypeInitializationException: The type initializer for 'Microsoft.Crm.ServerLocatorService' threw an exception.]
Microsoft.Crm.LocatorService..ctor() +223
Microsoft.Crm.LocatorService..cctor() +20
[TypeInitializationException: The type initializer for 'Microsoft.Crm.LocatorService' threw an exception.]
Microsoft.Crm.LocatorService..ctor() +30
Microsoft.Crm.CrmTrace.get_RefreshTrace() +416
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433
dmtcrm-iis.JPG
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
From : http://forums.techarena.in/server-update-service/786939.htm
The NT AUTHORITY\Network Service account requires very specialized permissions to the %windir%\temp directory, and I believe they should have been set by the .NET Framework installer. However, if somebody has 'tweaked' the permissions on the system, this could cause issues. Here are the correct permissions for the "Network Service" account on %windir%\temp: Permissions are not inherited from the parent. For "This folder and subfolders", the account requires: Traverse Files/ Execute Files List Folder / Read Data Read Attributes Delete Read Permissions For "Files only" List Folder / Read Data Delete Granting the generic READ permission to the "Network Service" account is not a proper solution because the READ permission does not grant the "Delete" permission, and it unnecessarily grants "Read Extended Attributes" on the folder and subfolders, and even more critically, it grants "Execute Files" on the files in those folders and subfolders. In essence you create a security hole on your machine by giving a network-enabled account execute permissions to files it should not have execute permissions for. It also doesn't have the ability to remove files from the %temp% folder when it's done with them.
The NT AUTHORITY\Network Service account requires very specialized permissions to the %windir%\temp directory, and I believe they should have been set by the .NET Framework installer. However, if somebody has 'tweaked' the permissions on the system, this could cause issues. Here are the correct permissions for the "Network Service" account on %windir%\temp: Permissions are not inherited from the parent. For "This folder and subfolders", the account requires: Traverse Files/ Execute Files List Folder / Read Data Read Attributes Delete Read Permissions For "Files only" List Folder / Read Data Delete Granting the generic READ permission to the "Network Service" account is not a proper solution because the READ permission does not grant the "Delete" permission, and it unnecessarily grants "Read Extended Attributes" on the folder and subfolders, and even more critically, it grants "Execute Files" on the files in those folders and subfolders. In essence you create a security hole on your machine by giving a network-enabled account execute permissions to files it should not have execute permissions for. It also doesn't have the ability to remove files from the %temp% folder when it's done with them.
ASKER