Thursday, July 5, 2012

Request for the permission of type "System.DirectoryServices failed"


I created a ssrs report with custom dll execution. The custom dll would retrieve the active directory groups of the report user. Code of custom dll function was:

// Get groups of user with specific prefix and extract the store information
public static List GetStoresSecurity(string groupprefix, string userName)
{
List result = new List();
// establish domain context
PrincipalContext yourDomain = new PrincipalContext(ContextType.Domain);
// find your user
UserPrincipal user = UserPrincipal.FindByIdentity(yourDomain, userName);
// if found - grab its groups
if (user != null)
{
PrincipalSearchResult groups = user.GetAuthorizationGroups();
// iterate over all groups
foreach (Principal p in groups)
{
// make sure to add only group principals
if (p is GroupPrincipal)
{
if (p.Name.StartsWith(groupprefix))
{
result.Add(p.Name.Replace(groupprefix, ""));
}
}
}
}
return result;
}

When I deployed the report I added to rssrvpolicy.config the following permission assign (ReportFunctions.dll contains my function):

<CodeGroup>

class="UnionCodeGroup"
version="1"
PermissionSetName="FullTrust"
Name="Report Functions"
Description="This code group grants full permissions to directory functions ">
class="UrlMembershipCondition"
version="1"
Url="C:\Program Files\Microsoft SQL Server\MSRS10_50.R2\Reporting Services\ReportServer\bin\ReportFunctions.dll"
/>
</CodeGroup>

When I tried to execute the report I got the error: Request for the permission of type "System.DirectoryServices failed". This was a permission error and the way I found to overpass it was to give full trust to .net assemblies. The way to do this was to edit again rssrvpolicy.config and make the following change:

<CodeGroup>

class="UnionCodeGroup"
version="1"
PermissionSetName="FullTrust"
Name="Report_Expressions_Default_Permissions"
Description="This code group grants default permissions for code in report expressions and Code element. ">
class="StrongNameMembershipCondition"
version="1"
PublicKeyBlob="0024000004800000940000000602000000240000525341310004000001000100512C8E872E28569E733BCB123794DAB55111A0570B3B3D4DE3794153DEA5EFB7C3FEA9F2D8236CFF320C4FD0EAD5F677880BF6C181F296C751C5F6E65B04D3834C02F792FEE0FE452915D44AFE74A0C27E0D8E4B8D04EC52A8E281E01FF47E7D694E6C7275A09AFCBFD8CC82705A06B20FD6EF61EBBA6873E29C8C0F2CAEDDA2"
/>
</CodeGroup>

1 comment:

  1. Hi Nick,

    did you solved problem with Attemption by security transparent method to access security critical method in DirectorySearcher?

    I'm solving this problem right now. I see one solution - query AD by SQL... But it is not so nice... :-(

    Best regards, Tomas

    ReplyDelete