Thursday, December 17, 2009

Adding permissions to add items to the GAC for other user accounts

When a user tries to add an assembly to the GAC, you may receive:

Failure adding assembly to the cache: Access denied. You might not have administrative credentials to perform this task.

or you may receive this error:
Failed to execute the request because the ASP.NET process identity does not have read permissions to the global assembly cache. Error: 0x80070005 Access is denied.
(This error message sometimes _lies_, by the way: if aspnet (XP) or Network Service (later than Windows XP) doesn't have permissions to your app folder, you can receive this message.)


In our case, the account we used to run our CruiseControl build process (ccnet), which called NAnt scripts that in turn added assemblies to the GAC, was failing.
One solution is to add your user to the Administrators group, but you may not want to do this. Instead, look at the permissions on the folder. (You must use a command-line utility or change the shell options; we'll stick with the command-line option, cacls.exe, here.)



C:\>cacls c:\windows\assembly
c:\windows\assembly BUILTIN\Users:R
                    BUILTIN\Users:(OI)(CI)(IO)(special access:)
                                              GENERIC_READ
                                              GENERIC_EXECUTE

                    BUILTIN\Power Users:C
                    BUILTIN\Power Users:(OI)(CI)(IO)C
                    BUILTIN\Administrators:F
                    BUILTIN\Administrators:(OI)(CI)(IO)F
                    NT AUTHORITY\SYSTEM:F
                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
                    MyLocalMachine\Administrator:F
                    CREATOR OWNER:(OI)(CI)(IO)F


You can see that Administrators and SYSTEM have Full Control (F).
Users have read access, so a running web application can access the GAC (read only) because of the
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

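To add the user to the ACL for the GAC, run one of the commands below. Here /e edits the existing ACL instead of replacing it, /t applies the change to the folder and all subdirectories, and /p user:F sets that user's rights to Full Control.
(You can use %WINDIR% in place of c:\windows, i.e. %WINDIR%\assembly.)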



CACLS c:\windows\assembly /e /t /p user@domain:F

or

CACLS c:\windows\assembly /e /t /p username:F

This is not always enough, though, depending on your inheritance permissions. Because the GAC install is a two-phase process and the temp and tmp folders may be used, you may at times also need the following commands, but first try without them.
Also note that where I have "username", you should of course replace it with the username to add permissions for.


CACLS c:\windows\assembly\temp /e /t /p username:F

CACLS c:\windows\assembly\tmp /e /t /p username:F
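
After running the grants above, it is worth confirming exactly which accounts can now write to the GAC, since anything placed there is loaded by every .NET application on the machine. The following PowerShell script is an added example, not part of the original post: it lists every Allow entry with write-type rights on %WINDIR%\assembly and its temp and tmp folders (top level only) and marks entries that are not in a baseline. The baseline list is an assumption copied from the cacls listing above; adjust it for your system.

```powershell
# Added example (not from the original post): list every Allow ACE on the GAC
# folders that grants write-type rights, so new grants can be reviewed.
$gac   = Join-Path $env:WINDIR 'assembly'
$paths = @($gac, (Join-Path $gac 'temp'), (Join-Path $gac 'tmp')) |
    Where-Object { Test-Path -Path $_ }

# Assumption: baseline writers, copied from the cacls listing in this post.
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
              'BUILTIN\Power Users', 'CREATOR OWNER')

# Specific rights that allow adding, replacing or re-permissioning files.
$names       = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeRights = [System.Security.AccessControl.FileSystemRights]$names

# Generic rights appear as raw bits on some ACEs (for example inherit-only ones):
# GENERIC_WRITE = 0x40000000, GENERIC_ALL = 0x10000000.
$mask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

$findings = foreach ($path in $paths) {
    foreach ($rule in (Get-Acl -Path $path).Access) {
        # Deny entries and read/execute-only entries are not of interest here.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }

        New-Object PSObject -Property @{
            Path      = $path
            Principal = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            Expected  = $expected -contains $rule.IdentityReference.Value
        }
    }
}

# Entries with Expected = False sort first: these are the grants to review.
$findings | Sort-Object Expected, Path |
    Format-Table Path, Principal, Rights, Inherited, Expected -AutoSize
```

The build account you granted with CACLS should appear with Expected = False; any other unexpected principal with write access deserves a closer look.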


If this still doesn't resolve, Microsoft has a posting that deals with some other causes:
http://support.microsoft.com/default.aspx?kbid=811320

If you want to edit the permissions in Explorer, you can do this by first disabling the 'GAC' view in Windows Explorer, which makes it a normal folder again:

regsvr32 -u C:\WINNT\Microsoft.NET\Framework\v2.0.50727\shfusion.dll

and to register the shell view again (i.e. make c:\windows\assembly the 'GAC' view rather than just a normal folder), run:

C:\>regsvr32 C:\WINNT\Microsoft.NET\Framework\v2.0.50727\shfusion.dll

2 comments:

  1. I just right-click on the CMD tool and choose "Run as Administrator" and the gacutil.exe works just fine.
