This topic describes how to run a Kentico CMS website in a Medium Trust Level environment.
The .NET Framework provides a set of predefined code access security policies, grouped into several trust levels, which determine the permissions available to applications running on the given machine.
The medium trust level is often used by web hosts on shared servers to prevent applications from accessing certain resources that could be harmful to other websites running on the server. Kentico CMS can be used with the default medium trust policy. To run the system under medium trust, you need to follow certain rules. There are three main components that require higher than medium trust and must be considered in this situation:
• VirtualPathProvider for .NET 3.5 - retrieves resources (ASCX layouts and transformations) from the database and provides them through a virtual file system.
• Staging module - ensures synchronization of content between production and live site servers.
• Bounced e-mail monitoring - this feature of the newsletters module tracks the amount of unsuccessfully delivered e-mails.
It is recommended to develop websites under Full trust. Medium trust environments should only be used for hosting live production websites.
This library handles virtual objects stored in the database that need to be compiled, such as document transformations and page layouts. The system references the files through a virtual path, and the Virtual path provider provides the control code to the compiler.
The .NET 3.5 Virtual path provider cannot run under medium trust (it requires AspNetHostingPermission at the "high" trust level), so you need to store the virtual objects as physical files on the file system before deploying the website to the production environment.
1. Go to Site Manager -> Administration -> System -> Virtual objects.
2. Click Store all virtual objects in file system. This saves all virtual objects into files under the following folder:
The system loads the data from the files on the disk instead of the database. You can still make changes to the objects through the administration interface (they are carried over to the files immediately).
3. When you are ready to deploy the website, copy the web project over FTP to the server (including the content of the CMSVirtualFiles folder).
You cannot edit the content of the virtual objects directly on the production website, because the CMS application will usually not be allowed to access the file system on a medium trust server. You need to redeploy the website if you wish to modify the virtual objects.
When using .NET 4.0 or newer, the Virtual path provider runs under medium trust, so the issues described in this section do not occur (you can store virtual objects in the database even on medium trust servers).
This section applies only if you're using the Staging module.
The Microsoft.Web.Services3.dll library from the Web Services Extensions 3 (WSE) package, which is used by the Staging module, requires Full trust permissions because of the low-level operations related to the communication protocols. To work properly, the library needs to be registered in the Global Assembly Cache (GAC) of the server. The library is provided by Microsoft and most hosting providers pre-install it on their shared servers.
If you manage the server, please follow these steps:
1. Go to Control panel -> Administrative tools -> Microsoft .NET Framework 2.0 Configuration.
2. Select the Assembly cache, click on Add an Assembly to the Assembly Cache and select the bin\Microsoft.Web.Services3.dll library file from your web project.
3. Delete the bin\Microsoft.Web.Services3.dll file from your web project if it's present.
4. Make sure that your project web.config file contains the following item:
<compilation debug="false" numRecompilesBeforeAppRestart="100">
If you are not able to install the library to the GAC or convince your web host to do so, you may still run Kentico CMS under medium trust, but you will not be able to use the Staging module. If this is the case, you will need to manually remove some of the system components by deleting the bin\Microsoft.Web.Services3.dll file from your web project if it is present.
After these changes, your system will work correctly in a medium trust environment but you will not be able to use content staging operations.
This section is only relevant if you wish to use the bounced e-mails feature of the newsletters module.
To be able to check bounced e-mails, the newsletters module makes use of a component that creates outgoing network connections using POP3, a standard e‑mail protocol for receiving maildrops from an e-mail server. This component requires the SocketPermission for its operation, otherwise it fails when attempting to connect to the server. This permission is denied for applications under medium trust.
If you cannot raise the trust level or create a custom security policy that includes this permission, the only solution is to attempt to convince the hosting administrators to grant the SocketPermission to your application. If you are unable to do so, the bounced e‑mail monitoring feature will unfortunately not be functional in a medium trust environment.
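The two permission requirements named above (AspNetHostingPermission at the High level for the .NET 3.5 Virtual path provider, and SocketPermission for bounced e-mail monitoring) can be checked on the target server before you rely on either feature. The following C# class is an added example, not part of Kentico CMS; it demands each permission and reports the result. The names TrustProbe, CurrentLevel and Report, and the pop3Host and pop3Port parameters, are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Security;
using System.Web;

// Added example, not Kentico code. TrustProbe and its members are hypothetical names.
public static class TrustProbe
{
    // Demand() throws SecurityException when the policy does not grant the permission.
    private static bool IsGranted(IPermission permission)
    {
        try { permission.Demand(); return true; }
        catch (SecurityException) { return false; }
    }

    // Highest AspNetHostingPermissionLevel granted to the calling application.
    public static AspNetHostingPermissionLevel CurrentLevel()
    {
        AspNetHostingPermissionLevel[] levels =
        {
            AspNetHostingPermissionLevel.Unrestricted,
            AspNetHostingPermissionLevel.High,
            AspNetHostingPermissionLevel.Medium,
            AspNetHostingPermissionLevel.Low,
            AspNetHostingPermissionLevel.Minimal
        };
        foreach (AspNetHostingPermissionLevel level in levels)
            if (IsGranted(new AspNetHostingPermission(level))) return level;
        return AspNetHostingPermissionLevel.None;
    }

    // pop3Host and pop3Port are assumptions: the mailbox the bounce monitor would poll.
    public static string Report(string pop3Host, int pop3Port)
    {
        AspNetHostingPermissionLevel level = CurrentLevel();
        // .NET 3.5 runs on CLR 2.0, where the Virtual path provider needs High;
        // on CLR 4.0 it runs under medium trust.
        bool vppFromDatabase = Environment.Version.Major >= 4
            || level >= AspNetHostingPermissionLevel.High;
        bool pop3Allowed = IsGranted(new SocketPermission(
            NetworkAccess.Connect, TransportType.Tcp, pop3Host, pop3Port));
        return string.Format(
            "Trust level: {0}\nVirtual objects from database: {1}\nPOP3 bounce monitoring: {2}",
            level,
            vppFromDatabase ? "supported" : "store them in the file system before deploying",
            pop3Allowed ? "SocketPermission granted" : "SocketPermission denied");
    }
}
```

Call Report from a temporary diagnostic page on the production server and remove the page afterwards, since it discloses the server's security policy.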
The Reporting module utilizes Microsoft Chart Controls to generate its graphs. If your application uses the 3.5 SP1 version of the .NET Framework and is hosted in a medium trust environment, it is necessary to have the MS Chart package installed on the server to ensure that the appropriate library is available in the Global Assembly Cache. The installation executable can be downloaded from the Microsoft website: http://www.microsoft.com/download/en/details.aspx?id=14422
The required assemblies are already included in .NET Framework 4.0, so the installation is not necessary if your application uses this version.
The system should now work properly under the medium trust level. Restart IIS for the configuration changes to take effect, then run the website.
If your website uses any third-party components that do not support a medium trust level by default, you may need to configure the system for them. In this case, please contact their author for information on how to perform the configuration required to run in a medium trust environment.