How to setup a shared folder in Windows Server 2003 with necessary permissions to execute MC# programs

 

1. Create Folder (or choose existing one) which will be shared between nodes of the cluster (for example let’s use the installation folder of MC#.Cluster Programming System package – usually it is located in “C:\Program Files\MC# Group\MC#.Cluster Programming System\”)

 

 

2. Right-click this folder in Explorer and choose Sharing and Security

 

 

3. Enter the name of the shared folder (for example “Shared”) and change the necessary Permissions on this screen by pressing the “Permissions” button. If you don’t want this sharing to be displayed for everyone in the list of available shares of your computer you can add a ‘$’ sign at the end of the name, i.e. Shared$.

 

 

 

4. Now map this folder as Network Drive on all nodes that will be used in the cluster

 

 

 

For example you can map it to disk Z. Press Finish button.

 

5. You will see disk Z in the list of available disks.

 

 

However, if you will try to run a program that uses DNS, Sockets or other sophisticated features of .Net from disk Z you will see something like this:

 

 

And the details of the exception will be printed (may be different on your machine):

 

Unhandled Exception: System.Security.SecurityException: Request for the permission of type 'System.Net.DnsPermission, System, Version=2.0.0.0, Culture=neutral,

PublicKeyToken=b77a5c561934e089' failed.

   at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)

   at System.Security.CodeAccessPermission.Demand()

   at System.Net.Dns.GetHostName()

   at MCSharp.Session.Init(String[] args)

   at ComputeFib.Main(String[] args)

 

If you take a look at Application Event Log you will see a not really friendly error message like this:

 

EventType clr20r3, P1 fib.exe, P2 0.0.0.0, P3 442d9dd0, P4 mscorlib, P5 2.0.0.0, P6 4333ab80, P7 36c1, P8 b, P9 system.security.security, P10 NIL.

 

This happens because .Net has its own Security mechanisms. You will need to create a special Code Zone and apply necessary permissions to this zone. The following steps show you how to do this.

 

6. Go to Start -> Programs -> Administrative Tools -> Microsoft .NET Framework 2.0 Configuration

 

 

 

7. There are several ways how you can allow the programs from disk Z to be executed on particular computer.

 

a) The first way (not very good and secure) is to add location “file://z:/” to Trusted sites in Internet Explorer and give the Full Trust permissions to Trusted_Zone code group.

 

To do this open Internet Explorer, then go to Tools -> Internet Options -> Security -> Trusted sites and click button Sites. Type in the location “file://z:/” and press Add button, followed by clicks on “Close” and OK buttons.

Then switch to the Microsoft .NET Framework 2.0 Configuration tool and navigate to “My Computer/Runtime Security Policy/Machine/Code_Groups/All_Code/Trusted_Zone”. Right-click on item called Trusted_Zone and select Properties -> Permission Set. In Permission set field select Full Trust and click OK button.

 

b) Another one approach is to create a special Permission Set and assign it to a specially created Code Group (created for programs on disk Z).

 

Switch to the Micorosft .NET Framework 2.0 Configuration tool and navigate to “My Computer/Runtime Security Policy/Enterprise/Permission Sets” and select New in context menu. Select “Create a new permission set”, type the name (for example “MC# Required Permissions”) and press Next button.

 

 

 

And grant unrestricted permissions for DNS, Event Log, Environment Variables, File Dialog, File IO, Registry, Reflection, Service Controller, Socket Access and User Interface:

 

 

Press Finish button.

 

Now you need to create a special Code Group. Navigate to “My Computer/Runtime Security Policy/Machine/Code_Goups/All_Code” and select New from context menu.

 

Enter the name “SharedDisk_Zone” on the next screen and press “Next” button.

 

 

On the next screen select the URL condition type and type in “file://z:/*”.

 

On the next screen assign the permission set that we created in previous steps:

 

 

Then click buttons “Next” and “Finish”. You will see that new Code Group which called “Copy of SharedDisk_Zone” appeared under the All_Code Code Group. You can rename it if you want to…

 

However this is not enough… By default Enterprise security settings are overridden by Machine or User levels of security policy. To change this behavior you need to right-click the “Copy of SharedDisk_Zone”, select Properties and uncheck the box called “Policy levels below this level will not be evaluated”.

 

That’s it! However keep in mind that maybe you will have to repeat the same operations on each node of your cluster (for example, if nodes are not in the same Windows domain or if Enterprise security policy is not replicated over nodes by some reasons).

 

8. When you execute your MC# program in distributed mode it will be executed in context of windows service called “MC#.Cluster – Work Node”. Due to architecture of all Windows NT-based systems that means that disk Z: which you connected in the previous steps won’t be available for your program. However there is a workaround for this problem. To fix this you will need to place the commands that map your disks in file "C:\Program Files\MC# Group\MC#.Cluster Programming System\commands.bat" on all cluster nodes. These files are executed by MC# Runtime on cluster nodes before running your code.

 

The syntax of the command that maps disk is the following:

 

net use <drive letter>: \\<server>\<share> /user:<domain>\<user> [<password>] /persistent:no

 

For example: net use Z: \\localhost\c$ /user:HOME\Administrator qwerty /persistent:no