Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DllNotFoundException: Unable to load DLL 'sni.dll': Access is denied. #7480

Closed
steveoh opened this issue Jan 10, 2017 · 21 comments
Closed

DllNotFoundException: Unable to load DLL 'sni.dll': Access is denied. #7480

steveoh opened this issue Jan 10, 2017 · 21 comments
Milestone
Backlog

Comments

@steveoh
Copy link

steveoh commented Jan 10, 2017

Steps to reproduce

Project Repository

dotnet publish -c Production
copy files to a windows 2012 r2 iis8.5 machine with the hosting bundle installed.

λ dotnet --version

Microsoft .NET Core Shared Framework Host

  Version  : 1.1.0
  Build    : 928f77c4bc3f49d892459992fb6e1d5542cb5e86

Expected behavior

I expect the application to work when published to IIS when using a sql client like it does when run on OSX.

Actual behavior

An unhandled exception occurred while processing the request.

DllNotFoundException: Unable to load DLL 'sni.dll': Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
System.Data.SqlClient.SNINativeMethodWrapper.SNIInitialize(IntPtr pmo)

TypeInitializationException: The type initializer for 'System.Data.SqlClient.SNILoadHandle' threw an exception.
System.Data.SqlClient.TdsParser..cctor()

TypeInitializationException: The type initializer for 'System.Data.SqlClient.TdsParser' threw an exception.
System.Data.SqlClient.TdsParser..ctor(bool MARS, bool fAsynchronous)

Environment data

dotnet --info output:

$ dotnet --info
.NET Command Line Tools (1.0.0-preview2-1-003177)

Product Information:
 Version:            1.0.0-preview2-1-003177
 Commit SHA-1 hash:  a2df9c2576

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.12
 OS Platform: Darwin
 RID:         osx.10.12-x64
@rjperes
Copy link

rjperes commented Jan 11, 2017

I'm having the same problem on Windows 7. Never happened before.

@blackdwarf
Copy link

blackdwarf commented Jan 12, 2017
edited
Loading

/cc @schellap

@schellap
Copy link

It looks like a pre-req issue. Can you confirm if you have the pre-reqs installed on Windows as described here? https://docs.microsoft.com/en-us/dotnet/articles/core/windows-prerequisites#net-core-dependencies

Esp., the ucrt update.

@schellap
Copy link

And this KB: For Windows 7 and Windows Server 2008 machines only:
Make sure that your Windows installation is up-to-date and includes hotfix KB2533623 installed through Windows Update.

@steveoh
Copy link
Author

steveoh commented Jan 12, 2017

I am on windows server 2012 r2 so I will skip the windows 7 and 2008 instructions

@steveoh
Copy link
Author

steveoh commented Jan 12, 2017

I have these vc++ items

image

KB2533623 looks like another windows 7 update that was published in 2011.

My update history

image

@steveoh
Copy link
Author

steveoh commented Jan 12, 2017

What is the ucrt update @schellap?

@schellap
Copy link

@steveoh I think you have the necessary pre-reqs. I got misled by the win7 comment above.

Can you guide me through how to publish your app from your repo -- what steps are you using?

I did the following:

cd api
dotnet restore
dotnet publish -c Production

Is the above your flow?

@steveoh
Copy link
Author

steveoh commented Jan 12, 2017

Yes basically. this issues explains it a bit more when I thought it was an IIS integration issue.

@TheRealPiotrP
Copy link
Contributor

Any updates here?

@steveoh
Copy link
Author

steveoh commented Jan 18, 2017

None from me

@azisoft
Copy link

azisoft commented Dec 11, 2018

Had the same issue. Fixed it by assigning full control to %USERPROFILE%.nuget. You can also try to change the app pool identity in IIS to LocalSystem.

@keycad
Copy link

keycad commented Dec 12, 2018

Thanks @azisoft , I've just solved the issue following your second advice: change the app pool identity to LocalSystem

@MongkonEiadon
Copy link

image

It's work for me, thanks for saving my time

@RomBrz
Copy link

RomBrz commented Jan 6, 2020

This happen with me.
Giving more permissions to the Application Pool user for me is the worst option, for God's sake! For who don't know, the Application Pool Identity was created to give more security to the entire server!!

https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

All my sites run with Application Pool Identity, with "Read" only permission to IISAppPool\APPLICATIONPOOLNAME to the site's folder.

With .NET Core i'm having this problem with some sites, that could be solved by giving ONLY the folder's DLL the "Read and Execute" permission solve the problem.
(In that case of "sni.dll", giving "Read and Execute" to [...]\runtimes\win-arm64\native should work). If you don't want to debug to the correct way, this is, in my opinion, by far, best than giving "System" permission to the App Pool)

But it's not how should be, in my opinion, as "Execute" permission give a security flaw as someone could inject a code in that folder and execute remotely.

Something is making the AppPoolIdentity need to execute the DLLs needed to access SQL Server.

@msftgits msftgits transferred this issue from dotnet/cli Jan 31, 2020
@msftgits msftgits added this to the Backlog milestone Jan 31, 2020
@naveedahmed1
Copy link

I am also receiving below error with .Net Core 3.1:

An unhandled exception occurred while processing the request.

DllNotFoundException: Unable to load DLL 'sni.dll' or one of its dependencies: Access is denied. (0x80070005 (E_ACCESSDENIED))
Microsoft.Data.SqlClient.SNINativeMethodWrapper.SNIInitialize(IntPtr pmo)

TypeInitializationException: The type initializer for 'Microsoft.Data.SqlClient.SNILoadHandle' threw an exception.
Microsoft.Data.SqlClient.TdsParserStateObjectFactory.get_EncryptionOptions()

TypeInitializationException: The type initializer for 'Microsoft.Data.SqlClient.TdsParser' threw an exception.
Microsoft.Data.SqlClient.TdsParser..ctor(bool MARS, bool fAsynchronous)

DllNotFoundException: Unable to load DLL 'sni.dll' or one of its dependencies: Access is denied. (0x80070005 (E_ACCESSDENIED))

Microsoft.Data.SqlClient.SNINativeMethodWrapper.SNIInitialize(IntPtr pmo)
Microsoft.Data.SqlClient.SNINativeMethodWrapper.SNIInitialize()
Microsoft.Data.SqlClient.SNILoadHandle..ctor()
Microsoft.Data.SqlClient.SNILoadHandle..cctor()

Can anyone please guide?

@fredrikstolpe
Copy link

Change the app pool identity in IIS to LocalSystem did the trick for me, thank you @azisoft

@naveedahmed1
Copy link

How about setting permissions for sni.dll to 774?

Which of these option is better? Setting app pool identity in IIS to LocalSystem or setting permissions for sni.dll to 774

@RomBrz
Copy link

RomBrz commented Apr 6, 2020

@naveedahmed1 just give execute permission to user "IIS AppPool\NAMEOFTHEAPPLICATIONPOOL" instead of changing to LocalSystem.
(When you use app pool identity, IIS "creates" an user for each application pool you have, so you can give permissions for each application pool to read/write/execute each folder, instead of all apps pools reading or writing everything in every place.

So if you have an application pool called "WebApp1", and a site in IIS pointed to the folder "E:\Inetpub\WebApps\WebApp1" using the application pool WebApp1, you just have to create a "Read/Execute" permission to \WebApp1 folder to the following user: "IIS AppPool\WebApp1" (search for Local Computer accounts instead of a domain, you have one), isn't searchable, just write this and should work.

@hrsh
Copy link

hrsh commented Sep 13, 2020

This happen with me.
Giving more permissions to the Application Pool user for me is the worst option, for God's sake! For who don't know, the Application Pool Identity was created to give more security to the entire server!!

https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

All my sites run with Application Pool Identity, with "Read" only permission to IISAppPool\APPLICATIONPOOLNAME to the site's folder.

With .NET Core i'm having this problem with some sites, that could be solved by giving ONLY the folder's DLL the "Read and Execute" permission solve the problem.
(In that case of "sni.dll", giving "Read and Execute" to [...]\runtimes\win-arm64\native should work). If you don't want to debug to the correct way, this is, in my opinion, by far, best than giving "System" permission to the App Pool)

But it's not how should be, in my opinion, as "Execute" permission give a security flaw as someone could inject a code in that folder and execute remotely.

Something is making the AppPoolIdentity need to execute the DLLs needed to access SQL Server.

This works for me => Grant access to runtimes\win-arm64.
Thanks 👍

@RomBrz
Copy link

RomBrz commented Sep 14, 2020

Just to help and documentate this to everyone that could have a problem with permissions on DotNet Core.
I've tried to find something related to this officially, and seems like Microsoft tell us to use Read and Execute by default:

"Read & execute permissions should be granted by default"

https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-3.1

With that, we changed the procedures to host DotNet Core applications, changing every project to use Read And Execute instead of Read, and with that the sni.dll (and other DLL) should not be a problem.

Personally i don't agree with this "default" as i told early; Execute permission could give security problems, and DotNet Framework seems to work fine with Read only, but i cannot argue with official documentation lol

@RomBrz RomBrz mentioned this issue Sep 21, 2020
Closed
@steveoh steveoh closed this as completed Dec 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests