IIS – Web issue – “Global.asax could not be loaded”

(I had this issue back on 10 April 2006 – original blog entry)

This blog is to raise awareness of new security features in Windows XP SP2 and 2003 SP1 which are not always very visible through the different tools (e.g. Internet Explorer, Windows Explorer, …), but can make applications fail silently without warnings or events being logged.

My sources and references I used to resolve this issue are below:

  • The main technical concept to be aware of is the “fork” in file systems. A fork is used to attach extra data to a file system object (metadata, an alternative format, …); see http://en.wikipedia.org/wiki/Alternate_data_stream
  • The “fork” feature in NTFS is known as “Alternate Data Stream” (ADS). This feature has been a part of NTFS since the beginning.
    • With Windows 2000, ADS was used to store extra information such as “Author”, a “Thumbnail” picture, …
    • With Windows XP SP2 and Windows 2003 SP1, Microsoft introduced the “Attachment Execution Service” to store details on files that have been downloaded. This information is sometimes referred to as “Evidence”. The ADS used by “Attachment Execution Service” is called “Zone.Identifier” (I am not sure whether there are any more).

The other key point to be aware of is that not every component in Windows XP SP2 or 2003 SP1 performs this security access check. For example, Windows Explorer implements the check against the “Zone.Identifier” ADS, whereas the command line (i.e. cmd.exe) does not. Because the Windows kernel module loader does not implement this check either, the new security feature is bypassed when applications are started from the command line.

The original issue
On the web servers in my environment, some Web application pools (Books, Entertainment,…) were (sometimes) unable to instantiate a Web Application object because it could not load the type defined in “Global.asax” and implemented in a code-behind assembly in the \bin folder.

The causes
This was due to the fact that:

  • All machines in my environment have been rebuilt with Windows 2003 SP1. A lot of features in SP1 are related to security.
  • Assemblies (mainly DLLs) in the \bin folder for some of the Web applications were marked as “Blocked”.
  • The DLLs were marked as blocked because the unzip process was done remotely (i.e. one computer ran the unzip and saved the files over a mapped drive to another computer). Because these files were “downloaded” through the mapped drive, Windows marked them as “Blocked” by writing the metadata into the “Zone.Identifier” stream.

The Solution
Using Windows Explorer, check the properties of the file and “Unblock” it if necessary (there is an ‘Unblock’ button). It would be good to have a tool that could scan folders and “unblock” DLLs/EXEs.
On the Internet there are quite a few tools to list the “Alternate Data Streams” attached to files, but I have not yet found one from or supported by Microsoft. If anyone knows of any tools, please let me know.
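As an added example of the folder-scanning tool described above (not part of the original post), the following PowerShell script walks a \bin folder, reports every DLL/EXE that carries a “Zone.Identifier” stream together with the zone it records, and optionally unblocks it. It assumes PowerShell 3.0 or later (for `Get-Item -Stream` and `Unblock-File`) and that the ZoneId values follow the standard URL security zone numbering; `$Root` is a placeholder for your own web application path.

```powershell
# Added example (not from the original post): report and optionally remove the
# Zone.Identifier stream on DLLs/EXEs under a folder. Requires PowerShell 3.0+.
param(
    [Parameter(Mandatory = $true)][string]$Root,   # e.g. D:\WebApps\Books\bin (placeholder)
    [switch]$Unblock                               # report only unless -Unblock is given
)

# URL security zone ids written by the Attachment Execution Service into ZoneId=
$zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';      4 = 'Restricted sites' }

Get-ChildItem -Path $Root -Recurse -File -Include *.dll, *.exe | ForEach-Object {
    $file = $_

    # Absent stream => the file is not blocked; Get-Item returns nothing with the error suppressed
    $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($null -eq $stream) { return }

    # Stream body is an INI-style block, e.g. "[ZoneTransfer]" followed by "ZoneId=3"
    $content = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier
    $zoneId = $null
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
    }
    $zoneName = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'unknown' }

    Write-Output ("BLOCKED`t{0}`tZoneId={1} ({2})" -f $file.FullName, $zoneId, $zoneName)

    if ($Unblock) {
        # Unblock-File removes the Zone.Identifier stream, the same effect as the Explorer button
        Unblock-File -LiteralPath $file.FullName
        Write-Output ("UNBLOCKED`t{0}" -f $file.FullName)
    }
}
```

Run it once without `-Unblock` to audit which assemblies in an application pool's \bin folder would be refused by the loader, then again with `-Unblock` after confirming the files are the ones you deployed.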
