dotnet publish -c Production
Copy files to a Windows 2012 R2 IIS 8.5 machine with the hosting bundle installed.
λ dotnet --version
Microsoft .NET Core Shared Framework Host
Version : 1.1.0
Build : 928f77c4bc3f49d892459992fb6e1d5542cb5e86
I expect the application to work when published to IIS when using a sql client like it does when run on OSX.
An unhandled exception occurred while processing the request.
DllNotFoundException: Unable to load DLL 'sni.dll': Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
System.Data.SqlClient.SNINativeMethodWrapper.SNIInitialize(IntPtr pmo)
TypeInitializationException: The type initializer for 'System.Data.SqlClient.SNILoadHandle' threw an exception.
System.Data.SqlClient.TdsParser..cctor()
TypeInitializationException: The type initializer for 'System.Data.SqlClient.TdsParser' threw an exception.
System.Data.SqlClient.TdsParser..ctor(bool MARS, bool fAsynchronous)
dotnet --info
output:
$ dotnet --info
.NET Command Line Tools (1.0.0-preview2-1-003177)
Product Information:
Version: 1.0.0-preview2-1-003177
Commit SHA-1 hash: a2df9c2576
Runtime Environment:
OS Name: Mac OS X
OS Version: 10.12
OS Platform: Darwin
RID: osx.10.12-x64
I'm having the same problem on Windows 7. Never happened before.
/cc @schellap
It looks like a pre-req issue. Can you confirm if you have the pre-reqs installed on Windows as described here? https://docs.microsoft.com/en-us/dotnet/articles/core/windows-prerequisites#net-core-dependencies
Esp., the ucrt update.
And this KB: For Windows 7 and Windows Server 2008 machines only:
Make sure that your Windows installation is up-to-date and includes hotfix KB2533623 installed through Windows Update.
I am on Windows Server 2012 R2, so I will skip the Windows 7 and 2008 instructions.
I have these vc++ items
KB2533623 looks like another windows 7 update that was published in 2011.
My update history
What is the ucrt update @schellap?
@steveoh I think you have the necessary pre-reqs. I got misled by the win7 comment above.
Can you guide me through how to publish your app from your repo -- what steps are you using?
I did the following:
cd api
dotnet restore
dotnet publish -c Production
Is the above your flow?
Yes, basically. This issue explains it a bit more, when I thought it was an IIS integration issue.
Any updates here?
None from me
Had the same issue. Fixed it by assigning full control to %USERPROFILE%.nuget. You can also try to change the app pool identity in IIS to LocalSystem.
Thanks @azisoft , I've just solved the issue following your second advice: change the app pool identity to LocalSystem
It works for me, thanks for saving my time.
This happened to me.
Giving more permissions to the Application Pool user is, for me, the worst option, for God's sake! For those who don't know, the Application Pool Identity was created to give more security to the entire server!!
https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
All my sites run with Application Pool Identity, with "Read" only permission to IISAppPool\APPLICATIONPOOLNAME to the site's folder.
With .NET Core I'm having this problem with some sites, which could be solved by giving ONLY the folder's DLL the "Read and Execute" permission.
(In the case of "sni.dll", giving "Read and Execute" to [...]\runtimes\win-arm64\native should work. If you don't want to debug it the correct way, this is, in my opinion, by far better than giving "System" permission to the App Pool.)
But it's not how it should be, in my opinion, as "Execute" permission gives a security flaw, as someone could inject code in that folder and execute it remotely.
Something is making the AppPoolIdentity need to execute the DLLs needed to access SQL Server.
I am also receiving the error below with .NET Core 3.1:
An unhandled exception occurred while processing the request.
DllNotFoundException: Unable to load DLL 'sni.dll' or one of its dependencies: Access is denied. (0x80070005 (E_ACCESSDENIED))
Microsoft.Data.SqlClient.SNINativeMethodWrapper.SNIInitialize(IntPtr pmo)
TypeInitializationException: The type initializer for 'Microsoft.Data.SqlClient.SNILoadHandle' threw an exception.
Microsoft.Data.SqlClient.TdsParserStateObjectFactory.get_EncryptionOptions()
TypeInitializationException: The type initializer for 'Microsoft.Data.SqlClient.TdsParser' threw an exception.
Microsoft.Data.SqlClient.TdsParser..ctor(bool MARS, bool fAsynchronous)
DllNotFoundException: Unable to load DLL 'sni.dll' or one of its dependencies: Access is denied. (0x80070005 (E_ACCESSDENIED))
Microsoft.Data.SqlClient.SNINativeMethodWrapper.SNIInitialize(IntPtr pmo)
Microsoft.Data.SqlClient.SNINativeMethodWrapper.SNIInitialize()
Microsoft.Data.SqlClient.SNILoadHandle..ctor()
Microsoft.Data.SqlClient.SNILoadHandle..cctor()
Can anyone please guide?
Changing the app pool identity in IIS to LocalSystem did the trick for me, thank you @azisoft
How about setting permissions for sni.dll to 774?
Which of these options is better? Setting the app pool identity in IIS to LocalSystem, or setting permissions for sni.dll to 774?
@naveedahmed1 just give execute permission to the user "IIS AppPool\NAMEOFTHEAPPLICATIONPOOL" instead of changing to LocalSystem.
(When you use app pool identity, IIS "creates" a user for each application pool you have, so you can give permissions for each application pool to read/write/execute each folder, instead of all app pools reading or writing everything in every place.)
So if you have an application pool called "WebApp1", and a site in IIS pointed to the folder "E:\Inetpub\WebApps\WebApp1" using the application pool WebApp1, you just have to create a "Read/Execute" permission on the \WebApp1 folder for the following user: "IIS AppPool\WebApp1" (search Local Computer accounts instead of a domain, if you have one). It isn't searchable; just write this and it should work.
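Added example (not part of the original thread and not any commenter's or Microsoft's code): the grant described in the comment above written as PowerShell, followed by a check that the worker process holds no write-type rights under the site folder, which is the condition under which Read & Execute does not let it plant files there. The pool name and path are the placeholders from that comment; the two group names checked alongside the pool identity are an assumption about a default IIS install.

```powershell
# Added example. $AppPool and $SitePath are the placeholder names from the
# comment above; change them to your own pool and folder. Run elevated.
$AppPool  = 'WebApp1'
$SitePath = 'E:\Inetpub\WebApps\WebApp1'
$Identity = "IIS AppPool\$AppPool"

# 1. Grant Read & Execute on the site folder, inherited by subfolders and
#    files (so it reaches runtimes\...\native\sni.dll). No write rights.
$acl  = Get-Acl -LiteralPath $SitePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $SitePath -AclObject $acl

# 2. Audit: find Allow rules that give the worker process a write-type right.
#    Only rules naming the pool identity or these two groups are inspected
#    (assumption: default IIS install); other group memberships and generic
#    rights on inherit-only entries are not resolved.
$writeMask  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$principals = @($Identity, 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users')

$items = @(Get-Item -LiteralPath $SitePath) +
         @(Get-ChildItem -LiteralPath $SitePath -Recurse -Force)

$findings = foreach ($item in $items) {
    (Get-Acl -LiteralPath $item.FullName).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $principals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        } |
        Select-Object @{ n = 'Path'; e = { $item.FullName } },
                      IdentityReference, FileSystemRights
}

if ($findings) {
    # Each row is a place where code running as the pool could drop or
    # replace a file that it is also allowed to execute.
    $findings | Format-Table -AutoSize
} else {
    "No write-type rights found for $Identity under $SitePath"
}
```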
This works for me => Grant access to runtimes\win-arm64.
Thanks 👍
Just to help and document this for everyone who could have a problem with permissions on DotNet Core.
I've tried to find something related to this officially, and it seems like Microsoft tells us to use Read and Execute by default:
_"Read & execute permissions should be granted by default"_
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-3.1
With that, we changed the procedures to host DotNet Core applications, changing every project to use Read and Execute instead of Read, and with that the sni.dll (and other DLLs) should not be a problem.
Personally I don't agree with this "default", as I said earlier; Execute permission could give security problems, and DotNet Framework seems to work fine with Read only, but I cannot argue with official documentation lol