Issues with IIS .NET Trust Levels and Lucee

AKo · August 9, 2024, 11:06am

I switched IIS 10 .NET Trust Level setting from default “Full” to “Medium”, as recommended by CIS IIS Benchmarks. As a result, when I’m trying to access our web site, I’m getting error message:

Server Error in '/' Application.
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[SecurityException: Request failed.]
   System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
   System.Security.PermissionSet.Demand() +79
   System.SecurityUtils.DemandGrantSet(Assembly assembly) +74
   System.SecurityUtils.DemandReflectionAccess(Type type) +107
   System.SecurityUtils.SecureCreateInstance(Type type, Object[] args, Boolean allowNonPublic) +102
   System.Configuration.ApplicationSettingsBase.CreateSetting(PropertyInfo propInfo) +8628454
   System.Configuration.ApplicationSettingsBase.EnsureInitialized() +340
   System.Configuration.ApplicationSettingsBase.get_Properties() +149
   System.Configuration.SettingsBase.GetPropertyValueByName(String propertyName) +26
   System.Configuration.SettingsBase.get_Item(String propertyName) +83
   System.Configuration.ApplicationSettingsBase.GetPropertyValue(String propertyName) +106
   System.Configuration.ApplicationSettingsBase.get_Item(String propertyName) +83
   BonCodeAJP13.Properties.Settings.get_EnableAdobeMode() +25
   BonCodeAJP13.BonCodeAJP13Settings..cctor() +58

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.4092.0

I’m running Windows Server 2022 with IIS 10 and Lucee 6.1.0.243. To rule out that the web-site contains anything odd that could be causing the issue, I created a test web-site with minimal content “”. The web-site starts working immediately when I turn the .NET Trust Level setting back to “Full”.

Any ideas what I could try, to get the IIS configured securely according to CIS Benchmarks?