Support Thread

Full Trust

Full Trust — APG vNext Guide

Full Trust — an archived discussion from the APG vNext support community.

About This Topic

This thread covers full trust in the context of APG vNext, the ASP.NET forum and community platform. The community includes APG developers and experienced administrators who can help with similar questions.

APG vNext Support

Full Trust Requirement for APG vNext on IIS

APG vNext requires Full Trust in the ASP.NET Code Access Security (CAS) policy. Shared hosting environments that run applications under Partial Trust (Medium Trust or lower) will cause APG vNext to fail at startup or throw SecurityException errors at runtime. This guide explains why Full Trust is needed and how to configure it.

Why APG vNext Requires Full Trust

  • Uses System.Drawing / ImageSharp for avatar and image processing (needs unmanaged code access)
  • Accesses the file system directly for skin templates, upload folders, and log files
  • Uses reflection for plugin and provider loading
  • Calls Windows APIs for licensing and server environment detection

Checking the Current Trust Level

<!-- In web.config, look for: -->
<trust level="Medium" />
<!-- This causes APG vNext to fail. Change to: -->
<trust level="Full" />

Configuring Full Trust in IIS

<!-- In machine.config or web.config at site root: -->
<system.web>
  <trust level="Full" originUrl="" />
</system.web>

Shared Hosting That Requires Partial Trust

If your shared host enforces Partial Trust and won't grant Full Trust, APG vNext cannot run in that environment. You need either a VPS, a dedicated server, or a cloud VM (Azure, AWS, DigitalOcean) where you control the IIS configuration. Shared hosting with Medium Trust is not a supported environment for APG vNext.

Related Resources

Why APG vNext Requires Full Trust

APG vNext requires Full Trust because it uses features that the Medium Trust sandbox prohibits: reflection (used by the ORM layer to map database columns to objects dynamically), native code interop (used for image processing and PDF generation), unmanaged code execution (used by the full-text search integration), and direct socket access (used for SMTP email sending). Medium Trust was introduced for shared hosting environments to prevent one customer's application from accessing another's data, but this restriction prevents legitimate application features that require these capabilities. All modern Windows hosting environments support Full Trust for dedicated or VPS hosting plans, and many shared hosting providers also offer Full Trust as an option for ASP.NET applications.

Security Implications of Full Trust

Granting Full Trust to an ASP.NET application does not inherently make the application or the server less secure — it simply removes the runtime sandbox that limits what code can do. Security in a Full Trust environment is enforced through other mechanisms: IIS application pool isolation (each application pool runs as a separate, least-privilege identity), Windows file system permissions (the application pool identity only has access to the files it needs), and network-level firewalls. Ensure that the IIS application pool for APG vNext runs under a dedicated service account with only the permissions required for APG vNext to operate, rather than under a high-privilege identity like SYSTEM or Network Service.

Full Trust vs Application Pool Identity Permissions

Full Trust in web.config controls what the .NET runtime allows the application to do; the IIS Application Pool identity controls what Windows allows the process to do. Both need to be configured correctly. Full Trust alone does not grant the ability to write to arbitrary file system locations — the application pool identity must also have write permission to those locations. For APG vNext, the application pool identity needs write permission to the upfiles/ folder, the session state folder (if using file-based session), and the ASP.NET temporary compilation folder. Grant these permissions using icacls or the IIS Manager → Edit Permissions interface, not by elevating the application pool identity to a high-privilege account.

Verifying Trust Level in Production

Confirm the trust level that APG vNext is running under by checking the APG vNext diagnostics page at /admin/diagnostics — the page reports the current ASP.NET trust level alongside other system configuration values. If the trust level shown is Medium rather than Full, the web.config trust setting may be overridden by a higher-level IIS configuration. Check the machine.config and the IIS administration web.config for a <trustLevel> element that restricts all applications on the server to Medium Trust. Shared hosting providers sometimes enforce Medium Trust at the machine.config level to prevent tenants from breaking out of the trust sandbox. In this case, the only solutions are to upgrade to a hosting plan that supports Full Trust, or to deploy APG vNext on a VPS or dedicated server where you control the machine.config.

Medium Trust Alternative Configuration (Not Recommended)

For the rare case where Full Trust is truly unavailable (some managed shared hosting plans), APG vNext provides a limited Medium Trust mode that disables features requiring Full Trust: PDF generation, image resizing, and some advanced search features. Enable Medium Trust mode in web.config with <add key="APG.MediumTrustMode" value="true" />. The APG vNext documentation clearly lists which features are disabled in Medium Trust mode. Shared hosting with Medium Trust is not a supported environment for APG vNext.


Looking for more help? Browse the support forum or check the Knowledge Base.