Yesterday I encountered an interesting problem on a MS CRM 3.0 installation running as default website in IIS. This was due to an upgrade from CRM 1.2 to 3.0. The installation included customizations one of them in form of a HttpModule. Everything worked fine, but viewing reports threw a SecurityException stating that "Request for the permission of type System.Web.AspNetHostingPermission ... failed".

I didn't know the reason for this exception, so I did a bit of research. I found out that Reporting Services uses its own security policy files. There is a good article about this on MSDN:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/RSPROG/htm/rsp_prog_extend_install_25ia.asp

After experimenting a bit, I found the following solution to my problem (this is for use with private assemblies, for global assemblies in GAC see below):

1. First I made a backup of the following two files (do not skip this step !!!):

C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportManager\rsmgrpolicy.config
C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\rssrvpolicy.config

2. I inserted a new code group into both files after "Microsoft_Strong_Name" code group:

<CodeGroup class="UnionCodeGroup"
   version="1"
   PermissionSetName="FullTrust"
   Name="CRMHttpModuleCodeGroup"  
   Description="Code group for CRM HTTP module">
      <IMembershipCondition class="UrlMembershipCondition"
         version="1"
         Url="C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\bin\[yourassembly].dll" />
</CodeGroup>

Do not forget to match 'Url' attribute with the path to ReportManager directory for rsmgrpolicy.config.

If you have multiple HttpModules, you can do this for every assembly.

This procedure works for HttpModule assemblies that do not reside in GAC. But you have to make sure that your private HttpModule assembly resides in all necessary bin directories. This includes:

- bin directory of CRM web aplication.
- mscrmservices\bin directory of CRM web aplication
- C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportManager\bin
- C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\bin

Placing your HttpModule in GAC is much more convenient, because you don't have to copy it to four different locations. First you have to "strong name" your assembly and place it into GAC (if you don't know how to do it, ask my friend google). Then you have to add a different code group into Reporting Services security policy files:

<CodeGroup class="UnionCodeGroup"
   version="1"
   PermissionSetName="FullTrust"
   Name="CRMHttpModuleCodeGroup"  
   Description="Code group for CRM HTTP module">
      <IMembershipCondition class="StrongNameMembershipCondition"
         version="1" PublicKeyBlob="..." />
</CodeGroup>

(if you don't know how to get your PublicKeyBlob: use sn.exe with -e and -tp options with the strong name key file you used when creating your assembly)

If your HttpModule is then in GAC, you may still receive a Configuration Error stating "Parser Error Message: Assembly someassembly.dll security permission grant set is incompatible between appdomains." I don't know why this exception is thrown because it does not seem to make any sense. The actual reason for this exception is that the HttpModule assembly is not found. Make sure you use the fully qualified name when you add your assembly to web.config:

<httpModules>
   <add type=".NET Class, Assembly [,Version=version number] [,Culture=culture] [,PublicKeyToken=token]" name="CRMHttpModule" />
</httpModules>

If you still get an exception, there may be missing dependencies to your HttpModule assembly in GAC. To get rid of these use FUSLOGVW.exe.

Hope this helps someone out there.