dsccommunity / cNtfsAccessControl

The cNtfsAccessControl DSC resource module.
MIT License

Error about propagation flags #10

Closed dazinator closed 6 years ago

dazinator commented 6 years ago

Hello,

Wondered if anyone could help. I am trying to configure a docker container, and using DSC to set up the website.

I have declared an ntfs permission like so:


        cNtfsPermissionEntry DotNetNuke_DirPermission
        {
            Ensure = "Present"
            Path = $websiteDir
            Principal = "IIS APPPOOL\DotNetNuke"
            AccessControlInformation = cNtfsAccessControlInformation
            {
                AccessControlType = "Allow"
                FileSystemRights = "Modify,ReadAndExecute,ListDirectory,Read,Write"
            }
            DependsOn = @("[File]DotNetNuke_WebsiteDir","[xWebAppPool]DotNetNuke_AppPool")
        }

When this runs I see this in the output:

[[cNtfsPermissionEntry]DotNetNuke_DirPermission] > PropagationFlags : 'None'
Exception calling "AddAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be modified."

  • CategoryInfo : NotSpecified: (:) [], CimException
  • FullyQualifiedErrorId : InvalidOperationException
  • PSComputerName : localhost

Here is the complete verbose output for this DSC resource:

VERBOSE: [184090B5949F]: LCM: [ Start Resource ] [[cNtfsPermissionEntry]DotNetNuke_DirPermission]
VERBOSE: [184090B5949F]: LCM: [ Start Test ] [[cNtfsPermissionEntry]DotNetNuke_DirPermission]
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Ensure : 'Present'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Path : 'C:/inetpub/wwwroot/DotNetNuke'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Principal : 'IIS APPPOOL\DotNetNuke'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] AccessControlInformation : 'cNtfsAccessControlInformation'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Verbose : 'True'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Resolving identity reference 'IIS APPPOOL\DotNetNuke'.
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Current permission entry count : 0
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Desired permission entry count : 1
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] The number of current permission entries is different from the number of desired permission entries.
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Permission entry was not found (1 of 1) :
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] > IdentityReference : 'IIS APPPOOL\DotNetNuke'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] > AccessControlType : 'Allow'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] > FileSystemRights : 'Modify, Synchronize'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] > InheritanceFlags : 'ContainerInherit, ObjectInherit'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] > PropagationFlags : 'None'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] The target resource is not in the desired state.
VERBOSE: [184090B5949F]: LCM: [ End Test ] [[cNtfsPermissionEntry]DotNetNuke_DirPermission] in 0.4380 seconds.
VERBOSE: [184090B5949F]: LCM: [ Start Set ] [[cNtfsPermissionEntry]DotNetNuke_DirPermission]
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Resolving identity reference 'IIS APPPOOL\DotNetNuke'.
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Current permission entry count : 0
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] Adding permission entry (1 of 1) :
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] > IdentityReference : 'IIS APPPOOL\DotNetNuke'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] > AccessControlType : 'Allow'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] > FileSystemRights : 'Modify, Synchronize'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] > InheritanceFlags : 'ContainerInherit, ObjectInherit'
VERBOSE: [184090B5949F]: [[cNtfsPermissionEntry]DotNetNuke_DirPermission] > PropagationFlags : 'None'
Exception calling "AddAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be modified."

  • CategoryInfo : NotSpecified: (:) [], CimException
  • FullyQualifiedErrorId : InvalidOperationException
  • PSComputerName : localhost

VERBOSE: [184090B5949F]: LCM: [ End Set ] [[cNtfsPermissionEntry]DotNetNuke_DirPermission] in 0.3690 seconds.
The PowerShell DSC resource '[cNtfsPermissionEntry]DotNetNuke_DirPermission' with SourceInfo 'C:\setup.ps1::42::9::cNtfsPermissionEntry' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.

  • CategoryInfo : InvalidOperation: (:) [], CimException
  • FullyQualifiedErrorId : NonTerminatingErrorFromProvider
  • PSComputerName : localhost

I think I need to deal with propagation flags, but I am not sure why the default "None" is such an issue, or what the message about canonical form is about! If anyone can share some knowledge on this, it would be much appreciated!

SNikalaichyk commented 6 years ago

Hi @dazinator, a quick web search suggested that the wrong order of ACEs can cause this. Please try using accesschk to see what's wrong:

C:\> accesschk -q FILE
Error: FILE has a non-canonical DACL:
   Explicit Deny after Explicit Allow

Useful links:

dazinator commented 6 years ago

Thanks @SNikalaichyk, yes, it looks like that is the issue. It looks like, if I just create a new folder via Windows Explorer in the same location (which is under c:/inetpub/wwwroot) and then look at its security tab, I get told there are incorrectly ordered permissions - so it seems to be inheriting this problem by default. For now I have switched to creating the folder somewhere else and now it has gone away :-)

Looks like I just need to fix the problem on the parent directory :-)

Thanks for your help
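
A way to locate and repair the condition diagnosed in this thread, as an added example that is not part of the original issue or of the cNtfsAccessControl module: the first function walks from a path up through its parent directories and reports which DACLs .NET considers non-canonical, the second rewrites one DACL into canonical order. The function names `Find-NonCanonicalDacl` and `Repair-DaclOrder` are hypothetical, and the code assumes PowerShell 5 or later and file-system ACEs only.

```powershell
# Added example; function names are hypothetical, not part of cNtfsAccessControl.
function Find-NonCanonicalDacl {
    # Report the DACL state of $Path and of every ancestor directory up to the root.
    param([Parameter(Mandatory)][string] $Path)
    $item = Get-Item -LiteralPath $Path -Force
    while ($item) {
        $acl = Get-Acl -LiteralPath $item.FullName
        [pscustomobject]@{
            Path      = $item.FullName
            Canonical = $acl.AreAccessRulesCanonical   # False triggers the AddAccessRule error
            Protected = $acl.AreAccessRulesProtected   # True = inheritance disabled here
        }
        # FileInfo exposes its folder as .Directory, DirectoryInfo as .Parent (null at root)
        $item = if ($item -is [System.IO.FileInfo]) { $item.Directory } else { $item.Parent }
    }
}

function Repair-DaclOrder {
    # Rewrite the DACL as: explicit deny, explicit allow, then inherited ACEs
    # in their existing order. Returns $true if the ACL was rewritten.
    param([Parameter(Mandatory)][string] $Path)
    $acl = Get-Acl -LiteralPath $Path
    if ($acl.AreAccessRulesCanonical) { return $false }

    $raw  = [System.Security.AccessControl.RawSecurityDescriptor]::new(
                $acl.GetSecurityDescriptorBinaryForm(), 0)
    $aces = @($raw.DiscretionaryAcl)
    $deny = [System.Security.AccessControl.AceQualifier]::AccessDenied
    # Assumption: every explicit ACE is an allow or deny ACE, as is normal for NTFS.
    $ordered = @(
        $aces | Where-Object { -not $_.IsInherited -and $_.AceQualifier -eq $deny }
        $aces | Where-Object { -not $_.IsInherited -and $_.AceQualifier -ne $deny }
        $aces | Where-Object { $_.IsInherited }
    )

    $dacl = [System.Security.AccessControl.RawAcl]::new(
                $raw.DiscretionaryAcl.Revision, $ordered.Count)
    for ($i = 0; $i -lt $ordered.Count; $i++) { $dacl.InsertAce($i, $ordered[$i]) }
    $raw.DiscretionaryAcl = $dacl

    $bytes = [byte[]]::new($raw.BinaryLength)
    $raw.GetBinaryForm($bytes, 0)
    $acl.SetSecurityDescriptorBinaryForm(
        $bytes, [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $true
}
```

Reordering can change effective access, because an explicit deny that previously sat after an allow now takes precedence, so review the output of `Find-NonCanonicalDacl` before repairing a directory.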