Monday, May 14, 2007

How to get the ASP.NET Commerce Starter Kit 2.0 to run in medium trust !

Hi guys,

I am sure many of you will loooove this article.


You can follow the instructions below, alternatively you can download the C# code from my SkyDrive:

I have been now fighting for a while to get the wonderful ASP.NET Commerce Starter
Kit 2.0 to work on my ISP Shared hosting server.

At first I thought it was a lost battle and started coding the CSK without SubSonic, Entreprise Library or any of this fancy stuff that requires full trust to run properly.

But after battling harder, I noticed a few things that changed my life yesterday and let me share my findings with you all!

Here is how I got there :

1. I added this line in the CSK web.config so it would simulate my hosting service environment on my dev machine :

<trust level="Medium" />

I also prevented SubSonic from using the Entreprise Library data access and to use the more supported SqlDataProvider (not sure this made a difference but I would like to mention it) :

<SubSonicService defaultProvider="ELib2DataProvider">
<!--<add name="ELib2DataProvider" type="SubSonic.ELib2DataProvider, SubSonic" connectionStringName="CommerceTemplate"/>-->
<add name="ELib2DataProvider" type="SubSonic.SqlDataProvider, SubSonic" connectionStringName="CommerceTemplate" />

2. I updated the ATLAS stuff with the latest from Microsoft (optional):

Notes :

  • With that step more changes to the web.config are required (cf the web.config of the ajax web extensions).
  • Also I moved the ScriptManagers to the master pages (admin and site) and removed them from other pages, that way you always have ajax enabled pages :)
  • There is also an attribute that you need to remove from the ScriptManager or it won't compile.
  • One last thing you also have to replace the "Mode" attribute of all your UpdatePanels and change it to "UpdateMode".
3. In the App_Code\Configuration\SiteConfig.cs change the lines that say:
config.GetSection... to ConfigurationManager.GetSection
And rem out the line that says :

Dim config As System.Configuration.Configuration = WebConfigurationManager.OpenWebConfiguration(HttpContext.Current.Request.ApplicationPath)

This will try to access your web.config file and save it, which is NOT allowed in partial trust.
The only pages that use this to write to the file are the Payment, Shipping and Tax configuration pages in the admin. I have simply disabled the "" (i.e. rem'd it out) in those pages and you just need to go and configure those values manually in the web.config before you publish the code.

4. Next thing is to get rid of the eWorld.UI assembly all together cause it needs full trust to run and to replace the controls used in the CSK by nice new shiny AjaxControlToolkit controls (NumericBox to TextBox and Calendar are the only ones that I found in the project). Best to delete the eWorld.UI.dll from the bin folder and compile to see where we have to make the changes :o)

In order to use the AjaxControlToolkit you must put the AjaxControlToolKit dll in your bin folder and register it in the page :

<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="ajaxToolkit" %>

Then you can replace everywhere it says "ew:NumericBox" by "asp:TextBox" and get rid of the :

<%@ Register Assembly="eWorld.UI" Namespace="eWorld.UI" TagPrefix="ew" %>

Finally for the calendar, replace :

<ew:calendarpopup id="txtExpirationDate" runat="server"></ew:calendarpopup>


<asp:TextBox ID="txtExpirationDate" runat="server"></asp:TextBox>
<ajaxToolkit:CalendarExtender ID="CalendarExtender1" runat="server" TargetControlID="txtExpirationDate" Format="dd/MM/yyyy" />

Another thing, once you have done that some of your code behind files will stop working and you will have to replace the old "PostedDate" or "SelectedDate" of the old calendar controls by the "Text" property of your textbox.

Also everytime you need to set a datetime datafield just do DateTime.Parse(textbox.Text) instead of the old eWorldUIOldTextBox.SelectedDate.

There will also be occurrences of this sort of thing which will not pass the compilation:

calEnd.SelectedDate = DateTime.Today

Just replace it with:

calEnd.Text = String.Format("{0:dd/MM/yyyy}", DateTime.Today)

Or this sort of thing :


Replace it with :


There might be more small code changes that I forgot to document here but I will let you find out by yourself, you've got the general idea!

Once the project compiles locally with those changes and in medium trust (cf step 1) then you can publish it (Build > Publish Website) and compile it to a location on your hard drive. Copy the files to your ISP with the correct DB connection strings and that's it! (I agree it's actually quite a lot!)

If you need the code, drop me a line with your email address and I will send it to you.

I have tried to look at contributing in CodePlex for the CSK but the lack of documentation on how to do that made me loose motivation...

On the other hand, the changes that I have made so far may have other impacts on other functions of the CSK so following my advice is at your own risk, you are responsible for any change you make to the code :o)

From what I have seen so far though, everything works like a charm on a shared hosting server!!!

Good luck and let me know your feedback.


"The SqlParameterCollection only accepts non-null SqlParameter type objects, not QueryParameter objects" ERROR

I received quite a few emails about this as it is a problem when using the CSK code and the solution is here:

You need to edit the OrderController.vb (or .cs) to include this function:

Public Shared Function GetDBCommand(ByVal objSubCom As SubSonic.QueryCommand) As DbCommand

Dim objDbCom As DbCommand
Dim objSqlCon As New SqlConnection(ConfigurationManager.ConnectionStrings("LocalSqlServer").ToString)

objDbCom = objSqlCon.CreateCommand()
objDbCom.CommandText = objSubCom.CommandSql
objDbCom.CommandType = objSubCom.CommandType

Dim par As QueryParameter
Dim objSqlParam As SqlParameter

For Each par In objSubCom.Parameters

objSqlParam = New SqlParameter

objSqlParam.DbType = par.DataType
objSqlParam.ParameterName = par.ParameterName
objSqlParam.Value = par.ParameterValue


Return objDbCom

End Function

Then replace all the lines that say:


With this line calling the new function bypassing the subsonic call:


The ToDbCommand is the one causing the error and it's a Subsonic function. It is only throwing the error when using the SqlProvider to connect to the DB (from the SubSonic dll). So the new GetDBCommand that I wrote is a workaround that bypasses that function...


Anonymous said...

Well sir, I take my hat off to you, getting the CSK to work under medium trust. I wondered if you would mind sending me the code please? I am an amateur at this sort of thing and although I started to follow your instructions, I figured after a while that if I made a mistake, I would probably be unable to work it out on my own. Thanks in advance and keep up the good work, Regards

Etienne said...

Hi George and thanks for the comment, I will send you what I have and I hope you will be able to work it out! Hope this helps...

Anonymous said...

Hi! Etienne:

I have been searching Medium Trust edition of CSK2 long time. I tried to following your guide but I didn't know how to do in your step 2. Would you pls send me your source code to me? Thank you very much!

Tony (

Etienne said...

Hi Tony, step 2 is actually optional so you do not have to do it, I only did it because my shared hosting environment only runs Microsoft Ajax Web Extensions 1.0 RTM. I have sent you the C# code by email, hope this helps!

Anonymous said...

Hi! Etienne:

I have received your C# code, Thank you so much! But I was busy on other projects and my old computer could not run MS studio 2005, so until today I just have a new computer. I will learn your code at once! Thanks!
BTW: your code can be used a real commerce website? what I should modify if I want to use it ?

Tony (

Etienne said...

Hi Tony,

the code can be used on a real commerce website, I have just done it for my last project. :)
The only things you should have to modify are the PayPal settings and connection strings in the web.config file.

Also you might have some other problems when using the SqlClient SQL provider instead of the Entreprise Library, and if you do, I can probably help you cause I ran into some issues when trying to get the PayPal PDT and IPN handlers to work...

Hope this helps!

Anonymous said...


I am trying to move to a shared hosted server with the latest version of the CSK 2.01. I have read your Blog and followed your steps. I am still having issues with the "Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS." Could you send me you code and config file so I can check to see what i am doing wrong.

ps. I am installing the C# version, but I can translate from vb version.

thank you
Tim Kinsey

Anonymous said...

Hi Sir, did you get my previous e-mail.. Just checking

Tim Kinsey

Anonymous said...

Bonjour Etienne,

Je travaille sur cette problématique depuis une semaine...mais sans succès...

Très heureux de voir que tu as trouvé une solution.

Comme je ne suis pas un expert dans le domaine, est-ce que tu aurais la gentillesse de me faire parvenir le code S.V.P.?

Merci à l'avance!!!


Vincent said...

Hi Etienne,

Your walk through is extremely useful as this is the first REAL working example of how to get CSK to run with medium trust after hours of googling.

Now, my web site is compiled, and it runs fine locally until the PayPal part. I have configured to use PayPal Pro, and I get this message:
The SqlParameterCollection only accepts non-null SqlParameter type objects, not QueryParameter objects.
when I click "Place your order" at the end.

Is there any special handling required to make this work?

Many thanks for the wonderful work through!

Etienne said...

Hi Vincent,

I know this error as I was confronted to the exact same problem.

I seem to remember that it is in the PaymentController (or something similar) and the problem lies in the subsonic method that gets the SQL out of a query object. I had to look at the SubSonic code and I had to rewrite this particular function .UpdateCommand or .InsertCommand if I can remember right. I will try and get the code to you as soon as I can.


PS: Let me know your email address

Anonymous said...

Hi Etienne,

My email address is

Thank you so much for helping me. I was so excited when the site actually runs with Medium trust for the first time!


Anonymous said...

Hi Etienne,

I wonder if you could kindly send your modified SubSonic.dll and possibly the source code as well.

Many thanks in advance!

Vincent (

Anonymous said...


Did you have problem in getting into paymentconfiuration? I had this problem when I have medium trust.

Please shoot me an email if possible. Thanks.

Etienne said...

Indeed I had problems getting into the PaymentConfiguration page you're absolutely right, but I just chose to ignore them :o)

After all, it's only there to help you change the PaymentConfiguration settings in the web.config file and it is fairly easy to change them manually anyway.

The reason for this is of course that is is not allowed to "overwrite" the web.config file in medium trust, which is what this page does...

Hope this helps,

Nick Ashley said...

I am having the "The SqlParameterCollection only accepts non-null SqlParameter type objects, not QueryParameter objects." error when trying to checkout with

I would be endlessly grateful if you could send me a working codebase to start from. You can send code to


Brad said...

Hi Etienee:
Thanks to you I've made all the change in the CSK and all seems to work except for the issue with subsonic and the update/insert command.
I'm guessing you must have the source code for subsonic 1.0.5 version? Any chance you could send that subsonic source code project or the modified dll?

john said...

Thank you so much for putting this on your blog. I am having problems getting this to work and was hoping you could send me a working example in vb.

alex said...

Hi etienne,
I did all the change but I have this error.
Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

In the subsonic section.

Usman said...


Good work man. You really helped a lot of people out of trouble.

I am also having the same problem,

The SqlParameterCollection only accepts non-null SqlParameter type objects, not QueryParameter objects

Please send me the updated subsonic.dll or any other change you think would work. (

Thanx in advance.

The Digital Photographer ... said...


This is very impressive - chapeau!
I am moving my local CSK2.2 (a.k.a Dash Commerce 2.2) to GoDaddy.

it will be nice having a copy of your ready made stuff, much appriciate your help


Anonymous said...

This post really helps me,

Thanks you so much.
i think you have a lot work hoad
to find this solutions....

i think all the CSK related question will be solved here.
lot of people got the error while publishing CSK, but the there is only one answer - this blog.
thanks a log.

Anonymous said...

Its really nice solution that help me a lot !!! i am wondering my CSK site published on what happend , how i solved this such errors then with google and with this blog, i got the solution.
Thanks a lot.
I want to just tell you that i have uploaded my site on ,but blocks httpwebrequest method that occurs when before customer can see receipt after payment made so you can just update your database that you have to just
configure your web.config to solve httpwebrequest with 1and1 ->
proxy usesystemdefault="False" bypassonlocal="False" proxyaddress=""

-> close proxy
-> close defaultProxy
-> close

by this user can solve httpwebrequest problem on 1and1.
so just update your blog so other user will be benifited.


Anonymous said...

Hi Etienne

This is a life saver for people like me and I have followed all your instructions and Can you please help me in the #3 part, I am kind of stuck in making my siteConig properties to fetch the values, since you suggested to commend the config declaration line.

Would you be able to share your working copy to please.


r4 nds said...

take my hat off to you, getting the CSK to work under medium trust.the code can be used on a real commerce website, I have just done it for my last project.

Etienne said...

Thanks for the feedback "r4 nds" glad I could help some fellow programmers :)

Take care,

German said...


I had I fall out with my web host and decided to switch to GoDaddy which as you all know (except me) does not allow full trust on apps.

I'm gladI found your post! Now my website is up and running!!

Appreciate all your work and thanks for sharing it!!

Etienne said...

Thanks very much German, very pleased I could help!

Take care,