EMAB, Impersonation and Event log

SJ

Hi all,

I'm having a problem in ASP.NET enabling write access to the system event
log using EMAB, which uses System.Diagnostics.WriteEntry under the covers.
Specifically:
* The web application has anonymous authentication (only) enabled.
* The account used is IUSR_mypc
* I use InstallUtil to create the 2 source entries in
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application. These are
ExceptionManagerInternalException and ExceptionManagerPublishedException (
the defaults )
* In Web.config: authentication=none (or Windows).

Whenever I set identity impersonate to "true", I get
'System.ComponentModel.Win32Exception: Access is denied', no matter what
permissions I grant on the registry keys (I've tried from the specific
source keys to the Eventlog root).

I thought that in this case, the ASPNET account would be used to impersonate
the (anonymous) user. As I had granted full control to the registry keys to
this account, I thought that there should be no problem writing to the event
log.

I've also tried the IUSR account and numerous others. There does not seem to
be a single account I can use to grant these permissions. Does anyone know
if this is correct?

Thanks in advance

Simon
 
MSFT

Hi Simon

With "impersonate" set to True and anonymous access, ASP.NET will use
IUSER_mypc permission to write the event log. However, to write the event log,
it may not be enough to set permissions on some registry entries. I suggest
you try the following steps to see if they help:

1. Change "Impersonate" to false, so that the ASP.NET app will use the ASPNET
account to write the event log.
2. Trace the registry and file access with some utilities, for example,
Regmon and Filemon. They will record all read/write behavior on the registry
and files. From their log, we may find the object which causes "access
denied". For more information on these two utilities, please browse to
www.systeminternals.com.

Hope this helps,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
SJ

Hi Luke,

Thanks - they were good suggestions. I've tried seeing what is happening
under the covers but am no closer to understanding where it's failing. RegMon
shows no failures at all - the aspnet_wp successfully reads the Eventlog
keys even when impersonate=true. Filemon, too, is showing no errors - I
can't even see what file it's trying to write to. Diskmon also does not show
any failures.

About the only thing that's odd is in FileMon: when impersonate=true, before
the exception, aspnet_wp opens, reads and closes the ExceptionManager.vb
(source) file - this is part of the EMAB. When impersonate=false this does
not happen.

I know that the EMAB uses the resource manager, and I've tried assigning
permissions to the IUSR account on the files accessed, but it still doesn't
work. The exception is "A first chance exception of type
'System.InvalidOperationException' occurred in system.dll Additional
information: Cannot open log for source {0}. You may not have write access."

The key to it may be the {0} symbol but I don't know why this is being
returned. Any more suggestions?

Thanks

Simon
 
David Eisenberg

I'm having the same trouble... I'm using W2K3 .Net Server so I've also
changed my ACLs to include the Network Service account. The registry
hive entry gets created under the Application tree but the actual
event doesn't get logged. I've even given full rights to the local
Everyone group just to see if that worked but no dice. The domain
IUSR_ account has full rights to that section of the registry also. I
don't know what else to open up... do these changes require a reboot?
Thanks,
-Dave
Here's my code. It's in Global.asax.vb which is used to trap all
errors:

Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires when an error occurs
    ' (EventLog requires "Imports System.Diagnostics" at the top of Global.asax.vb)
    Dim objEventLog As New EventLog
    Dim AppName As String = "My VB.Net WebApp"
    Dim LogName As String = "Application"
    Dim objErr As Exception = Server.GetLastError().GetBaseException()
    Dim err As String = "Error Caught in Application_Error event" & _
        System.Environment.NewLine & _
        "Error in: " & Request.Url.ToString() & _
        System.Environment.NewLine & _
        "Error Message: " & objErr.Message.ToString() & _
        System.Environment.NewLine & _
        "Stack Trace:" & objErr.StackTrace.ToString()
    Try
        ' Register the App as an Event Source
        ' (SourceExists and CreateEventSource are Shared members, so call them on the type)
        If Not EventLog.SourceExists(AppName) Then
            EventLog.CreateEventSource(AppName, LogName)
        End If
        objEventLog.Source = AppName
        objEventLog.WriteEntry(err, EventLogEntryType.Error)
    Catch Ex As Exception
        ' Shows the logging failure in the page output
        Response.Write(Ex.Message)
    End Try
End Sub

The result is:
Cannot open log for source {0}. You may not have write access.
 
MSFT

Hi Simon,

Any updates? Can you write the eventlog directly as I suggested?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Phil

Hi Luke,
I had the exact same problems that Simon had. The link you suggested
worked:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q329291
However, after following the instructions for the "Second Approach" I
can only write to the "TEST" Event Source. I then attempted to create a new
event source but I received the same failure exceptions.
While this is a temporary work around, it's hardly a solution to the
problem. It looks like the ASPNET user does not have permissions to Create
an Event Source, but does have permission to write to Event Sources that
already exist in the Registry.
Thanks for the work around to the problem.
Best Regards,
Phil
 
SJ

Hi Luke and Phil,

Thanks for chasing this up, Luke - and for the support, Phil - I thought I
was losing it for a while!

Yep, the work-around does work. I agree with Phil's last post: the ASPNET is
not able to create event sources, despite appearances to the contrary. There
doesn't seem to be any way to enable event source creation through
permissions.

I am now using an installer module to create the event source on
installation, but that's still an extra, manual step.

Thanks again

Simon
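
The split this thread arrives at (register the event source once at install time with administrative rights, then only write to it from the low-privileged web account), sketched as an added example that is not code from any poster or from the KB article. The class names are hypothetical, the source and log names are reused from the Application_Error code above, and the project is assumed to reference System.Configuration.Install.dll.

```vb
Imports System
Imports System.ComponentModel
Imports System.Configuration.Install
Imports System.Diagnostics

' Install time: run the compiled assembly through InstallUtil under an
' administrator account so the source is registered under the Eventlog key.
<RunInstaller(True)> _
Public Class WebAppEventSourceInstaller
    Inherits Installer

    ' Names reused from the thread's Application_Error code.
    Public Const SourceName As String = "My VB.Net WebApp"
    Public Const LogName As String = "Application"

    Public Sub New()
        Dim logInstaller As New EventLogInstaller()
        logInstaller.Source = SourceName
        logInstaller.Log = LogName
        Installers.Add(logInstaller)
    End Sub
End Class

' Run time: called from the ASP.NET worker account (hypothetical helper).
Public Class EventLogWriter
    Public Shared Function TryWriteError(ByVal message As String) As Boolean
        Try
            ' No SourceExists/CreateEventSource call here: the source is
            ' assumed to have been registered by the installer above.
            EventLog.WriteEntry(WebAppEventSourceInstaller.SourceName, _
                                message, EventLogEntryType.Error)
            Return True
        Catch ex As Exception
            ' Logging failed, for example because the installer was never run.
            ' Report that to the caller; do not echo ex.Message to the response.
            Return False
        End Try
    End Function
End Class
```

With this split the web account needs no write access to the Eventlog registry keys, and a missing source shows up as a False return instead of exception text in the page output.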
 
Phil

Simon,
Glad it all worked out. :)
Luke,
Suggestion:
This may sound a mite pedestrian, and I certainly am more gratified as a
developer when I do the following in code, however,
since VS.Net's Server Explorer gives users the ability to create performance
counters and such, why not add the same feature for event log creation? I
also noticed, after running the installer, then expanding the Application
event log node in VS.Net's Server Explorer, that the newly created 'TEST'
event log node is displayed. What would be really cool is if the user could
drag that particular event log node into the Designer. This would
automatically set the event source property of course.
Regards,
Phil
 