EMAB, Impersonation and Event log

Discussion in 'ASP .Net Security' started by SJ, Nov 11, 2003.

  1. SJ

    SJ Guest

    Hi all,

    I'm having a problem in ASP.NET enabling write access to the system event
    log using EMAB, which uses System.Diagnostics.WriteEntry under the covers.
    Specifically:
    * The web application has anonymous authentication (only) enabled.
    * The account used is IUSR_mypc
    * I use InstallUtil to create the 2 source entries in
    HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application. These are
    ExceptionManagerInternalException and ExceptionManagerPublishedException (the
    defaults).
    * In Web.config: authentication=none (or Windows).

    Whenever I set identity impersonate to "true", I get
    'System.ComponentModel.Win32Exception: Access is denied', no matter what
    permissions I grant on the registry keys (I've tried from the specific
    source keys to the Eventlog root).

    I thought that in this case, the ASPNET account would be used to impersonate
    the (anonymous) user. As I had granted full control to the registry keys to
    this account, I thought that there should be no problem writing to the event
    log.

    I've also tried the IUSR account and numerous others. There does not seem to
    be a single account I can use to grant these permissions. Does anyone know
    if this is correct?

    Thanks in advance

    Simon
     
    SJ, Nov 11, 2003
    #1

  2. SJ

    MSFT Guest

    Hi Simon

    With "impersonate" set to True and anonymous access, ASP.NET will use the
    IUSR_mypc permissions to write the event log. However, to write to the event
    log, it may not be enough to set permissions on some registry entries. I
    suggest you try the following steps to see if they can help:

    1. Change "Impersonate" to false, so that the ASP.NET app will use the ASPNET
    account to write the event log.
    2. Trace the registry and file access with some utilities, for example,
    Regmon and Filemon. They will record all read/write behaviors on registry
    and files. From their logs, we may find the object which causes "access
    denied". For more information on these two utilities, please browse to
    www.systeminternals.com.

    Hope this helps,

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    MSFT, Nov 11, 2003
    #2

  3. SJ

    SJ Guest

    Hi Luke,

    Thanks - they were good suggestions. I've tried seeing what is happening
    under the covers but am no closer to understanding where it's failing. RegMon
    shows no failures at all - the aspnet_wp successfully reads the Eventlog
    keys even when impersonate=true. Filemon, too, is showing no errors - I
    can't even see what file it's trying to write to. Diskmon also does not show
    any failures.

    About the only thing that's odd is in FileMon: when impersonate=true, before
    the exception, aspnet_wp opens, reads and closes the ExceptionManager.vb
    (source) file - this is part of the EMAB. When impersonate=false this does
    not happen.

    I know that the EMAB uses the resource manager, and I've tried assigning
    permissions to the IUSR account on the files accessed, but it still doesn't
    work. The exception is "A first chance exception of type
    'System.InvalidOperationException' occurred in system.dll Additional
    information: Cannot open log for source {0}. You may not have write access."

    The key to it may be the {0} symbol but I don't know why this is being
    returned. Any more suggestions?

    Thanks

    Simon
     
    SJ, Nov 12, 2003
    #3
  4. I'm having the same trouble... I'm using W2K3 .Net Server so I've also
    changed my ACLs to include the Network Service account. The registry
    hive entry gets created under the Application tree but the actual
    event doesn't get logged. I've even given full rights to the local
    Everyone group just to see if that worked but no dice. The domain
    IUSR_ account has full rights to that section of the registry also. I
    don't know what else to open up... do these changes require a reboot?
    Thanks,
    -Dave
    Here's my code. It's in Global.asax.vb which is used to trap all
    errors:

    Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
        ' Fires when an unhandled error occurs anywhere in the application
        Dim objEventLog As New EventLog
        Dim AppName As String = "My VB.Net WebApp"
        Dim LogName As String = "Application"
        Dim objErr As Exception = Server.GetLastError().GetBaseException()
        ' Message and StackTrace are concatenated directly: StackTrace can be
        ' Nothing, and calling ToString() on it would throw inside the handler
        Dim err As String = "Error Caught in Application_Error event" & _
            System.Environment.NewLine & _
            "Error in: " & Request.Url.ToString() & _
            System.Environment.NewLine & _
            "Error Message: " & objErr.Message & _
            System.Environment.NewLine & _
            "Stack Trace:" & objErr.StackTrace
        Try
            ' Register the App as an Event Source if it is not registered yet
            ' (SourceExists/CreateEventSource are Shared members of EventLog)
            If Not EventLog.SourceExists(AppName) Then
                EventLog.CreateEventSource(AppName, LogName)
            End If
            objEventLog.Source = AppName
            objEventLog.WriteEntry(err, EventLogEntryType.Error)
        Catch Ex As Exception
            ' Surface the failure in the response so it is visible while debugging
            Response.Write(Ex.Message)
        End Try
    End Sub

    The result is:
    Cannot open log for source {0}. You may not have write access.


    "SJ" <> wrote in message news:<>...
    > Hi Luke,
    >
    > Thanks - they were good suggestions. I've tried seeing what is happening
    > under the covers but am no closer to understanding where it's failing. RegMon
    > shows no failures at all - the aspnet_wp successfully reads the Eventlog
    > keys even when impersonate=true. Filemon, too, is showing no errors - I
    > can't even see what file it's trying to write to. Diskmon also does not show
    > any failures.
    >
    > About the only thing that's odd is in FileMon: when impersonate=true, before
    > the exception, aspnet_wp opens, reads and closes the ExceptionManager.vb
    > (source) file - this is part of the EMAB. When impersonate=false this does
    > not happen.
    >
    > I know that the EMAB uses the resource manager, and I've tried assigning
    > permissions to the IUSR account on the files accessed, but it still doesn't
    > work. The exception is "A first chance exception of type
    > 'System.InvalidOperationException' occurred in system.dll Additional
    > information: Cannot open log for source {0}. You may not have write access."
    >
    > The key to it may be the {0} symbol but I don't know why this is being
    > returned. Any more suggestions?
    >
    > Thanks
    >
    > Simon
     
    David Eisenberg, Nov 12, 2003
    #4
  5. SJ

    MSFT Guest

    MSFT, Nov 13, 2003
    #5
  6. SJ

    MSFT Guest

    Hi Simon,

    Any updates? Can you write the event log directly as I suggested?

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    MSFT, Nov 17, 2003
    #6
  7. SJ

    Phil Guest

    Hi Luke,
    I had the exact same problems that Simon had. The link you suggested
    worked:
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q329291
    However, after having followed the instructions for the "Second Approach" I
    can only write to the "TEST" Event Source. I then attempted to create a new
    event source but I received the same failure exceptions.
    While this is a temporary workaround, it's hardly a solution to the
    problem. It looks like the ASPNET user does not have permissions to Create
    an Event Source, but does have permission to write to Event Sources that
    already exist in the Registry.
    Thanks for the workaround to the problem.
    Best Regards,
    Phil

    "MSFT" <> wrote in message
    news:$...
    > Hi Simon,
    >
    > Any updates? Can you write the event log directly as I suggested?
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
     
    Phil, Nov 17, 2003
    #7
  8. SJ

    SJ Guest

    Hi Luke and Phil,

    Thanks for chasing this up, Luke - and for the support, Phil - I thought I
    was losing it for a while!

    Yep, the work-around does work. I agree with Phil's last post: the ASPNET
    account is not able to create event sources, despite appearances to the
    contrary. There doesn't seem to be any way to enable event source creation
    through permissions.

    I am now using an installer module to create the event source on
    installation, but that's still an extra, manual step.

    Thanks again

    Simon
     
    SJ, Nov 19, 2003
    #8
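    An installer module of the kind Simon's last post describes, added here as an
    example and not code from the thread or from the EMAB: the event source is
    created at deploy time by InstallUtil under an administrative account, and the
    web application only writes to the existing source. The class, module and
    function names and the source name are assumptions.

```vb
Imports System.ComponentModel
Imports System.Configuration.Install
Imports System.Diagnostics

' Deploy-time installer: run once with InstallUtil.exe under an administrative
' account so the event source exists before the web application starts.
<RunInstaller(True)> _
Public Class WebAppEventLogInstaller
    Inherits Installer

    ' Hypothetical names; the web application must use the same source name.
    Public Const SourceName As String = "My VB.Net WebApp"
    Public Const LogName As String = "Application"

    Public Sub New()
        Dim logInstaller As New EventLogInstaller()
        logInstaller.Source = SourceName
        logInstaller.Log = LogName
        ' Adding it to Installers wires Install and Uninstall, so InstallUtil /u
        ' removes the registry entry again.
        Installers.Add(logInstaller)
    End Sub
End Class

' Runtime side: the worker process identity (ASPNET, IUSR_*, Network Service)
' only writes to the pre-registered source and never calls CreateEventSource.
Public Module WebAppLogging
    Public Function TryWriteError(ByVal message As String) As Boolean
        Dim sourceKnown As Boolean
        Try
            sourceKnown = EventLog.SourceExists(WebAppEventLogInstaller.SourceName)
        Catch ex As System.Security.SecurityException
            ' Enumerating the logs can itself be denied to a restricted identity;
            ' treat that as "unknown" and still attempt the write below.
            sourceKnown = True
        End Try
        If Not sourceKnown Then
            ' The installer has not been run on this machine: report that instead
            ' of retrying CreateEventSource from the request identity.
            Return False
        End If
        EventLog.WriteEntry(WebAppEventLogInstaller.SourceName, message, _
                            EventLogEntryType.Error)
        Return True
    End Function
End Module
```

    Build the installer class into the web project's assembly (or a separate one
    referencing System.Configuration.Install) and register it with
    InstallUtil.exe before the first request is served.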
  9. SJ

    Phil Guest

    Simon,
    Glad it all worked out. :)
    Luke,
    Suggestion:
    This may sound a mite pedestrian, and I certainly am more gratified as a
    developer when I do the following in code, however,
    since VS.Net's Server Explorer gives users the ability to create performance
    counters and such, why not add the same feature for event log creation? I
    also noticed, after running the installer, then expanding the Application
    event log node in VS.Net's Server Explorer, that the newly created 'TEST'
    event log node is displayed. What would be really cool is if the user could
    drag that particular event log node into the Designer. This would
    automatically set the event source property of course.
    Regards,
    Phil


    "SJ" <> wrote in message
    news:...
    > Hi Luke and Phil,
    >
    > Thanks for chasing this up, Luke - and for the support, Phil - I thought I
    > was losing it for a while!
    >
    > Yep, the work-around does work. I agree with Phil's last post: the ASPNET is
    > not able to create event sources, despite appearances to the contrary. There
    > doesn't seem to be any way to enable event source creation through
    > permissions.
    >
    > I am now using an installer module to create the event source on
    > installation, but that's still an extra, manual step.
    >
    > Thanks again
    >
    > Simon
    >
    >
     
    Phil, Nov 19, 2003
    #9
