EventLog Access using impersonation in Windows Server 2003

Discussion in 'ASP .Net' started by cjk, Apr 2, 2004.

  1. Issue:
    Our web application requires access to write to a custom event log, yet access is denied. This access is denied because we are using impersonation, and our end-users do not (should not) have permissions to write to a custom event log. We would like to know if someone out there has resolved this problem without incorporating registry hacks, elevating end-user account permissions to admin OR calling native code to logon as the account running our Application Pool.

    Ideally, we would like to use our Application Pool account identity to create the event log entries and we do not mind providing the necessary permissions to this account.

    Details:
    -Web App hosted on Windows 2003 server
    -Web App is using a custom application pool, running under a specified identity
    -Web App uses its own (custom) event log
    -Web App uses impersonation, thus we lose the application pool identity when trying to create an event log entry

    cjk, Apr 2, 2004
    #1

  2. Hopefully this link will provide your answer:
    http://support.microsoft.com/?id=329291

    --
    I hope this helps,
    Steve C. Orr, MCSD, MVP
    http://Steve.Orr.net

    Steve C. Orr [MVP, MCSD], Apr 2, 2004
    #2

  3. bruce barker (Guest)

    try:

    using System.Runtime.InteropServices;
    using System.Security.Principal;

    [DllImport("advapi32")] private extern static bool RevertToSelf();

    // remember the impersonated user so it can be restored afterwards
    WindowsIdentity id = WindowsIdentity.GetCurrent();
    // drop the impersonation token; the thread now runs as the app pool account
    RevertToSelf();

    // do your work here

    // put the impersonated user back
    id.Impersonate();


    -- bruce (sqlwork.com)

    bruce barker, Apr 2, 2004
    #3
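As an added example (not bruce's snippet and not from the thread), the same revert-to-process-identity idea written against the managed WindowsIdentity.Impersonate(IntPtr.Zero) API instead of P/Invoke, with the impersonated user restored in a finally block so the revert window is limited to the single write; the log and source names are placeholders, and the application pool account still needs write access to that custom log (on Windows Server 2003 via the log's CustomSD).

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;

// Added example (not from the thread). Writes to the custom event log as the
// application pool identity while an ASP.NET request is impersonating a user.
// Assumes the log and source were already registered by the installer, since
// creating a source at runtime needs administrative rights.
public static class AppPoolEventLog
{
    // Placeholder names; replace with the installer's log and source names.
    private const string LogName = "MyCustomLog";
    private const string SourceName = "MyWebApp";

    public static void WriteAsProcessIdentity(string message, EventLogEntryType type)
    {
        // The impersonated end-user (when <identity impersonate="true"/> is set).
        WindowsIdentity caller = WindowsIdentity.GetCurrent();

        // Impersonate(IntPtr.Zero) reverts this thread to the process token,
        // i.e. the application pool account, and returns a context that can
        // restore the impersonated user. Same effect as RevertToSelf().
        WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            // Keep the non-impersonated window as small as possible: only the write.
            using (EventLog log = new EventLog(LogName))
            {
                log.Source = SourceName;
                // Record who triggered the entry so the audit trail keeps the real user.
                log.WriteEntry(string.Format("[{0}] {1}", caller.Name, message), type);
            }
        }
        finally
        {
            // Always restore the request's impersonated identity, even on error.
            ctx.Undo();
        }
    }
}
```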
  4. I'm having the same problem. Unfortunately the link provided does not
    apply to my situation because I create the EventLog source in my
    ASP.NET app installer. The problem is that even after the EventLog
    source is created, my ASP.NET app can not log to the custom event
    source when running under Windows Server 2003. It works fine under
    Windows 2000.

    Details:

    ASP.NET app
    impersonation=true in web.config
    can not elevate user accounts to admin group just for logging

    Any ideas? I've found several people asking for help with this
    situation but no solutions offered.

    Scott

    Scott Zabolotzky, Apr 8, 2004
    #4
  5. nosperantos (joined Nov 1, 2006)
    As for writing to event log using ASP...

    Hi,

    I've mined Google through and through and dug up a million articles over a few days now. Nothing helped, especially not Microsoft documents.
    I'm trying to use WSH objects from ASP code in order to write messages to the application event log. Logging on as administrator does the job, though using IIS's user (IUSR_Whatever) or any other member of the guests group fails every time due to lack of permissions.
    I'm using plain old ASP (not .NET). And it's installed on IIS 6, Windows 2003.
    My code looks as follows:
    -------------------------------------------------------------------------

    <%@ Language=VBScript %>
    <HTML>
    <BODY>
    <%
    ' Event type constants accepted by WshShell.LogEvent
    Const SUCCESS = 0
    Const ERROR = 1
    Const WARNING = 2
    Const INFORMATION = 4
    Const AUDIT_SUCCESS = 8
    Const AUDIT_FAILURE = 16

    Dim sessionID
    sessionID = Session.SessionID
    Dim WshShell
    Set WshShell = Server.CreateObject("WScript.Shell")
    ' LogEvent writes to the Application log under the identity running the page
    WshShell.LogEvent AUDIT_SUCCESS, "Event logged successfully for session number " & sessionID
    Set WshShell = Nothing
    Response.Write "Event logged successfully for session number " & sessionID
    Session.Abandon

    %>
    </BODY>
    </HTML>

    -----------------------------------------------------------------------
    No matter what changes I've made in the registry, using SDDL permissions, security policy, permissions to the event log file itself, it doesn't work :-(

    Seems like no change to CustomSD in the registry works.

    My CustomSD key looks like this:

    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x2;;; S-1-5-21-1444055606-3596881769-3846073516-1007)

    where S-1-5-21-1444055606-3596881769-3846073516-1007 is the user I use to run the script.
    Is there something I'm missing here?


    Thank you very much to whoever answers my riddle.
     
    nosperantos, Nov 1, 2006
    #5
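To see what a CustomSD value actually grants before editing the registry again, here is an added example (not the poster's code) that parses the posted string with .NET's RawSecurityDescriptor and lists each SID's event-log rights (0x1 read, 0x2 write, 0x4 clear); the whitespace check is my own assumption that SDDL allows no spaces inside an ACE, so the example strips them and warns.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;

// Added example (not from the thread). Decodes an event log CustomSD string
// into per-SID rights so you can verify who may write (and so spoof or flood
// the log) before changing anything in the registry.
public static class CustomSdInspector
{
    // Event log specific access bits used in CustomSD: read, write, clear.
    private const int ReadBit = 0x1, WriteBit = 0x2, ClearBit = 0x4;

    public static List<string> Describe(string sddl, out bool hadWhitespace)
    {
        // Assumption: SDDL has no whitespace; a stray space inside an ACE
        // makes the string unparsable, so strip it and report that we did.
        string cleaned = sddl.Replace(" ", "");
        hadWhitespace = cleaned != sddl;

        RawSecurityDescriptor sd = new RawSecurityDescriptor(cleaned);
        List<string> lines = new List<string>();
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            KnownAce known = ace as KnownAce;
            if (known == null) continue;   // skip unknown/custom ACE types
            string rights = "";
            if ((known.AccessMask & ReadBit) != 0) rights += "read ";
            if ((known.AccessMask & WriteBit) != 0) rights += "write ";
            if ((known.AccessMask & ClearBit) != 0) rights += "clear ";
            lines.Add(string.Format("{0} {1}: {2}",
                known.AceType == AceType.AccessDenied ? "DENY " : "ALLOW",
                known.SecurityIdentifier.Value, rights.Trim()));
        }
        return lines;
    }

    public static void Main()
    {
        // Sample input: the CustomSD value posted above, copied verbatim.
        string sddl = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
            + "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)"
            + "(A;;0x2;;; S-1-5-21-1444055606-3596881769-3846073516-1007)";
        bool hadWhitespace;
        foreach (string line in Describe(sddl, out hadWhitespace)) Console.WriteLine(line);
        if (hadWhitespace) Console.WriteLine("warning: whitespace found inside an ACE");
    }
}
```

Deny ACEs are listed first by the parser exactly as the native API evaluates them, so an account that appears in both an ALLOW and a DENY line loses the denied bits.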
