Exception manegement application block can't write to Windows server 2003

[Lucas]

Hi,
I have an ASP.Net application written with VS.Net 2002 (Net FWK 1.0). This
Web Application uses Exception Management Application Block to log Events to
Windows Event Log. We registered the Exception Management Application Block
using installutil.
Our Application uses impersonation and used to work fine on Windows 2000
Server.

Now we installed it on a Windows Server 2003 and when an exception is
raised, we get an "Access is denied" error when the application tries to log
the Exception to Event Log.

At the bottom you'll find the Stack Trace.

Any idea will be welcome

LucasC


Win32Exception (0x80004005): Access is denied]

[InvalidOperationException: Cannot open log for source {0}. You may not have
write access.]
System.Diagnostics.EventLog.OpenForWrite() +366
System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
EventLogEntryType type, String[] strings, Byte[] rawData) +280
System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType
type, Int32 eventID, Int16 category, Byte[] rawData) +463
System.Diagnostics.EventLog.WriteEntry(String source, String message,
EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +68
System.Diagnostics.EventLog.WriteEntry(String source, String message,
EventLogEntryType type, Int32 eventID, Int16 category) +21
System.Diagnostics.EventLog.WriteEntry(String source, String message,
EventLogEntryType type, Int32 eventID) +15
System.Diagnostics.EventLog.WriteEntry(String source, String message,
EventLogEntryType type) +11

Microsoft.ApplicationBlocks.ExceptionManagement.DefaultPublisher.WriteToLog(
String entry, EventLogEntryType type) +33

Microsoft.ApplicationBlocks.ExceptionManagement.DefaultPublisher.Publish(Exc
eption exception, NameValueCollection additionalInfo, NameValueCollection
configSettings) +1758

Microsoft.ApplicationBlocks.ExceptionManagement.ExceptionManager.PublishInte
rnalException(Exception exception, NameValueCollection additionalInfo) +76

Microsoft.ApplicationBlocks.ExceptionManagement.ExceptionManager.Publish(Exc
eption exception, NameValueCollection additionalInfo) +1934

 

[Jacob Yang [MSFT]]

Hi Lucas,

Based on the error message, this issue is a permission issue.

Firstly please check which account is used to run the ASP.NET application.
Is it the Network_Service account? Please check the w3wp.exe process in the
task manager.

Then please grant the account "Full Control" permission to the event log
folder and test this issue again.

I hope it helps.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[Lucas]

The w3wp.exe is running with Network_Service account. We set "Full Control"
to the event Log Folder (windows\ system32\config IS OK?) to Network_Service
and to my own user (because we are using Impersonation and Integrated
Security).
We get the same error.
Can it be caused because our Web Application was developed with Net FWK 1.0
and we are using Win 2003 (Net FWK 1.1)?
Can it be a new security policy of Win 2003? (remember it works fine on Win
2000)

Thanks

Lucas

 

[Jacob Yang [MSFT]]

Hi Lucas,

Thank you for your update.

You are right that the security policy in Windows Server 2003 is very
different with Windows 2000. Based on my research and experience, please
try the following solutions.

1. Grant the NETWORK_SERVICE account and your user account read permissions
to the \VSWebCache folder. To do this, follow these steps:

1) In Windows Explorer, locate C:\Documents and Settings\<Username>.
2) Right-click the "VSWebCache" folder, and then click "Properties".
3) On the "Security" tab, click "Add".
4) In the "Select Users or Groups" box, type "<Servername>\NETWORK_SERVICE"
(without the quotation marks) in the "Select Users or Groups" box.
5) Click "OK".
6) Make sure that the "Read & Execute" check box is selected, and then
click "OK".

Do the same steps for your user account.

2. Please try to add the NETWORK_SERVICE account and your user account to
the administrators group.

3. If the above two solutions do not work, we need to use the Filemon and
Regmon to check what really caused the "Access is denied" error.

Filemon
http://www.sysinternals.com/ntw2k/source/filemon.shtml

Regmon
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Note:
The third-party products that are discussed in this article are
manufactured by companies that are independent of Microsoft. Microsoft
makes no warranty, implied or otherwise, regarding the performance or
reliability of these products.

I hope it helps.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[Lucas]

Jacob,
1. I couldn't find VSWebCache folder. This is a VS.Net folder, isn't it? My
Win server 2003 is for testing purposes and doesn't has VS.
2. If I add myself to Administrators group of the win server 2003. Event Log
is written correctly. I can't use this solution in Production environments.
:-(

I tried adding myself to Power Users group but nothing happened. I tried
given Full Control to C:\WINDOWS\system32\config (where app log resides) to
Everyone user and my own user but nothing happens.

Summary:
The only way it works (write in event log) is when I was part of
Administrators group, but this is not a valid scenario. This help me to know
that this is just a security issue. As I said before, it works fine in Win
2000 so I suppose it must work fine here too.

Any other idea?

Thanks

LucasC

 

[Lucas]

In order to Add something, I found this article
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/THCMCh19.asp)
If you go to the Event Log section it says:

"Least privileged accounts, such as ASPNET, have sufficient permissions to
be able to write records to the event log using existing event sources."

Thanks

LucasC

 

[Jacob Yang [MSFT]]

Hi Lucas,

Thank you for your update.

You are right that the VSWebCache folder is a VS.Net folder.

As I have mentioned before, this issue is a permission issue. I am not sure
about what the exact permissions are needed for this issue so I suggest
using the administrator. Thank you for your understanding.

Since you cannot accept the administrator solution, we need to use the
Filemon and Regmon to check what really caused the "Access is denied"
error. Have you tried them?

Filemon
http://www.sysinternals.com/ntw2k/source/filemon.shtml

Regmon
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Note:
The third-party products that are discussed in this article are
manufactured by companies that are independent of Microsoft. Microsoft
makes no warranty, implied or otherwise, regarding the performance or
reliability of these products.

I hope it helps.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[mattsmith321]

Hi Lucas,

I am encountering the exact same scenario in my app: Impersonating a
user from a lower-privileged group does not writing to the Event Log.
Have you had any luck since your last post? I went ahead and tried the
FileMon and RegMon, but didn't see anything that indicated specifically
what was going wrong.

I know that there are numerous articles out there that address similar
situations and they seem to recommend wrapping the code that needs the
permissions with some combination of Assert/Demand. However, I keep
holding out for an easier solution before embarking on that path.


mattsmith321