Exception Management Application Block can't write to Windows Server 2003

Discussion in 'ASP .Net' started by Lucas, Nov 26, 2003.

  1. Lucas

    Lucas Guest

    Hi,
    I have an ASP.Net application written with VS.Net 2002 (Net FWK 1.0). This
    Web Application uses Exception Management Application Block to log Events to
    Windows Event Log. We registered the Exception Management Application Block
    using installutil.
    Our Application uses impersonation and used to work fine on Windows 2000
    Server.

    Now we installed it on a Windows Server 2003 and when an exception is
    raised, we get an "Access is denied" error when the application tries to log
    the Exception to Event Log.

    At the bottom you'll find the Stack Trace.

    Any idea will be welcome

    LucasC


    [Win32Exception (0x80004005): Access is denied]

    [InvalidOperationException: Cannot open log for source {0}. You may not have write access.]
    System.Diagnostics.EventLog.OpenForWrite() +366
    System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category, EventLogEntryType type, String[] strings, Byte[] rawData) +280
    System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +463
    System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +68
    System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category) +21
    System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID) +15
    System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type) +11
    Microsoft.ApplicationBlocks.ExceptionManagement.DefaultPublisher.WriteToLog(String entry, EventLogEntryType type) +33
    Microsoft.ApplicationBlocks.ExceptionManagement.DefaultPublisher.Publish(Exception exception, NameValueCollection additionalInfo, NameValueCollection configSettings) +1758
    Microsoft.ApplicationBlocks.ExceptionManagement.ExceptionManager.PublishInternalException(Exception exception, NameValueCollection additionalInfo) +76
    Microsoft.ApplicationBlocks.ExceptionManagement.ExceptionManager.Publish(Exception exception, NameValueCollection additionalInfo) +1934
     
    Lucas, Nov 26, 2003
    #1

  2. Hi Lucas,

    Based on the error message, this issue is a permission issue.

    Firstly please check which account is used to run the ASP.NET application.
    Is it the Network_Service account? Please check the w3wp.exe process in the
    task manager.

    Then please grant the account "Full Control" permission to the event log
    folder and test this issue again.

    I hope it helps.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.
     
    Jacob Yang [MSFT], Nov 27, 2003
    #2
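
Added example (not part of the original thread or of the Exception Management Application Block): a C# probe for the account check suggested in the post above. With impersonation enabled the write is attempted by the impersonated user rather than the w3wp.exe account, so the probe tries one write under each identity and reports the outcome; the class name `EventLogWriteProbe` and the source name passed in are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Text;

// Added diagnostic, not code from the Exception Management Application Block.
// Pass the event source that installutil already registered; an unregistered
// source would make WriteEntry try to create it, which needs more rights.
public sealed class EventLogWriteProbe
{
    private EventLogWriteProbe() {}

    // Attempts one write under the current identity and reports who it ran as.
    private static string TryWrite(string label, string source)
    {
        string who = WindowsIdentity.GetCurrent().Name;
        try
        {
            EventLog.WriteEntry(source, "Write probe as " + who, EventLogEntryType.Information);
            return label + " (" + who + "): write OK";
        }
        catch (Exception ex)
        {
            // The inner Win32Exception carries the native error ("Access is denied").
            Exception root = ex.InnerException != null ? ex.InnerException : ex;
            return label + " (" + who + "): " + root.GetType().Name + ": " + root.Message;
        }
    }

    public static string Run(string source)
    {
        StringBuilder report = new StringBuilder();
        // 1. With impersonation, the request thread runs as the impersonated user.
        report.Append(TryWrite("Impersonated thread", source)).Append(Environment.NewLine);

        // 2. Impersonate(IntPtr.Zero) reverts to the process token (the w3wp.exe account).
        WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            report.Append(TryWrite("Process account", source));
        }
        finally
        {
            ctx.Undo(); // always restore the impersonated identity
        }
        return report.ToString();
    }
}
```

Call `EventLogWriteProbe.Run(...)` from a test page in the affected application and compare the two lines: they show whether the denial follows the impersonated user, the process account, or both.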

  3. Lucas

    Lucas Guest

    The w3wp.exe is running with Network_Service account. We set "Full Control"
    to the event Log Folder (windows\system32\config IS OK?) to Network_Service
    and to my own user (because we are using Impersonation and Integrated
    Security).
    We get the same error.
    Can it be caused because our Web Application was developed with Net FWK 1.0
    and we are using Win 2003 (Net FWK 1.1)?
    Can it be a new security policy of Win 2003? (remember it works fine on Win
    2000)

    Thanks

    Lucas

     
    Lucas, Nov 27, 2003
    #3
  4. Hi Lucas,

    Thank you for your update.

    You are right that the security policy in Windows Server 2003 is very
    different from Windows 2000. Based on my research and experience, please
    try the following solutions.

    1. Grant the NETWORK_SERVICE account and your user account read permissions
    to the \VSWebCache folder. To do this, follow these steps:

    1) In Windows Explorer, locate C:\Documents and Settings\<Username>.
    2) Right-click the "VSWebCache" folder, and then click "Properties".
    3) On the "Security" tab, click "Add".
    4) In the "Select Users or Groups" box, type "<Servername>\NETWORK_SERVICE"
    (without the quotation marks) in the "Select Users or Groups" box.
    5) Click "OK".
    6) Make sure that the "Read & Execute" check box is selected, and then
    click "OK".

    Do the same steps for your user account.

    2. Please try to add the NETWORK_SERVICE account and your user account to
    the administrators group.

    3. If the above two solutions do not work, we need to use the Filemon and
    Regmon to check what really caused the "Access is denied" error.

    Filemon
    http://www.sysinternals.com/ntw2k/source/filemon.shtml

    Regmon
    http://www.sysinternals.com/ntw2k/source/regmon.shtml

    Note:
    The third-party products that are discussed in this article are
    manufactured by companies that are independent of Microsoft. Microsoft
    makes no warranty, implied or otherwise, regarding the performance or
    reliability of these products.

    I hope it helps.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.
     
    Jacob Yang [MSFT], Nov 28, 2003
    #4
  5. Lucas

    Lucas Guest

    Jacob,
    1. I couldn't find the VSWebCache folder. This is a VS.Net folder, isn't it? My
    Win Server 2003 is for testing purposes and doesn't have VS.
    2. If I add myself to the Administrators group of the Win Server 2003, the Event Log
    is written correctly. I can't use this solution in Production environments.
    :-(

    I tried adding myself to the Power Users group but nothing happened. I tried
    giving Full Control to C:\WINDOWS\system32\config (where app log resides) to
    Everyone user and my own user but nothing happens.

    Summary:
    The only way it works (write in event log) is when I was part of the
    Administrators group, but this is not a valid scenario. This helps me to know
    that this is just a security issue. As I said before, it works fine in Win
    2000 so I suppose it must work fine here too.

    Any other idea?

    Thanks

    LucasC

     
    Lucas, Nov 28, 2003
    #5
  6. Lucas

    Lucas Guest

    To add something, I found this article
    (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh19.asp).
    If you go to the Event Log section it says:

    "Least privileged accounts, such as ASPNET, have sufficient permissions to
    be able to write records to the event log using existing event sources."

    Thanks

    LucasC

     
    Lucas, Nov 28, 2003
    #6
  7. Hi Lucas,

    Thank you for your update.

    You are right that the VSWebCache folder is a VS.Net folder.

    As I have mentioned before, this issue is a permission issue. I am not sure
    what exact permissions are needed for this issue, so I suggest
    using the administrator. Thank you for your understanding.

    Since you cannot accept the administrator solution, we need to use the
    Filemon and Regmon to check what really caused the "Access is denied"
    error. Have you tried them?

    Filemon
    http://www.sysinternals.com/ntw2k/source/filemon.shtml

    Regmon
    http://www.sysinternals.com/ntw2k/source/regmon.shtml

    Note:
    The third-party products that are discussed in this article are
    manufactured by companies that are independent of Microsoft. Microsoft
    makes no warranty, implied or otherwise, regarding the performance or
    reliability of these products.

    I hope it helps.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.
     
    Jacob Yang [MSFT], Dec 1, 2003
    #7
  8. Lucas

    mattsmith321 Guest

    Hi Lucas,

    I am encountering the exact same scenario in my app: Impersonating a
    user from a lower-privileged group does not write to the Event Log.
    Have you had any luck since your last post? I went ahead and tried the
    FileMon and RegMon, but didn't see anything that indicated specifically
    what was going wrong.

    I know that there are numerous articles out there that address similar
    situations and they seem to recommend wrapping the code that needs the
    permissions with some combination of Assert/Demand. However, I keep
    holding out for an easier solution before embarking on that path.


    mattsmith321
     
    mattsmith321, Dec 6, 2003
    #8