Problem with Exception Mgt. App Block on W2k Server

Discussion in 'ASP .Net Security' started by Jim Ross [MVP], Dec 2, 2003.

  1. I'm about at wit's end getting the exception block to operate at all
    on our Win 2000 server. All is well on my local workstation, but the
    block will not register correctly to operate on the server. Here is
    what we have done:

    * Xcopied the dll's into our app's bin directory on the server.
    * Ran the install util with a bat file located in the bin directory.
    the BAT file contains:
    ===========================
    REM *** Batch File to register the ExceptionManagement appblock dll to
    allow
    REM *** writing to the event log
    c:\winnt\microsoft.net\framework\v1.1.4322\installutil.exe
    microsoft.applicationblocks.exceptionmanagement.dll
    REM Register complete.
    pause
    =================================

    the BAT file returns comforting sounding words, and the actual install
    log that gets created also looks "comforting":

    ==========================================
    Installing assembly
    'd:\sites\problem-management\wwwroot\cca\bin\microsoft.applicationblocks.exceptionmanagement.dll'.
    Affected parameters are:
    assemblypath =
    d:\sites\problem-management\wwwroot\cca\bin\microsoft.applicationblocks.exceptionmanagement.dll
    logfile =
    d:\sites\problem-management\wwwroot\cca\bin\microsoft.applicationblocks.exceptionmanagement.InstallLog
    Creating EventLog source ExceptionManagerInternalException in log
    Application...
    Creating EventLog source ExceptionManagerPublishedException in log
    Application...
    Committing assembly
    'd:\sites\problem-management\wwwroot\cca\bin\microsoft.applicationblocks.exceptionmanagement.dll'.
    Affected parameters are:
    assemblypath =
    d:\sites\problem-management\wwwroot\cca\bin\microsoft.applicationblocks.exceptionmanagement.dll
    logfile =
    d:\sites\problem-management\wwwroot\cca\bin\microsoft.applicationblocks.exceptionmanagement.InstallLog
    ==============================

    BUT, when anything tries to throw an exception, we get the "dreaded":
    =======================
    "The event source ExceptionManagerInternalException does not exist and
    cannot be created with the current permissions
    ======================

    WHAT is going on here? I have seen this error reported frequently, but
    in most cases running the installutil seems to clear it up. Here, we
    ran installutil, with apparent success to judge from the log, but we
    still can't log an exception. I'm sure it is a permissions thing
    somewhere, but where? As noted, this is a Win2000 sp3.

    Jim Ross
    MS MVP [ASP.NET][VC/MFC emeritus]

    To send email, change 'lotsofspamthroughhere' to 'msn' but please ask all questions in the newsgroups, not via private mail
    Jim Ross [MVP], Dec 2, 2003
    #1
    1. Advertising

  2. Jim Ross [MVP]

    MSFT Guest

    Hi Jim,

    If you use a more powerful account, for example, the System account, will
    the error still occur?

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Dec 3, 2003
    #2
    1. Advertising

  3. I don't know. Could you tell me how I might try that? I'm afraid that
    is an area of .NET that is foreign territory to me.

    Note that the block _appears_ to be correctly registered. Even the
    correct Registry entries exist.

    (MSFT) wrote:

    >If you use a more powerful account, for example, the System account, will
    >the error still occur?


    Jim Ross
    MS MVP [ASP.NET][VC/MFC emeritus]

    To send email, change 'lotsofspamthroughhere' to 'msn' but please ask all questions in the newsgroups, not via private mail
    Jim Ross [MVP], Dec 3, 2003
    #3
  4. Jim Ross [MVP]

    MSFT Guest

    Hi Jim,

    You can configure the process identity in the <processModel> section of the
    Machine.config file in the Config subdirectory of the installation root
    directory. The userName and the password attributes control the identity of
    the process. The default values for these attributes are as follows:


    <processModel userName="machine" password="AutoGenerate" />


    The machine and the AutoGenerate values instruct ASP.NET to use the
    built-in ASPNET account and to use a cryptographically strong, random
    password that is stored in the Local Security Authority (LSA) for that
    account.

    If you want to use a process that has more access rights, you can set the
    userName attribute to System, which causes the ASP.NET worker process to
    run with the same identity as the Inetinfo.exe process. The Inetinfo.exe
    process runs by default as the System identity. When you configure the
    ASP.NET worker process to use the System identity, the ASP.NET worker
    process can access almost all of the resources on the local computer. On
    computers that are running Windows 2000 or Windows XP, the System account
    also has network credentials and can access network resources as the
    machine account.


    For more information about <processModel> Element:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/ht
    ml/gngrfprocessmodelsection.asp

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Dec 4, 2003
    #4
  5. Yes, I _could_ take that approach, but since my original post I'be
    been reading up on these issues, and according to an MS Press book on
    building secure ASP.NET apps, the preferred approach for this specific
    sort of issue is to grant the ASPNET account the needed access. The
    idea being--just as much access as is needed and not a bit more.
    Sounds reasonable.

    What is so maddening is that I HAVE granted it Registry access to the
    needed keys. I can look at it in RegEdt32, and there it is, ASPNET has
    the exact access the books says it needs, but as soon as I try to log
    an exception, it gets "Registry access denied". It seems reasonable to
    assume, at this point, that the domain security policies are somehow
    overriding what I'm trying to do.

    (MSFT) wrote:
    >You can configure the process identity in the <processModel> section of the
    >Machine.config file in the Config subdirectory of the installation root
    >directory. The userName and the password attributes control the identity of
    >the process. The default values for these attributes are as follows:
    >


    Jim Ross
    MS MVP [ASP.NET][VC/MFC emeritus]

    To send email, change 'lotsofspamthroughhere' to 'msn' but please ask all questions in the newsgroups, not via private mail
    Jim Ross [MVP], Dec 9, 2003
    #5
  6. Jim Ross [MVP]

    Joe Audette Guest

    I think the reason your batch file doesn't work is
    because you have to use the VS.NET command prompt to run
    the installutil not just a regular command prompt. The
    VS.NET command line set up environment variables that are
    needed. I know there is a way to do it with a regular
    command prompt but you have to setup the environment
    variables that the VS.NET command prompt would do for you.

    Best Regards,

    Joe Audette

    >-----Original Message-----
    >I'm about at wit's end getting the exception block to

    operate at all
    >on our Win 2000 server. All is well on my local

    workstation, but the
    >block will not register correctly to operate on the

    server. Here is
    >what we have done:
    >
    >* Xcopied the dll's into our app's bin directory on the

    server.
    >* Ran the install util with a bat file located in the

    bin directory.
    >the BAT file contains:
    >===========================
    >REM *** Batch File to register the ExceptionManagement

    appblock dll to
    >allow
    >REM *** writing to the event log
    >c:\winnt\microsoft.net\framework\v1.1.4322

    \installutil.exe
    >microsoft.applicationblocks.exceptionmanagement.dll
    >REM Register complete.
    >pause
    >=================================
    >
    >the BAT file returns comforting sounding words, and the

    actual install
    >log that gets created also looks "comforting":
    >
    >==========================================
    >Installing assembly
    >'d:\sites\problem-

    management\wwwroot\cca\bin\microsoft.applicationblocks.exc
    eptionmanagement.dll'.
    >Affected parameters are:
    > assemblypath =
    >d:\sites\problem-

    management\wwwroot\cca\bin\microsoft.applicationblocks.exc
    eptionmanagement.dll
    > logfile =
    >d:\sites\problem-

    management\wwwroot\cca\bin\microsoft.applicationblocks.exc
    eptionmanagement.InstallLog
    >Creating EventLog source

    ExceptionManagerInternalException in log
    >Application...
    >Creating EventLog source

    ExceptionManagerPublishedException in log
    >Application...
    >Committing assembly
    >'d:\sites\problem-

    management\wwwroot\cca\bin\microsoft.applicationblocks.exc
    eptionmanagement.dll'.
    >Affected parameters are:
    > assemblypath =
    >d:\sites\problem-

    management\wwwroot\cca\bin\microsoft.applicationblocks.exc
    eptionmanagement.dll
    > logfile =
    >d:\sites\problem-

    management\wwwroot\cca\bin\microsoft.applicationblocks.exc
    eptionmanagement.InstallLog
    >==============================
    >
    >BUT, when anything tries to throw an exception, we get

    the "dreaded":
    >=======================
    >"The event source ExceptionManagerInternalException does

    not exist and
    >cannot be created with the current permissions
    >======================
    >
    >WHAT is going on here? I have seen this error reported

    frequently, but
    >in most cases running the installutil seems to clear it

    up. Here, we
    >ran installutil, with apparent success to judge from the

    log, but we
    >still can't log an exception. I'm sure it is a

    permissions thing
    >somewhere, but where? As noted, this is a Win2000 sp3.
    >
    >Jim Ross
    >MS MVP [ASP.NET][VC/MFC emeritus]
    >
    >To send email, change 'lotsofspamthroughhere' to 'msn'

    but please ask all questions in the newsgroups, not via
    private mail
    >.
    >
    Joe Audette, Dec 9, 2003
    #6
  7. Jim Ross [MVP]

    MSFT Guest

    Hi Jim,

    There may be some other registry entries on which we need permission. To
    make sure this, you may use a tool "regmon" to trace the access to
    registry. It will log all access to registry. When the error occur, you can
    check its log to see if there is any permission denied error on the
    registry. For more information on this tool, you can browse to:

    www.systeminternals.com

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Dec 10, 2003
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    1
    Views:
    6,060
    Karl Seguin [MVP]
    Jul 11, 2006
  2. morrell
    Replies:
    1
    Views:
    938
    roy axenov
    Oct 10, 2006
  3. Replies:
    1
    Views:
    413
    benben
    Aug 7, 2005
  4. KDawg44
    Replies:
    1
    Views:
    268
    =?ISO-8859-1?Q?Arne_Vajh=F8j?=
    Jun 12, 2007
  5. helveticus
    Replies:
    1
    Views:
    282
    Alexey Smirnov
    Apr 29, 2010
Loading...

Share This Page