EventLog Access using impersonation in Windows Server 2003

[Guest]

Issue
Our web application requires access to write to a custom event log, yet access is denied. This access is denied because we are using impersonation, and our end-users do not (should not) have permissions to write to a custom event log. We would like to know if someone out there has resolved this problem without incorporating registry hacks, elevating end-user account permissions to admin OR calling native code to logon as the account running our Application Pool

Ideally, we would like to use our Application Pool account identity to create the event log entries and we do not mind providing the necessary permissions to this accoun

Details
-Web App hosted on Windows 2003 serve
-Web App is using a custom application pool, running under a specified identity
-Web App uses its own (custom) event lo
-Web App uses impersonation, thus we loose the application pool identity when trying to create an event log entr

 

[Steve C. Orr [MVP, MCSD]]

Hopefully this link will provide your answer:
http://support.microsoft.com/?id=329291

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net

Issue:
Our web application requires access to write to a custom event log, yet

access is denied. This access is denied because we are using impersonation,
and our end-users do not (should not) have permissions to write to a custom
event log. We would like to know if someone out there has resolved this
problem without incorporating registry hacks, elevating end-user account
permissions to admin OR calling native code to logon as the account running
our Application Pool.

Ideally, we would like to use our Application Pool account identity to

create the event log entries and we do not mind providing the necessary
permissions to this account

Details:
-Web App hosted on Windows 2003 server
-Web App is using a custom application pool, running under a specified identity
-Web App uses its own (custom) event log
-Web App uses impersonation, thus we loose the application pool identity

when trying to create an event log entry

 

[bruce barker]

try:

[DllImport("advapi32")] private extern static bool RevertToSelf();

WindowsIdentity id = WindowsIdentity.GetCurrent();
RevertToSelf();

// do your work here

id.Impersonate();


-- bruce (sqlwork.com)

Issue:
Our web application requires access to write to a custom event log, yet

access is denied. This access is denied because we are using impersonation,
and our end-users do not (should not) have permissions to write to a custom
event log. We would like to know if someone out there has resolved this
problem without incorporating registry hacks, elevating end-user account
permissions to admin OR calling native code to logon as the account running
our Application Pool.

Ideally, we would like to use our Application Pool account identity to

create the event log entries and we do not mind providing the necessary
permissions to this account

Details:
-Web App hosted on Windows 2003 server
-Web App is using a custom application pool, running under a specified identity
-Web App uses its own (custom) event log
-Web App uses impersonation, thus we loose the application pool identity

when trying to create an event log entry

 

[Scott Zabolotzky]

I'm having the same problem. Unfortunately the link provided does not
apply to my situation because I create the EventLog source in my
ASP.NET app installer. The problem is that even after the EventLog
source is created, my ASP.NET app can not log to the custom event
source when running under Windows Server 2003. It works fine under
Windows 2000.

Details:

ASP.NET app
impersonation=true in web.config
can not elevate user accounts to admin group just for logging

Any ideas? I've found several people asking for help with this
situation but no solutions offered.

Scott

 

[nosperantos]

As for writing to event log using ASP...

Hi,

I've mined Google through and through and dug up a million articles over a few days now. Nothing helped, especially not Microsoft documents.
I'm trying to use WSH objects from ASP code in order to write messages to the application event log. Logging on as administrator does the job, though using the IIS's user (IUSR_Whatever) or any other member of the guests group fails everytime due to lack of permissions.
I'm using plain old ASP (not .NET). And it's installed on IIS-6, Windows 2003.
My code looks as following:
-------------------------------------------------------------------------

<%@ Language=VBScript %>
<HTML>
<BODY>
<%
'Use these Constants to designate the type of Event Log.
const SUCCESS = 0
const ERROR = 1
const WARNING = 2
const INFORMATION = 4
const AUDIT_SUCCESS = 8
const AUDIT_FAILURE = 16

dim sessionID
sessionID = session.sessionID
dim WshShell
set WshShell = Server.CreateObject("WScript.Shell")
wshshell.Logevent AUDIT_SUCCESS, "Event logged successfully for session number "&sessionID
set wshshell=nothing
Response.write "Event logged successfully for session number "&sessionID
Session.Abandon

%>
</BODY>
</HTML>

-----------------------------------------------------------------------
No matter what changes I've made in registry, using SDDL permissions, security policy, permissions to event log file itself, it doesn't work :-(

Seems like no change to CustomSD works in registry.

My CustomSID key looks like this:

O:BAG:SYDD;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x2;;; S-1-5-21-1444055606-3596881769-3846073516-1007)

whereas S-1-5-21-1444055606-3596881769-3846073516-1007 is the user I use to run the script.
Is there something I'm missing here ?


Thank you very much to whoever answers my riddle.