Cannot open log for source {0}. You may not have write access.
This message was discovered on microsoft.public.dotnet.framework.aspnet.security.
Magdelin
Hi,
I have hosted my .NET Remote application in IIS 6.0 on Win2K3. Application performs "Basic" authentication and identity is impersonated in web.config file. Errors and exceptions from the .net remote application are logged to a custom event log on the application server on which the application is hosted. The error logging fails with the message "Cannot open log for source {0}. You may not have write access.". Registry on the server already has a Key for both the custom event log and custom event source. I have granted read/write permission to the HKLM/CurrentControlSet/Services/Event log key in the registry and all its subkeys to all the users who might probably get impersonated in the application. I have also granted read/write permission to the above mentioned users for the <customeventlog>.evt file within the c:\windows\system32\config. But, the application still throws security exception with the message "Cannot open log for source {0}. You may not have write access." whenever the application tries to write the custom event log.
What would be the minimum set of permissions that have to be granted to the impersonated users in an ASP.NET application to allow the users to write to custom event logs set up on the application/web server?
Any quick response or pointers would be greatly appreciated.
Thanks in advance. Magdelin
[MSFT] (VIP)
GOOD ANSWER
Hello,
For such an issue, you may go to the following registry key:
HKEY_LOCAL_MACHINE/System/CurrentControlSet/Application
And locate the CustomSD key and add the following string to the existing value:
(A;;0x0002;;;AU)
A: SDDL_ACCESS_ALLOWED http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/ace_strings.asp
0x0002: ELF_LOGFILE_WRITE: Permission to write log files. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/event_logging_security.asp
AU: Authenticated Users http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/sid_strings.asp
Here are some related articles:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/event_logging_security.asp
http://msdn.microsoft.com/library/en-us/dncode/html/secure06122003.asp
Hope this helps,
Luke
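As an added illustration (not part of the thread and not Microsoft code), the Python sketch below decodes a CustomSD-style SDDL string, appends the ACE from the answer above only when an equivalent one is missing, and checks whether a given set of SIDs ends up with ELF_LOGFILE_WRITE. The sample descriptor, the token sets and the function names are constructed for the example.

```python
import re

ELF_LOGFILE_WRITE = 0x0002  # "Permission to write log files", as quoted in the answer
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")


def parse_dacl(sddl):
    """Return the DACL's ACEs, in order, as (type, mask, trustee) tuples."""
    match = DACL_RE.search(sddl)
    if not match:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        # Only numeric rights are handled, which is the form used on this page.
        aces.append((fields[0], int(fields[2], 16), fields[5]))
    return aces


def can_write(sddl, token_sids):
    """The first ACE that matches the token and covers the write bit decides."""
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee in token_sids and mask & ELF_LOGFILE_WRITE:
            return ace_type == "A"  # A = allow, D = deny
    return False  # no matching ACE: access is not granted


def add_ace(sddl, ace):
    """Append `ace` to the end of the DACL unless an equivalent ACE is present."""
    new = parse_dacl("D:" + ace)[0]
    if new in parse_dacl(sddl):
        return sddl
    end = DACL_RE.search(sddl).end(1)  # stay inside the DACL if a SACL follows
    return sddl[:end] + ace + sddl[end:]


# Constructed sample value in the shape of a CustomSD string (not from the thread).
SAMPLE_SD = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
# Constructed tokens, written as the SDDL aliases of the groups they carry.
USER_TOKEN = {"AU"}
GUESTS_MEMBER_TOKEN = {"AU", "BG"}  # a user also added to the local Guests group

if __name__ == "__main__":
    patched = add_ace(SAMPLE_SD, "(A;;0x0002;;;AU)")
    print(patched)
    print(can_write(SAMPLE_SD, USER_TOKEN), can_write(patched, USER_TOKEN))
    print(can_write(patched, GUESTS_MEMBER_TOKEN))  # earlier deny ACE still wins
```

Because AU matches every authenticated account, calling `add_ace` with a narrower trustee string and re-running `can_write` shows what a tighter grant would allow.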
Magdelin
Hi Luke,
Thanks for your reply. The SD (A;;0x0002;;;AU) worked when I added it to the existing CustomSD value in HKLM/CurrentControlSet/Services/EventLog/<CustomEventLog> key.
But, I have another problem on my web server regarding event logs. The web application also writes to the custom event log on the web server. But unlike the business component on the app server, web application is configured for basic authentication and identity is NOT impersonated. The application pool identity is set to NETWORK SERVICE account. The custom event log and event source is registered on the web server.
The web application was successfully logging errors to the custom event log on the web server with no additional privileges earlier. But, while troubleshooting the error that occurred on the app server, I added read/write privileges to the ASPNET a/c and N/W service a/c to the registry key HKLM/CurrentControlSet/Services/EventLog/<CustomEventLog>. Later, I discovered the problem was with the app server and removed the additional privileges from the above mentioned key. Now, I get an error "Registry access denied" whenever the web app tries to log errors to the custom event log. Now even if I re-grant read/write access to the same registry key, the "Registry access denied" error is repeated.
Any quick pointers will be greatly appreciated.
Thank you. Magdelin
[MSFT] (VIP)
Is the web server with IIS 6.0? If so, you need to grant permission to the NETWORK SERVICE account. You may temporarily add this account to the local administrators group to see if it will help. If so, it will still be a permission issue. I suggest you trace the registry and file access with two utilities: regmon and filemon. They can record any access to the registry and files. With them we can find what causes the access denied error. You can find free downloads of these two utilities: www.systeminternals.com
Luke
Magdelin
Thanks Luke. I discovered that it is not a permission problem after adding the n/w service a/c to the administrators group. I deleted and recreated the custom event log and it worked fine.
Thanks once again. Magdelin