Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Exception manegement application block can't write to Windows server 2003

Reply
Thread Tools

Exception manegement application block can't write to Windows server 2003

 
 
Lucas
Guest
Posts: n/a
 
      11-26-2003
Hi,
I have an ASP.Net application written with VS.Net 2002 (Net FWK 1.0). This
Web Application uses Exception Management Application Block to log Events to
Windows Event Log. We registered the Exception Management Application Block
using installutil.
Our Application uses impersonation and used to work fine on Windows 2000
Server.

Now we installed it on a Windows Server 2003 and when an exception is
raised, we get an "Access is denied" error when the application tries to log
the Exception to Event Log.

At the bottom you'll find the Stack Trace.

Any idea will be welcome

LucasC


Win32Exception (0x80004005): Access is denied]

[InvalidOperationException: Cannot open log for source {0}. You may not have
write access.]
System.Diagnostics.EventLog.OpenForWrite() +366
System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
EventLogEntryType type, String[] strings, Byte[] rawData) +280
System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType
type, Int32 eventID, Int16 category, Byte[] rawData) +463
System.Diagnostics.EventLog.WriteEntry(String source, String message,
EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +68
System.Diagnostics.EventLog.WriteEntry(String source, String message,
EventLogEntryType type, Int32 eventID, Int16 category) +21
System.Diagnostics.EventLog.WriteEntry(String source, String message,
EventLogEntryType type, Int32 eventID) +15
System.Diagnostics.EventLog.WriteEntry(String source, String message,
EventLogEntryType type) +11

Microsoft.ApplicationBlocks.ExceptionManagement.De faultPublisher.WriteToLog(
String entry, EventLogEntryType type) +33

Microsoft.ApplicationBlocks.ExceptionManagement.De faultPublisher.Publish(Exc
eption exception, NameValueCollection additionalInfo, NameValueCollection
configSettings) +1758

Microsoft.ApplicationBlocks.ExceptionManagement.Ex ceptionManager.PublishInte
rnalException(Exception exception, NameValueCollection additionalInfo) +76

Microsoft.ApplicationBlocks.ExceptionManagement.Ex ceptionManager.Publish(Exc
eption exception, NameValueCollection additionalInfo) +1934



 
Reply With Quote
 
 
 
 
Jacob Yang [MSFT]
Guest
Posts: n/a
 
      11-27-2003
Hi Lucas,

Based on the error message, this issue is a permission issue.

Firstly please check which account is used to run the ASP.NET application.
Is it the Network_Service account? Please check the w3wp.exe process in the
task manager.

Then please grant the account "Full Control" permission to the event log
folder and test this issue again.

I hope it helps.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 
Reply With Quote
 
 
 
 
Lucas
Guest
Posts: n/a
 
      11-27-2003
The w3wp.exe is running with Network_Service account. We set "Full Control"
to the event Log Folder (windows\ system32\config IS OK?) to Network_Service
and to my own user (because we are using Impersonation and Integrated
Security).
We get the same error.
Can it be caused because our Web Application was developed with Net FWK 1.0
and we are using Win 2003 (Net FWK 1.1)?
Can it be a new security policy of Win 2003? (remember it works fine on Win
2000)

Thanks

Lucas

"Jacob Yang [MSFT]" <(E-Mail Removed)> escribió en el mensaje
news:Y%(E-Mail Removed)...
> Hi Lucas,
>
> Based on the error message, this issue is a permission issue.
>
> Firstly please check which account is used to run the ASP.NET application.
> Is it the Network_Service account? Please check the w3wp.exe process in

the
> task manager.
>
> Then please grant the account "Full Control" permission to the event log
> folder and test this issue again.
>
> I hope it helps.
>
> Best regards,
>
> Jacob Yang
> Microsoft Online Partner Support
> Get Secure! ¨C www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
>



 
Reply With Quote
 
Jacob Yang [MSFT]
Guest
Posts: n/a
 
      11-28-2003
Hi Lucas,

Thank you for your update.

You are right that the security policy in Windows Server 2003 is very
different with Windows 2000. Based on my research and experience, please
try the following solutions.

1. Grant the NETWORK_SERVICE account and your user account read permissions
to the \VSWebCache folder. To do this, follow these steps:

1) In Windows Explorer, locate C:\Documents and Settings\<Username>.
2) Right-click the "VSWebCache" folder, and then click "Properties".
3) On the "Security" tab, click "Add".
4) In the "Select Users or Groups" box, type "<Servername>\NETWORK_SERVICE"
(without the quotation marks) in the "Select Users or Groups" box.
5) Click "OK".
6) Make sure that the "Read & Execute" check box is selected, and then
click "OK".

Do the same steps for your user account.

2. Please try to add the NETWORK_SERVICE account and your user account to
the administrators group.

3. If the above two solutions do not work, we need to use the Filemon and
Regmon to check what really caused the "Access is denied" error.

Filemon
http://www.sysinternals.com/ntw2k/source/filemon.shtml

Regmon
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Note:
The third-party products that are discussed in this article are
manufactured by companies that are independent of Microsoft. Microsoft
makes no warranty, implied or otherwise, regarding the performance or
reliability of these products.

I hope it helps.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 
Reply With Quote
 
Lucas
Guest
Posts: n/a
 
      11-28-2003
Jacob,
1. I couldn't find VSWebCache folder. This is a VS.Net folder, isn't it? My
Win server 2003 is for testing purposes and doesn't has VS.
2. If I add myself to Administrators group of the win server 2003. Event Log
is written correctly. I can't use this solution in Production environments.


I tried adding myself to Power Users group but nothing happened. I tried
given Full Control to C:\WINDOWS\system32\config (where app log resides) to
Everyone user and my own user but nothing happens.

Summary:
The only way it works (write in event log) is when I was part of
Administrators group, but this is not a valid scenario. This help me to know
that this is just a security issue. As I said before, it works fine in Win
2000 so I suppose it must work fine here too.

Any other idea?

Thanks

LucasC

"Jacob Yang [MSFT]" <(E-Mail Removed)> escribió en el mensaje
news:(E-Mail Removed)...
> Hi Lucas,
>
> Thank you for your update.
>
> You are right that the security policy in Windows Server 2003 is very
> different with Windows 2000. Based on my research and experience, please
> try the following solutions.
>
> 1. Grant the NETWORK_SERVICE account and your user account read

permissions
> to the \VSWebCache folder. To do this, follow these steps:
>
> 1) In Windows Explorer, locate C:\Documents and Settings\<Username>.
> 2) Right-click the "VSWebCache" folder, and then click "Properties".
> 3) On the "Security" tab, click "Add".
> 4) In the "Select Users or Groups" box, type

"<Servername>\NETWORK_SERVICE"
> (without the quotation marks) in the "Select Users or Groups" box.
> 5) Click "OK".
> 6) Make sure that the "Read & Execute" check box is selected, and then
> click "OK".
>
> Do the same steps for your user account.
>
> 2. Please try to add the NETWORK_SERVICE account and your user account to
> the administrators group.
>
> 3. If the above two solutions do not work, we need to use the Filemon and
> Regmon to check what really caused the "Access is denied" error.
>
> Filemon
> http://www.sysinternals.com/ntw2k/source/filemon.shtml
>
> Regmon
> http://www.sysinternals.com/ntw2k/source/regmon.shtml
>
> Note:
> The third-party products that are discussed in this article are
> manufactured by companies that are independent of Microsoft. Microsoft
> makes no warranty, implied or otherwise, regarding the performance or
> reliability of these products.
>
> I hope it helps.
>
> Best regards,
>
> Jacob Yang
> Microsoft Online Partner Support
> Get Secure! ¨C www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
>



 
Reply With Quote
 
Lucas
Guest
Posts: n/a
 
      11-28-2003
In order to Add something, I found this article
(http://msdn.microsoft.com/library/de...-us/dnnetsec/h
tml/THCMCh19.asp)
If you go to the Event Log section it says:

"Least privileged accounts, such as ASPNET, have sufficient permissions to
be able to write records to the event log using existing event sources."

Thanks

LucasC

"Lucas" <(E-Mail Removed)> escribió en el mensaje
news:(E-Mail Removed)...
> Jacob,
> 1. I couldn't find VSWebCache folder. This is a VS.Net folder, isn't it?

My
> Win server 2003 is for testing purposes and doesn't has VS.
> 2. If I add myself to Administrators group of the win server 2003. Event

Log
> is written correctly. I can't use this solution in Production

environments.
>
>
> I tried adding myself to Power Users group but nothing happened. I tried
> given Full Control to C:\WINDOWS\system32\config (where app log resides)

to
> Everyone user and my own user but nothing happens.
>
> Summary:
> The only way it works (write in event log) is when I was part of
> Administrators group, but this is not a valid scenario. This help me to

know
> that this is just a security issue. As I said before, it works fine in Win
> 2000 so I suppose it must work fine here too.
>
> Any other idea?
>
> Thanks
>
> LucasC
>
> "Jacob Yang [MSFT]" <(E-Mail Removed)> escribió en el mensaje
> news:(E-Mail Removed)...
> > Hi Lucas,
> >
> > Thank you for your update.
> >
> > You are right that the security policy in Windows Server 2003 is very
> > different with Windows 2000. Based on my research and experience, please
> > try the following solutions.
> >
> > 1. Grant the NETWORK_SERVICE account and your user account read

> permissions
> > to the \VSWebCache folder. To do this, follow these steps:
> >
> > 1) In Windows Explorer, locate C:\Documents and Settings\<Username>.
> > 2) Right-click the "VSWebCache" folder, and then click "Properties".
> > 3) On the "Security" tab, click "Add".
> > 4) In the "Select Users or Groups" box, type

> "<Servername>\NETWORK_SERVICE"
> > (without the quotation marks) in the "Select Users or Groups" box.
> > 5) Click "OK".
> > 6) Make sure that the "Read & Execute" check box is selected, and then
> > click "OK".
> >
> > Do the same steps for your user account.
> >
> > 2. Please try to add the NETWORK_SERVICE account and your user account

to
> > the administrators group.
> >
> > 3. If the above two solutions do not work, we need to use the Filemon

and
> > Regmon to check what really caused the "Access is denied" error.
> >
> > Filemon
> > http://www.sysinternals.com/ntw2k/source/filemon.shtml
> >
> > Regmon
> > http://www.sysinternals.com/ntw2k/source/regmon.shtml
> >
> > Note:
> > The third-party products that are discussed in this article are
> > manufactured by companies that are independent of Microsoft. Microsoft
> > makes no warranty, implied or otherwise, regarding the performance or
> > reliability of these products.
> >
> > I hope it helps.
> >
> > Best regards,
> >
> > Jacob Yang
> > Microsoft Online Partner Support
> > Get Secure! ¨C www.microsoft.com/security
> > This posting is provided "as is" with no warranties and confers no

rights.
> >

>
>



 
Reply With Quote
 
Jacob Yang [MSFT]
Guest
Posts: n/a
 
      12-01-2003
Hi Lucas,

Thank you for your update.

You are right that the VSWebCache folder is a VS.Net folder.

As I have mentioned before, this issue is a permission issue. I am not sure
about what the exact permissions are needed for this issue so I suggest
using the administrator. Thank you for your understanding.

Since you cannot accept the administrator solution, we need to use the
Filemon and Regmon to check what really caused the "Access is denied"
error. Have you tried them?

Filemon
http://www.sysinternals.com/ntw2k/source/filemon.shtml

Regmon
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Note:
The third-party products that are discussed in this article are
manufactured by companies that are independent of Microsoft. Microsoft
makes no warranty, implied or otherwise, regarding the performance or
reliability of these products.

I hope it helps.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 
Reply With Quote
 
mattsmith321
Guest
Posts: n/a
 
      12-06-2003

Hi Lucas,

I am encountering the exact same scenario in my app: Impersonating a
user from a lower-privileged group does not writing to the Event Log.
Have you had any luck since your last post? I went ahead and tried the
FileMon and RegMon, but didn't see anything that indicated specifically
what was going wrong.

I know that there are numerous articles out there that address similar
situations and they seem to recommend wrapping the code that needs the
permissions with some combination of Assert/Demand. However, I keep
holding out for an easier solution before embarking on that path.


mattsmith321
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message118170.html

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Fo:Block can you check to see if a block contains any text by using the block id? morrell XML 1 10-10-2006 07:18 PM
Help with Server 2003 x64 and Exchange 2003 install - deploy block =?Utf-8?B?VG9tIERpZw==?= Windows 64bit 2 03-20-2006 06:55 PM
Problem in using Microsoft Exception Block code in Windows 2003 se =?Utf-8?B?SGVnZGVT?= ASP .Net 0 09-15-2004 12:05 PM
Exception manegement application block can't write to Windows server 2003 Lucas ASP .Net Security 6 01-06-2004 06:10 PM



Advertisments