EventLog Access using impersonation in Windows Server 2003

 
 
cjk
Guest
Posts: n/a
 
      04-01-2004
Issue:
Our web application requires access to write to a custom event log, yet access is denied. This access is denied because we are using impersonation, and our end-users do not (should not) have permissions to write to a custom event log. We would like to know if someone out there has resolved this problem without incorporating registry hacks, elevating end-user account permissions to admin OR calling native code to logon as the account running our Application Pool.

Ideally, we would like to use our Application Pool account identity to create the event log entries and we do not mind providing the necessary permissions to this account

Details:
-Web App hosted on Windows 2003 server
-Web App is using a custom application pool, running under a specified identity
-Web App uses its own (custom) event log
-Web App uses impersonation, thus we lose the application pool identity when trying to create an event log entry




 
 
 
 
 
Steve C. Orr [MVP, MCSD]
Guest
Posts: n/a
 
      04-02-2004
Hopefully this link will provide your answer:
http://support.microsoft.com/?id=329291

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
 
 
 
 
bruce barker
Guest
Posts: n/a
 
      04-02-2004
try:

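using System.Runtime.InteropServices;
using System.Security.Principal;

// P/Invoke declaration (goes at class level)
[DllImport("advapi32")] private extern static bool RevertToSelf();

// Remember the impersonated identity, then drop back to the process identity
WindowsIdentity id = WindowsIdentity.GetCurrent();
RevertToSelf();
try
{
    // do your work here
}
finally
{
    id.Impersonate(); // restore impersonation even if the work throws
}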


-- bruce (sqlwork.com)
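The same revert-and-restore pattern without a P/Invoke declaration, as an added example that is not part of the original posts: on the .NET Framework, WindowsIdentity.Impersonate(IntPtr.Zero) is equivalent to calling RevertToSelf. The helper name and its parameters are hypothetical, and the event source is assumed to exist already (created at install time by an administrator).

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;

public static class ProcessIdentityLog
{
    // Hypothetical helper: writes one entry as the process (application pool)
    // identity, then restores the impersonated caller even if the write throws.
    public static void Write(string source, string message, EventLogEntryType type)
    {
        // Impersonate(IntPtr.Zero) is the managed equivalent of RevertToSelf().
        WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            // Only the log write runs with the pool account's rights; keep all
            // request-driven work (file, database, network access) outside.
            EventLog.WriteEntry(source, message, type);
        }
        finally
        {
            ctx.Undo(); // back to the end user's identity
        }
    }
}
```

With this in place only the application pool account needs write access to the custom log; end users need none.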
 
Scott Zabolotzky
Guest
Posts: n/a
 
      04-08-2004

I'm having the same problem. Unfortunately the link provided does not
apply to my situation because I create the EventLog source in my
ASP.NET app installer. The problem is that even after the EventLog
source is created, my ASP.NET app can not log to the custom event
source when running under Windows Server 2003. It works fine under
Windows 2000.

Details:

ASP.NET app
impersonation=true in web.config
can not elevate user accounts to admin group just for logging

Any ideas? I've found several people asking for help with this
situation but no solutions offered.

Scott
 
nosperantos
Junior Member
Join Date: Nov 2006
Posts: 1
 
      11-01-2006
Hi,

I've mined Google through and through and dug up a million articles over a few days now. Nothing helped, especially not Microsoft documents.
I'm trying to use WSH objects from ASP code in order to write messages to the application event log. Logging on as administrator does the job, though using the IIS's user (IUSR_Whatever) or any other member of the guests group fails every time due to lack of permissions.
I'm using plain old ASP (not .NET). And it's installed on IIS-6, Windows 2003.
My code looks as follows:
-------------------------------------------------------------------------

<%@ Language=VBScript %>
<HTML>
<BODY>
<%
'Use these Constants to designate the type of Event Log.
const SUCCESS = 0
const ERROR = 1
const WARNING = 2
const INFORMATION = 4
const AUDIT_SUCCESS = 8
const AUDIT_FAILURE = 16

dim sessionID
sessionID = session.sessionID
dim WshShell
set WshShell = Server.CreateObject("WScript.Shell")
wshshell.Logevent AUDIT_SUCCESS, "Event logged successfully for session number "&sessionID
set wshshell=nothing
Response.write "Event logged successfully for session number "&sessionID
Session.Abandon

%>
</BODY>
</HTML>

-----------------------------------------------------------------------
No matter what changes I've made in registry, using SDDL permissions, security policy, permissions to event log file itself, it doesn't work.

Seems like no change to CustomSD works in registry.

My CustomSID key looks like this:

O:BAG:SYDD;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0x f0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU) (A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x2;;; S-1-5-21-1444055606-3596881769-3846073516-1007)

whereas S-1-5-21-1444055606-3596881769-3846073516-1007 is the user I use to run the script.
Is there something I'm missing here ?


Thank you very much to whoever answers my riddle.
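How a CustomSD of this shape is evaluated, as an added example that is not part of the original post: the DACL is walked in order, so the deny ACEs for AN (anonymous) and BG (Builtin Guests) are reached before an allow ACE appended at the end. The SDDL string and the account SID below are constructed, modelled on the value quoted above; the low mask bits 0x1, 0x2 and 0x4 are the event log read, write and clear rights. It assumes the .NET Framework on Windows.

```csharp
using System;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class EventLogSdCheck
{
    const int Write = 0x2; // event log rights: 0x1 read, 0x2 write, 0x4 clear

    // Walk the DACL in order, as Windows does: a matching deny ACE that covers
    // a still-needed right ends the check, even if a later ACE would allow it.
    static bool IsGranted(RawSecurityDescriptor sd, SecurityIdentifier[] tokenSids, int desired)
    {
        int remaining = desired;
        foreach (CommonAce ace in sd.DiscretionaryAcl.OfType<CommonAce>())
        {
            if (!tokenSids.Contains(ace.SecurityIdentifier)) continue;
            if (ace.AceQualifier == AceQualifier.AccessDenied && (ace.AccessMask & remaining) != 0)
                return false;
            if (ace.AceQualifier == AceQualifier.AccessAllowed)
                remaining &= ~ace.AccessMask;
            if (remaining == 0) return true;
        }
        return false; // rights never granted by any ACE are denied
    }

    static void Main()
    {
        // Constructed SID standing in for the account that runs the script.
        var user = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1007");
        var guests = new SecurityIdentifier(WellKnownSidType.BuiltinGuestsSid, null);

        // Constructed, well-formed CustomSD with an allow-write ACE appended for the account.
        var sd = new RawSecurityDescriptor(
            "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)" +
            "(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x2;;;" + user.Value + ")");

        // List every ACE so the effective order is visible.
        foreach (CommonAce ace in sd.DiscretionaryAcl.OfType<CommonAce>())
            Console.WriteLine("{0,-13} 0x{1:x5}  {2}", ace.AceQualifier, ace.AccessMask, ace.SecurityIdentifier);

        // Same account, evaluated without and with Builtin Guests in its token.
        Console.WriteLine("account alone:     write = {0}", IsGranted(sd, new[] { user }, Write));
        Console.WriteLine("account in Guests: write = {0}", IsGranted(sd, new[] { user, guests }, Write));
    }
}
```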