Re: security exception within Microsoft Application Block ExceptionManager.vb

From: Hazzard (hazz_at_sonic.net)
Date: 05/29/03


Date: Thu, 29 May 2003 11:34:49 -0700


Yes, I found out I don't need impersonation. And after reviewing IIS
properties, I unchecked anonymous and the writing to the event log via the
ExceptionManagement Publisher is working now.

No need to pursue this further Matjaz. I am learning by doing and I am sure
some moment soon this will all become more clear to me.

Thanks for your help.

Greg

"Matjaz Ladava" <matjaz@_nospam_ladava.com> wrote in message
news:ucSWuygJDHA.2232@TK2MSFTNGP10.phx.gbl...
> I don't know if I understand your problem now. Why do you need
> impersonation? You could just leave impersonation out and leave the system
> to run under ASPNET account? Why do you need IUSR_... account?
> Do you need to authenticate users with windows authentication? If yes, then
> you have to uncheck anonymous, because anonymous will precede NTLM. Can you
> be more specific about what you are trying to achieve?
>
> Regards
>
> Matjaz Ladava
>
> "Hazzard" <hazz@sonic.net> wrote in message
> news:eT2nWcgJDHA.1760@TK2MSFTNGP09.phx.gbl...
> > I am still not getting it. I just 'unchecked' anonymous access with
> > username IUSR_TOSHIBA-USER and now I don't have a problem at that part of
> > the code that wants to write to the eventlog. Attached is a .jpg of that
> > part of the virtual directory security configuration setting that I too
> > often forget to check.
> >
> > I just don't get the connection yet. Kind of, sort of... but not like I
> > know how to make a curry.
> >
> > I did add the eventlog entry to the registry hive as indicated on page 174
> > of Building Secure ASP.NET Applications.
> >
> > Greg Hazzard
> >
> >
> > "Hazzard" <hazz@sonic.net> wrote in message
> > news:%23kWTW9WJDHA.2052@TK2MSFTNGP11.phx.gbl...
> > > Thank you Matjaz!
> > > Back to work. I am in the registry now.
> > > I guess I should have continued on into Building Secure ASP.NET....
> > > Page 174 and 175. Accessing the Event Log was right there in the table
> > > of contents.
> > > I will post a reply after I have reached the light at the other end.
> > > Thank you for the flashlight.
> > >
> > > Appreciatively,
> > > Greg Hazzard
> > >
> > > "Matjaz Ladava" <matjaz@_nospam_ladava.com> wrote in message
> > > news:e0TquLWJDHA.336@tk2msftngp13.phx.gbl...
> > > > If you set impersonation = true then you were impersonating the IUSR
> > > > account (if you had enabled anonymous on your IIS). To verify, use
> > > > WindowsIdentity.GetCurrent().Name in your ASP.NET application.
> > > > The ASPNET account doesn't have permission to create EventLogs, so it
> > > > is advised (also in the pdf you mentioned) to pre-create EventLogs by
> > > > installation program. Don't leave your ASP.NET application in charge
> > > > of creating Event logs.
> > > > Quote taken from Building Secure ASP.NET....
> > > >
> > > > Accessing the Event Log
> > > > Least privileged accounts have sufficient permissions to be able to
> > > > write records to the event log by using existing event sources.
> > > > However, they do not have sufficient permissions to create new event
> > > > sources. This requires a new entry to be placed beneath the following
> > > > registry hive.
> > > >
> > > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<log>
> > > >
> > > > To avoid this issue, create the event sources used by your application
> > > > at installation time, when administrator privileges are available. A
> > > > good approach is to use a .NET installer class, which can be
> > > > instantiated by the Windows Installer (if you are using .msi
> > > > deployment) or by the InstallUtil.exe system utility if you are not.
> > > >
> > > > If you are unable to create event sources at installation time, you
> > > > must add permission to the following registry key and grant access to
> > > > the ASP.NET process account (or any impersonated account if your
> > > > application uses impersonation).
> > > >
> > > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
> > > >
> > > > The account(s) must have the following minimum permissions:
> > > >
> > > > a. Query key value
> > > > b. Set key value
> > > > c. Create subkey
> > > > d. Enumerate subkeys
> > > > e. Notify
> > > > f. Read
> > > >
> > > > The following code can be used to write to the Application event log
> > > > from ASP.NET once permissions have been applied to the registry:
> > > >
> > > > string source = "Your Application Source";
> > > > string logToWriteTo = "Application";
> > > > string eventText = "Sample Event";
> > > >
> > > > if (!EventLog.SourceExists(source))
> > > > {
> > > >     EventLog.CreateEventSource(source, logToWriteTo);
> > > > }
> > > > EventLog.WriteEntry(source, eventText, EventLogEntryType.Warning, 234);
> > > >
> > > > Regards
> > > >
> > > > Matjaz Ladava
> > > >
> > > > "Hazzard" <hazz@sonic.net> wrote in message
> > > > news:u%23bR6CWJDHA.1656@TK2MSFTNGP10.phx.gbl...
> > > > > 70 KB .JPG attached as reference - Exhibit A.
> > > > >
> > > > > How do I solve this? Impersonation = true in machine.config or
> > > > > web.config does not work.
> > > > >
> > > > > I did remove ASP.NET from Group Administrator Policy - which not
> > > > > only did not solve the problem but also would likely give away the
> > > > > store in a virtual looting as I understand and do not want to ever
> > > > > test.
> > > > >
> > > > > I feel like I am a well-rounded solutions provider but moments like
> > > > > this put me in the 'developer in distress' category.
> > > > >
> > > > > I am getting better on the theory - impersonation - delegation -
> > > > > iis - IUSR - windows authentication --- but I am still in the paint
> > > > > by number mode here.
> > > > >
> > > > > I was ready to plunge back into the 608 pages of secnet.pdf -
> > > > > Building Secure ASP.NET Applications..well, I am plunging back into
> > > > > it as I write..
> > > > >
> > > > > but if someone can help....I would be very grateful. (shouldn't it
> > > > > be greatfull?) I would be full of great...
> > > > >
> > > > > Appreciatively,
> > > > >
> > > > > Greg Hazzard
>
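
Added example, not part of the original thread or of the quoted book: one way to apply the quoted guidance, with the event source created by an installer class under administrator rights and the web application only writing to it. The class names, the source name, and the TryWrite helper are assumptions; it targets the .NET Framework and needs a reference to System.Configuration.Install.dll.

```csharp
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;

// Install time (administrator): InstallUtil.exe or the .msi runs this class,
// which registers the source under ...\Services\Eventlog\Application.
[RunInstaller(true)]
public class AppEventSourceInstaller : Installer   // hypothetical class name
{
    public AppEventSourceInstaller()
    {
        EventLogInstaller logInstaller = new EventLogInstaller();
        logInstaller.Source = AppLog.Source;
        logInstaller.Log = AppLog.LogName;
        Installers.Add(logInstaller);
    }
}

// Run time (ASPNET or the impersonated account): write only, never create.
public static class AppLog                          // hypothetical helper
{
    public const string Source = "Your Application Source"; // assumed name
    public const string LogName = "Application";

    // Returns false instead of throwing when the current identity is not
    // allowed to write, e.g. because the source was never pre-created.
    public static bool TryWrite(string text, EventLogEntryType type, int eventId)
    {
        // Record which account the request actually runs as (ASPNET, IUSR_...,
        // or an authenticated Windows user), as suggested in the thread.
        string identity = WindowsIdentity.GetCurrent().Name;
        try
        {
            EventLog.WriteEntry(Source, text + " [identity: " + identity + "]",
                                type, eventId);
            return true;
        }
        catch (SecurityException)
        {
            // Fix the installer step rather than granting the web account
            // write access to the Eventlog registry key.
            return false;
        }
    }
}
```

Because the runtime path never calls CreateEventSource, the process account needs no extra rights on the Eventlog registry key.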