Permission denied when writing to eventlog from global.asa

I'm trying to log to the eventlog when a session dies on the IIS.
First I had problems writing to the event log from the application, but after adding

(A;;0x2;;;S-1-5-21-1235689106-1732415182-1711286387-513)

(where the SID is the SID of the "Domain Users" group) to HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/EventLog/Application and the CustomSD key, it worked fine.

When I log from an ASP page, eventlog writes an event with WSH as "Source", but when I'm trying to log from global.asa Session_OnEnd I get permission denied and Active Server Pages as "Source".

Which permission should I change to get this working?

Hi,
If the ASP page allows anonymous access, its identity should be the IUSR_<machinename> account (can be viewed in Computer Management). This is a local account which shouldn't be in Domain Users. So you will need to change the CustomSD with its SID. Also you may remove IUSR from the Guests group (by default it's in Guests). As I know, accounts included in Guests may be restricted to write event log as well.

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks for helping out!
We don't allow anonymous access to the page. That is, we have unchecked the box "Enable anonymous access" on the "Directory Security" tab on the website configuration.

How do I do it then? Is it maybe still the IUSR-MACHINENAME account that tries to write to the log?

Thanks!

"WenJun Zhang[msft]" wrote:

> Hi,
>
> If the ASP page allows anonymous access, its identity should be
> IUSR_<machinename> account (can be viewed in computer management).
> This is local account which shouldn't be in domain users. So you will
> need to change the CustomSD with its sid. Also you may remove IUSR
> from guests group (by default it's in guests). As I know, accounts
> included in guests may be restricted to write event log as well.
>
> Thanks.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.

If so, the authenticated user account must have permission to write
event log. Have you tried only using Basic authentication (or integrated) and then using your administrator credential to access the ASP page? Will the event writing work properly?

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Hmmm. I'll try to verify. At first, writing to the event log didn't work
except for those users with administrator credentials on the server. What we did then was to edit the CustomSD key to allow also "Domain Users" to write to the event log. Then everything worked!

The problem is now that if any user "times out" (after 5 minutes) we want to write that to the event log, and that is done in the "Session_OnEnd" portion of global.asa. But when that occurs all we get is a "permission denied" in the event log. So apparently the user that is surfing the page (and had a timeout) is no longer the user writing to the event log since we got a Permission Denied, something we don't get when the user is active on the page.

So the question is: Which user writes to the event log when a timeout occurs and the code that is writing to the log is in the "Session_OnEnd" portion of global.asa?

OR.. is there any other solution for us that you recommend to get a message to the event log stating that the user ran into a timeout?

"WenJun Zhang[msft]" wrote:

> If so, the authenticated user account must have permission to write
> event log. Have you tried only using Basic authentication(or
> integrated) and then use your administrator credential to access the
> ASP page. Will the event writing works properly?
>
> Thanks.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.

Maybe this is caused by a known bug. In Session_OnEnd, the running
context could be reverted to process identity, i.e. IWAM_<servername> or Local System.

BUG: Session_OnEnd Changes Security Context of InProcess Component
http://support.microsoft.com/kb/q243828/

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

It's solved! Thank you very much for pointing me to the right direction.
After trying to allow some more SIDs to write to the eventlog (IWAM_SERVERNAME, IUSR_SERVERNAME, LOCALSYSTEM) but still didn't get it to work, I finally realized that I earlier allowed the Anonymous (AN) to write to the log:

(D;;0xf0002;;;AN)

but it should have been Built-In Guests (BG):

(A;;0xf0002;;;BG)

And then it worked!

So, the solution to allow Domain Users to write to the Event Log and also Built-In groups which is used on Session_OnEnd, we now have the following string and it works perfect!

O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0xf0002;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x2;;;S-1-5-21-1235689106-1791386253-4322286387-513)

Thanks again for helping out. Hopefully in the next version of Windows they will make it easier to administrate rights to the event log.

"WenJun Zhang[msft]" wrote:

> Maybe this is caused by a known bug. In Session_OnEnd, the running
> context could be reverted to process identity - i.e:
> IWAM_<servername> or Local System.
>
> BUG: Session_OnEnd Changes Security Context of InProcess Component
> http://support.microsoft.com/kb/q243828/
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.

I'm glad to have been some help. :-)

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Hi again,
There's still a problem with this! Every night it stops working. All we have to do is reboot and then it starts working again until the next night, when it stops working again and we get a Permission Denied.

Before rebooting I made sure that the setting is still correct, which is (A;;0xf0002;;;BG). So I don't change ANYTHING before I reboot, and after the reboot it starts working again.

I've tried doing a gpupdate /force during the daytime but it doesn't stop working when I do that. So can it still be because of the GPO settings getting applied at night?

The error message we get in the morning is:

Event Type: Warning
Event Source: Active Server Pages
Event Category: None
Event ID: 9
Date: 2005-06-27
Time: 08:34:02
User: N/A
Description:
Warning: IIS log failed to write entry, File /LM/W3SVC/18856186/Root/global.asa Line 52 Permission denied. .

"WenJun Zhang[msft]" wrote:

> I'm glad to have been some help. :-)
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.

Good day:

I am running a dual processor on a standalone server, Windows 2003 SP1 and all the hot fixes. The only applications running on this server are IIS6, FTP and SQL 2000.

I have the same problem with the server: it stops working every night, which is really frustrating.

This is the error in the event log:

Warning: IIS log failed to write entry, File /LM/W3SVC/766998546/Root/global.asa Line 10 Operation is not allowed when the object is open..

Warning: IIS log failed to write entry, File /LM/W3SVC/766998546/Root/global.asa Line 10 Object required: 'conn'.

I have searched for this file in the Inetpub folder but I got over 50 global.asa files.

I have looked at the posted fix. Truly I did not understand where I make the change; is it in the registry? I think it is referring to AD, Domain and GPO issues, but this server is standalone and has never been part of a domain.

I would appreciate any help. Many thanks in advance.

Mon

*** Sent via Developersdex http://www.developersdex.com ***

Hi,

This has nothing to do with GPOs or domains as far as I can tell.

Locate the website that has the ID 766998546 (you can do this in the IIS Manager)
In the root folder for that website, locate the global.asa file
Post the first 10 lines of that file

Cheers
Ken

"Moncef Jawadi" <jawa***@yahoo.com> wrote in message news:uJcobf1JGHA.2628@TK2MSFTNGP15.phx.gbl...
:
: Good day:
:
: I am running a dual processor on standalone server, Windows 2003 SP1
: and all the hot fixes, The only application is running on this server
: is, IIS6, FTP and SQL 2000.
: I have the same problem with the server it stop working every night is
: real frustrating
: This is the error in the event log
:
: Warning: IIS log failed to write entry, File
: /LM/W3SVC/766998546/Root/global.asa Line 10 Operation is not allowed
: when the object is open..
:
: Warning: IIS log failed to write entry, File
: /LM/W3SVC/766998546/Root/global.asa Line 10 Object required: 'conn'.
:
: I have searched for this file in the Inetpub folder but I got over 50
: global.asa files
:
: I have looked at the posted fix, Truly I did not understand where do I
: make the change, is it in the registry? I think it is referring to AD,
: Domain and GPO issues but this server is standalone and never been part
: of domain.
:
: I would appreciate any help many thanks in advance.
:
: Mon
:
: *** Sent via Developersdex http://www.developersdex.com ***

I did follow the suggestion http://support.microsoft.com/kb/q243828/
But unfortunately the server still stops responding. Even if I run IISreset the web service still would not respond; I have to reboot the server before I get the web sites back running.

In the event log I see the following error:

Source: Active Server Pages
Event ID: 9
Description:
Warning: IIS log failed to write entry, File /LM/W3SVC/766998546/Root/global.asa Line 10 Object required: 'conn'. .

Followed by a second error:

Source: Active Server Pages
Event ID: 9
Description:
Warning: IIS log failed to write entry, File /LM/W3SVC/766998546/Root/global.asa Line 10 Operation is not allowed when the object is open.. .

I do have at least 2 sites on this server, and many sites have their own Global.asa.

This is the Global.asa in the wwwroot:

Global.asa

'Line 0
<OBJECT
RUNAT="Server"
SCOPE="Application"
ID="conquerChatUsers"
PROGID="Scripting.Dictionary">
</OBJECT>

<OBJECT
RUNAT="Server"
SCOPE="Application" 'this is line 10'
ID="conquerChatRooms"
PROGID="Scripting.Dictionary">
</OBJECT>

<OBJECT
RUNAT="Server"
SCOPE="Application"
ID="conquerChatMessages"
PROGID="Scripting.Dictionary">
</OBJECT>
'Line 20

I have uninstalled the IIS and reinstalled it, no success.

Any suggestion will be much, much appreciated as I am pulling my hair.

*** Sent via Developersdex http://www.developersdex.com ***

Hi,

Please see my previous response to your problem.

Cheers
Ken

"Moncef Jawadi" <jawa***@yahoo.com> wrote in message news:%2318HYZdKGHA.1180@TK2MSFTNGP09.phx.gbl...
:
: I did follow the suggestion http://support.microsoft.com/kb/q243828/
: But Unfortunately the server still stop responding. even I run IISreset
: the web service still would not respond, I have to reboot the server
: before I get the web sites back running.
:
:
: In the event log I see the following error
: Source: Active Server Pages
: Event ID: 9
: Description:
: Warning: IIS log failed to write entry, File
: /LM/W3SVC/766998546/Root/global.asa Line 10 Object required: 'conn'. .
:
: Followed by second error
:
: Source: Active Server Pages
: Event ID: 9
: Description:
: Warning: IIS log failed to write entry, File
: /LM/W3SVC/766998546/Root/global.asa Line 10 Operation is not allowed
: when the object is open.. .
:
:
: I do have at least 2 site on this server, and many sites they do have
: their Global.asa
:
: This the Global.asa in the wwwroot
: Global.asa
:
: 'Line 0
: <OBJECT
: RUNAT="Server"
: SCOPE="Application"
: ID="conquerChatUsers"
: PROGID="Scripting.Dictionary">
: </OBJECT>
:
: <OBJECT
: RUNAT="Server"
: SCOPE="Application" 'this is line 10'
: ID="conquerChatRooms"
: PROGID="Scripting.Dictionary">
: </OBJECT>
:
: <OBJECT
: RUNAT="Server"
: SCOPE="Application"
: ID="conquerChatMessages"
: PROGID="Scripting.Dictionary">
: </OBJECT>
: 'Line 20
:
:
: I have uninstalled the IIS and reinstalled it, no success.
:
: Any suggestion will be much, much appreciated as I am pulling my hair
:
:
: *** Sent via Developersdex http://www.developersdex.com ***
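
The CustomSD string posted earlier in this thread can be read ACE by ACE to see who may read (0x1), write (0x2) or clear (0x4) the log. The following is an added example, not code from any poster in the thread: it decodes that string and runs a simplified, in-order access check. Assumptions: tokens are modelled as plain sets of SDDL aliases or SIDs, and the variant without the BG ACE is constructed for comparison.

```python
import re

# Event log access bits carried in the low part of each ACE mask.
ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4
# SDDL aliases and the well-known SID that appear in the posted string.
ALIASES = {"AN": "Anonymous Logon", "BG": "Built-in Guests",
           "SY": "Local System", "BA": "Built-in Administrators",
           "SO": "Server Operators", "IU": "Interactive",
           "SU": "Service", "S-1-5-3": "Batch"}
ACE_RE = re.compile(r"\(([AD]);[^;]*;(0x[0-9a-fA-F]+);[^;]*;[^;]*;([^)]+)\)")

# CustomSD value as posted in the thread.
POSTED = ("O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0xf0002;;;BG)(A;;0xf0007;;;SY)"
          "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)"
          "(A;;0x3;;;S-1-5-3)"
          "(A;;0x2;;;S-1-5-21-1235689106-1791386253-4322286387-513)")
# Constructed variant for comparison: same string minus the BG ACE.
WITHOUT_BG = POSTED.replace("(A;;0xf0002;;;BG)", "")
DOMAIN_USERS = "S-1-5-21-1235689106-1791386253-4322286387-513"

def parse_dacl(sddl):
    """Ordered (type, mask, trustee) tuples for every allow/deny ACE."""
    return [(m.group(1), int(m.group(2), 16), m.group(3))
            for m in ACE_RE.finditer(sddl)]

def describe(sddl):
    """One readable line per ACE, limited to the event log rights."""
    names = ((ELF_READ, "read"), (ELF_WRITE, "write"), (ELF_CLEAR, "clear"))
    return ["%s %s: %s" % ("allow" if t == "A" else "deny",
                           ALIASES.get(who, who),
                           "+".join(n for bit, n in names if mask & bit))
            for t, mask, who in parse_dacl(sddl)]

def access_check(sddl, token_sids, desired):
    """Simplified access check: ACEs are evaluated in order, a matching deny
    on a still-needed bit fails, allows accumulate until nothing is needed."""
    remaining = desired
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee not in token_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
            if remaining == 0:
                return True
    return False

if __name__ == "__main__":
    print("\n".join(describe(POSTED)))
    for label, sd in (("posted", POSTED), ("without BG", WITHOUT_BG)):
        print(label, "-> Guests write:", access_check(sd, {"BG"}, ELF_WRITE))
```

Because the deny ACE for AN comes first, a token that carries both AN and BG is still refused, which is why the ACE type (A versus D) matters as much as the trustee when editing CustomSD.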