Permission denied when writing to eventlog from global.asa

on 02.06.2005 15:55:10 by jonasback

I'm trying to log to the eventlog when a session dies on the IIS.

First I had problems writing to the event log from the application but after
adding (A;;0x2;;;S-1-5-21-1235689106-1732415182-1711286387-513) (where the
SID is the SID of the "Domain Users"-group) to
HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/EventLog/Application and
the CustomSD-key it worked fine.

When I log from an asp page, eventlog writes an event and WSH as "Source",
but when I'm trying to log from global.asa Session_OnEnd I get permission
denied and Active Server Pages as "Source".

Which permission should I change to get this working?

RE: Permission denied when writing to eventlog from global.asa

on 03.06.2005 10:28:43 by v-wzhang

Hi,

If the ASP page allows anonymous access, its identity should be
IUSR_ account (can be viewed in computer management).
This is local account which shouldn't be in domain users. So you will
need to change the CustomSD with its sid. Also you may remove IUSR
from guests group (by default it's in guests). As I know, accounts
included in guests may be restricted to write event log as well.

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.

RE: Permission denied when writing to eventlog from global.asa

on 03.06.2005 12:40:03 by jonasback

Thanks for helping out!

We don't allow anonymous access to the page. That is - we have unchecked the
box "Enable anonymous access" on the "Directory Security" tab on the website
configuration. How do I do it then?

Is it maybe still the IUSR-MACHINENAME account that tries to write to the log?

Thanks!



RE: Permission denied when writing to eventlog from global.asa

on 06.06.2005 11:46:08 by v-wzhang

If so, the authenticated user account must have permission to write
to the event log. Have you tried using only Basic authentication (or
integrated) and then using your administrator credentials to access the
ASP page? Will the event writing work properly?

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support


RE: Permission denied when writing to eventlog from global.asa

on 08.06.2005 09:23:02 by jonasback

Hmmm. I'll try to verify. At first, writing to the event log didn't work
except for those users with administrator credentials on the server. What we
did then was to edit the CustomSD-key to allow also "Domain Users" to write
to the event log. Then everything worked!

The problem is now that if any user "times out" (after 5 minutes) we want to
write that to the event log and that is done in the "Session_OnEnd" portion of
global.asa. But when that occurs all we get is a "permission denied" in the
event log. So apparently - the user that is surfing the page (and had a
timeout) is no longer the user writing to the event log since we got a
Permission Denied, something we don't get when the user is active on the
page. So the question is: Which user writes to the event log when a timeout
occurs and the code that is writing to the log is in the "Session_OnEnd" portion
of global.asa?

OR.. is there any other solution for us that you recommend to get a message
to the event log stating that the user ran into a timeout?


RE: Permission denied when writing to eventlog from global.asa

on 09.06.2005 11:05:28 by v-wzhang

Maybe this is caused by a known bug. In Session_OnEnd, the running
context could be reverted to process identity - i.e:
IWAM_ or Local System.

BUG: Session_OnEnd Changes Security Context of InProcess Component
http://support.microsoft.com/kb/q243828/

Best regards,

WenJun Zhang
Microsoft Online Partner Support


RE: Permission denied when writing to eventlog from global.asa

on 10.06.2005 10:33:03 by jonasback

It's solved! Thank you very much for pointing me in the right direction.

After trying to allow some more SIDs to write to the eventlog
(IWAM_SERVERNAME, IUSR_SERVERNAME, LOCALSYSTEM) but still not getting it to
work, I finally realized that I had earlier allowed the Anonymous (AN) to write to
the log:
(D;;0xf0002;;;AN)
but it should have been Built-In Guests (BG):
(A;;0xf0002;;;BG)
And then it worked!

So, the solution to allow Domain Users to write to the Event Log and also
Built-In-groups which is used on Session_OnEnd, we now have the following
string and it works perfectly!
O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0xf0002;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x2;;;S-1-5-21-1235689106-1791386253-4322286387-513)

Thanks again for helping out. Hopefully in the next version of Windows they
will make it easier to administrate rights to the event log.



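The ACE ordering that the solved post above relies on, as an added example that is not part of the original thread: it parses the poster's final CustomSD string and walks the DACL in order, the way an access check does. The token sets and the GUESTS_DENIED_SD variant are constructed for illustration; 0x1, 0x2 and 0x4 are the event log read, write and clear rights.

```python
import re

# Event-log-specific access bits (low bits of each ACE mask).
READ, WRITE, CLEAR = 0x1, 0x2, 0x4
# ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([AD]);[^;]*;(0x[0-9A-Fa-f]+);[^;]*;[^;]*;([^)]+)\)")

# CustomSD string from the thread, with the extraction spaces removed.
DOMAIN_USERS = "S-1-5-21-1235689106-1791386253-4322286387-513"
FINAL_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0xf0002;;;BG)(A;;0xf0007;;;SY)"
            "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)"
            "(A;;0x3;;;S-1-5-3)(A;;0x2;;;" + DOMAIN_USERS + ")")
# Constructed variant for comparison: Built-in Guests denied instead of allowed.
GUESTS_DENIED_SD = FINAL_SD.replace("(A;;0xf0002;;;BG)", "(D;;0xf0007;;;BG)")

def parse_dacl(sddl):
    """Return the DACL's ACEs in order as (type, mask, trustee) tuples."""
    dacl = sddl.partition("D:")[2]
    return [(t, int(m, 16), who) for t, m, who in ACE_RE.findall(dacl)]

def access_check(sddl, token_sids, desired):
    """Walk the ACEs in order; the first ACE matching a requested bit decides it."""
    remaining = desired
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee not in token_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False            # a deny ACE hit a bit still being requested
        if ace_type == "A":
            remaining &= ~mask      # bits granted by this allow ACE
            if remaining == 0:
                return True
    return False                    # some requested bit was never granted

# Constructed tokens: the SIDs/aliases an identity would carry.
guest_member = {"BG"}               # an account that is a member of Guests
anonymous_guest = {"AN", "BG"}      # Anonymous Logon plus Guests
domain_user = {DOMAIN_USERS}

if __name__ == "__main__":
    for name, tok in [("guest", guest_member), ("anon+guest", anonymous_guest),
                      ("domain user", domain_user)]:
        print(name, access_check(FINAL_SD, tok, WRITE),
              access_check(GUESTS_DENIED_SD, tok, WRITE))
```

Because the deny ACE for AN comes first, a token that carries both AN and BG is still refused, while a token with only BG gains write access from the allow ACE.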

RE: Permission denied when writing to eventlog from global.asa

on 10.06.2005 11:14:25 by v-wzhang

I'm glad to have been of some help. :-)

Best regards,

WenJun Zhang
Microsoft Online Partner Support


RE: Permission denied when writing to eventlog from global.asa

on 27.06.2005 11:09:03 by jonasback

Hi again,

There's still a problem with this! Every night it stops working. All we have
to do is reboot and then it starts working again until the next night when it
stops working again and we get a Permission Denied.

Before rebooting I made sure that the setting is still correct, which is
(A;;0xf0002;;;BG). So I don't change ANYTHING before I reboot and after the
reboot it starts working again.

I've tried doing a gpupdate /force during the daytime but it doesn't stop
working when I do that. So can it still be because of the GPO-settings
getting applied at night?



The error message we get in the morning is:
Event Type: Warning
Event Source: Active Server Pages
Event Category: None
Event ID: 9
Date: 2005-06-27
Time: 08:34:02
User: N/A
Description:
Warning: IIS log failed to write entry, File
/LM/W3SVC/18856186/Root/global.asa Line 52 Permission denied. .



RE: Permission denied when writing to eventlog from global.asa

on 01.02.2006 18:49:31 by Moncef Jawadi

Good day:

I am running a dual-processor standalone server, Windows 2003 SP1
with all the hotfixes. The only applications running on this server
are IIS6, FTP and SQL 2000.
I have the same problem: the server stops working every night, which is
really frustrating.
This is the error in the event log:

Warning: IIS log failed to write entry, File
/LM/W3SVC/766998546/Root/global.asa Line 10 Operation is not allowed
when the object is open..

Warning: IIS log failed to write entry, File
/LM/W3SVC/766998546/Root/global.asa Line 10 Object required: 'conn'.

I have searched for this file in the Inetpub folder but I got over 50
global.asa files.

I have looked at the posted fix. Truly, I did not understand where I
make the change; is it in the registry? I think it is referring to AD,
Domain and GPO issues but this server is standalone and has never been part
of a domain.

I would appreciate any help many thanks in advance.

Mon



*** Sent via Developersdex http://www.developersdex.com ***

Re: Permission denied when writing to eventlog from global.asa

on 02.02.2006 04:50:53 by Ken Schaefer

Hi,

This has nothing to do with GPOs or domains as far as I can tell.

Locate the website that has the ID 766998546 (you can do this in the IIS
Manager)

In the root folder for that website, locate the global.asa file

Post the first 10 lines of that file

Cheers
Ken


RE: Permission denied when writing to eventlog from global.asa

on 04.02.2006 22:59:58 by Moncef Jawadi

I did follow the suggestion http://support.microsoft.com/kb/q243828/
but unfortunately the server still stops responding. Even if I run IISreset,
the web service still does not respond; I have to reboot the server
before I get the web sites back running.


In the event log I see the following error:
Source: Active Server Pages
Event ID: 9
Description:
Warning: IIS log failed to write entry, File
/LM/W3SVC/766998546/Root/global.asa Line 10 Object required: 'conn'. .

Followed by a second error:

Source: Active Server Pages
Event ID: 9
Description:
Warning: IIS log failed to write entry, File
/LM/W3SVC/766998546/Root/global.asa Line 10 Operation is not allowed
when the object is open.. .


I have at least 2 sites on this server, and many sites have
their own Global.asa.

This is the Global.asa in the wwwroot:
Global.asa

'Line 0
<OBJECT
RUNAT="Server"
SCOPE="Application"
ID="conquerChatUsers"
PROGID="Scripting.Dictionary">
</OBJECT>

<OBJECT
RUNAT="Server"
SCOPE="Application" 'this is line 10'
ID="conquerChatRooms"
PROGID="Scripting.Dictionary">
</OBJECT>

<OBJECT
RUNAT="Server"
SCOPE="Application"
ID="conquerChatMessages"
PROGID="Scripting.Dictionary">
</OBJECT>

'Line 20


I have uninstalled the IIS and reinstalled it, no success.

Any suggestion will be much, much appreciated as I am pulling my hair out.



Re: Permission denied when writing to eventlog from global.asa

on 06.02.2006 01:49:24 by Ken Schaefer

Hi,

Please see my previous response to your problem.

Cheers
Ken


