Mombu the Microsoft Forum sponsored links

Go Back   Mombu the Microsoft Forum > Microsoft > INTERNET INFORMATION SERVICES (IIS) (TECHNET) > Permission denied when writing to eventlog from global.asa
User Name
Password
REGISTER NOW! Mark Forums Read

sponsored links


Reply
 
1 12th August 21:08
jonas back
External User
 
Posts: 1
Default Permission denied when writing to eventlog from global.asa


I'm trying to log to the eventlog when a session dies on the IIS.

First I had problems writing to the event log from the application but after
adding (A;;0x2;;;S-1-5-21-1235689106-1732415182-1711286387-513) (where the
SID is the SID of the "Domain Users"-group) to
HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/EventLog/Application and
the CustomSD-key it worked fine.

When I log from an asp page, eventlog writes an event and WSH as "Source",
but when I'm trying to log from global.asa Session_OnEnd I get permission
denied and Active Server Pages as "Source".

Which permission should I change to get this working?
  Reply With Quote


  sponsored links


2 13th August 00:06
v-wzhang@onlinemicrosoftcom wenjun
External User
 
Posts: 1
Default Permission denied when writing to eventlog from global.asa


Hi,

If the ASP page allows anonymous access, its idenity should be
IUSR_<machinename> account (can be viewed in computer management).
This is local account which shouldn't be in domain users. So you will
need to change the CustomSD with its sid. Also you may remove IUSR
from guests group (by default it's in guests). As I know, accounts
included in guests may be restricted to write event log as well.

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.
  Reply With Quote
3 13th August 00:07
jonas back
External User
 
Posts: 1
Default Permission denied when writing to eventlog from global.asa


Thanks for helping out!

We don't allow anonymous access to the page. That is - we have unchecked the
box "Enable anonymous access" on the "Directory Security" tab on the website
configuration. How do I do it then?

Is it maybe still the |USR-MACHINENAME account that tries to write to the log?

Thanks!
  Reply With Quote
4 13th August 10:18
v-wzhang@onlinemicrosoftcom wenjun
External User
 
Posts: 1
Default Permission denied when writing to eventlog from global.asa


Maybe this is caused by a known bug. In Seesion_OnEnd, the running
context could be reverted to process identity - i.e:
IWAM_<servername> or Local System.

BUG: Session_OnEnd Changes Security Context of InProcess Component
http://support.microsoft.com/kb/q243828/

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.
  Reply With Quote
5 13th August 11:40
jonas back
External User
 
Posts: 1
Default Permission denied when writing to eventlog from global.asa


It's solved! Thank you very much for pointing me to the right direction.

After trying to allow some more SIDs to write to the eventlog
(IWAM_SERVERNAMNE, IUSR_SERVERNAME, LOCALSYSTEM) but still didn't get it to
work I finally realized that I earlier allowed the Anonynous (AN) to write to
the log:
(D;;0xf0002;;;AN)
but it should have been Built-In Guests (BG):
(A;;0xf0002;;;BG)
And then it worked!

So, the solution to allow Domain Users to write to the Event Log and also
Built-In-groups which is used on Session_OnEnd, we now have the following
string and it works perfect!
O:BAG:SYDD;;0xf0007;;;AN)(A;;0xf0002;;;BG)(A;;0x f0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU) (A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x2;;;S-1-5-21-1235689106-1791386253-4322286387-513)

Thanks again for helping out. Hopefully in the next version of Windows they
will make it easier to administrate rights to the event log.
  Reply With Quote
6 13th August 11:40
v-wzhang@onlinemicrosoftcom wenjun
External User
 
Posts: 1
Default Permission denied when writing to eventlog from global.asa


I'm glad to have been some help. :-)

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.
  Reply With Quote
7 14th August 09:14
jonas back
External User
 
Posts: 1
Default Permission denied when writing to eventlog from global.asa


Hi again,

There's still a problem with this! Every night it stops working. All we have
to do is reboot and then it starts working again until the next night when it
stops working again and we get a Permission Denied.

Before rebooting I made sure that the setting is still correct, which is
(A;;0xf0002;;;BG). So I don't change ANYTHING before i reboot and after the
reboot it starts working again.

I've tried doing a gpupdate /force during the daytime but it doesn't stop
working when I do that. So can it still be because of the GPO-settings
getting applied at night?

The errormessage we get in the morning is:
Event Type: Warning
Event Source: Active Server Pages
Event Category: None
Event ID: 9
Date: 2005-06-27
Time: 08:34:02
User: N/A
Description:
Warning: IIS log failed to write entry, File
/LM/W3SVC/18856186/Root/global.asa Line 52 Permission denied. .
  Reply With Quote
8 31st August 13:59
moncef jawadi
External User
 
Posts: 1
Default Permission denied when writing to eventlog from global.asa


Good day:

I am running a dual processor on standalone server, Windows 2003 SP1
and all the hot fixes, The only application is running on this server
is, IIS6, FTP and SQL 2000.
I have the same problem with the server it stop working every night is
real frustrating
This is the error in the event log

Warning: IIS log failed to write entry, File
/LM/W3SVC/766998546/Root/global.asa Line 10 Operation is not allowed
when the object is open..

Warning: IIS log failed to write entry, File
/LM/W3SVC/766998546/Root/global.asa Line 10 Object required: 'conn'.

I have searched for this file in the Inetpub folder but I got over 50
global.asa files

I have looked at the posted fix, Truly I did not understand where do I
make the change, is it in the registry? I think it is referring to AD,
Domain and GPO issues but this server is standalone and never been part
of domain.

I would appreciate any help many thanks in advance.

Mon

*** Sent via Developersdex http://www.developersdex.com ***
  Reply With Quote
9 31st August 14:01
ken schaefer
External User
 
Posts: 1
Default Permission denied when writing to eventlog from global.asa


Hi,

This has nothing to do with GPOs or domains as far as I can tell.

Locate the website that has the ID 766998546 (you can do this in the IIS
Manager)

In the root folder for that website, locate the global.asa file

Post the first 10 lines of that file

Cheers
Ken

:
: Good day:
:
: I am running a dual processor on standalone server, Windows 2003 SP1
: and all the hot fixes, The only application is running on this server
: is, IIS6, FTP and SQL 2000.
: I have the same problem with the server it stop working every night is
: real frustrating
: This is the error in the event log
:
: Warning: IIS log failed to write entry, File
: /LM/W3SVC/766998546/Root/global.asa Line 10 Operation is not allowed
: when the object is open..
:
: Warning: IIS log failed to write entry, File
: /LM/W3SVC/766998546/Root/global.asa Line 10 Object required: 'conn'.
:
: I have searched for this file in the Inetpub folder but I got over 50
: global.asa files
:
: I have looked at the posted fix, Truly I did not understand where do I
: make the change, is it in the registry? I think it is referring to AD,
: Domain and GPO issues but this server is standalone and never been part
: of domain.
:
: I would appreciate any help many thanks in advance.
:
: Mon
:
:
:
: *** Sent via Developersdex http://www.developersdex.com ***
  Reply With Quote
10 31st August 14:06
moncef jawadi
External User
 
Posts: 1
Default Permission denied when writing to eventlog from global.asa


I did follow the suggestion http://support.microsoft.com/kb/q243828/
But Unfortunately the server still stop responding. even I run IISreset
the web service still would not respond, I have to reboot the server
before I get the web sites back running.


In the event log I see the following error
Source: Active Server Pages
Event ID: 9
Description:
Warning: IIS log failed to write entry, File
/LM/W3SVC/766998546/Root/global.asa Line 10 Object required: 'conn'. .

Followed by secomd error

Source: Active Server Pages
Event ID: 9
Description:
Warning: IIS log failed to write entry, File
/LM/W3SVC/766998546/Root/global.asa Line 10 Operation is not allowed
when the object is open.. .


I do have at least 2 site on this server, and many sites they do have
their Global.asa

This the Global.asa in the wwwroot
Global.asa

'Line 0
<OBJECT
RUNAT="Server"
SCOPE="Application"
ID="conquerChatUsers"
PROGID="Scripting.Dictionary">
</OBJECT>

<OBJECT
RUNAT="Server"
SCOPE="Application" 'this is line 10'
ID="conquerChatRooms"
PROGID="Scripting.Dictionary">
</OBJECT>

<OBJECT
RUNAT="Server"
SCOPE="Application"
ID="conquerChatMessages"
PROGID="Scripting.Dictionary">
</OBJECT>
'Line 20


I have uninstalled the IIS and reinstalled it, no success.

Any suggestion will be much, much appreciated as I am pulling my hair


*** Sent via Developersdex http://www.developersdex.com ***
  Reply With Quote
Reply


Thread Tools
Display Modes




Copyright 2006 SmartyDevil.com - Dies Mies Jeschet Boenedoesef Douvema Enitemaus -
666