I am trying to write to the windows event log from ASP.net. The app pool is running under a domain account rather than Network Service.
I've got everything working on my development environment, but there is a catch. Because the app pool runs as a domain account, I had to add (A;;0x0002;;;AU) to the Application\CustomSD registry key to allow Authenticated Users access to the event log. This is fine on my development box, but verboten on the production server. (No registry tweaking, they say. Find another way.)
From what I've learned, the default event log on Windows Server 2k3 SP2 only allows logins with the LOGON32_LOGON_INTERACTIVE, LOGON32_LOGON_BATCH, or LOGON32_LOGON_SERVICE flags set on their user sessions.
Is there a way to add one of these flags to the app pool's login? IIS does not set the flags when it starts an app pool. I've looked at using LogonUser to create a temporary security context with the correct flags, but that requires storing a password somewhere and I want to avoid that if possible.
Any ideas on how to allow IIS to write to the event log using a custom app pool account without modifying the registry on Windows Server 2k3 SP2?
EDIT: I can't add the app pool account to the local admins group either, because of security restrictions.
Resources
Using programmatic Impersonation from an ASP.NET Page
Allowing impersonated accounts to write to your custom event log

The account should be able to write to the event log just fine if only the event source is created/registered before the first write attempt. Creating the source requires administrative rights, but writing does not.
As the documentation page for the EventLog class suggests, the event source should be created and configured during the installation of the application.
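The split the answer describes, an install-time step that registers the source with administrative rights and a runtime step that only writes, looks like this in C#. This is an added example, not code from the answer or from any of the linked resources; the source name "MyWebApp" is an assumed placeholder, and the web app is assumed to use the System.Diagnostics.EventLog class.

```csharp
using System;
using System.Diagnostics;
using System.Security;

// Added example: register an event source at install time (admin) and write
// to it at runtime under the app pool identity (no admin, no registry change).
public static class AppEventLog
{
    // Assumed source name; pick the name the application will actually use.
    private const string SourceName = "MyWebApp";
    private const string LogName = "Application";

    // Install-time step. Run once, under an administrative account, from a
    // deployment script or a System.Configuration.Install installer class.
    // CreateEventSource writes a subkey under
    // HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application,
    // which is the reason this step needs administrative rights.
    public static void RegisterSource()
    {
        if (!EventLog.SourceExists(SourceName))
        {
            EventLog.CreateEventSource(new EventSourceCreationData(SourceName, LogName));
        }
    }

    // Runtime step, called from the web app under the app pool account.
    // Writing to an already registered source needs no registry write.
    // Deliberately does NOT call EventLog.SourceExists here: that call
    // enumerates every log's registry key, including Security, and throws
    // SecurityException for non-administrative accounts.
    public static bool TryWrite(string message, EventLogEntryType type, int eventId)
    {
        try
        {
            EventLog.WriteEntry(SourceName, message, type, eventId);
            return true;
        }
        catch (SecurityException)
        {
            // Typical cause: the install-time RegisterSource step was never
            // run, so WriteEntry tried (and failed) to create the source itself.
            return false;
        }
        catch (InvalidOperationException)
        {
            // Source exists but is registered under a different log name.
            return false;
        }
    }
}
```

If TryWrite returns false on production, the fix is to rerun RegisterSource from an elevated deployment step rather than to loosen CustomSD or add the account to Administrators, which keeps the app pool account at the privilege level the question's security restrictions require.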