The finer points of ASP.NET authentication and some other things I learned today.

I've been involved with ASP.NET development pretty much since it was in beta and I thought that I really knew what was going on and could cut code pretty well.  I must have gotten rusty or something cuz I feel like I've learned a TON in the last month.  Usually the knowledge is acquired in spurts and usually on a day that tries a man's (or woman's) soul.  Today was one of those days.

Four things I learned today:

  1. If your web.config "authentication mode" (<authentication mode="Forms">) is set to "Forms" and you want to access the user's Windows username through NTLM, you are out of luck.  No amount of futzing with the IIS directory settings or <identity impersonate="true" /> will get you what you need.  You have to pick either mode="Forms" or mode="Windows".  What I wanted to do was to have my ASP.NET security first try to auth using the WindowsIdentity and, if that isn't available, fall back to Forms authentication.  It looks like that automatic authorization without an IE login prompt won't be possible.
  2. ASP.NET runs as "NETWORK SERVICE" on Windows 2003 and not ASPNET.  (read up)
  3. If the server that is running your ASP.NET application has a dot (aka "a period", ".") in the address, Internet Explorer won't attempt to negotiate NTLM unless you've added that site to IE's local intranet zone.  If there's a dot, IE assumes that you're hitting an internet site rather than an intranet site.  (read up)
  4. The Microsoft Patterns & Practices Enterprise Library Data Access Block (MPAPELDAB, for short) is trying to do something with the Event Log and/or the registry that it absolutely doesn't have permissions to do.  Whenever there's a data access problem (SqlException, etc), it tries to log the exception -- fails -- then everything comes crashing down like a load of extra-heavy, jet-powered bricks.  This blog post has been somewhat helpful....especially the comment that suggested going into the source code and editing out all the calls that try to write to the event log.  There's also another FAQ.  And this post, too.  Alas, the problem is still not solved.  I've tried running ASP.NET as an administrator.  I've tried running "installutil" over the MPAPELDAB dlls.  (See exception/stack trace below)

If anyone has any ideas on item #1 or item #4, please let me know.  Definitely let me know if you think I'm misunderstanding something about the security stuff. 

Major thanks to Mike Miller for helping me research and test out the Windows/Forms security stuff.  (He's definitely one of the smartest guys I know.)

-Ben

 

Here's the exception:
[Win32Exception (0x80004005): Access is denied]

[InvalidOperationException: Cannot open log for source {0}. You may not have write access.]
   System.Diagnostics.EventLog.OpenForWrite() +363
   System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category, EventLogEntryType type, String[] strings, Byte[] rawData) +280
   System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +462
   System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category) +21
   System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID) +15
   System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type) +11
   Microsoft.Practices.EnterpriseLibrary.Common.Instrumentation.PerformanceCounterInstances.ReportCounterFailure(String message)

[InvalidOperationException: Exception in ReportCounterFailure("Failed to create instances of performance counter '# of Command Failures/Sec' - Couldn't get process information from remote machine..".  Here's the debugging trace...Start;new EventLog('Application', '.', 'Enterprise Library Instrumentation');]
   Microsoft.Practices.EnterpriseLibrary.Common.Instrumentation.PerformanceCounterInstances.ReportCounterFailure(String message)
   Microsoft.Practices.EnterpriseLibrary.Common.Instrumentation.PerformanceCounterInstances..ctor(String categoryName, String counterName, Boolean createNewInstance)
   Microsoft.Practices.EnterpriseLibrary.Common.Instrumentation.InstrumentedEvent.AddPerformanceCounter(String category, String[] counterNames, Boolean createNewInstance)
   Microsoft.Practices.EnterpriseLibrary.Common.Instrumentation.InstrumentedEvent.Initialize(String counterCategory, String[] counterNames, Boolean createNewInstance, String eventLogSource, EventLogIdentifier[] eventIds)
   Microsoft.Practices.EnterpriseLibrary.Common.Instrumentation.InstrumentedEvent..ctor(String counterCategory, String[] counterNames, Boolean createNewInstance)
   Microsoft.Practices.EnterpriseLibrary.Data.Instrumentation.DataServiceEvent..ctor(String[] counterNames)
   Microsoft.Practices.EnterpriseLibrary.Data.Instrumentation.DataCommandFailedEvent..ctor(String[] counterNames)
   Microsoft.Practices.EnterpriseLibrary.Data.Instrumentation.DataCommandFailedEvent..cctor()

[TypeInitializationException: The type initializer for "Microsoft.Practices.EnterpriseLibrary.Data.Instrumentation.DataCommandFailedEvent" threw an exception.]
   Com.Benday.Search.SearchDA.Execute(SearchDefinition search)
   Com.Benday.Search.SearchManager.Execute(SearchDefinition search)
   Timesheet.WebUI.Global.InitializeValues(String searchName, String storeAsKey) in c:\inetpub\wwwroot\Timesheet.WebUI\Global.asax.cs:50
   Timesheet.WebUI.Global.InitializeLookupValues() in c:\inetpub\wwwroot\Timesheet.WebUI\Global.asax.cs:30
   Timesheet.WebUI.Global.Application_BeginRequest(Object sender, EventArgs e) in c:\inetpub\wwwroot\Timesheet.WebUI\Global.asax.cs:79
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +60
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87


 

posted @ Thursday, May 05, 2005 10:20 PM
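
The trace above shows an event log write throwing inside a type initializer and taking the request down with it. The following is an added example, not code from the post or from Enterprise Library: it separates registering the event source (which requires administrator rights) from writing to it, and makes the write path return false instead of throwing. The class and method names are hypothetical; the log and source names are the ones in the trace.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security;

// Hypothetical helper, written for this example.
public static class SafeEventLog
{
    // Names taken from the debugging trace in the post.
    private const string LogName = "Application";
    private const string Source = "Enterprise Library Instrumentation";

    // Run once from an elevated installer or admin console,
    // never from the web application's worker process.
    public static void RegisterSource()
    {
        if (!EventLog.SourceExists(Source))
        {
            EventLog.CreateEventSource(Source, LogName);
        }
    }

    // Called from request code. A denied or failed write is reported
    // through Trace and the return value; it never propagates.
    public static bool TryWrite(string message, EventLogEntryType type)
    {
        try
        {
            EventLog.WriteEntry(Source, message, type);
            return true;
        }
        catch (Exception ex) when (ex is SecurityException
                                   || ex is InvalidOperationException
                                   || ex is Win32Exception)
        {
            Trace.WriteLine("Event log write failed: " + ex.Message);
            Trace.WriteLine("Original message: " + message);
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample message.
        bool ok = SafeEventLog.TryWrite("Data command failed (sample)", EventLogEntryType.Warning);
        Console.WriteLine(ok ? "written to event log" : "fell back to trace output");
    }
}
```

With the source registered ahead of time, the worker process can keep running as a low-privilege identity and a logging failure degrades to trace output instead of a crashed request.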


Comments on this entry:

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by dragoljub at 5/24/2005 10:48 PM
well, i'm stuck with #4 for a few days, every time i thought it was solved it wasn't

every article says it can be done, but i just can't seem to write a simple entry in a custom log with a custom source

the message says "access denied"

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by Mark Grant at 6/6/2005 8:45 AM
Hi Ben,

I have resolved 1 but it was painful. It involved using windows authentication and then writing my own forms authentication if windows authentication failed. After lots of research this proved the only way to do it.

Regards,
Mark Grant

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by Mark Grant at 6/6/2005 8:50 AM
dragoljub,

If you are trying to write an event log message from a website then you need to check which user account the website is running under.

Go to IIS, open your website's properties and click on directory security. Go to anonymous access etc. and click edit.

If the anonymous access check box is checked then the website runs as the user below it. Typically you will want (local machine name)\ASPNET as this has all the correct settings.

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by Benjamin Day at 6/6/2005 8:53 AM
I really need to mod this blog software....it would be great to be able to get the email addresses of people who post comments.

Mark, if you see this, could you pop me a line directly? benday at benday dot com

-Ben

# Enterprise Library and ASP.NET can get along after all

Left by Bryan Corazza at 6/8/2005 12:45 PM

# Enterprise Library and ASP.NET can get along after all

Left by Bryan Corazza at 6/8/2005 12:55 PM

# Enterprise Library and ASP.NET can get along after all

Left by Bryan Corazza at 6/13/2005 10:17 PM

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by Sergio Pereira at 6/30/2005 3:10 PM
Have you tried to add your ASPNET (or NETWORK SERVICE) user to the Performance Counter Users Group?
I'm not sure this will solve it but may be worth trying.

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by Benjamin Day at 6/30/2005 4:29 PM
Actually, I've completely given up on trying to get that eventlog and perf counter code working. Nothing....absolutely NOTHING has gotten it to work reliably.

I've tried a lot of different things and sometimes I can get it to work for a little while but that error message always comes back. When the application I'm writing hit production, this was no longer an option. Plus, I'd already wasted hours upon hours upon hours with this $#$@#!@ bug.

-Ben

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by CodyTownsley at 9/28/2005 10:04 AM

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by Ali at 11/23/2005 12:03 PM
I get Win32Exception (0x80004005): Access is denied with Microsoft Patterns & Practices Enterprise Library Data when I set
<identity impersonate="true" /> and when
<identity impersonate="false" /> it works. How can I make it work with <identity impersonate="true" />?

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by Benjamin Day at 11/26/2005 5:48 PM
Hmm....not sure exactly what's going on with the <identity> thing. It's clearly a permissions problem. It looks like the "NETWORK SERVICE" or "ASPNET" user has permissions but the impersonated user does not.

It's probably the same bug that I was ranting about when I originally wrote this post.

-Ben

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by Paul at 8/25/2006 12:22 PM
Benjamin, were you ever able to resolve problem 4? I have the same issue.

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by The Man at 9/26/2006 11:25 AM
All you need to do is add IMPERSONATE=TRUE in the web.config file and run the webservice under an account that has admin privileges on the web server machine. That's it!

# re: The finer points of ASP.NET authentication and some other things I learned today.

Left by Jim Stanski at 8/20/2008 2:31 PM
I had a similar problem. Two things listed in this thread were helpful:

1. Modify IIS site properties -> directory security and provide the appropriate login/passwd

2. Set impersonate=true in web.config

Jim
