ASP.NET/IIS7.5 Log file entry does not work (permissions, UAC, Config., ???)

We are having problems migrating our ASP.NET applications to Windows Server 2008 R2 x64 and IIS7.5. The problem is that our ASP.NET applications write log files and these log files are not written. The only way the applications write their log files is if I log on to the server as a local administrator user or if I right-click and start IE with “Run as administrator”; neither of these is an acceptable solution for us.

Our platform:

  • Windows Server 2008 R2 x64 (UAC is the default)
  • IIS7.5
  • ASP.NET 4.0 (using Windows authentication and impersonation, as in web.config)

Our application is installed on:

  • D:\[application_name]\[appnameWebSite] (all .aspx, .dll, etc. files)
  • \Log (the application is trying to write a log file to this folder)

On the server:

  • Created a new application pool (name: [appname], .NET 4.0, Managed pipeline mode: Classic, Identity: ApplicationPoolIdentity, Load User Profile: False, all other properties are the default values)
  • Created an IIS application pointing to D:\[appname]\[appnameWebSite] and added it to the new application pool (full level of trust)
  • The domain user is in the local Administrators group

With all the settings and default settings listed above, ASP.NET will not write the log file. The application works fine in the browser, but the log.txt file is not written.

To try to “fix” these problems, we tried many things:

  • Tried application pool setting: Managed pipeline mode: Integrated
  • Tried application pool setting: Identity: NetworkService
  • Tried application pool setting: Identity: LocalSystem
  • Tried application pool setting: Load User Profile: True
  • Gave Users full control on the file system for our application folder structure (I tried the appname folder, tried only the log folder, only tried to use the names in the names)
  • Gave IIS AppPool\[appname] (corresponding to the new application pool) full control on the file system for our application folder structure (I tried the appname folder, tried only the "Log" folder, only tried to enter the file names and only in the "Name log" folders)

None of these things helped. Again, the application will work just fine, just the log file is not created.

As mentioned above, the only way to create a log file at application startup is if we log in to the server using a local administrator account (which makes sense since it is the superuser), or if we run IE as an administrator with elevated privileges.

Any suggestions? Help? Questions?

Thanks!

+6
3 answers

Well, after days of checking each IIS setting, user and group accounts, file system permissions, Process Explorer, etc., I think we got it working:

  • We reset all our IIS application pools and website settings to their default values.
  • We also reset the folder / file system permissions on our log folder to the default settings.
  • Then we turned off the Internet Explorer advanced security setting on the server

And success! The log file is written as expected, regardless of which user is using the ASP.NET application, and whether it is running on the server itself or from the workstation.

I don’t know whether disabling Internet Explorer’s advanced security setting on the server is the “right” thing or if it violates any recommendations, but it seems to work for us.

Does anyone have something to add?

+4

I tried granting all permissions and still did not get any log files. Finally, I came across this one that suggested changing ownership of my log directory. I checked and the owner of the directory was set to SYSTEM. I changed it to Administrators and applied the change recursively. I dropped IIS, hit the webpage from the site in the browser, and now I have the log files. Hurrah!

Note. The thing that knocked me over was checking the system event log. I was getting 15006 errors saying: "The owner of the log file or directory C:\inetpub\logfiles\W3SVC1\some.log is not valid. This may be because another user has already created the log file or directory."

+8

I struggled with this for a while. ApplicationPoolIdentity is a member of the Users group, and the Users group has limited access.

From Explorer, right-click on the folder you are trying to write to and go to the "Security" section. Click the "Advanced" button. You will see that Users have Read and Execute permission, and the Users group may or may not have special permissions. If not, click "Change Permissions" and give Users the "Create files / write data" and "Create folders / append data" permissions. This restriction applies to this folder. I use a subfolder so that I do not provide write access to the entire site.

Try creating the log files again. This is the only permission I needed to configure for it to work.

+3
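
The owner check from the second answer and the narrow write grant from the third answer, scripted as an added PowerShell example (not code from the thread). The `$LogDir` and `$Principal` defaults and the helper names are placeholders chosen for illustration, and the script assumes an elevated session.

```powershell
# Added example: placeholder defaults, run from an elevated PowerShell session.
param(
    [string]$LogDir    = 'D:\appname\appnameWebSite\Log',  # placeholder path
    [string]$Principal = 'BUILTIN\Users'                   # or 'IIS AppPool\<pool name>'
)
$ErrorActionPreference = 'Stop'

# Normalise the account name (e.g. 'Users' -> 'BUILTIN\Users') via its SID.
function Resolve-AccountName([string]$Name) {
    $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $sid.Translate([System.Security.Principal.NTAccount]).Value
}

# Grant only "Create files / write data" and "Create folders / append data",
# scoped to this folder only (no inheritance), as the third answer describes.
function Grant-LogWrite([string]$Path, [string]$Account) {
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$account = Resolve-AccountName $Principal

# The second answer traced its failure to the directory owner, so show it first.
$before = Get-Acl -LiteralPath $LogDir
Write-Output "Owner of ${LogDir}: $($before.Owner)"

Grant-LogWrite -Path $LogDir -Account $account

# Print the resulting ACEs for the account so the change can be reviewed.
(Get-Acl -LiteralPath $LogDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Granting on the log subfolder only, rather than on the site root, keeps the content directories read-only for the identity that serves them.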

Source: https://habr.com/ru/post/887980/

