Access is Denied error (EventLog with Sharepoint Services 2.0 SP2)

Hey Guys,

I have a .net remoting singleton hosted in IIS 6.0 (Win Server 2k3 SP1) and
sharepoint services 2.0 (Sp2) is installed on my box.

My .net remoting component tries to write to the eventlog of windows under a
special category "LxxServer". Each time it tries, it get the following
exception :

System.InvalidOperationException: Cannot open log for source {0}. You may
not have write access. ---> System.ComponentModel.Win32Exception: Access is
denied
--- End of inner exception stack trace ---
at System.Diagnostics.EventLog.OpenForWrite()
at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
EventLogEntryType type, String[] strings, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID, Int16 category)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type)
at System.Diagnostics.EventLog.WriteEntry(String message)


----------------------------

NOTE : If I remove sharepoint from the machine, I have no problem.

Also : the app pool hosting my .net remoting component runs under Network
Service (although I've tried almost every possible user).

I've also tried to elevate the trust level of the default web site to "Full
trust", nothing works for me.

Any ideas?

lukezhan
Tue Sep 12 01:02:13 CDT 2006

------=_NextPart_0001_3E5CA680
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hello,

As I understand, the remoting application is running in WSS site with the
application pool identity "Network Service", is this correct?

I suggest you may perform such a test:

1. Create a new web site on the server for your remoting application
2. Create a new application pool for the new web site and set its identity
to a local administrator.
3. For the remoting application, ensure your web.config contains <identity
impersonate="true" />

And then, test the remoting application to see if it can write the event
log successfully. If so, it should be a security issue. You may consider
adjust the WSS application pool's identity or consider a new application
pool as work around.

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.


------=_NextPart_0001_3E5CA680
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hello,
\par
\par As I understand, the remoting application is running in WSS site with the application pool identity "Network Service", is this correct?
\par
\par I suggest you may perform such a test:
\par
\par 1. Create a new web site on the server for your remoting application
\par 2. Create a new application pool for the new web site and set its identity to a local administrator.
\par 3. For the remoting application, ensure your web.config contains <identity impersonate="true" />
\par
\par And then, test the remoting application to see if it can write the event log successfully. If so, it should be a security issue. You may consider adjust the WSS application pool's identity or consider a new application pool as work around.
\par
\par Sincerely,
\par
\par Luke Zhang
\par
\par Microsoft Online Community Support
\par ==================================================
\par Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
\par
\par Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx.
\par ==================================================
\par
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par
\par
\par }
------=_NextPart_0001_3E5CA680--

redStorm
Tue Sep 12 08:03:02 CDT 2006

Hey Luke

You understood it correctly.

However I've tried to create a new web site (called testWS) and move my .net
remoting component from Default Web Site to testWS. I created a new
application pool (Test) and had it run as Administrator. Finally i added the
<identity impersonate=true /> line in the web.config of my .net remoting
component.

I still get the same error.

HOWEVER, I played around a little and was able to make it work by changing
the IUSR_MachineName user to a Administrator in the Authentication Methods
dialog (Directory Security, click on the first edit button). I still have
Enable anonymous access checked. Do you see any other way I could make this
work. I'm a little confused over those two sets of credentials (Anonymous
impersonating user and the user that runs the App pool).

Thanks
Olivier

"Luke Zhang [MSFT]" wrote:

> Hello,
>
> As I understand, the remoting application is running in WSS site with the
> application pool identity "Network Service", is this correct?
>
> I suggest you may perform such a test:
>
> 1. Create a new web site on the server for your remoting application
> 2. Create a new application pool for the new web site and set its identity
> to a local administrator.
> 3. For the remoting application, ensure your web.config contains <identity
> impersonate="true" />
>
> And then, test the remoting application to see if it can write the event
> log successfully. If so, it should be a security issue. You may consider
> adjust the WSS application pool's identity or consider a new application
> pool as work around.
>
> Sincerely,
>
> Luke Zhang
>
> Microsoft Online Community Support
> ==================================================
> Get notification to my posts through email? Please refer to
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights

lukezhan
Wed Sep 13 02:57:22 CDT 2006

------=_NextPart_0001_44112D94
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hi Olivier,

Thank you for the update. When enable the anonymous access, the user
account will be impersonated as IUser_ComputerName.So this may be why you
can make it work after add IUser_ComputerName to local administrator.

If you disable anonymous access in IIS, restart IIS, and test again with
testWS. If it still didn't work, you may remove <identity
impersonate="true" /> from the web.config, and then what is the result?

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.


------=_NextPart_0001_44112D94
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hi Olivier,
\par
\par Thank you for the update. When enable the anonymous access, the user account will be impersonated as IUser_ComputerName.So this may be why you can make it work after add IUser_ComputerName to local administrator.
\par
\par If you disable anonymous access in IIS, restart IIS, and test again with testWS. If it still didn't work, you may remove <identity impersonate="true" /> from the web.config, and then what is the result?
\par
\par Sincerely,
\par
\par Luke Zhang
\par
\par Microsoft Online Community Support
\par ==================================================
\par Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
\par
\par Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx.
\par ==================================================
\par
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par
\par
\par }
------=_NextPart_0001_44112D94--

redStorm
Wed Sep 13 06:45:02 CDT 2006

Hi Luke,

I have conducted some more tests and this is what I found. If I disable
Anonymous access, my client to the .net remoting (hosted in IIS) component
gets a 401 since it doesn't pack the credentials in the call. That's
understandable. On the other hand, if I enable Anonymous Access, I've
determined that the user that I specify needs to NOT be a member of Guests.
If he is, it doesn't work. Is it possible that the Guests group is more
restrictive when WSS is installed?

"Luke Zhang [MSFT]" wrote:

> Hi Olivier,
>
> Thank you for the update. When enable the anonymous access, the user
> account will be impersonated as IUser_ComputerName.So this may be why you
> can make it work after add IUser_ComputerName to local administrator.
>
> If you disable anonymous access in IIS, restart IIS, and test again with
> testWS. If it still didn't work, you may remove <identity
> impersonate="true" /> from the web.config, and then what is the result?
>
> Sincerely,
>
> Luke Zhang
>
> Microsoft Online Community Support
> ==================================================
> Get notification to my posts through email? Please refer to
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights

lukezhan
Thu Sep 14 01:22:14 CDT 2006

------=_NextPart_0001_48BBBB2F
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

I test a guest account with my WSS site ( The Account is in Users group in
current server and it has been added in WSS users as "reader". It seems
this account can open the WSS without any permssion issue. I also checked
documents but I didn't see anything about accounts in Guests group cannot
access WSS site. So there may be other issues which cause the problem.

In my option, we had better use windows authentication for a remoting or
web service application for securty. If we leave anonymous enabled, the
remoting application may be consumed by any other applications, which is
not a safe way.

And, would you please let me know why you need to host the remoting
application on a WSS site, not a normal ASP.NET site? This may make things
complicated since we also need to consider the security of WSS.

Sincerely,

Luke Zhang

Microsoft Online Community Support
This posting is provided "AS IS" with no warranties, and confers no rights.


------=_NextPart_0001_48BBBB2F
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 I test a guest account with my WSS site ( The Account is in Users group in current server and it has been added in WSS users as "reader". It seems this account can open the WSS without any permssion issue. I also checked documents but I didn't see anything about accounts in Guests group cannot access WSS site. So there may be other issues which cause the problem.
\par
\par In my option, we had better use windows authentication for a remoting or web service application for securty. If we leave anonymous enabled, the remoting application may be consumed by any other applications, which is not a safe way.
\par
\par And, would you please let me know why you need to host the remoting application on a WSS site, not a normal ASP.NET site? This may make things complicated since we also need to consider the security of WSS.
\par
\par Sincerely,
\par
\par Luke Zhang
\par
\par Microsoft Online Community Support
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par
\par
\par }
------=_NextPart_0001_48BBBB2F--

redStorm
Thu Sep 14 06:54:02 CDT 2006

Hi Luke,

I agree with you that we should remove the anonymous access on our .net
remoting component. That's what we'll do.

However, I think I don't understand something about WSS. When you ask why
my component is hosted in a WSS site instead of a normal ASP.NET site, what
do you mean? I taught that excluding the virtual directory path of my .net
component from the list of WSS managed path would kind of do that?

Please shed some light on this issue to help me understand better. Thanks
a lot for your answerS. ;)

Olivier

"Luke Zhang [MSFT]" wrote:

> I test a guest account with my WSS site ( The Account is in Users group in
> current server and it has been added in WSS users as "reader". It seems
> this account can open the WSS without any permssion issue. I also checked
> documents but I didn't see anything about accounts in Guests group cannot
> access WSS site. So there may be other issues which cause the problem.
>
> In my option, we had better use windows authentication for a remoting or
> web service application for securty. If we leave anonymous enabled, the
> remoting application may be consumed by any other applications, which is
> not a safe way.
>
> And, would you please let me know why you need to host the remoting
> application on a WSS site, not a normal ASP.NET site? This may make things
> complicated since we also need to consider the security of WSS.
>
> Sincerely,
>
> Luke Zhang
>
> Microsoft Online Community Support
> This posting is provided "AS IS" with no warranties, and confers no rights

lukezhan
Fri Sep 15 03:07:41 CDT 2006

------=_NextPart_0001_4E429797
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hello,

When we host a http remoting or web service application, we normally put
them in an ASP.NET web site. ( when hosting in a WSS site, it will be
hanlded WSS first and this may bring some security and performance issue).
For this issue , excluding the virtual directory path is also a nice way,
it just like the applicaiton is host on an ASP.NET web site.

If there is any further question on this issue, please feel free to let us
know :)

Sincerely,

Luke Zhang

Microsoft Online Community Support
This posting is provided "AS IS" with no warranties, and confers no rights.


------=_NextPart_0001_4E429797
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hello,
\par
\par When we host a http remoting or web service application, we normally put them in an ASP.NET web site. ( when hosting in a WSS site, it will be hanlded WSS first and this may bring some security and performance issue). For this issue , excluding the virtual directory path is also a nice way, it just like the applicaiton is host on an ASP.NET web site.
\par
\par If there is any further question on this issue, please feel free to let us know :)
\par
\par Sincerely,
\par
\par Luke Zhang
\par
\par Microsoft Online Community Support
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par
\par
\par }
------=_NextPart_0001_4E429797--

redStorm
Fri Sep 15 06:57:02 CDT 2006

This thread allowed me to fix my problem and gain some knowledge, thanks Luke.

"Luke Zhang [MSFT]" wrote:

> Hello,
>
> When we host a http remoting or web service application, we normally put
> them in an ASP.NET web site. ( when hosting in a WSS site, it will be
> hanlded WSS first and this may bring some security and performance issue).
> For this issue , excluding the virtual directory path is also a nice way,
> it just like the applicaiton is host on an ASP.NET web site.
>
> If there is any further question on this issue, please feel free to let us
> know :)
>
> Sincerely,
>
> Luke Zhang
>
> Microsoft Online Community Support
> This posting is provided "AS IS" with no warranties, and confers no rights

lukezhan
Mon Sep 18 01:47:25 CDT 2006

------=_NextPart_0001_0614E3F7
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

You are welcome :)

If there is any further questions, please feel free to post here.

Sincerely,

Luke Zhang

Microsoft Online Community Support
This posting is provided "AS IS" with no warranties, and confers no rights.


------=_NextPart_0001_0614E3F7
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 You are welcome :)
\par
\par If there is any further questions, please feel free to post here.
\par
\par Sincerely,
\par
\par Luke Zhang
\par
\par Microsoft Online Community Support
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par
\par
\par }
------=_NextPart_0001_0614E3F7--