SUMMARY: How to configure a web service such that writing to the Event Log is always possible (regardless of caller)?

DETAILS: I have a web service which writes an entry to the Application Log. I established the event source for this by means of a little console application and I think I understand that part of things. When I test this WS, I see I am successfully writing my entry to the Event log.

The virtual directory which hosts this WS does NOT allow anonymous access and is configured for Integrated Windows Auth only.

I have a web client application that calls this Webservice. When the web client site is configured for Integrated Windows Auth only, calls to the Webservice result in logging as desired.

Yet, if I change the web client site to allow anonymous access then the Webservice attempt to log results in an InvalidOperationException. I ignore it but it would be nice to know how to get logging in the webservice regardless of how it is called. Here is a bit of my code:

    public FileService()
    {
        try
        {
            // Register the event source if it is not already present.
            if (!EventLog.SourceExists(g_EventSource))
                EventLog.CreateEventSource(g_EventSource, g_EventLog);

            // Identity the current thread is running as (the impersonated caller).
            System.Security.Principal.WindowsIdentity UserIdentityInfo;
            UserIdentityInfo = System.Security.Principal.WindowsIdentity.GetCurrent();
            string AuthType = UserIdentityInfo.AuthenticationType;

            // Pass the caller's own credentials on when they came in via Kerberos,
            // otherwise fall back to a fixed account.
            if (AuthType == "Kerberos")
            { engineWSE.Credentials = System.Net.CredentialCache.DefaultCredentials; }
            else
            { engineWSE.Credentials = new System.Net.NetworkCredential("u", "p", "domain"); }

            EventLog.WriteEntry(g_EventSource,
                "Caller: " + UserIdentityInfo.Name +
                " AuthType: " + UserIdentityInfo.AuthenticationType,
                EventLogEntryType.Information, 1);
        }
        catch (InvalidOperationException e)
        {
            // do nothing to ignore: "Cannot open log for source 'myAppSourceName'. You may not have write access."
        }
    }

The example in the constructor above is sort of contrived for here (I am mainly interested in being able to write out info related to errors in the web service).

I hope there is a way to configure the web service virtual directory (or the code within) so that logging is possible regardless of how it got called.

A: 

Network Service is allowed to write to the Event Log, but not create an event source. You could give permissions to HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\ to allow it to create - but if you've already created it at install time, there's no need.

It's possible that it's failing on the SourceExists as well - since that requires enumerating the same registry key. I'd probably just remove the SourceExists/Create check and trust that it's there - if you're anonymous, you can't create it anyway.

Mark Brackett
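One way to apply this in the service code, as an added example that is not code from the question or this answer: the request path never calls SourceExists or CreateEventSource (the source is assumed to have been registered at install time by the console application, as the answer suggests), and the write itself runs briefly under the worker process identity by reverting impersonation with WindowsIdentity.Impersonate(IntPtr.Zero), so the entry is written by Network Service even while the thread is impersonating an anonymous caller. The source name, the helper names and the Trace fallback are assumptions; the code targets .NET Framework on Windows.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;

// Added example, not code from the question or the answers.
// Assumes the event source was registered once, at install time, by an elevated
// account; the request path below never touches SourceExists/CreateEventSource.
public static class ServiceEventLog
{
    private const string SourceName = "myAppSourceName"; // assumed name

    public static bool WriteInfo(string message, int eventId)
    {
        return Write(message, EventLogEntryType.Information, eventId);
    }

    public static bool WriteError(string message, int eventId)
    {
        return Write(message, EventLogEntryType.Error, eventId);
    }

    private static bool Write(string message, EventLogEntryType type, int eventId)
    {
        // Capture the impersonated caller first so the entry still records who called.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        string body = "Caller: " + caller.Name +
                      " AuthType: " + caller.AuthenticationType +
                      Environment.NewLine + message;

        WindowsImpersonationContext processIdentity = null;
        try
        {
            // Impersonate(IntPtr.Zero) reverts this thread to the worker process
            // identity (e.g. NETWORK SERVICE), which can write to the Application log
            // even when the impersonated caller (IUSR_..., Guest) cannot.
            processIdentity = WindowsIdentity.Impersonate(IntPtr.Zero);
            EventLog.WriteEntry(SourceName, body, type, eventId);
            return true;
        }
        catch (InvalidOperationException ex)
        {
            // "Cannot open log for source ...": source missing or no write access.
            // Report it somewhere visible instead of swallowing it silently.
            Trace.TraceError("Event log write failed for '{0}': {1}", SourceName, ex.Message);
            return false;
        }
        catch (SecurityException ex)
        {
            Trace.TraceError("Event log access denied for '{0}': {1}", SourceName, ex.Message);
            return false;
        }
        finally
        {
            // Always restore the caller's impersonation before the request continues.
            if (processIdentity != null)
                processIdentity.Undo();
        }
    }
}
```

Call ServiceEventLog.WriteError(...) from the service's catch blocks. Because the source is never created on the request path, a missing source shows up in the Trace output as a configuration problem rather than as a silently ignored exception, and the caller's identity is still recorded in the entry body even though the write is performed by the process account.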
+1  A: 

You should also check your web.config.

If IIS is set to anonymous and web.config is set to windows / impersonate, then it will be the anonymous IIS user that is trying to write to the event log.

Shiraz Bhaiji
Thanks. I re-read my question closely per your answer. I do indeed have <identity impersonate="true"/> and <authentication mode="Windows" /> in the web.config of the website hosting my webservice. I need this because I need the identity of the INTRAnet webclient (see how I test the authentication type and pass credentials accordingly). So, are you saying that because of "impersonate" in the web.config, it is behaving as if I had checked "Anonymous access" for my webservice site? I think you're going to say yes. Given my objectives, is there anyway to configure this for logging in any case?
John Galt
You need to give the IIS anonymous user the right to write to the event log. Its name is IUSR....
Shiraz Bhaiji
I know how to set permissions on files or folders for IUSR_SERVERNAME but how to give that account the right to write to event log?
John Galt
It requires an editing of the registry, see: http://blogs.msdn.com/ericfitz/archive/2006/03/01/541462.aspx for details.
Shiraz Bhaiji
Thanks to you, I found these details below at this link: http://support.microsoft.com/kb/301309

Set the following Registry key to 0 instead of 1, and then restart your computer for the changes to take effect.

HKLM\System\CurrentControlSet\Services\EventLog\Application
Name: RestrictGuestAccess
Type: REG_DWORD

NOTE: This enables all Guest accounts to write to the Application Event Log.
John Galt
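A read-only check for the settings discussed in this thread, added here as an example and not part of any of the posts above: it reports whether the source is registered under the Application log key (so the request path can skip SourceExists/CreateEventSource), the current RestrictGuestAccess value (noting, as the KB note says, that 0 opens the log to every Guest account rather than just the IIS anonymous user), and which accounts are allowed to create subkeys or set values under that key, which is the permission the first answer refers to. The source name is an assumption; run it elevated on the server.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

// Added example, not code from the question or the answers: a read-only audit of
// the Application log configuration discussed in the thread.
public static class EventLogConfigAudit
{
    private const string SourceName = "myAppSourceName"; // assumed name
    private const string ApplicationLogKey =
        @"SYSTEM\CurrentControlSet\Services\EventLog\Application";

    public static List<string> Report()
    {
        var lines = new List<string>();
        using (RegistryKey logKey = Registry.LocalMachine.OpenSubKey(ApplicationLogKey, false))
        {
            if (logKey == null)
            {
                lines.Add("Application log key not found: " + ApplicationLogKey);
                return lines;
            }

            // 1. Is the source already registered? If so, the service code can trust
            //    it is there and never call SourceExists/CreateEventSource at runtime.
            using (RegistryKey sourceKey = logKey.OpenSubKey(SourceName, false))
            {
                lines.Add(sourceKey != null
                    ? "Source '" + SourceName + "' is registered."
                    : "Source '" + SourceName + "' is NOT registered; create it at install time.");
            }

            // 2. RestrictGuestAccess (KB 301309): 0 opens the log to every Guest
            //    account, so report the scope of that change, not just whether it was made.
            object restrict = logKey.GetValue("RestrictGuestAccess");
            if (restrict is int && (int)restrict == 0)
                lines.Add("RestrictGuestAccess = 0: ALL Guest accounts may write to the Application log.");
            else
                lines.Add("RestrictGuestAccess = " + (restrict ?? "<not set>") + ": guest access restricted.");

            // 3. Which accounts may create subkeys (new sources) or set values under the
            //    log key? This is the registry permission the first answer refers to.
            RegistrySecurity acl = logKey.GetAccessControl(AccessControlSections.Access);
            foreach (RegistryAccessRule rule in acl.GetAccessRules(true, true, typeof(NTAccount)))
            {
                bool canCreate = (rule.RegistryRights & RegistryRights.CreateSubKey) != 0;
                bool canSet = (rule.RegistryRights & RegistryRights.SetValue) != 0;
                if (rule.AccessControlType == AccessControlType.Allow && (canCreate || canSet))
                    lines.Add("Allow " + rule.IdentityReference.Value +
                              (canCreate ? " CreateSubKey" : "") +
                              (canSet ? " SetValue" : ""));
            }
        }
        return lines;
    }

    public static void Main()
    {
        foreach (string line in Report())
            Console.WriteLine(line);
    }
}
```

Running this before and after applying the KB change makes the trade-off explicit: the RestrictGuestAccess line shows that the setting widens write access to the whole Application log for every Guest account, while the ACL lines show whether a narrower grant to the specific worker or anonymous account is already in place.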