views:

96

answers:

1

I've got ELMAH working on my (Cassini) development server, and was quite happy with it, but now that I'm trying to move everything to my production server (IIS7), the honeymoon looks like being over.

I've got past the "gotcha" with IIS7, which frankly could have been better highlighted in the documentation, and if I just use the in-memory log then it works.

However, I'm trying to get it to use the SQL Server log (as I do on my development system), and I'm getting an error along the lines of:

The EXECUTE permission was denied on the object ELMAH_GetErrorsXml

Well, fine. I know how to grant database permissions, but I'm really struggling to understand which user and which stored procs/tables I need to grant access to.

The thing that's really confusing me is that I didn't have to do anything like this to get it to work on my development server. The only difference I can see is that on my development server it seems to connect as NT AUTHORITY\IUSR, whereas on my production server it seems to connect as NT AUTHORITY\NETWORK SERVICE. (It's just using a trusted connection so I've not explicitly configured it to do that - I presume it's to do with the web server). UPDATE: I've since established that because I'm using Cassini, it was actually logging in as me (an admin) and not IUSR, which explains why I didn't get any permission problems.

On my development server, the IUSR account is a member of the public database role, and has access to the required database (again as "public"). There's no explicit granting of object-level permissions. [See update above - this is irrelevant].

On my production server, I've added NETWORK SERVICE in exactly the same way (public database role, explicit access to the database as "public"). Yet, I get this permission error. Why?!! [See update above - the only reason I don't get a permission error is because I'm running as an admin].

And, of course, if the fact that it works locally is just "luck", I will need to know which SPs/tables to grant access to. My guess would be all 3 SPs and not the table, but it would be good (again) to see some documentation that makes this explicit.

+2  A: 

Are you providing ELMAH with a full connectionstring in the web.config? If so, you should know exactly what db user to grant permissions to, right? And yes, permission would be to execute the three ELMAH stored procedures...

Here's a configuration that I've used:

<elmah>
    <errorLog type="Elmah.SqlErrorLog, Elmah" connectionStringName="elmah" />
</elmah>

<connectionStrings>
    <add name="elmah" connectionString="Data Source=XXX;Initial Catalog=XXX;User Id=XXX;Password=XXX;" providerName="System.Data.SqlClient" />
</connectionStrings>
Eric King
@Eric: I'm using a trusted connection, so the user actually varies depending on which machine it's running on. If I have to grant explicit permissions, then fine, I can do that. Thanks for confirming that it's just those 3 SPs. To insulate myself from which user it is, I'll create a database role, and make sure that the appropriate user (probably NETWORK SERVICE) is a member of the role. It's a shame that ELMAH doesn't create the roles as part of the setup (like the ASP.NET Membership provider for SQL Server does, for example). It's also a pity that they don't mention the need to do this!
Gary McGill