10

We're having trouble migrating our ASP.NET applications to Windows Server 2008 R2 x64 and IIS7.5. The problem is that our ASP.NET apps write log files, and these log files are not being written. The only way the apps write their log files is if I'm logged into the server as the local Administrator user or if I right click and run IE as Run as Administrator, neither of which is an acceptable solution for us.

Our platform is:

  • Windows Server 2008 R2 x64 (UAC setting is the default setting)
  • IIS7.5
  • ASP.NET 4.0 (using Windows authentication and impersonation, both on in web.config)

Our app gets installed to:

  • D:\[appname]
  • \[appnameWebSite] (all the .aspx, .dll, etc. files are in here)
  • \Log (the app tries to write the log file to this folder)

On the server:

  • Created new App Pool (name: [appname], .NET 4.0, Managed Pipeline Mode: Classic, Identity: ApplicationPoolIdentity, Load User Profile: False, all other properties are the defaults)
  • Created IIS application pointing to D:\[appname]\[appnameWebSite] and added it to the new App Pool (Full trust level)
  • Have a domain user in local Administrators group

With all the configuration and default settings listed above, the ASP.NET app will not write the log file. The app appears to work fine in the browser, but no log.txt file.

To try to "fix" this issue, we've tried many things:

  • Tried Application Pool setting: Managed Pipeline Mode: Integrated
  • Tried Application Pool setting: Identity: NetworkService
  • Tried Application Pool setting: Identity: LocalSystem
  • Tried Application Pool setting: Load User Profile: True
  • Gave Users group full control to file system for our application folder structure (tried appname folder, tried Log folder only, tried appnameWebSite and Log folders only)
  • Gave IIS AppPool\[appname] (matching the new App Pool) user full control to file system for our application folder structure (tried appname folder, tried Log folder only, tried appnameWebSite and Log folders only)

None of these things helped. Again, the app would run fine, just no log file created.

As mentioned above, the only way that the log file is created when the app runs is if we log into the server using the local Administrator account (which makes sense since he's a super user) or if we run IE as administrator and elevate privileges.

Any suggestions? Help? Questions?

Thanks!

lmttag

4 Answers

9

I tried granting every permission possible and still wasn't getting any log files. Finally I came across this which suggested changing the ownership of my logfiles directory. I checked, and the directory ownership was set to SYSTEM. I changed it to Administrators and applied the change recursively. I bounced IIS, hit a webpage from the site in the browser, and now I have log files. Hooray!

Note: the thing that tipped me off was checking the System event log. I was getting 15006 errors saying "Owner of the log file or directory C:\inetpub\logfiles\W3SVC1\some.log is invalid. This could be because another user has already created the log file or the directory."

Oran Dennison
5

Well, after days of trying every IIS option, user and group accounts, file system permissions, Process Explorer, etc., I think we got it working:

  • We reset all our IIS app pool and web site settings to their default values
  • We also reset the folder/file system permissions on our Log folder to the default settings
  • Then we turned off Internet Explorer Enhanced Security Configuration on the server

And success! The log file is written as expected no matter what user is using the ASP.NET application, and no matter if they're running it on the server itself or from a workstation.

I don't know if turning off Internet Explorer Enhanced Security Configuration on the server is the "correct" thing to do or if it violates any best practices, but it seems to work for us.

Does anyone have anything to add?

Michael
lmttag
3

I struggled with this one for a while. The ApplicationPoolIdentity is a member of the Users group and the Users group has limited access.

From Explorer, right-click on the folder where you are trying to write and go to Security. Click the Advanced button. You will see that Users have Read and Execute permission and the Users group may or may not have Special permissions. If not, click on Change Permissions and give Users the ability to Create files / write data and Create folders / append data. This is restricted to this folder. I usually use a subfolder so that I do not provide write access to my whole website.

Try creating log files again. This is the only permission that I needed to set to make it work.

Leons
  • Thank you for the info. I've tried playing with file system permissions on the Log folder but still no luck. As I mentioned before, I have a domain user that is in the Administrators group on the server. I'm logging into the server as that domain user. I gave the local Users group full control (read, write, everything) to the Log folder in the file system (i.e., the Users group got full control to D:\appname\Log). Note the local Administrators group already has full read/write/modify control (inherited) to the file system Log folder. Still no log file being created. – lmttag May 13 '11 at 15:43
  • I gave the actual domain user full control (read, write, everything) to the Log folder in the file system (i.e., the domain user got full control to D:\appname\Log). Still no log file being created. I gave IIS AppPool\[appname] (matching the new App Pool) user full control (read, write, everything) to the Log folder in the file system (i.e., the IIS AppPool\[appname] user got full control to D:\appname\Log). Still no log file being created. – lmttag May 13 '11 at 15:43
  • I gave the local IIS_IUSRS group full control (read, write, everything) to the Log folder in the file system (i.e., the IIS_IUSRS group got full control to D:\appname\Log). Still no log file being created. None of these things helped. So, I've tried giving full file system control to all pertinent users and groups and still no log file. I'm thinking it can't be a file system permissions issue. – lmttag May 13 '11 at 15:43
  • Any suggestions? Help? Questions? Thanks! – lmttag May 13 '11 at 15:44
  • Wow - I will take a closer look at my configuration in case there is anything else that might provide a clue. It sounds like a security issue since it does work when you run as Administrator, but you gave all permissions to all users, so it should work. – Leons May 13 '11 at 17:04
  • I know, weird, right? Now here's an even more confusing twist. As mentioned above, I've tried logging into the server directly with all sorts of different file system permissions. But, since this is an ASP.NET app, I thought I'd try from a client workstation. I reset all the file system and IIS settings and permissions to the default settings as if I had just created the Log folder and the IIS web site. – lmttag May 13 '11 at 20:45
  • I logged into the client workstation (Win 7 Pro x-64) with a different domain user. The workstation's domain user is in the local Administrators group on the client workstation, and that same domain user is in the Administrators group on the server (to give us the Windows authentication and impersonation that our app requires). When I run the ASP.NET app from the client workstation, the log file is written without any problems on the server to the D:\appname\Log folder! This works as expected. – lmttag May 13 '11 at 20:45
  • So, now I'm really at a loss. Why, when logging in from a workstation, the log file is created but, when logging in on the server itself, the file is never created???? – lmttag May 13 '11 at 20:46
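
The permission change from Leons's answer above, scripted in PowerShell as an added example (it is not part of the original answer or thread). The folder path and the principal are assumptions taken from the thread; the two rights are the ones the answer names, granted on the log subfolder only rather than as full control.

```powershell
# Added example, not from the original answer.
# $LogDir and $Principal are assumptions; adjust to the real folder and account.
$LogDir    = 'D:\appname\Log'
$Principal = 'BUILTIN\Users'      # the group named in the answer

# GUI label "Create files / write data"     -> CreateFiles (same bit as WriteData)
# GUI label "Create folders / append data"  -> AppendData  (same bit as CreateDirectories)
$rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

# Apply to the folder and let new log files and subfolders inherit the same two rights.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, $rights, $inherit, $prop, 'Allow')

# Add the rule to the existing ACL instead of replacing the ACL.
$acl = Get-Acl -LiteralPath $LogDir
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $LogDir -AclObject $acl

# Show what the principal now holds on the folder, inherited and explicit.
(Get-Acl -LiteralPath $LogDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it from an elevated PowerShell session, since changing the ACL requires permission to modify it.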
0

For me the trick was giving write access for SYSTEM and Administrators not only to the log folder itself, but also every folder in the path. This is not how permissions usually work in Windows, but IIS appears to be really rather particular about it. Not that there is a good reason to remove these two from the ACLs to begin with.

If you suspect this to be the problem, check the Event Log under Windows Logs / System. This issue manifests itself as an Error entry from source HttpEvent, and reads "Unable to create log file C:\path\to\logs\W3SVC1\u_extend1.log. Make sure that the logging directory is correct and this computer has write access to that directory."

P.S. This is true for IIS 10 but may apply to other versions too.

Roman Starkov
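
A PowerShell check for the two conditions described in Oran Dennison's and Roman Starkov's answers (directory owner, and write access for SYSTEM and Administrators on every folder in the path), plus a query for the event log entries they mention. This is an added example, not code from the thread; the function name `Test-LogPathAcl` is hypothetical and the path passed to it is taken from the event message quoted in the first answer.

```powershell
# Added example, not from the original answers. Test-LogPathAcl is a hypothetical helper.
function Test-LogPathAcl {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Accounts = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $write       = [int][System.Security.AccessControl.FileSystemRights]::Write
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $dir = Get-Item -LiteralPath $Path
    while ($dir) {                       # walk from the log folder up to the drive root
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($account in $Accounts) {
            # Limitation: looks only at Allow ACEs that name the account directly and
            # apply to this folder; Deny ACEs and group membership are not evaluated.
            $allowed = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $account -and
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 -and
                ([int]$_.FileSystemRights -band $write) -eq $write
            }
            [pscustomobject]@{
                Folder   = $dir.FullName
                Owner    = $acl.Owner
                Account  = $account
                CanWrite = [bool]$allowed
            }
        }
        $dir = $dir.Parent               # $null once the drive root has been checked
    }
}

# Path taken from the event message quoted in the first answer; replace with the real log directory.
Test-LogPathAcl -Path 'C:\inetpub\logfiles' | Format-Table -AutoSize

# Event 15006 (invalid owner), as quoted in the first answer.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 15006 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message

# Error entries whose source contains "HttpEvent", as described in the last answer.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*HttpEvent*' } |
    Select-Object TimeCreated, Id, Message
```

Rows with `CanWrite` false, or an `Owner` other than the expected account, point at the folder level to fix; run the script elevated so `Get-Acl` can read every ACL in the path.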