I am trying to write to the Windows event log from ASP.net. The application pool runs under a domain account, not with a network service.
Everything works for me on my development environment, but there is a catch. Since the application pool works as a domain account, I had to add (A;;0x0002;;;AU) to the Application\CustomSD registry entry to allow authenticated users access to the event log. This is good in my development box, but verboten on a production server. (There is no registry setting, they say. Find another way.)
From what I learned, the default event log on Windows Server 2k3 SP2 only allows logins with the LOGON32_LOGON_INTERACTIVE, LOGON32_LOGON_BATCH or LOGON32_LOGON_SERVICE set in their user sessions.
Is there a way to add one of these flags to my application pool account? IIS does not set flags when starting the application pool. I have considered using LogonUser to create a temporary security context with the correct flags, but this requires storing the password somewhere, and I want to avoid this if possible.
Any ideas on how to enable IIS to write to the event log using a custom application pool account without modifying the registry on Windows Server 2k3 SP2?
EDIT: I cannot add the application pool account to the local administrators group either due to security restrictions.
Resources
Using software impersonation from an ASP.NET page
Allow issued accounts to write to own event log
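Added illustration, not part of the question above: a small Python decoder for the CustomSD descriptor format that lists which trustees an event log DACL grants write access. It runs over a constructed descriptor approximating the Server 2003 Application-log default (the interactive, service and batch logon ACEs the question refers to) and shows how broad the (A;;0x0002;;;AU) ACE is compared with an ACE for one specific account SID (the SID used here is a constructed placeholder).

```python
import re

# Event log access-mask bits (ELF_LOGFILE_READ / WRITE / CLEAR).
ELF_READ, ELF_WRITE, ELF_CLEAR = 0x0001, 0x0002, 0x0004

# Well-known SDDL trustee abbreviations that appear in event log descriptors.
TRUSTEES = {
    "AN": "Anonymous", "BG": "Builtin Guests", "SY": "Local System",
    "BA": "Builtin Administrators", "SO": "Server Operators",
    "IU": "Interactive logon users", "SU": "Service logon users",
    "S-1-5-3": "Batch logon users", "AU": "Authenticated Users",
}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(
    r"\((?P<type>[AD]);(?P<flags>[^;]*);(?P<mask>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)"
)

def parse_aces(sddl):
    """Return (ace_type, access_mask, trustee) tuples from the DACL part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    aces = []
    for m in ACE_RE.finditer(dacl):
        mask = m.group("mask")
        if not mask.lower().startswith("0x"):
            raise ValueError(f"only hex access masks are handled here: {mask}")
        aces.append((m.group("type"), int(mask, 16), m.group("sid")))
    return aces

def writers(sddl):
    """Trustees granted ELF_LOGFILE_WRITE that are not explicitly denied it."""
    aces = parse_aces(sddl)
    denied = {sid for typ, mask, sid in aces if typ == "D" and mask & ELF_WRITE}
    return [TRUSTEES.get(sid, sid) for typ, mask, sid in aces
            if typ == "A" and mask & ELF_WRITE and sid not in denied]

# Constructed descriptor approximating the Server 2003 Application log default:
# denies Anonymous and Guests, full access for System, read/write/clear for
# Administrators and Server Operators, read/write for interactive, service and
# batch logon sessions (IU, SU, S-1-5-3).
DEFAULT_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
              "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")
# The ACE from the question: write access for every authenticated user.
AU_ACE = "(A;;0x0002;;;AU)"
# Narrower alternative: write access for one account SID only (placeholder SID).
NARROW_ACE = "(A;;0x0002;;;S-1-5-21-0-0-0-1001)"

if __name__ == "__main__":
    print("default:", writers(DEFAULT_SD))
    print("with AU:", writers(DEFAULT_SD + AU_ACE))
    print("narrow :", writers(DEFAULT_SD + NARROW_ACE))
```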