Giving Application Pools Event Log Access

Giving Application Pools Event Log Access

Overview

When the database becomes inaccessible, Secret Server will try to log errors to the Windows event log. By default, network service and standard service accounts will not have permissions to the event log. Permissions must be added to specific event log registry keys.

Required Registry Permissions

The follow permissions are required for the identity configured on the SS application pool in IIS:

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > EventLog

Applies to key and subkeys

  • Read permissions:

    • Query Value
    • Enumerate Subkeys
    • Notify
    • Read Control

  • Set Value permission

  • Create Subkey permission

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > EventLog > Security

Applies to key and subkeys

Read permissions:

  • Query Value
  • Enumerate Subkeys
  • Notify
  • Read Control

Applying Windows Event Log Permissions

  1. Determine the account that is running SS:

    1. Log on SS.

    2. Go to Admin > Diagnostics.

    3. Look for any of the Thread Identity labels. These contain the identity of SS (often NT AUTHORITY\NETWORK SERVICE or IIS APPPOOL\SecretServer or the service account set up for IWA. See Running the IIS Application Pool As a Service Account.

      Note: You can also determine the identity by logging in and navigating to http://yoursecretserverurl/Installer.aspx. The first step of this page will tells you the application pool identity.

  2. Open the Windows registry editor on the machine running SS (regedit at the command prompt or Window search text box).

  3. On the left, navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > EventLog.

  4. Right click the EventLog folder in your registry editor and select Permissions. A permissions dialog box appears.

  5. Click the Advanced button.

  6. On the Permissions tab, Click the Add button. A Permission Entry dialog appears.

  7. Click the Select a principal link. The Select User, Computer… dialog box appears.

  8. Find the account running SS, such as Thycotic_Service (svc_thycotic@test.com).

  9. Click the OK button. The dialog box closes.

  10. In the Basic Permissions section of the Permission Entry dialog, click to select the Read check box.

  11. Click the Show advanced permissions link. The pane switches.

  12. Click to select the Set Value and Create Subkey check boxes in the Advanced Permissions section.

  13. Click OK buttons on the remaining dialogs to apply the permissions. You are returned to the main registry editor window.

  14. Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > EventLog > Security, right-click and select “Permissions…“

  15. Right click Security folder and select Permissions. A permissions dialog box appears.

  16. Click the Add button.

  17. Find the account running SS.

  18. Click the OK button.

  19. Click to select the Read check box in the Allow column.

  20. Click the OK button to apply the permission.

 

作者:Chuck Lu    GitHub
posted @   ChuckLu  阅读(216)  评论(0编辑  收藏  举报
编辑推荐:
· 记一次.NET内存居高不下排查解决与启示
· 探究高空视频全景AR技术的实现原理
· 理解Rust引用及其生命周期标识(上)
· 浏览器原生「磁吸」效果!Anchor Positioning 锚点定位神器解析
· 没有源码,如何修改代码逻辑?
阅读排行:
· 全程不用写代码,我用AI程序员写了一个飞机大战
· DeepSeek 开源周回顾「GitHub 热点速览」
· MongoDB 8.0这个新功能碉堡了,比商业数据库还牛
· 记一次.NET内存居高不下排查解决与启示
· 白话解读 Dapr 1.15:你的「微服务管家」又秀新绝活了
历史上的今天:
2018-07-26 Can't remove netstandard folder from output path (.net standard)
2018-07-26 website项目的reference问题
2018-07-26 The type exists in both DLLs
2017-07-26 how to backup and restore database of SQL Server
点击右上角即可分享
微信分享提示