
    Set up user rights assignment for security log

    Overview

    • This feature logs detailed information about login/logout requests and responses to a database and/or the Windows Security Log.
    • Enabling a log option (database or Windows Security Log) requires two steps:
      • Enable a handler for the option.
      • Set up storage: create the database tables, or register Identify with the Windows Security Event Log.

    Log to database

    • Note: this option is enabled and set up correctly by default.
    • Enable the log-to-database handler in the WindsorAuditUserRequest.config file, which can be found in the Runtime folder:
    <components>
        <component id="CompositeAuditUserRequest" lifestyle="Singleton" service="Safewhere.IdentityProviderModel.IAuditUserRequest, Safewhere.IdentityProviderModel" type="Safewhere.IdentityProviderModel.CompositeAuditUserRequest, Safewhere.IdentityProviderModel">
            <parameters>
                <auditUserRequests>
                    <array>
                        <item>${SqlAuditUserRequest}</item>
                        <!-- Windows Security Event Log: needs to register GAD component first -->
                        <!--<item>${WindowsSecurityLogAuditUserRequest}</item>-->
                        <!-- In case both SqlAudit and WindowsSecurityAudit are disabled, NullAudit must be enabled -->
                        <!--<item>${NullAuditUserRequest}</item>-->
                    </array>
                </auditUserRequests>
            </parameters>
        </component>
        <component id="SqlAuditUserRequest" lifestyle="Singleton" service="Safewhere.IdentityProviderModel.IAuditUserRequest, Safewhere.IdentityProviderModel"
                   type="Safewhere.IdentityProvider.Audit.Sql.SqlAuditUserRequest, Safewhere.IdentityProvider.Audit.Sql"/>
        <!--<component id="WindowsSecurityLogAuditUserRequest" lifestyle="Singleton" service="Safewhere.IdentityProviderModel.IAuditUserRequest, Safewhere.IdentityProviderModel"
                   type="Safewhere.IdentityProvider.RuntimeModel.WindowsSecurityLogAuditUserRequest, Safewhere.IdentityProvider.RuntimeModel"/>-->
        <!-- In case both SqlAudit and WindowsSecurityAudit are disabled, NullAudit must be enabled -->
        <!--<component id="NullAuditUserRequest" lifestyle="Singleton" service="Safewhere.IdentityProviderModel.IAuditUserRequest, Safewhere.IdentityProviderModel"
                   type="Safewhere.IdentityProviderModel.NullAuditUserRequest, Safewhere.IdentityProviderModel"/>-->
    </components>
    
    • Make sure that the SqlAuditUserRequest element is uncommented.
    • The default log destination is the AuditUserRequest table in the IdentifyAudit database, which is specified by the following key in web.config:
    <add name="IdentifyProviderUserRequestSecurityAudit" connectionString="Server=localhost; Database=IdentifyAudit; uid=sa; pwd=x;"/>
    
    • Although the key points to the IdentifyAudit database by default, the same as the IdentityProviderAudit key, having a separate key allows a database other than IdentifyAudit to be used for storing audit data. The destination database must have two tables: Audit and AuditUserRequest. A customer can run the provided script to create these tables.
    • Finally, restart Identify Runtime.
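    As an added example (not Safewhere's own code or documentation), the following PowerShell script reads the IdentifyProviderUserRequestSecurityAudit connection string from web.config and checks that the destination database contains the Audit and AuditUserRequest tables before Identify Runtime is restarted. The web.config path is an assumption; the connection-string name and table names are the ones given above.

```powershell
# Added example, not part of Safewhere's documentation or product code.
# Reads the IdentifyProviderUserRequestSecurityAudit connection string from
# web.config and checks that the destination database has the two tables
# the audit handler needs (Audit and AuditUserRequest).
param(
    # Assumed install path; point this at the Runtime web.config of your instance.
    [string]$WebConfigPath = 'C:\Program Files\Safewhere\Identify\Runtime\web.config',
    [string]$ConnectionStringName = 'IdentifyProviderUserRequestSecurityAudit'
)

$RequiredTables = @('Audit', 'AuditUserRequest')

function Get-AuditConnectionString {
    param([string]$Path, [string]$Name)
    [xml]$config = Get-Content -Path $Path -Raw
    $entry = @($config.configuration.connectionStrings.add) |
        Where-Object { $_.name -eq $Name }
    if (-not $entry) { throw "Connection string '$Name' not found in $Path" }
    return $entry.connectionString
}

function Test-AuditTables {
    param([string]$ConnectionString, [string[]]$Required)
    $connection = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $present = @()
    try {
        $connection.Open()
        $database = $connection.Database            # capture before the connection is disposed
        $command = $connection.CreateCommand()
        $command.CommandText = 'SELECT name FROM sys.tables'   # user tables in the current database
        $reader = $command.ExecuteReader()
        while ($reader.Read()) { $present += $reader.GetString(0) }
        $reader.Close()
    }
    finally {
        $connection.Dispose()
    }
    $missing = @($Required | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        Database = $database
        Present  = @($Required | Where-Object { $present -contains $_ })
        Missing  = $missing
        Ok       = ($missing.Count -eq 0)
    }
}

$cs = Get-AuditConnectionString -Path $WebConfigPath -Name $ConnectionStringName
$result = Test-AuditTables -ConnectionString $cs -Required $RequiredTables
$result | Format-List
if (-not $result.Ok) {
    Write-Warning "Missing table(s): $($result.Missing -join ', '). Run the provided table-creation script, then restart Identify Runtime."
}
```

    Run it on the Identify server after editing the connection string; a non-empty Missing list means the provided table-creation script has not been run against the database the key points to.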

    Log to Windows Security Log

    • To enable the handler for this option, uncomment the WindowsSecurityLogAuditUserRequest item and the corresponding component in the config file above.
    • See the following link on enabling logging to the Security log for custom applications: http://msdn.microsoft.com/en-us/magazine/cc163718.aspx
      1. Run the secpol.msc Microsoft Management Console (MMC) snap-in.
      2. Select Local Policies, then Audit Policy > Audit Object Access.
      3. Right-click and check Success & Failure.
      4. If Identify's application pool runs under a domain user account, make sure the account is added to the list of users who have permission to generate security audit events (Local Policies > User Rights Assignment > Generate security audits).
    • For testing purposes, where Identify is installed on a domain controller (DC):
      1. Administrative Tools > Group Policy Management: select the policy to edit.
      2. Add the application pool user account to the list of accounts allowed to generate security audit events, as above.
    • On a dev machine, open a Visual Studio command prompt, go to the Tools folder and execute "IdentifySecurityLoggingMessage - register.bat" to register a logging component with the Windows Security Log.
    • On a production server:
      • Start cmd as Administrator.
      • From version 3.3.113, go to C:\Program Files\Safewhere\Identify\Tools and execute the "IdentifySecurityLoggingMessage - register.bat" file. For versions earlier than 3.3.113, download and execute this file instead: identifysecurityloggingmessage_-register-register_dll_only-_can_be_used_for_production_servers.bat.zip. The older version does not ask for the tenant name.
      • When the .bat file is executed, input the tenant name.
    • Important notes:
      • Do not open any Event Viewer windows while doing the registration.
      • Restart IIS after finishing the registration. The registration script also contains a command to restart IIS.
      • To view logged events:
        • For a tenant whose version is earlier than 3.3.113, right-click the Security log → Filter Current Log → check Identify in the Event sources drop-down list.
        • For a tenant whose version is 3.3.113 or later, right-click the Security log → Filter Current Log → check Identify with its tenant name in the Event sources drop-down list.
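    As an added example (not Safewhere's own code or documentation), the following PowerShell script checks the two prerequisites from the steps above on the Identify server, the Audit Object Access policy and the "Generate security audits" user right (SeAuditPrivilege) for the application pool account, and then lists the Identify events from the Security log, which is the scripted equivalent of the Event Viewer filter described above. The account name is an assumption, and the script assumes that the tenant-specific event source used from 3.3.113 also begins with "Identify".

```powershell
# Added example, not part of Safewhere's documentation or product code.
# Checks the two prerequisites from the steps above (Audit Object Access
# policy and the "Generate security audits" user right for the application
# pool account) and lists the Identify events in the Security log.
# Run from an elevated PowerShell prompt; reading the Security log requires it.
param(
    [string]$AppPoolAccount = 'CONTOSO\svc-identify',   # assumed: the application pool identity
    [string]$SourcePrefix   = 'Identify'                 # source is "Identify" (pre-3.3.113) or Identify plus tenant name (assumed prefix)
)

function Test-ObjectAccessAuditing {
    # auditpol prints one indented row per Object Access subcategory with its
    # current setting; the steps above require "Success and Failure".
    # Output is localized, so the match below assumes an English system.
    $lines = auditpol /get /category:"Object Access" 2>&1
    $rows  = @($lines | Where-Object { $_ -match '^\s{2,}\S' })
    [pscustomobject]@{
        Subcategories     = $rows.Count
        SuccessAndFailure = @($rows | Where-Object { $_ -match 'Success and Failure' }).Count
        Rows              = $rows
    }
}

function Test-GenerateSecurityAuditsRight {
    param([string]$Account)
    # secedit exports [Privilege Rights] with SIDs, e.g.
    #   SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    # SeAuditPrivilege is the "Generate security audits" user right.
    # On a domain controller the effective value comes from Group Policy, as noted above.
    $exportPath = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $exportPath | Where-Object { $_ -like 'SeAuditPrivilege*' }
    Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
    $holders = @()
    if ($line) {
        $holders = @((($line -split '=', 2)[1]).Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    [pscustomobject]@{
        Account  = $Account
        Sid      = $sid
        HasRight = ($holders -contains $sid)
        Holders  = $holders
    }
}

function Get-IdentifySecurityEvents {
    param([string]$Prefix, [int]$Newest = 50, [int]$Scan = 5000)
    # Equivalent of Event Viewer > Filter Current Log > Event sources: Identify*.
    # The source name is filtered client-side so both the plain "Identify" source
    # and the tenant-specific sources used from 3.3.113 are matched.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security' } -MaxEvents $Scan -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like "$Prefix*" } |
        Select-Object -First $Newest TimeCreated, Id, ProviderName, Message
}

Test-ObjectAccessAuditing | Format-List
Test-GenerateSecurityAuditsRight -Account $AppPoolAccount | Format-List
Get-IdentifySecurityEvents -Prefix $SourcePrefix | Format-Table -AutoSize -Wrap
```

    If HasRight is false for the application pool account, Identify can be registered as a source but its audit events will not be written; fix the user right (or the GPO on a domain controller) and restart IIS before checking the log again.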

    Disable logging

    • Sometimes one may want to disable logging. The required steps are:
      • Comment out both WindowsSecurityLogAuditUserRequest and SqlAuditUserRequest.
      • Enable NullAuditUserRequest.
    • Hopefully we can eliminate the need to enable NullAuditUserRequest when we upgrade Identify to a newer version of Castle Windsor.