From: TCurtin on
I have Server 2003 IIS 6.0

I am using Windows authentication for a web site hosted in IIS.
Anonymous Access is off.

The way IIS and IE are configured is so that the user gets a credentials
prompt when trying to get to the Web Resource. This is a requirement for me.
I also need the URL and IP in the Windows event log.

I have a WebFailureAuditEvent [in .NET] that logs the URL and IP of a failed
login. When I raise the event myself from the webpage I get the information
in the event logs as expected. The problem is I need this custom event to be
raised when the user enters the wrong credentials after trying to access the
web resource [they have not hit the WebPage yet]. What ends up in the event
log in that case is the standard Logon/Logoff event. This event gets raised
somehow by the .NET Framework on the machine.

I know that I can change health monitoring to use a custom audit event, but
they only get raised once the user actually hits the page after entering
correct credentials.

What I need is to replace whatever the default WebFailureAuditEvent is with
one that gets more info. Is this possible?


From: Ken Schaefer on
The .NET Framework is an ISAPI handler that gets invoked after the inbuilt
Windows and IIS event handling occurs. You can look up the failed login
events in the IIS log (or enable failed login auditing on your Windows
Server - it is off by default - to see this in the Windows event log).

Cheers
Ken

From: TCurtin on
I thought my post indicated that I am aware of the IIS and Windows login
audit options. What I was trying to ask is if I can modify those to include
additional information in the case where the Web page is not hit yet because
the user is not authenticated. What I need is the IP and the URL.

This info is in the IIS logs but not associated with a Windows logon/logoff
event in the security log.

Sorry for being unclear.
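
An added example, not part of the thread: since the IP and URL of a rejected logon are in the IIS log rather than the security log, this Python sketch reads a W3C extended log and returns the client IP and URL of each request that ended in a 401 with Win32 status 1326 (ERROR_LOGON_FAILURE). It assumes the `sc-substatus` and `sc-win32-status` fields are enabled in the site's logging properties; the log lines, addresses and URLs are constructed for illustration.

```python
from collections import Counter

ERROR_LOGON_FAILURE = "1326"  # Win32 code: unknown user name or bad password

# Constructed sample log (not from the thread). The first 401 is the normal
# challenge that starts Windows authentication, not a failed password.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2009-03-02 14:01:07 192.0.2.10 - GET /reports/default.aspx 401 2 2148074254
2009-03-02 14:01:09 192.0.2.10 - GET /reports/default.aspx 401 1 1326
2009-03-02 14:01:15 192.0.2.10 CORP\alice GET /reports/default.aspx 200 0 0
2009-03-02 14:03:41 198.51.100.7 - GET /admin/users.aspx 401 1 1326
"""


def failed_logons(lines):
    """Yield {'when', 'ip', 'url'} for each request rejected for bad credentials."""
    fields = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The #Fields directive can change mid-file; always use the latest one.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row, or data before any #Fields header
        row = dict(zip(fields, values))
        if (row.get("sc-status") == "401"
                and row.get("sc-win32-status") == ERROR_LOGON_FAILURE):
            yield {"when": f"{row.get('date')} {row.get('time')}",
                   "ip": row.get("c-ip"),
                   "url": row.get("cs-uri-stem")}


def failures_by_ip(lines):
    """Count bad-credential rejections per client IP."""
    return Counter(hit["ip"] for hit in failed_logons(lines))


if __name__ == "__main__":
    for hit in failed_logons(SAMPLE_LOG.splitlines()):
        print(hit["when"], hit["ip"], hit["url"])
```

The timestamps it returns can be lined up against the failed-logon entries in the security log to attach an IP and URL to each one.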