Umbraco, ELMAH (with SQL CE 4.0) and authentication

So this is the second blogpost I’m writing about Umbraco, ELMAH and authentication.
My previous blogpost wasn’t really good, because with forms-authentication authenticated members could also access elmah, which is not the way to go. So I’ve dropped MADAM.

This time I’ve managed to get both forms-authentication for umbraco and basic/windows-authentication for ELMAH. The trick is to create a subfolder called ‘elmah’, which we’ll convert to an application and enable basic/windows-authenticatioin for this app.
This is kind of tricky, because all web.config configurations will be inherited by the web.config for any sub-application. Also ELMAH filters the errors in the database based on the current Application string property, for example “/LM/W3SVC/24/ROOT”, but if you configure the elmah.axd handler in a sub-application, the application for the handler will be “/LM/W3SVC/24/ROOT/elmah” and you won’t see any logged errors of the main application.

To overcome this I had to make changes to ELMAH’s source code. I’ve cloned the Mercurial repo and changed some files. This way it’ll be easy to keep it up-to-date without losing my changes. There’s one extra thing I’ve changed; I’ve disabled logging the current user’s password, because of privacy reasons.

A step-by-step guide to get ELMAH and umbraco to play nicely side-by-side:

  1. Download this zipfile (which contains 3 other zip files)
  2. Unzip the file ‘1.‘ in the root of your project and include the whole folder in Visual Studio (so it’ll get deployed with WebDeploy)
  3. Unzip the file ‘2. elmah‘ somewhere in your project, where all third party assemblies reside and optionally add a reference in Visual Studio (if you’d like to use Error Signalling and if you’re using something like WebDeploy)
  4. Unzip the file ‘3. sqlce‘ in the root of your project and include both folders in Visual Studio. Inside VS select all files underneath the AMD64 and X86 folders and go to their properties. Set ‘Build action’ to ‘None’ and ‘Copy to Output Directory’ to ‘Copy if newer’ (screenshot below)
  5. Add the following to your web.config:
    <remove invariant=”System.Data.SqlServerCe.4.0″ />
    <add name=”Microsoft SQL Server Compact Data Provider 4.0″ invariant=”System.Data.SqlServerCe.4.0″ description=”.NET Framework Data Provider for Microsoft SQL Server Compact” type=”System.Data.SqlServerCe.SqlCeProviderFactory, System.Data.SqlServerCe, Version=, Culture=neutral, PublicKeyToken=89845dcd8080cc91″ />
  6. Add the following to your web.config (inside the runtimeassemblyBinding element):
    <assemblyIdentity name=”System.Data.SqlServerCe” publicKeyToken=”89845dcd8080cc91″ culture=”neutral” />
    <bindingRedirect oldVersion=”″ newVersion=”″ />
  7. If you were using ELMAH already in your project, remove any elmah.axd handlers in your web.config
  8. If you’ve registered none-umbraco httpModules, please add them to the removal list in ~elmahweb.config so they won’t be loaded for the ELMAH sub-application
  9. Open IIS Manager and navigate to your website underneath ‘Sites’. Expand you site so you’ll see the directories underneath it and right-click the ‘elmah’ folders and select ‘Convert to Application’ and select the AppPool your site is running in
  10. Next make sure this newly created sub-application is selected in the tree and open up ‘Authentication’. Enable ‘Basic Authentication’ and you’re ready to start logging and reading errors!

The ELMAH page can be accessed by navigating to ‘/elmah/’ or just ‘/elmah/elmah.axd’.
The SQL CE error log database will be stored in ‘~/App_Data/’. You could monitor the size of this file as it will grow to max 1024MB.

11 Replies to “Umbraco, ELMAH (with SQL CE 4.0) and authentication”

  1. Pingback: Umbraco, ELMAH, MADAM and authentication | kipusoep's tech blog

  2. Hi

    Very nice work! But it just doesn’t seems quite right to miss out on using NuGet to get updates on Elmah. What is the possibility to create a NuGet package “Elmah for Umbraco” – that would be really cool 🙂

    But great to see the Umbraco community embracing Elmah! It is a fantastic tool.

    Best regards

  3. Hi Emil,

    I know, but I keep monitoring ELMAH for new releases and update my custom assembly as soon as there is a new release.
    I’ve never created a NuGet package before. Also this is not really an umbraco related modification… So naming it Elmah for Umbraco isn’t the right name anyway 😉

    I’ll post a new blogpost for each new release, so if you’re using this solution and want to keep yourself up-to-date just add my blog’s RSS feed to a RSS reader 🙂


  4. Your right about the naming – but I think you know what I mean 🙂

    I’m still considering the best approach to add proper authentication to Elmah – at the moment we just log on to the production machine, and access Elmah from localhost.

    I have subscribed to your RSS feed, so let’s see what happens.

    Best regards

  5. Well that’s one option. I’d like to receive RSS notifications from ELMAH for all our websites, so I need to have Basic Authentication working 🙂

  6. You should not have to modify the ELMAH sources for your ELMAH-as-a-sub-app scenario. All ErrorLog implementations like `SqlServerCompactErrorLog` that filter on the application name support a configuration attribute called `applicationName` that you can set explicitly. If none is supplied, ELMAH tries to guess or infer a reasonable one and which is why you are getting something along the lines of `/LM/W3SVC/24/ROOT/elmah`. So you could so configure away as follows:

    I’m not familiar with Umbraco but if it is plugging into the standard .NET user authorization model ([which it seems it does][1]) then you could also restict access to a particular URL by a user’s role membership. Check out the “[Understanding Role Management][2]” topic on MSDN for more on this and which does not even

    For more advanced and dynamic scenarios, ELMAH also supports custom request authorization that can also be coded up and configured orthogonally to a web application. Check out the thread “[Implementing more advanced authorization rules for web-based ELMAH error log Options][3]” in ELMAH’s discussion group for details.

    I guess what I’m trying to point out in so many words 🙂 is that there are lots options out there before you should need to fork and maintain a separate code base. There’s nothing inherently wrong with that, but as [Emil Rasmussen][4] pointed out, you lose the benefits of just relying on NuGet packages and standard releases. And BTW, [ELMAH recently switched to Mecurial][5], which is what you seem to have cloned. That repository, however, is major work (or re-work) in progress on version 2.0 and therefore risks being unstable (unless you want to be on the bleeding edge and I’d welcome the testing). All the 1.x code is still there in [the Subversion repository][6]. If you find that you still need to maintain a private fork for Umbraco and would work on something rather stable, I would recommend building on top of the latest official release (1.2 SP1 at the time of writing), which can be found in the [RB-1.2 branch][7]. You can also [download a snapshot of the sources][8] without going through the Subversion repository. There is currently no plan to make any further enhancements to 1.2.


  7. Wow, great comment Atif.
    Didn’t know I was working with version 2.0, which isn’t finished. I thought I was working with 1.2 SP1 😛
    Anyway, I saw the config key applicationName, problem is; I’d like it to be automatically generated on a application base, like it is now.
    Else we would have to alter that config property for every website we build, right?

    As for the advanced authorization module[3]; the problem is just that .NET doesn’t support multiple authentication modes in one application. And as far as I can tell, that’s still a no-go with the authorization module, or is it?

  8. The applicaton name is really only there for isolation purposes when you’re *sharing* the same back-end store for several applications. However, if every deployment is going to have a private SQL Server Compact database file and only one application’s errors will ever be logged there then using a fixed applicaton name shouldn’t really be an issue.

    Authorization is based on user or role membership regardless of how the user was authenticated any you’re already using multiple authentication schemes by having forms and Basic in your solution using [MADAM][1].


  9. Awesome, I will have a go with the original ELMAH, static application name (config) and MADAM/custom authorization.
    Thanks and when succeeded, I’ll blog again based on your advice and my actions taken 🙂

  10. Pingback: Umbraco, ELMAH (with SQL CE 4.0) and authentication – part 2 | kipusoep's tech blog

  11. You should never configure Elmah to be publically accessible , at least not without some kind of authentication. One solution is to aggregate the RSS feeds for each error log and expose the aggregate feed (it would need to be protected of course). Currently this isn’t that easy to do since Elmah produces RSS 0.91 feeds (not supported by the System.ServiceModel.Syndication classes in .NET). I have however sent a pull request to the Elmah project that adds support for RSS 2.0 so hopefully this will get added soon.

Leave a Reply

Your email address will not be published. Required fields are marked *