I have seen a few people have problems with the Instrumentation in Enterprise Library… you know that dreaded “can’t create instance of performance counter …”.  Here is hopefully a step by step approach to help you guys out.

Here is a question from a discussion alias :

Hi all,

a strange behavior was appeared on my web app based on EntLib. Every time DAAB was used to call store procedures the processing hanged and blocked IIS until working process was restarted.

Environment was W2K3 SP1, .Net 1.1 SP1, EntLib 1.1 + 1475 patch. Using entlib symbols I noted that code hangs on

currentInstanceName = Process.GetCurrentProcess().ProcessName;

instruction (Common/Instrumentation/PerformanceCounterInstances.cs line 84 ).

Just before hanging, entlib traced on event log “Failed to create instances of performance counter 'Client: # of Logs Written/Sec'” error message. I tried to run again installservice.bat and installutil manually on entlib assemblies but nothing changed neither the error nor hanging.

Does anyone have experienced on this problem? How could I check counters installation?

  • The privilege should be granted to the app pool user account (not the iis user account).
  • This should only be necessary if the app pool is not running under the Network Service account but rather a custom account

 

Below is a check list we have used on a project that used earlier versions of App Blocks (pre EntLib), for which we created a Domain\UserName for the App Pool, intended to be similar to the built in Network Service account.

 

I believe that these configurations still apply for EntLib (and will gladly appreciate any feedback on this matter J)

 

 

On Domain Controler, use Active Directory Users app to set the following account settings:

 

 

On each machine on which the account is used for an App Pool:

 

  1. Log on as an Administrator
  2. Start | Control Panel | Administrative Tools | Local Security Policy | Local Policies | User Rights Assignment
    1. Apply the following rights to the user account

·         Access this computer from the network

·         Adjust Memory Quotas For Process

·         Deny logon locally (disallow interactive logon – we didn’t need it)

·         Log on as a batch job (not needed since already attributed to IIS_WPG machine group)

·         Log on as a service

·         Replace a Process Level Token (held by the built-inL Network Service Account)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx

 

  1. Do as Tom mentioned:
    1. My Computer | Right Click | Manage
    2. Select Local Users & Groups | Groups

·         IIS_WPG | Add | Domain\UserName

·         Performance Log Users | Add | Domain\UserName

 

  1. Windows Explorer
    1. As per Building Secure ASP.NET applications & Threats & Counter Measures, Attribute file system privileges to Domain\UserName. Strikethrough entries correspond to recommended action from Patterns & Practices, as explained on Notes column

Path

Properties | Security privileges attributed to Domain_name\AppPool_UserName

Notes

%windir%\temp

List/Read Data + Delete

These are the same as the ones attributed to Network Service. Built in account. Building Secure ASP.NET book mentions different privileges.

Application Folder

Read, Write, Delete

 

Web Site Root Folder

Read

Web Site Root Folder may be distinct than C:\INETPUB. Not needed since already attributed to IIS_WPG

%windir%\system32

Read

 

%windir%\assembly

Read

Although mentioned on online content, this directory does not have associated Security Settings. Thus not doable.

%windir%\Microsoft.Net\Framework\ v1.1.4322

Read

Not needed since already attributed to IIS_WPG

%windir%\Microsoft.NET\Framework\ v1.1.4322\Temporary ASP.NET Files

Full Control

Not needed since already attributed to IIS_WPG

Parent Directories of Context

Now playing: Guns N' Roses - Welcome to the Jungle