How do I secure Elmah on ASP.Net MVC 4 with Windows Integrated Security : Elmah ignores my settings

I've added elmah to an mvc 4 application. Logging is working and now I am trying to configure security but elmah is not picking up the settings and the logs remain visible by all users.

This is an intranet app and as such we are using windows integrated secuirty. I am trying to restrict access so that only members of the domain\log_readers ad group can read the logs.

I've read the setup guide here: and I've also read several posts on SO and other formums which has led me to add the roleManager and WindowsRoleProvider configuration, all to no avail.

Here are the elmah parts of my web.config:

    See for 
    more information on remote access and securing ELMAH.
<security allowRemoteAccess="true" />
<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/Logs" />  
<location path="elmah.axd" inheritInChildApplications="false">
  <authentication mode="Windows" />

  <roleManager defaultProvider="WindowsProvider"
      enabled="true" cacheRolesInCookie="false">
        type="System.Web.Security.WindowsTokenRoleProvider" />
    <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
    See for 
    more information on using ASP.NET authorization securing ELMAH.
    <allow roles="domain\log_readers"/>
    <deny users="*" />

    <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />

I have also tried a complete lock down by setting my autorisation config to deny everyone

<deny users="*" />

and also

<deny users="?" />

The logs remain open to everyone.

I suspect the problem may be with the location. I've made no changes to the elmah location. It is accessed from default location (http://server/myapp/elmah)


If you use Elmah.Mvc they have quite fine grained security settings. You can easily secure the elmah page to only be available to logged in users in the Admin group for instance.

Elmah.Mvc supports the following items in <appSettings>

    <!-- ELMAH configuration. Admin page only available for logged in users in 
         the Admin role. -->
    <add key="elmah.mvc.disableHandler" value="false" />
    <add key="elmah.mvc.disableHandleErrorFilter" value="false" />
    <add key="elmah.mvc.requiresAuthentication" value="true" />
    <add key="elmah.mvc.allowedRoles" value="Admin" />
    <add key="elmah.mvc.route" value="elmah" />

The keys of interest are elmah.mvc.requiresAuthentication which switches on the user needing to be logged in. And elmah.mvc.allowedRoles which specifies which role the user must be in.

You can install Elmah.Mvc from nuget.

The above answer worked great, once I found out how to determine the Role when using Windows Authentication:

Open a command window and enter the following command:

cmd /k net user <user> /Domain

For <user>, substitute your user name. The command will list the groups you belong to.

The instructions came from "How to Create an Intranet Site Using ASP.NET MVC" at

Need Your Help

Does SQL Server allow constraint violations in a transaction as long as it's not committed yet?

sql sql-server transactions constraints

Does SQL Server allow constraint violations (i.e. deferred constraints) in a transaction as long as the transaction has not been committed yet?

How to determine whether a file is still being transferred via ftp

php ftp

I have a directory with files that need processing in a batch with PHP. The files are copied on the server via FTP. Some of the files are very big and take a long time to copy. How can I determine ...