Overview
Parameter:FALLBACKIMPERSONATION
Category: Logging
Default value: 1
Product: eTASK.Other (Logging)
What does this parameter do?
This parameter controls whether Windows impersonation is disabled when writing log entries. Impersonation means that the system temporarily acts under the identity of another user. When fallback is enabled, the identity of the application pool is used for logging, not that of the logged-in user.
What is this parameter used for?
Resolving permission issues when writing log files
Ensuring that logs can be written even with restricted user permissions
Preventing logging errors in environments with complex permission structures
Standardizing the logging identity at the application pool level
Technical Details (for Administrators)
Format: Integer / Boolean
Default value: 1
Valid values:
0= Impersonation enabled for logging (logs are written under user identity)1= Impersonation disabled during logging (logs are written under application pool identity)
Important notes:
If the value is
1, all log entries are written with the application pool's permissionsIf the value is
0permission issues may arise if users do not have write permissions to log directoriesThis parameter applies exclusively to the logging system, not to other system functions
The default value
1is optimal for most installations
When should you change this value?
Set the value to 0 (enable impersonation) if:
Log entries are to be written under the identity of the logged-in user
Detailed traceability at the user level is required
All users are guaranteed write permissions to log directories
Special compliance requirements demand it
Leave the value set to 1 (impersonation disabled) if:
The default logging configuration is used
Users may not have write permissions to log directories
Logging errors should be avoided
A central identity is desired for all logging operations
Important Notes
Avoiding Permission
Issues The default value1prevents permission issues, since the application pool typically has write permissions for log directories.No effect on log contents
The parameter does not change what information is logged, but only under which identity the log files are written.Windows Impersonation
Impersonation is a Windows mechanism in which a process temporarily runs under the identity of another user. This only affects file system operations during logging.Troubleshooting
If logging errors occur or log entries are missing, this parameter should first be set to1before adjusting file system permissions.
Security
Does changing this parameter affect security?
No, this parameter has no direct impact on security.
Practical Example
Initial situation:
A company has set FALLBACKIMPERSONATION to 0 . Users with limited Windows privileges can log in, but no log entries are written for their actions because they do not have write permissions to the log directory. Errors remain unlogged.
Configuration:
The administrator changes FALLBACKIMPERSONATION to 1.
After the change:
The system writes all log entries under the identity of the IIS application pool
The application pool has write permissions to the log directory
Actions by users without file system permissions are also logged correctly
Logging errors disappear
Error analysis is once again fully possible
Result:
Stable and complete logging for all users, regardless of their Windows file system permissions.
Recommended setting
For standard installations:1(Impersonation disabled)
Reason:
Prevents permission issues during logging
Ensures that all log entries are written
Simplifies the administration of file system permissions
Complies with best practices for IIS applications
Exceptions (very rare):
Value
0Only if it is explicitly required that logs be written under user identityIn this case, ensure that all users have write permissions to log directories
Tip: Leave this parameter at its default value
1unless you have specific requirements. If you encounter logging issues, this is one of the first parameters you should check.