Custom authorization with ELMAH and ASP.NET Identity Framework

If you’re using any of the most recent ASP.NET MVC 5 project templates with authentication and authorization built in, then you’re probably using the ASP.NET Identity Framework. With any ASP.NET project, it’s smart to add references to the ELMAH library just in case any unhandled exceptions occur. You can use both of these libraries together to restrict access to the remote ELMAH page with custom authorization.

First, install the Elmah.MVC package from NuGet. This should download the correct libraries and add the necessary lines to your web.config.

<add key="elmah.mvc.requiresAuthentication" value="true" />
<add key="elmah.mvc.allowedRoles" value="*" />
<add key="elmah.mvc.allowedUsers" value="your_user_name" />

Substitute the “your_user_name” entry with your own username that you’ve setup in the ASP.NET Identity Framework backend. For example, the AspNetUsers table in SQL Server contains your usernames. It appears that ELMAH does get the authentication information from the current thread principal, which the ASP.NET Identity Framework will establish on your behalf upon login.

Add a comment

Your email address will not be published.


  1. In fact Elmah.MVC uses a combination of the IsAuthenticated flag and the principel on the HTTP context to decide if the user is allowed or not. ASP.NET sets the principel on the thread as well, but you would need to set both the IsAuthenticated as well as the HTTP context identity, if you would need to implement this manually.

    For details, check out the code here:

    With that said, pretty much every identity framework for .NET works this way: ASP.NET Membership provider, ASP.NET Identity etc.