How do I secure Elmah on ASP.Net MVC 4 with Windows Integrated Security : Elmah ignores my settings

If you use Elmah.Mvc they have quite fine grained security settings. You can easily secure the elmah page to only be available to logged in users in the Admin group for instance.

Elmah.Mvc supports the following items in <appSettings>

<appSettings>    <!-- ELMAH configuration. Admin page only available for logged in users in          the Admin role. -->    <add key="elmah.mvc.disableHandler" value="false" />    <add key="elmah.mvc.disableHandleErrorFilter" value="false" />    <add key="elmah.mvc.requiresAuthentication" value="true" />    <add key="elmah.mvc.allowedRoles" value="Admin" />    <add key="elmah.mvc.route" value="elmah" /></appSettings>

The keys of interest are elmah.mvc.requiresAuthentication which switches on the user needing to be logged in. And elmah.mvc.allowedRoles which specifies which role the user must be in.

You can install Elmah.Mvc from nuget.

The above answer worked great, once I found out how to determine the Role when using Windows Authentication:

Open a command window and enter the following command:

cmd /k net user <user> /Domain

For <user>, substitute your user name. The command will list the groups you belong to.

The instructions came from "How to Create an Intranet Site Using ASP.NET MVC" at http://msdn.microsoft.com/en-us/library/gg703322(VS.98).aspx