So, Daniel, first I would not be surprised if Adobe fails to test a reinstall of the auto lockdown tool with each update? Should they? Sure, if updates can somehow break it (which happened with the update that introduced the remote args problem, it seems).   But that was NOT your problem, as you'd added it. Are you saying this cfscripts error is misleading, and instead it was only about the password limit? And was that new with an update?   I realize you may not care to dig further, with your problem solved. I'm asking so as to help others who may run into this or similar problems.    And though we can be tempted to presume "the issues have been stated here", there's no guarantee anyone from Adobe will see it.   Please consider raising a bug report (tracker.adobe.com) for whichever things you feel are at issue. Even simply asserting (in its own bug report) that they should test the tool after each update is worthwhile.   Again, I get it, you may want to "just move on", but it's when people discern such issues that they need to raise a bug report otherwise it will be forgotten/lost in the dozens of threads here each--likely found only later via someone searching.   At a minimum, if you state specifically what was the solution, you/we can mark it as an "answer", to help others. It's just not clear what specifically in your last reply was the solution.  ... View more

And adding to Roberto's helpful suggestion, given the error (and what precedes it, saying "Trying to add virtual directory for cf_scripts", I'd wonder if there's an issue related to that.   Since you say that you have cf running before trying the tool, can you tell us the value shown in the cf admin "settings" page, for the default script arc directory"?  That is what this was wanting to change.   I'm wondering if it's somehow not liking whatever is your current value. I realize you may find it to be simply the default, /cf_scripts/scripts.  ... View more

@ponnada40 you say now that, "As per my obeservation, they replace the neo_datasource.xml and few other files copied from cf10 to cf24, this might cause the issue".   That would be a potentially grave mistake right there. Whoever had that idea of a shortcut isn't considering that the layout of those files can change between cf versions, especially in a jump of 5 versions from 10 to 23.   The other alternatives are the car file feature (in the cf admin), the cfsetup feature replacing it (command line tool enabling json export/import), the  "migration wizard" (offered on first launch of the admin, if a new cf is installed on a machine with an old cf), and the cfconfig tool from ortus (which preceded Adobe's cfsetup tool and which can be used for any cf instance, not just those running in CommandBox).   But I realize your folks may not want to hear such an admonition. "It's always worked", they may say (for whatever they'd experienced that with). Or "it's too late/too hard to correct now",  they may lament. I don't agree, but I leave you with the above. (And recall my first reply proposed in its point 7 that you might get value comparing the cf admin config of the two instances.  I elaborate on how to do that in a preso I did on this very topic of migrating cf admin settings safely between cf versions, available at carehart.org/presentations.)   One last suggestion related to all that: just keep in mind that this copying of neo files is a potential source of odd errors which may linger and appear in time as seeming "cf bugs". So you would help Adobe or us (when raising another issue) to mention that your folks had made this choice. Otherwise it would be like taking your car to a mechanic complaining about engine problems without telling them that you run your car on alternative fuels. 🙂   Finally, somehow the forums have messed up the presentation order of our replies. Later ones appear after earlier ones. Folks reading along might not notice the time stamps and could be confused by the topics seeming to jump around.   For example, the next reply here is from me from 2 days ago...and then it shows you responding to it just this morning, like this one above it that I'm now responding to. Oy.  ... View more

Before sending that email and awaiting their reply, had you tried what I'd suggested (in my reply just before Dave's note offering that address)? Correcting the permissions as I offered might have helped quickly resolved things.    As you'd not offered any reply to it, I can't tell if you maybe missed it. I've just been trying to help, since your first post last night.  ... View more

@saturnxviii , did you ever get a satisfactory resolution to your concern? From anyone else, if somehow my elaborated reply did not help?  ... View more

Thanks for the update, and hope things go well. ... View more

Thanks for the shout-out, Dave. And you're right about the email address for Adobe support.  They don't typically respond quickly, and when I wrote originally last night it seemed urgent. Anyway, since then, we three have have made good progress toward resolution.   Oddly, this note of yours (starting, "I'm not sure what you mean" about their reference to "Enterprise setup") is showing up LATER in the list than your earlier one where you offered the quick answer to the web.config permissions issue. (For those seeing this in days to come, on the day of posting the forums here report when posts were made, in terms of "seconds ago" or "minutes ago". That's what I'm basiing my comment on. By tomorrow and beyond it will just report "days ago".) Also, sometimes the order of the replies may well change. I refreshed this page and still saw Dave's "I'm not sure" as the current last one.   Oh, fun with the forums UI! 😞 ... View more

Of course, I was writing my missive (that follows) with more details, while Dave as always cut to the chase. 🙂 If his wasn't enough of a clue for you to solve it, see what I wrote. Obviously, it took me longer to write that, and the forums here don't inform us whether someone else has offered an answer. (I sometimes check, but since I though I was responding pretty quckly I didn't bother this time!) . 🙂 ... View more

OK, well now that's enough detail to likely resolve things. Note what it says: IIS Cannot read the configuration file (C:\WebSites\restapi\web.config) due to insufficient permissions.     First, you may say "there is no such file in that folder"....but IIS can't even see into it to know. As you may know, when you create a site you name its webroot, and then IIS always tries to look in that webroot for a web.config (which has site-level config details, which can be set either in the IIS UI to be saved in that file, and vice-versa).   So to whom should such be "permissions" granted? The user running the site's application pool (the pool's "identity"). You can see what app pool a site uses by right-clicking the site and choosing "manage web site>advanced properties". The app pool is the first value shown. Then go to the application pools list (top left of IIS display), which will show all app pools and a column for their identity. (Since IIS 7.5, new sites get their own app pool by default, but one can change that when creating or editing a site.)   All that said, the DEFAULT identity for a new app pool (since IIS 7) is simply "applicationpoolidentity". So we could argue THAT is the user who needs permissions to read that file. But it's both a bit more complicated and also has a simple workaround you could consider.   First, how would you change a folder's permissions to name the user? Some may know you can go into Windows File explorer to view that webroot folder (in your case, C:\WebSites\restapi), and right-click it, then choose properties, then the "security" tab, which will show WHO currently has permission.   To modify it, click "edit" then "add"...but if you just type "applicationpoolidentity" as the user, that won't work. Formally, it's a hidden user: you won't even see it if you use the "advanced" button there and its "find" option. The formal name is: iis apppool\pool name (and yes, spaces are allowed, and case does not matter--but use \ not /). So if the site was "test site" and the app pool (created by default) was "test site", and its identity showed (by default) to be "applicationpoolidentity", the actual user would be: iis apppool\test site   (BTW, when entering ANY username while adding/editing that security tab, note that there's a "locations" option...and it might default to something other than this machine itself. You need to change that to this machine itself to work with such accounts that are on the machine. Click the "locations" button there, and normally the first value shown is the local machine itself.)   You need to give it only read permissions by default. Do that, and test the site now (no restart of anything needed).   And what if you don't want to bother with identifying the identity? If you google this problem you may even see someone proposing that the user to give permissions to is "IIS_IUSRS". Technically, that's a windows "group" that contains ALL the app pool identies for ALL sites. (Again, that's defined only for the machine itself, so be sure the "location" points to that when trying to add it.) And sure, you could just use that if you aren't concerned about limiting access for only the ONE identity of the app pool for the site. (Doing this also lifts the burden of dealing with if you or anyone ever CHANGES the identity for the pool, or changes what pool the site uses--which would now have a different identity.)   Finally, there are some situations where you may find you need to need to add as well one more user (with permission to that site root folder), another special local Windows user related to IIS is: IUSR. I've never fully explored when one might be needed over/in addition to the other. But consider that as an option.   I know that's all a lot to take in. In the interest of time, I am not taking screenshots--but you can find those in other resources on the web, as this is a VERY common IIS problem with these common solutions. Again, it's a matter of seconds of effort to change these things for one who knows what they're doing and who connects the dots from that error to the solution. And I didn't even want to guess originally that this might be your problem (It could have instead been a CF error, which is why I had you check the CF logs.)   Let us know if that gets you going. If not, we can see how ot goes here or again solve it far more quickly together in a shared desktop consulting session. ... View more

That's still not enough for us to know. It could be either an error in cf or in iis.    First, go into iis and change the server level "error pages" feature to enable "detailed errors", so that you can see more. (You can revert it later to the default of detail for local, custom for others).    With that detail, what's the error. We don't HAVE To have screenshot. You can just paste the text.    Look also in the coldfusion application.log, which tracks a line for each cf error (and the exception.log, which tracks several lines per error). And BEWARE that since you're using multiple instances, each has its own log directory (or it would by default, though some mistakenly change that to have all write to one folder--a terrible idea.) And don't presume to look only in the logs folder of the instance you "see" is mapped to for the site, per that wsconfig screenshot. That's what CF thinks...but someone could have manually tweaked how IIS is configured.    This may sound daunting or overwhelming, but it's really not...especially for someone who sees it all and helps people assess it daily like I do.    I've tried to give you enough detail here that you MAY be able to solve things with the above alone. Some need more detail, others might find info that needs MORE explanation. We won't know what's amiss until you report back.    I'm guessing this not production, or your folks wouldn't be making you wait to get help. Do remind them that you're honestly spending more time capturing and sharing info than we may need to fix it, not to mention the time for us to see then reply, then rinse and repeat. Have them also consider about the "hourly" rate that if we're done in 15 mins, you'll pay only a quarter of that rate.  ... View more

Well, yes. If you put the correct username and password (along with the proxy server and port) into that page, then it should indeed allow the package manager page (updates, etc) to work--if your cf instance somehow would otherwise NOT be able to connect to the internet (or the Adobe domains specifically). Same with the license and activation page (and the ongoing license activation), which uses the same proxy settings.   Can you confirm for those work for you? With and/or without that proxy info?   The easiest test will be to use the "check for updates" button. If it responds immediately, great. If it hangs, test with and without the proxy info. (The cf logs also track if such requests out of cf fail.)    Let us know how that goes.  ... View more

I have very good news for you. First, note that Adobe offers an image for EACH update, for all three of cf2025, 2023, and 2021. They're all at the AdobeColdFusion docker hub page , or Amazon ecr. Choose the specific image for a given version, then see the "tags" on the right, where there is a different tag for each update. For example, you could use adobecoldfusion/coldfusion2025:2025.0.4   There's also a considerable docs page from Adobe on using those images, linked to from there. It's a great way to be introduced to what's configurable with them.   Finally, for even more, note that I have a github repo with dozens of examples on using the Adobe (and Lucee and Commandbox) images in various ways (including choosing versions and LOTS more), at https://github.com/carehart/awesome-cf-compose.   And of course I can help directly with all aspects of using them, if needed.  ... View more

Now that you've concluded for sure that the jvm arg IS there but is NOT helping, it sounds like you're hitting the same problem someone reported about 2 months ago at https://tracker.adobe.com/#/view/CF-4227376. They, too, are using encrypted querystrings--and it may be that this (or the post-processing you guys want to do) is where the problem is happening. Anyway, add a vote there, at a minimum. And while you can add a "vote comment", that box is tiny. Add a regular comment instead, which is a larger box (easier to read, as well).   And in the meantime perhaps someone else (Adobe or otherwise) may chime in here or there with other thoughts for you. ... View more

I'm sorry to hear of your challenges. First you have not shown what the error is. Your screenshots show that Cf itself is working, which is a great start. I suspect it's something in your iis configuration. The error message may help us, but perhaps not.    I'll say as well that I am confident I could have your server back up (cf site serving requests again) today, perhaps in as little as 15 minutes, via remote screenshare consulting. For more on my rates, approach, satisfaction guarantee, online calendar, email, phone, and more, see the consulting page at carehart.org. I have open slots now and into this evening. I can also help after what's offered on the calendar.    Hope we get you back on your feet ASAP, one way or the other.  ... View more

Well, first I'm glad that checking the files showed the value actually having been set. I hope you appreciate the suggestion to look there--but perhaps that's tempered by your remaining concern that something seems wrong with cf.   I see it differently. I suspect the "someone else" was on that page and may have been setting ANY of the many settings...and THEIR browser's password manager filled in those values, so cf accepted them. (It does not validate them in any way.)   And to be clear, yes, since you say you see their the cf admin username and pw (sadly, in clear text in that file, which I agree is its own problem), that further confirms my suspicion. When a browser password manager fills in the field, it's NOT paying attention to the NAME of the field. It associates a username and pw with a domain/ip, and fills that in on any field asking for a pw on any page in that site. (That's why I made the suggestion above to adobe, about how to stop that.)   As for getting further proof that "someone else did it", I will note (as some may consider it) that while the CF Admin DOES log MANY changes one may make to the CF Admin (in the audit.log within CF's logs folder), sadly I just confirmed that it does NOT log changes to THIS page. I hope to create bug reports for that, as well as for that clear-text password shown in that file, as well the suggestion of autocomplete="new-password". If anyone else may jump on it, please share the bug id's here. ... View more

I am proposing that you please just create a simple few-line simple example that demonstrates ONLY the problem that remains, in as few lines as possible, and WITHOUT using any variables which come from your queries or your app session scope or any previously run code. Keep it minimal, do only what's needed to cause the problem.  That might even be one line. Doing this really will help you as much as us. You're well on your way, it seems.   BTW, then being only a few lines, you can just type them here, as your way to then have it available when you get home (off the DOD network) to try running it in one of the fiddles. I'm trying to help you see around all the roadblocks in front of you. 🙂    On that and as for Dreamweaver, finally, a rant: if someone works with CF with any regularity (more than once a week) and unless they are retiring/leaving CF in the next month, it would seem REALLY worth their time and effort to learn to use ANYTHING other than DW. 🙂 Not least of which because besides your bugginess it hasn't had CFML support in more than 10 years.   How about using any of the popular free VSCode (for which one can turn off MS telemtry and AI support), or the open-source vscodium alternative to it (which has no MS telemtry)? Those have current CFML support from Adobe (ColdFusion Builder...and yes, you can install CFB into codium using a vsix file) and from others.   Or how about Sublime, which has CFML support updated in 2025, or NotePad++ or  which at least had CFML support until some years ago? Or use any of those without the CFML support. Or heck in that case use notepad on Windows (or vim or nano on Linux), and so on.   I keep a list of editors, both those WITH and WITHOUT CFML support at cf411.com. The benefits DW offers most people can be provided for in about any other modern editor (though wysiwyg editing and ftp--rather than sftp--are ignored or frowned upon by most of them). ... View more

Matthew, that's certainly some interesting gymnastics you've had to go through.   I'd like to focus on your last point. You say you added Dcoldfusion.runtime.remotemethod.matchArguments=false but it didn't help. First, let's confirm that is indeed set as you think it is. If you just dump the server.systemproperties, it will show you a few dozen things--among which will be any such JVM args, whether set by you in the CF admin or jvm.config. But there are also others that CF sets, and ones that the OS and Java and Tomcat set that are shown. So look for the ones starting with "coldfusion."   And I've created a github jist of some code to do just that for you. See it here.   BTW, I was writing that and this up while I see you offered your next reply with examples. I may not have time soon to try that, but perhaps others will. In the meantime, please do run that code I offer and see if you DO see that env var set. If not, you'll want to pursue why it's not set when you thought it was.   Granted, fixing your code would be better, but I suspect you'd like to do the update if not for this problem, so if the JVM arg DOES work for you then it DOES allow you to proceed. Then maybe your example will help Adobe or us here to see what it is about your code that doesn't work without it. ... View more

That's certainly interesting to hear (that it would seem NOT to be about the browser). Time will tell. As for the file to check for THIS page, it's neo_updates.xml--such as may be in \ColdFusion2023\cfusion\lib\, or if you're running multiple instances, look in \ColdFusion2025\[yourinstance]\lib\.   And FWIW, a default ("empty") one (specifically for CF2023 only) would show: <?xml version="1.0" encoding="UTF-8"?> <settings> <update autocheck="false" checkinterval="10" checkperiodically="false" sendupdate="true"> <url>https://www.adobe.com/go/coldfusion-updates</url> <defaulturl>https://www.adobe.com/go/coldfusion-updates</defaulturl> <packagesurl>https://www.adobe.com/go/cf2023_packages</packagesurl> <defaultpackagesurl>https://www.adobe.com/go/cf2023_packages</defaultpackagesurl> <notification> <emaillist/> <fromemail/> </notification> </update> <proxy> <hostname /> <port></port> <username></username> <password></password> </proxy> </settings> That said, don't just blindly overwrite what you may have with this. Notice all the values in the update section above the proxy section, which may well have been changed upon install or since install of your CF. ... View more

Unless you want to leave it be with that conclusion, and since you seem to be leaning toward a change in how your different cf versions work, please proceed to create a few-line test that demonstrates what you're now suggesting is the problem. Run it locally, then run it on the public fiddles which allow you to test against past versions.  ... View more

Ah, I missed that the brackets in your original code are OUTSIDE the function. Sorry.    But since you say (in the original post) that you're "getting an error that position 1 of the array doesn't exist", then instead dump the RESULT of the function. Is THAT an array? Is it indeed empty?    Next, you go on to suggest that somehow the ASSIGNMENT of the function result to a session var somehow makes the assignment fail. I can't see how that could be so. (Even so, you may want to dump the session scope right before the assignment to confirm you have a valid session.)    Finally you go on here to refer to differences when you comment out stuff. That's where it's so valuable to create a standalone demo, to exhibit what you're experiencing. That will help you also, to narrow down what it takes specifically to make the error, no more and no less. (And I know you're a longtime CFer also, and even help others here. I'm not meaning to be condescending with what I'm saying. It's as much for future readers following along.)    Will be very interesting to hear what more you may find or share.  ... View more

I've read all the replies so far. If you remain stumped after doing what bkbk and Pete have suggested, then please do this: Dump cgi.SSL_CLIENT_S_DN_CN right before the code that's failing. Is it indeed an array? And is array element 1 what you'd expect? Dump to_char(dateObject, 'YYYY-MM-DD') and separately just dateobject just before the line using those. Do those have what you expect.  Please don't presume other similar dumps in other places prove "you've done it already": do those, right there (to a file if you must). Let us see the value of the date dumps.  If you remain stumped, you may be presuming there's a problem with CF or perhaps your application.cfc/cfm. In that case, please create a standalone few-line program that demonstrates the problem. Then try running that on its own folder with its own empty application.cfc. Does the error/unexpected behavior persist? If so, run that code on cffiddle.org or trycf.com, both of which will let you run it against different cf versions. If it fails on them, on different versions, do you have some environment where this demo code runs well? If so, tell us it cf version and update level that is. Maybe it's on an older update (those sites don't let you try different update levels). You might want to share the few-line demo here for us to try. Some of us can test on different update levels.  ... View more

So it's possible then that the use of such caching has never worked on this one instance, right? I'm curious: are all 4 instances running the exact same code? Or does this one run its own?   I ask because if they differ, then another thing to consider is your application.cfc/cfm controlling the app in questions. It could be that you specify caching characteristics in that file, which would override whatever is in the admin.   All that said, the dump that bkbk helpfully suggested may give useful clarification (as it too would be affected by app-level config).  ... View more

@Dordrecht, I think I can explain your point 1 differently than what you guys are suggesting. I suspect that the username and password field you see there IS NOT being populated by CF--nor from a migration, nor is it "magical". 🙂 But I understand it seems "mysterious".. And I have a suggestion for Adobe.    1) First, can you open the admin in a new private window (if in Firefox) or new incognito windows (in Chrome or Edge)? Does the "magic password" and username appear for that proxy page?   If not, that proves it's not coming from cf. Instead it's your browser, and specifically I suspect it's your browser's built-in password manager--whose cache is empty by default when you open such a private/incognito window.   Let us know how that test goes. I did considerable testing earlier today when I saw this thread, to confirm this from my end. It's a frequent problem for many. And there are in fact many cf admin pages with passwords, where this can happen. (And FWIW there's an xml file for each that you could also inspect to see that cf has no such current info/password., but the test above is easier)    2) Finally Ravi, here's the suggestion for you guys, which should prevent this problem. (Something has been tried, but I find it's done incompletely on some pages and not at all on this one.)    Add autocomplete="new-password" to the various admin password fields on the many admin pages asking for them.   Some have autocomplete="off", which is not doing the job, while this page's password field has neither.    Of course, if the admin code DOES find a password in the neo xml file and fills that in on the page itself, that WILL be rendered despite this attribute. The problem is that the browser pw mgr autocomplete is stepping in when it's empty. (And I appreciate that this matter can be challenging to resolve.)   Hope that helps both of you, and other readers. I'm open to correction or feedback.  ... View more

@ponnada40, while you may await someone offering "the answer", I'll ask some clarifying questions, which may help lead to it. And the first three relate to the only other occasion of someone raising this error. If it's not that, I offer still others: If you had recently applied a cf update, was that instance updated separately from the others for any reason? Either way, were there any errors in the update log? Are you familiar with where to look?  If nothing else, are there any errors during startup of the instance, in its coldfusion-out.log? Especially while packages are being started? Especially the cache one?  As for this instance in question, was the caching feature working previously? Or might this be the first time you tried using caching in a query on that instance? If it was running until recently, what changed since when it was working? Beyond the update questions above, beware that some changes don't take effect until a cf restart, so you can't look at just "what was changed the day it started failing": it could have been a change made well before that, after the last prior restart. You can see when that was using the server.log, among others. Compare especially the ehcache.xml between the working and failing instances. It's in the lib folder under each instance's folder You may even want to compare other aspects of the admin configuration between them    I'll add that doing all the above may seem daunting, but someone experienced doing them could do it all quickly. It's just not easy to communicate here EVERYTHING to consider in each task.    If you don't get resolution soon either on your own or from our help here, and if you need this solved ASAP (rather than waiting hours or days), I'll add that I can help solve this via remote screenshare consulting--likely in as little as a half hour, maybe less. For more on my rates, approach, satisfaction guarantee, online calendar and more, see the consulting page at carehart.org.   Let us know if you solve it or have answers (you can just offer the numbers) or might offer feedback on the above.  ... View more

Wonderful, thanks so much. I'd checked your blog back in April when this was introduced, but somehow missed this June post. I'll double check my rss follower, as I don't want to miss any of your posts. 🙂 Thanks for your ongoing work in cf security! ... View more

@Brian__, good stuff. Thanks. Can you elaborate on your final point about sandbox/multi-tenant?  ... View more

@wtlaughlin, any update on things? ... View more

@shashank_4461 My question of 3 days ago really is pertinent, not impudent. I hope you'll consider it and let us know a bit more, to be able to answer you correctly. ... View more

Before sharing alternatives, I'll note that you should report that to Adobe. They may or may not see this discussion. Simply send an email to cfinstal@adobe.com.   As for alternatives, note first that those who buy cf are given a login to a different place, so this does affect only those using that trial page (which doesn't diminish its importance: I just mean that's an alternative  available to some but not all). Those are either account.adobe.com/products or licensing.adobe.com.    But some will want to consider getting cf installers from cfmlrepo.com, managed by community members with, installers back to CF1.5 (seriously!)   Finally, if one wanted only the zip installer (a new approach since cf2021, quite different from and perhaps not suited for many preferring the traditional installer experience), that's offered both on that trial download page (not working for you) AND at the cf downloads page, https://helpx.adobe.com/coldfusion/kb/coldfusiondownloads.html. That page does NOT offer the full installers. The cfmlrepo site offers both kinds.  ... View more

Before giving up (and before others might go to the effort to confirm if it works for them, and before others might chime in with various alternatives), let's see if we can fix your root cause problem--and perhaps benefit others who may find this later.   Can you first try simply using your browser's new incognito/new private window feature? (Or you could just try another browser.)   The thing is, usually such form submission oddities at the Adobe site come down to being cookie issues, as they are often numerous, exacerbated by the various enterprise software used in Adobe sites.   So of course yet another idea would be to simply clear all cookies for the site, but that's not something many are familiar with. (And while some resources suggest clearing ALL cookies in the browser, that's over-the-top and I'd never recommend that.) Just trying a new private/incognito window is easier and has no ongoing potential impact like clearing cookies can.   Please let us know if you try. (It certainly could be that there IS a problem at the site, but that's rare for that particular page.)  ... View more