Skip to main content
A
Anonymous
July 12, 2012
Question

IIS7, CF9 windows authentication problem

  • July 12, 2012
  • 2 replies
  • 1556 views

My setup IIS7 windows 2008 R2 with ColdFusion 9 on a virtual server, using windows authentication.

Windows authentication worked perfectly in the previous version of IIS and on a conventional server setup and coldfusion 8.

Now when a person without permission requests a file in a protected folder, they are denied all files except the .cfm file. That file displays all the text.

Since this is IIS7 there is no "check that file exists setting" but this is supposed to be handled through the Handler Mappings.

The wildcard is mapped as well as the .cfm, .cfml etc specific extensions.

Documentation says:

How does the ColdFusion service interact with IIS in terms of security?

CF runs as a separate service, but it also integrates with IIS using an ISAPI extension. The ISAPI extension runs in-process with IIS, just like the ASP engine, and when a request is received that is mapped to the file extension associated with the ISAPI extension (typically .cfm and .dbm, although those can be changed in the IIS management console), the request is forwarded to the CF service for processing.

IIS and NT security are used to determine whether the user can request the file in the first place. This happens before the request is forwarded to the CF service. So, you'll generally follow the same procedure for securing CF applications with ACLs that you would with an ASP application.

What am I overlooking? Any suggestions?

    This topic has been closed for replies.

    2 replies

    vishu_13
    vishu_13
    Inspiring
    March 18, 2014

    Hi

    Since Verify File Exists” doesn’t work with IIS 7 so we can define "Authorization Rules"

    Let's assume you have a website name CF9 in IIS which has two folders A and B. In this machine, you have two users A and B and one Administrator. The user A has access for folder A only and user B has access to folder B only

    Log in with the Administrator account and set the Auhtorization rule on CF 9 as "Allow All users" (Allow for All users will already be there as inherited from the server). Enable Windows Authentication and disable all other Authentications

    Now click on folder A in IIS and click on Authorization rules and allow for user A and deny for user B. Specify the same for folder B. Allow the Authorization Rule for user B and Deny the Authorization rules for user A

    Windows Authentication

    Authorization rules Screenshot for folder A

    Authorization rules Screenshot for folder B

    There will be three differnet web.config in your webroot.

    Main Web.config will look like this

    <?xml version="1.0" encoding="UTF-8"?>

    <configuration>

        <system.webServer>

            <handlers>

                <add name="JWildCardHandler" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\2\jrun_iis6_wildcard.dll" resourceType="Unspecified" requireAccess="None" />

                <add name="hbmxmlHandler" path="*.hbmxml" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />

                <add name="cfswfHandler" path="*.cfswf" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />

                <add name="cfrHandler" path="*.cfr" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />

                <add name="cfcHandler" path="*.cfc" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />

                <add name="cfmlHandler" path="*.cfml" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />

                <add name="cfmHandler" path="*.cfm" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />

                <add name="jwsHandler" path="*.jws" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />

                <add name="jspHandler" path="*.jsp" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />

            </handlers>

    <defaultDocument>

                <files>

                    <add value="index.cfm" />

                </files>

            </defaultDocument>

            <staticContent>

                <mimeMap fileExtension=".air" mimeType="application/vnd.adobe.air-application-installer-package zip" />

            </staticContent>

            <security>

                <authorization>

                    <remove users="*" roles="" verbs="" />

                    <add accessType="Allow" users="*" />

                </authorization>

            </security>

        </system.webServer>

    </configuration>

    Web.config  for folder A

    <?xml version="1.0" encoding="UTF-8"?>

    <configuration>

        <system.webServer>

            <security>

                <authorization>

                    <remove users="*" roles="" verbs="" />

                    <add accessType="Allow" users="A" />

                    <add accessType="Deny" users="B" />

                </authorization>

            </security>

        </system.webServer>

    </configuration>

    Web.config  for folder B

    <?xml version="1.0" encoding="UTF-8"?>

    <configuration>

        <system.webServer>

            <security>

                <authorization>

                    <remove users="*" roles="" verbs="" />

                    <add accessType="Allow" users="B" />

                    <add accessType="Deny" users="A" />

                </authorization>

            </security>

        </system.webServer>

    </configuration>

    HTH

    Thanks

    VJ

    T
    tishward
    Participating Frequently
    March 6, 2014

    Did you find a solution for this?  I have the same issue and cannot find an answer as to why cf is ignoring the ntfs perms.

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices