Participating Frequently
October 25, 2006
Question

Lock Down .cfm Pages in IIS

  • October 25, 2006
  • 13 replies
  • 1150 views
What is happening is that the images (.gif, .jpg, and .doc) along with .html pages are protected via IIS, but the .cfm pages are being served up in the browser.

How would I make it so that .cfm pages are not served up by IIS if they have Windows authentication enabled?

Thank you!
    This topic has been closed for replies.


    BearStinkAuthor
    Participating Frequently
    October 26, 2006
    We are using IIS and all I care about is authentication, not authorization, right now.
    Inspiring
    October 26, 2006
    I was hoping to use the CGI_Auth_User in the application .cfm

    If you have anonymous login turned off and windows integrated or some
    other IIS security turned on, then the cgi.authUser will be populated
    with the domain/username of the logged in user.

    We often use that in conjunction with <cfldap ...> to provide
    authentication and validation with our systems. It is fairly
    straightforward.

    Are you getting a value in your cgi.auth_user field?
    Inspiring
    October 26, 2006
    That would work too. You will still need to have a list somewhere of the authorized users so the comparison can be made and user authenticated.
    BearStinkAuthor
    Participating Frequently
    October 26, 2006
    I was hoping to use the CGI_Auth_User in the application .cfm
    Inspiring
    October 26, 2006
    Sorry, I am out of my depth here. Maybe someone else can give some suggestions.
    Inspiring
    October 26, 2006
    I don't want to use a database, I want to utilize the Active Directory
    groups in Windows Security.


    Can you detail how you have security set up for your websites?
    BearStinkAuthor
    Participating Frequently
    October 26, 2006
    I don't want to use a database, I want to utilize the Active Directory groups in Windows Security.
    Inspiring
    October 26, 2006
    In case of database authentication, you'll need to set up the database connection using the ColdFusion Administrator and then use <cflogin> to authenticate the user.
    If you search the web, there are a number of cflogin scripts available. Look in easycfm.com
    Inspiring
    October 26, 2006
    You must be using some database to authenticate the user. The same parameters can be used to authenticate whether the user should be allowed to view the cfm pages. You can also set IP addresses, URLs that are allowed access, etc. Depends on how you've set up authentication.
    Inspiring
    October 26, 2006
    There is no application.cfm right now. If I add the application.cfm
    what do you use to check that they are authenticated through Windows?
    There are no cookies or sessions being set.


    I'm not sure what your issue is. When I set security in IIS it applies
    to all my templates htm, cfm or otherwise. Once security is set CFML
    can access the user from the cgi.auth_user variable.
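
The approach discussed in this thread (read cgi.auth_user in Application.cfm, then check an Active Directory group with <cfldap>) could look like the sketch below. It is an added example, not code posted by anyone in the thread. The server name, bind account, password placeholder, base DN and group DN are all assumed values to replace with your own.

```cfml
<!--- Application.cfm: runs before every .cfm request in this directory tree.
      Added example; all directory names below are placeholders. --->
<cfapplication name="intranetApp">

<!--- IIS populates cgi.auth_user only when anonymous access is off and the
      request was authenticated. An empty value means the .cfm request got
      through without Windows authentication, so fail closed. --->
<cfif NOT len(trim(cgi.auth_user))>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Strip the domain part (DOMAIN\user or DOMAIN/user) to get the account name. --->
<cfset samAccount = listLast(trim(cgi.auth_user), "\/")>

<!--- Allow only characters expected in an account name before the value is
      placed in an LDAP filter, so filter metacharacters such as ( ) * \ are rejected. --->
<cfif NOT reFind("^[A-Za-z0-9._-]+$", samAccount)>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Ask Active Directory whether this account is a direct member of the
      group that may see these pages. memberOf does not follow nested groups. --->
<cfset allowedGroupDN = "CN=IntranetUsers,OU=Groups,DC=example,DC=local">
<cfldap action="query"
        name="adUser"
        server="dc.example.local"
        username="EXAMPLE\svc_cfldap"
        password="REPLACE_WITH_BIND_PASSWORD"
        start="DC=example,DC=local"
        scope="subtree"
        attributes="sAMAccountName"
        filter="(&(objectClass=user)(sAMAccountName=#samAccount#)(memberOf=#allowedGroupDN#))">

<!--- Exactly one match means authenticated by IIS and authorized by group. --->
<cfif adUser.recordCount NEQ 1>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
```

This check is a second layer only: the directory still needs anonymous access disabled in IIS so that .cfm requests are challenged in the first place.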