Copy link to clipboard
Copied
We recently installed and configured a CF10 server on a 08 r2 box. After following the Adobe recommended setup (custom accounts for each of the services - iis, cf) in the lockdown guide and a reboot, cfm pages are no longer properly handled (redirected).
The web server trace identifies this as the root problem:
DllName | [home_dir]\config\wsconfig\1\isapi_redirect.dll |
---|
Warning
145. -MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName | IsapiModule |
---|---|
Notification | 128 |
HttpStatus | 403 |
HttpReason | Forbidden |
HttpSubStatus | 0 |
ErrorCode | 0 |
ConfigExceptionInfo | |
Notification | EXECUTE_REQUEST_HANDLER |
ErrorCode | The operation completed successfully. (0x0) |
User from token | NT AUTHORITY\IUSR |
---|
We've already made sure that exe rights are provided for the IUSR (as well as cf and iis) to both that .dll as well as the entire folder.
We have also tried changing the handler mapping (invoke only if req is mapped to file/folder) as well as it's access config (none, script, exec).
The only time we get a different error mesage is when we disable the *.cfm mapping - which rightly so yields a 500 or a 404 error message.
By not processing .cfm page correctly the cf admin is not accessible either.
Any ideas on this would be appreciated.
p.s. there is no subcode (substatus) to the 403.
Copy link to clipboard
Copied
Check the Identity on the ApplicationPool for the site. Make sure that you have granted the required privileges to the ApplicationPoolIdentity user. IIRC, that can be tricky, so this article may help: http://www.iis.net/learn/manage/configuring-security/application-pool-identities.
-Carl V.
Copy link to clipboard
Copied
The AppPool was running under the same coldfusion-service user that we created which does have execution privileges over that dll.
However we tried switching the user for that app pool to LocalSystem (just in case) and still no chage.