I installed ColdFusion update 14 and all of my ColdFusion websites (except the administrator website) return a 403. Please help. This is a Windows Server 2012 ColdFusion 2016 build. Re-installing is not an option. I have removed the update for now until I can find a solution.
HTTP Status 403 – Forbidden
Type Status Report
Description The server understood the request but refuses to authorize it.
Apache Tomcat/8.5.42
Hi Charlie, funnily enough, your link is itself giving me a 503 error.
Try again. It's Adobe's site, where I'd posted that blog entry. It worked when I posted it and works now.
But if it still fails for you, it's a shorter version of a more extended post I did here:
https://www.carehart.org/blog/client/index.cfm/2019/11/13/when_how_update_cf_web_connector
Thanks, Charlie. Both links work now! 🙂
Why install Update 14 anyway? The current update level of ColdFusion 2016 is 16, and updates are cumulative.
If I were you I would apply Update 16. If you continue to get 403 or 503 errors, go to the page https://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-14.html . Scroll down to the "Troubleshooting" section and apply the suggestions there.
Thanks BKBK. I did not know they were cumulative. I will install update 16 and see if we are good to go and let you know.
I installed update 16 and the same forbidden error returns. "The server understood the request but refuses to authorize it."
You will indeed get the same error, because the updates are indeed cumulative. Your frustration is understandable and shared. But as is explained in the technote bkbk pointed to (or elaborated in my blog posts), that update (and update 8 to cf2018, both from March 2020) will cause this error FOR SECURITY REASONS (forced on us by Tomcat), until one also updates the wsconfig to match the security change implemented by the cf update.
Is it frustrating? Yes. Is it documented in the technote? Yes. But most folks don't read the update technotes. And even then, the discussion there is rather meager. These are reasons I wrote my posts, to help folks and try to explain it all. Most important, that first post I offered tried to share the least one needed to know--but I could have made it still less verbose. My other post elaborates on the issues, for those needing more.
And this problem will affect folks using cf for years to come (until Adobe creates a new installer for cf2018 that includes the then latest updates out of the box--and if they would do that for cf2016, whose updates end in 2021).
The good news is that for most, simply upgrading the connector (as outlined in those resources) will solve the "problems" introduced with those March 2020 cf updates. And if that's not enough, they outline the couple of additional config changes that may be needed, again due to Tomcat issues.
I know this is an old thread and I've read everything there is about the 403 problem, but none of them could fix it for me. I'm running CF 2016 on IIS 10.
After I installed Update 14, I updated the connectors and added allowedRequestAttributesPattern=".*" to server.xml in my CF instance. But I got a 403 on my website. So I deleted the connector and created it again, using the wsconfig GUI tool. It made no difference. The server.xml connector line looks like this:
<Connector connectionTimeout="60000" maxThreads="500" port="8012" packetSize="65535" protocol="AJP/1.3" redirectPort="8445" secret="{long secret number}" tomcatAuthentication="false" allowedRequestAttributesPattern=".*" />
I thought if I then try applying Update 17 it might help, but it didn't. I've read all of Charlie's articles but 4 hours later I'm still completely stuck. (If only there was a CF 2016 installation exe that had Update 17 already applied, then I wouldn't have to go through the many steps of patching.)
Gary, I think you're very close. First, the secret attribute you show (on the AJP connector line in the server.xml file) should be requiredSecret. Did you edit that by hand? The cf update would have put in the correct attribute for you.
Then it's the secret in the workers.properties file that must match this. See the blog post I've done, as well as comments from myself and others (that you must expand to see, on the cf portal blog post comments).
Finally, you're right in your lament regarding the need of a cf2016 installer which would fold the updates in, but that won't happen given that cf2016 reached end of life in Mar 2021.
Hi Charlie,
Thanks for your super quick reply. I didn't edit the "secret" attribute, it really does say that as the default. I checked my initial backup copy of server.xml and it says that too. Neither update 14 nor 17 used "requiredSecret", even after deleting and adding a new connector using wsconfig.
I just updated the file as you suggested, restarted the CF service, but still got a 403. Browsing the site on the local web server showed the 403 error from Tomcat "The server understood the request but refuses to authorize it." and browsing from a remote desktop showed the 403 coming from IIS. I found that interesting but I guess that's normal.
There is no "secret" in the workers.properties file. The content is:
worker.list=WS01_DEV_1
worker.WS01_DEV_1.type=ajp13
worker.WS01_DEV_1.host=localhost
worker.WS01_DEV_1.port=8012
worker.WS01_DEV_1.connection_pool_size=500
worker.WS01_DEV_1.connection_pool_timeout=60
worker.WS01_DEV_1.max_reuse_connections=250
Does this file look how you'd expect it to be, or is it missing something too?
Thanks.
Gary.
Out of curiosity, are Adobe folding the latest updates into current 2018 and 2021 installers? I bet they're not as they've never done that before.
Hi,
please edit the file with your secret from server.xml
worker.list=WS01_DEV_1
worker.WS01_DEV_1.type=ajp13
worker.WS01_DEV_1.host=localhost
worker.WS01_DEV_1.port=8012
worker.WS01_DEV_1.connection_pool_size=500
worker.WS01_DEV_1.connection_pool_timeout=60
worker.WS01_DEV_1.max_reuse_connections=250
worker.WS01_DEV_1.secret={Your Secret Key}
This will require IIS restart.
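An added example (not from any poster in this thread, nor Adobe's tooling): a Python check that the AJP secret in server.xml is present and identical in the `secret` line of each ajp13 worker in workers.properties, which is the mismatch behind the 403 discussed above. The file contents and secret value are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data modelled on the files quoted in the thread.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8012" protocol="AJP/1.3" redirectPort="8445"
             secret="constructed-example-secret" tomcatAuthentication="false" />
</Service></Server>"""
PROPS_BROKEN = """worker.list=WS01_DEV_1
worker.WS01_DEV_1.type=ajp13
worker.WS01_DEV_1.host=localhost
worker.WS01_DEV_1.port=8012
"""
PROPS_FIXED = PROPS_BROKEN + "worker.WS01_DEV_1.secret=constructed-example-secret\n"

def ajp_secrets(server_xml):
    """Map AJP port -> configured secret (None if the connector has none)."""
    secrets = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP"):
            # Both attribute names appear in the thread; accept either.
            secrets[conn.get("port")] = conn.get("secret") or conn.get("requiredSecret")
    return secrets

def worker_props(text):
    """Parse worker.<name>.<key>=<value> lines into {name: {key: value}}."""
    workers = {}
    for line in text.splitlines():
        m = re.match(r"\s*worker\.([^.=\s]+)\.([^=\s]+)\s*=\s*(.*)", line)
        if m:
            workers.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    return workers

def check(server_xml, props_text):
    """Return (worker, problem) pairs; secret values are never echoed."""
    secrets, findings = ajp_secrets(server_xml), []
    for name, cfg in worker_props(props_text).items():
        port = cfg.get("port")
        if cfg.get("type") != "ajp13":
            continue
        if port not in secrets:
            findings.append((name, f"no AJP connector on port {port}"))
        elif secrets[port] and "secret" not in cfg:
            findings.append((name, "secret line missing"))
        elif secrets[port] != cfg.get("secret"):
            findings.append((name, "secret mismatch"))
    return findings

if __name__ == "__main__":
    print(check(SERVER_XML, PROPS_BROKEN), check(SERVER_XML, PROPS_FIXED))
```

To audit a real instance, pass the text of the instance's server.xml and of the connector's workers.properties to `check`.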
Thank you Priyank! That fixed it! 🙂
So the question should be asked why Update 14, and indeed Update 17 applied afterwards, both failed to include the secret in the workers.properties file? Wsconfig was used to both update and create the connections.
If I delete the connector from wsconfig and add it again, the workers.properties file is written without the secret - the whole line is missing and it's reproducible every time. I've got Update 17 installed. This must be a bug?
I've made careful notes of this so we can apply the updates to production servers. Thank you again.
@Gary__F Glad that suggestion worked for you.
That is very strange behavior, it should add the secret entry into workers.properties. Either it could be an update installation issue or may be a configuration.
Gary, yes, the wsconfig tool should have done that. First, were you using "run as admin"? You might see if that makes a difference. Second, if you remove the connector in question (using the wsconfig tool), is that workers.properties deleted? Please confirm. If it's not, then like Priyank says something seems surely amiss...though I have never heard of that happening.
Separately, Gary you asked me above "are Adobe folding the latest updates into current 2018 and 2021 installers? I bet they're not as they've never done that before."
Well, you write that as if I suggested it, but I did not. Still, the answer is a qualified yes, Adobe has on occasion created new installers that fold in the then-latest updates.
But to be clear, they do not do that for each update, if that's what you mean. With cf2021, they did it this past Sept, with the release of update 2. With cf2018, they did it Apr 2019 with its release 2. Usually it's done when some major change happens, like to support a new OS.
Sadly, this does mean that we can then go another year or two where no new installer has been released (even while the version IS supported), and so people are dealing with back-issues from earlier updates like in this case.
We can wish that Adobe would see the value of creating new installers more often, even just once a year. They don't seem to see the value (for us, and them) over the cost (to them) to go through that process. I would 100% support encouraging them to reconsider. Let's see if Priyank may have any comment.
Hi Charlie. Yes, I run wsconfig as administrator.
I removed the connector using wsconfig and the entire config/wsconfig/2 folder was deleted, which contained the workers.properties file.
Adobe says to "upgrade the connectors" and gives little information on how to do that. Can anyone assist in the steps needed to upgrade the connectors using the wsconfig tool?
I figured out how to upgrade the connectors and we are now working! Woohoo. To do this, run the wsconfig.exe found in your ColdFusion install directory. Then select the IIS web site you want to upgrade the connectors for. It takes about 20 seconds to complete the update.
Thanks all for the links.
Great to hear, and glad to help. I was writing my last note (how to upgrade the connectors) while you were sharing the good news. Thanks also for marking one of my answers as correct, though I hope readers will see and succeed in getting to the first link first. 🙂
Hi Pokermon
Glad to hear you're up and running! 🙂
I offer more on how to update the connectors here:
https://www.carehart.org/blog/client/index.cfm/2019/11/13/when_how_update_cf_web_connector