Account for scheduled tasks in a Windows environment

If that is indeed the correct answer, it may help you and readers to assess how you'd posed the question. To be clear, by your adding a new user in the admin, that controls only the ability to login to the admin with that different username (versus the default "admin").  And when one does that, it control what admin pages that admin user SEES.

But to be clear it doesn't have anything to do with "what account the task runs under": that would be the account running cf itself (as set in the service running cf). 

I don't know if those distinctions will be helpful to you or others, but they seemed to be clarifications that might be appropriate. 

Charlie,

I am referring to the user name entered when setting up scheduled tasks, as shown in the attached screen shot. This account name should be an account created somewhere.... either in the OS as a user, or in CF as a user. The question is where should I create the account to match this user name?

Thanks,

Todd

Charlie,

Also, the ColdFusion service is not running as this account. I believe it's running as local system. These tasks were imported from a properly running server when I rebuilt the server. I did not see any local account therre, and I did see an admin account that had been created with the same name, limited to only sending mail. I assumed that was the right one, but when I rebuilt that account, it still did not run the tasks. I may need to restart CF after adding that account, but I can't do that until I have an authorized outage.

Todd

Thank you, Charlie, but now I am more confused. The question remains... for the account shown in the scheduled task set up page I posted, where do I recreate that account so that the job will run?

The only three possibilities I can think of are: 1) within the CF application. That is not the case because the account data is carried over with the SQL restoral, like all the accounts for the actual application, and it did not come over when I restored the database, so it is not an application account. 2) a local account on the IIS server. I checked the old server where it was working, and there is no such local account. 3) within ColdFusion. That seems likely, but the only place to put an account in CF is in the administrator account creation portion, which I have done, but it did not yet work (will find out after a restart). 
Is there anywhere else it could be? Surely setting up an account for scheduled tasks is a fairly standard operation for ColdFusion, but the documentation just says to enter the account name and password. It does not tell me where this account is stored or how to recreate it (or it's too difficult for me to find).

Todd, you need to take a breath. 🙂 It seems your head is spinning at possibilities. The answer is likely "none of those 3". But we can get to your answer. 

Please reconsider my first paragraph in my answer you're replying to. I said that the user name field you're referring to is "about providing authentication for running the url offered in the scheduled task, if such auth would be required by the web server serving that url.".

Let's cut to the chase: take that url shown in the scheduled task and run it in a browser. Since it's a localhost url, run it on a browser on the machine running cf. What do you get? Do you get a prompt for a username and password? If you don't, then none is needed, it seems. Then I'd ask what has led you to pursue all this, as cf's providing one in the task would be ignored by the web server. 

More important, can you still access the old server you are comparing to? What if you run the same url there (In a browser on that machine)? If it's a different response, then the point is the web server there is configured differently. 

As for what web server it may be you mention iis. Is that used on both machines (old and new)? I see the url for the task shows having no port indicated, and is using http, so running by default on port 80. That likely means that Cf is NOT the web server running this request, so we can take cf out of the running. (I don't mean to say cf is not RUNNING the request. I mean some other web server is likely receiving the request, and doing the authentication, and then handing the request onto cf--if indeed the end of your blacked out url is a cf request)

Let's hear what your testing shows before we guess at any more possibilities. 

Charlie,

Breathing is an excellent idea. Apologies if my requests were not clear. So the user name and password entered in a scheduled task is there only for the case where the cfm that the task points to requires it, which would have been programmed into that function. As usual, the documentation does not cover this (that I could find). It is probably considered obvious by whoever wrote the docs. Probably a linux person!

In the end, your suggestion of running the task manually on the server, and noticing that it was running as http, showed me exactly what the problem was. When I built the server, I set it to https only, so these were being silently rejected. The task was reporting as having run successfully despite the fact that it was erroring out on the web server. I have adjusted the server, and sent a note to the developers that they need to change these tasks to run securely, even though they run as localhost.

As usual, you got me to the answer in the challenging world of ColdFusion.

Many thanks,

Todd

A follow up question to scheduled tasks. Currently these tasks run as http commands. I tried to run them as https, but they fail because when the server (IIS Server with dll connection to CF's Apache), it prompts for a smart card authentication which the scheduled tasks cannot perform, so it just hangs waiting. Is there any recommended way to get these to run as https, or to run any other way that does not force me to leave the http port active on the server?

Todd, yes there may be a way. 

But it won't have anything to do with coldfusion. It's all about your web server, as we discussed earlier this month. To be clear, as you note, cf cannot respond to the web server's requesting of such authentication credentials. 

So you would need to modify the web server to NOT require that security if called from a cf scheduled task running on the ip address of the cf server. (You need to be that explicit so that bad guys can't make a request to that web server masquerading merely as cf scheduled task.)

And you CAN at least modify the authentication capability of IIS to configure specifics of request authentication, either at the iis server or site or even folder level. (Some people might even set up a new iis site to respond JUST to scheduled tasks and apply various specific security configuration for those.) But this is well beyond the topic of cf, and you may need lots more info which you might better seek/find in other resources.

BTW, two more points of clarification: first, you'd said in your last reply (on Apr 4) that the cf admin sched task username and pw were demanded "where the cfm that the task points to requires it, which would have been programmed into that function (emphasis mine). " I opted not to correct you then, since you acknowledged that the problem then was showing to be about https. My reply now is making this clarification more clear, that this is indeed about how your web server (iis) is responding to the request (rather than how the cf" function" is "programmed"). That may be merely a quibble.

But second here's another, and I correct it just to avoid any confusion: you refer in your last comment to "(IIS Server with dll connection to CF's Apache)",  but instead of apache you meant tomcat, right? It's indeed a source of common confusion: Apache is both the name of a web server AND the name of a broad open source project which encompasses that web server (yes, Apache>Apache) AND the Tomcat app server that cf runs atop (Apache>Tomcat), as well as hundreds of other Apache project tools and products.

But I hope my first points here may help you get to resolution of the problem. It's indeed a long-standing situation that cfhttp and cf scheduled tasks can't provide much in response to such web server authentication requests.

Indeed, you may want to explore beyond cf to the underlying Quartz open source library, which Adobe embeds in cf as the scheduled task engine. Maybe that community (quartz.org) could have more to say on the matter (though they'll not know how to spell coldfusion, so don't mention or look for that). They may even offer a clever workaround for your need. You're not alone...though within the community of folks who respond here this need may be very niche. 

Greetings Charlie and Dave,

Thanks again for the info. No worries on the "correction." I was saying the same thing... that the issue isn't with the user name and password as I originally considered. That is related to CF authentication (programmed), and in this case a red herring. HTTPS authentication is the issue here. I know it's not strictly a CF issue, but the fact that CF (Quartz) isn't set up to respond is limiting. Apache (tomcat) isn't part of the issue, so I was not being particularly precise. I only mentioned it to indicate that the issue is on the IIS level, not the actual engine CF uses. Apologies for any confusion this may have caused. I know I get annoyed when users say "My Adobe isn't working..." or some such, not indicating the specific product. But I'm pretty sure we are on the same page regarding where the problem lies, and it isn't with Tomcat (or however I manage to mangle its label).
Right now I have the main site working on https required, and the tasks running as http, but any user could send a command to launch a task. Not a huge deal, because the tasks just run reports, but IA won't allow it and I agree it's not ideal. Better to set the tasks up as thier own site, and deny access from anywhere but localhost. I will have to see if I can get IIS to jump through that hoop. They may insist that I get the task site to run https even so, because that's what cyber security people do, but I will try this first.
Thank you both!
Todd

Ugh, authentication can be a pain. Is it possible to set up an IIS virtual server that doesn't use smart card authentication? That virtual server can be configured to just listen on localhost (HTTPS or maybe just HTTP) and perhaps can be configured to use Basic Authentication with a user account that doesn't use PIV or whatever. Talk to your security team about this before you do any of it, if possible. If you can do it, you can then change your URLs in CFSCHEDULE/CFHTTP to point to https://localhost/ or http://localhost/.  You'll get a TLS connection error from HTTPS unless you install a self-signed certificate or use Let's Encrypt to create a certificate, so HTTP would be easier - but your security team might ding you for that since it's not encrypted.

Dave Watts, Eidolon LLC

In case it was lost within my last reply (which addressed a few things, I realize), that was indeed one of my suggestions : "Some people might even set up a new iis site to respond JUST to scheduled tasks and apply various specific security configuration for those.".

Always glad to find when you and I might be on the same page on a suggestion. (Dave was solving problems with CF before the turn of the century, when I sat at his feet first as a cfug attendee then even later as a co-worker and fellow cfug speaker and cf trainer.)