
ColdFusion 2023 Auto Lockdown Failing

Engaged, Apr 15, 2025
I have downloaded the latest version of the auto-lockdown tool from the Adobe website and have the latest CF update/hotfix (13) installed. I have tried running the auto-lockdown tool (for Windows/IIS) several times, following the lockdown guide to the letter. I was able to install this on another server with no issue. I have tried the following multiple times:

 

1. running tool, uninstalling tool, running tool again

2. running tool, uninstalling tool, uninstalling CF, uninstalling IIS, deleting the user created by the tool, clearing partitions, restarting server, reinstalling CF, running tool 

 

Every time I run the tool, it finishes, but says there are errors. In the installation log, the only thing that looks odd is after it tries to remove the new CF user from all groups - it says "Failed to create the user!", but doesn't specify what user it's trying to create (The new CF User account was already created earlier in the process, so maybe it's an IIS User?):

 

2025-04-15 14:20:40 INFO - Removed all unwanted groups!
2025-04-15 14:20:40 INFO - Trying to give permissions to the user!
2025-04-15 14:20:40 INFO -
2025-04-15 14:20:40 INFO - Failed to create the user!
2025-04-15 14:20:40 INFO - Rolling back the changes because of the Lockdown failure
2025-04-15 14:20:40 INFO - Nothing to rollback as Lockdown has been successful!

 

...it then proceeds to roll back everything:

 

2025-04-15 14:20:40 INFO - Rolling back: getRequestFilteringData
2025-04-15 14:20:40 INFO - Now trying to delete all settings for website: mysite
2025-04-15 14:20:40 INFO - First, trying to remove all allowed sequences

 

...and ends with the following:

 

2025-04-15 14:20:43 DEBUG - com.zerog.ia.api.pub.NonfatalInstallException
at com.adobe.ia.action.coldfusion.LockdownColdFusion.install(LockdownColdFusion.java:76)
at com.zerog.ia.installer.actions.CustomAction.installSelf(Unknown Source)
at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
at com.zerog.ia.installer.GhostDirectory.install(Unknown Source)
at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
at com.zerog.ia.installer.Installer.install(Unknown Source)
at com.zerog.ia.installer.actions.InstallProgressAction.ae(Unknown Source)
at com.zerog.ia.installer.actions.ProgressPanelAction$1.run(Unknown Source)
 
Strangely, it doesn't roll back/delete the new CF User Account it created.

I've attached the full lockdown installation log for context.

Can someone help me figure out why this won't complete successfully? I noticed while trying to run the lockdown tool, I couldn't get past the "create a CF user" step without several tries trying different passwords, until it finally accepted one that was pretty short. Are there undocumented password requirements for the lockdown tool? Could there be an issue with the lockdown tool accepting/using the password of the main Windows Administrator account (it has special characters and such)?
Community Expert, Apr 16, 2025

Is the ColdFusion 2023 Update 13 installation free of errors? Check the installation log and ColdFusion's log files.

 

Let's assume all is well with ColdFusion 2023. Since you are prepared to uninstall the Lockdown tool, I would suggest the following:

  1.  Install the Lockdown tool.
  2.  Use an uninstaller such as Bulk Crap Uninstaller to uninstall the tool. When you do, let the uninstaller remove every remnant of the tool.
  3.  Re-install the tool by right-clicking on the installer and choosing to "Run as Administrator".
Engaged, Apr 16, 2025

CF 2023 and Update 13 installs both completed with no issues/errors.

 

CF 2023 Install:

 

Summary
-------

Installation: Successful.

2760 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors

Action Notes:

None

 

Update 13 Result:

 

Summary
-------

Installation: Successful.

502 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors

Action Notes:

None

Community Expert, Apr 16, 2025

@ericbelair, it's good to hear that ColdFusion 2023 Update 13 is installed without any errors. On second thoughts, I have modified the last line in my previous post. Could the Administrator perhaps be the "other" user you mentioned?

Engaged, Apr 16, 2025

After talking to someone offline, I think the Failed to Create User message is a red herring. It looks like the real issue is with setting permissions for the CF user account - perhaps as the account serving as the login for the service or for security on the directories. No idea what's causing it. 

Community Expert, Apr 17, 2025

"Setting permissions for the CF user account" does indeed sound like a plausible cause. I had thought of permissions too. That is why I suggested installing the Lockdown tool as Administrator. At least, as a test for the purposes of elimination.

 

In any case the debug exception is non-fatal. So you would expect the Lockdown tool to work, even if only partially.

 

Is ColdFusion running as "Local System"? I ask because the issue seems to hinge on the Lockdown installer's failure to "create the user". That said, what then follows is bizarre:

2025-04-15 14:20:40 INFO  - Rolling back the changes because of the Lockdown failure
2025-04-15 14:20:40 INFO  - Nothing to rollback as Lockdown has been successful!

The first line talks of Lockdown's failure, the second of its success.
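
A small triage script for the log lines quoted in this thread, added here as an example and not part of any post or of Adobe's tooling: it reports which step was in progress when each failure message was logged and flags success messages that appear after a failure. The marker patterns are assumptions based only on the messages visible above, and the sample log is constructed from those quoted lines.

```python
import re

# Constructed sample: log lines quoted in this thread, in their original order.
SAMPLE_LOG = """\
2025-04-15 14:20:40 INFO - Removed all unwanted groups!
2025-04-15 14:20:40 INFO - Trying to give permissions to the user!
2025-04-15 14:20:40 INFO -
2025-04-15 14:20:40 INFO - Failed to create the user!
2025-04-15 14:20:40 INFO  - Rolling back the changes because of the Lockdown failure
2025-04-15 14:20:40 INFO  - Nothing to rollback as Lockdown has been successful!
2025-04-15 14:20:43 DEBUG - com.zerog.ia.api.pub.NonfatalInstallException
at com.adobe.ia.action.coldfusion.LockdownColdFusion.install(LockdownColdFusion.java:76)
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\w+)\s+-\s*(.*)$")
# Assumed markers, derived only from the messages shown in the thread.
FAILURE = re.compile(r"\bfail(ed|ure)\b|exception", re.I)
STEP = re.compile(r"^(now trying|first, trying|trying)\b", re.I)
SUCCESS = re.compile(r"\bsuccessful\b", re.I)


def triage(text):
    """Return (findings, contradictions) for a lockdown installation log."""
    findings, contradictions = [], []
    last_step = None      # most recent "Trying to ..." message
    first_failure = None  # timestamp of the first failure message
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace continuation lines carry no timestamp
        ts, level, msg = m.groups()
        if STEP.match(msg):
            last_step = msg
        if FAILURE.search(msg):
            # Failures are logged at INFO/DEBUG here, so match text, not level.
            findings.append({"time": ts, "level": level,
                             "message": msg, "during_step": last_step})
            first_failure = first_failure or ts
        elif SUCCESS.search(msg) and first_failure:
            contradictions.append((ts, msg))
    return findings, contradictions


if __name__ == "__main__":
    found, odd = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} [{f['level']}] {f['message']} (step: {f['during_step']})")
    for ts, msg in odd:
        print(f"{ts} success reported after a failure: {msg}")
```
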

Engaged, Apr 17, 2025

Yes, it's very confusing. If the purpose of the log file is to help you find and resolve issues, then it is not working as designed.

 

Also, yes I have tried running the lockdown tool as both myself (an Administrator) and with the context menu option Run as Administrator. Same result every time. 

Adobe Employee, Apr 16, 2025

@ericbelair  I will test it and get back.

 

Thanks,

Vikram
