ColdFusion 2025 Auto-Lockdown Failing

Report · Nov 07, 2025

I've gone through multiple rounds of installing Windows Server 2022 and following the Lockdown guide to install ColdFusion 2025 and AutoLockdown. Just can't get it to work, have lost a lot of time, and losing hope.

Initially I couldn't get it to create the service user for me. May have been the complex password. Whatever. It seems to do that correctly now. After seeing a bug reported elsewhere I have added -Dcoldfusion.runtime.remotemethod.matchArguments=false to the JVM flags and restarted CF before running the AutoLockdown tool. I have checkpoints/snapshots in Hyper-V so that I can start the tool from scratch on each attempt.

Attached is the lockdown log if anyone can help me out.

Report · Nov 07, 2025

Just to clarify, I can get CF to work just fine. It is the lockdown that is fail. (would be really helpful to be able to edit posts)

Report · Nov 07, 2025

It is failing at this line.

2025-11-07 11:05:37 INFO - Old Value for scripts source: <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Error</title> <link href="http://localhost:8500/cf_scripts/scripts/assets/style.css" rel="stylesheet"/> </head> <body> <div id="header"></div> <div id="spot"> <img src="http://localhost:8500/cf_scripts/scripts/assets/spot.png" /> <div id="title">Error</div> </div> <div id="content"> An error occurred while executing the application. Please try again or contact the administrator. </div> </body></html>
2025-11-07 11:05:37 ERROR - It seems there has been an error while getting the script source values.
java.lang.StringIndexOutOfBoundsException: Range [48, -1) out of bounds for length 530

Check your ColdFusion logs to see what error is being reported.

Report · Nov 07, 2025

And adding to Roberto's helpful suggestion, given the error (and what precedes it, saying "Trying to add virtual directory for cf_scripts", I'd wonder if there's an issue related to that.

Since you say that you have cf running before trying the tool, can you tell us the value shown in the cf admin "settings" page, for the default script arc directory"? That is what this was wanting to change.

I'm wondering if it's somehow not liking whatever is your current value. I realize you may find it to be simply the default, /cf_scripts/scripts.

/Charlie (troubleshooter, carehart. org)

Report · Nov 08, 2025

The cf_script value is the default /cf_scripts/scripts. The only setting changed after install of CF was the jvm matchArguments flag. I have tried running lockdown with and without a connector already in place for IIS. I can access cf_scripts static files through the internal webserver and IIS.

I figured out that it can't create the service user if the password is over a certain length. A 10 character password always works.

Well, I just got it to run succesfully by uninstalling update 4 first to get back to first version. After lockedown I was then able to install update 4 succesfully. Can't believe so much time was wasted on this. Now I can continue through the rest of the lockdown guide recommendations.

How are there bug like this? I'm doing nothing unique here. Did I miss something with update 4 that I needed to do after install? If not, does Adobe not automate the testing of at least a default product install and lockdown with every product and OS update?

Report · Nov 08, 2025

Hi @danielmroberts , sorry to hear about the lockdown installation issues. Glad to hear that you finally resolved it.

Thanks for sharing your solution.

Report · Nov 08, 2025

So, Daniel, first I would not be surprised if Adobe fails to test a reinstall of the auto lockdown tool with each update? Should they? Sure, if updates can somehow break it (which happened with the update that introduced the remote args problem, it seems).

But that was NOT your problem, as you'd added it. Are you saying this cfscripts error is misleading, and instead it was only about the password limit? And was that new with an update?

I realize you may not care to dig further, with your problem solved. I'm asking so as to help others who may run into this or similar problems.

And though we can be tempted to presume "the issues have been stated here", there's no guarantee anyone from Adobe will see it.

Please consider raising a bug report (tracker.adobe.com) for whichever things you feel are at issue. Even simply asserting (in its own bug report) that they should test the tool after each update is worthwhile.

Again, I get it, you may want to "just move on", but it's when people discern such issues that they need to raise a bug report otherwise it will be forgotten/lost in the dozens of threads here each--likely found only later via someone searching.

At a minimum, if you state specifically what was the solution, you/we can mark it as an "answer", to help others. It's just not clear what specifically in your last reply was the solution.

/Charlie (troubleshooter, carehart. org)

ColdFusion 2025 Auto-Lockdown Failing

1 Correct answer