IIS7, CF9 windows authentication problem

Guest
Jul 12, 2012

My setup: IIS7 on Windows 2008 R2 with ColdFusion 9 on a virtual server, using Windows authentication.

Windows authentication worked perfectly in the previous version of IIS and on a conventional server setup with ColdFusion 8.

Now when a person without permission requests a file in a protected folder, they are denied all files except the .cfm file. That file displays all the text.

Since this is IIS7 there is no "check that file exists setting" but this is supposed to be handled through the Handler Mappings.

The wildcard is mapped, as well as the .cfm, .cfml, etc. specific extensions.

Documentation says:

How does the ColdFusion service interact with IIS in terms of security?

CF runs as a separate service, but it also integrates with IIS using an ISAPI extension. The ISAPI extension runs in-process with IIS, just like the ASP engine, and when a request is received that is mapped to the file extension associated with the ISAPI extension (typically .cfm and .dbm, although those can be changed in the IIS management console), the request is forwarded to the CF service for processing.

IIS and NT security are used to determine whether the user can request the file in the first place. This happens before the request is forwarded to the CF service. So, you'll generally follow the same procedure for securing CF applications with ACLs that you would with an ASP application.

What am I overlooking? Any suggestions?

New Here ,
Mar 06, 2014

Did you find a solution for this? I have the same issue and cannot find an answer as to why CF is ignoring the NTFS perms.

Enthusiast ,
Mar 18, 2014

Hi

Since "Verify File Exists" doesn't work with IIS 7, we can define "Authorization Rules".

Let's assume you have a website named CF9 in IIS which has two folders, A and B. On this machine, you have two users, A and B, and one Administrator. User A has access to folder A only and user B has access to folder B only.

Log in with the Administrator account and set the Authorization rule on CF9 as "Allow All users" (Allow for All users will already be there, inherited from the server). Enable Windows Authentication and disable all other authentication methods.

Now click on folder A in IIS, click on Authorization Rules, and add Allow for user A and Deny for user B. Specify the same for folder B: add an Allow authorization rule for user B and a Deny authorization rule for user A.

[Screenshot: Windows Authentication]

[Screenshot: Authorization rules for folder A]

[Screenshot: Authorization rules for folder B]

There will be three different web.config files in your webroot.

The main web.config will look like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <add name="JWildCardHandler" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\2\jrun_iis6_wildcard.dll" resourceType="Unspecified" requireAccess="None" />
            <add name="hbmxmlHandler" path="*.hbmxml" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
            <add name="cfswfHandler" path="*.cfswf" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
            <add name="cfrHandler" path="*.cfr" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
            <add name="cfcHandler" path="*.cfc" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
            <add name="cfmlHandler" path="*.cfml" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
            <add name="cfmHandler" path="*.cfm" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
            <add name="jwsHandler" path="*.jws" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
            <add name="jspHandler" path="*.jsp" verb="*" modules="IsapiModule" scriptProcessor="C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll" resourceType="Either" responseBufferLimit="0" />
        </handlers>
        <defaultDocument>
            <files>
                <add value="index.cfm" />
            </files>
        </defaultDocument>
        <staticContent>
            <mimeMap fileExtension=".air" mimeType="application/vnd.adobe.air-application-installer-package zip" />
        </staticContent>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" users="*" />
            </authorization>
        </security>
    </system.webServer>
</configuration>

Web.config for folder A:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" users="A" />
                <add accessType="Deny" users="B" />
            </authorization>
        </security>
    </system.webServer>
</configuration>

Web.config for folder B:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" users="B" />
                <add accessType="Deny" users="A" />
            </authorization>
        </security>
    </system.webServer>
</configuration>

HTH

Thanks

VJ
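The answer above hinges on one detail that is easy to miss in the IIS Manager UI: each folder's web.config first removes the inherited "Allow All users" rule and only then adds its own Allow/Deny entries. If the `<remove users="*" ... />` line is left out, the per-user Deny still blocks the user it names, but every other authenticated user keeps the inherited Allow and can read the folder's .cfm files. The script below is an added example, not code from the thread or from Adobe or Microsoft; it parses web.config fragments modelled on the posted ones (the configs here are constructed and trimmed to the `<authorization>` section), merges them the way IIS inherits rules down the folder tree (parent rules, then each level's `<remove>`/`<add>`/`<clear>`), evaluates whether a given user would be allowed, and flags folders where a wildcard Allow survives next to user-specific rules. The evaluation order (a matching Deny wins over any Allow; no matching rule means denied) is an assumption of this model, and the user-name comparison is case-insensitive as an approximation of Windows account matching.

```python
"""Audit IIS 7 URL authorization rules across nested web.config files.

Added example for the thread above, not the poster's code. Configs below are
constructed to mirror the root / folder A / folder B layout in the answer.
"""
import xml.etree.ElementTree as ET

# Constructed root web.config: drops the server-inherited Allow-all and re-adds it.
ROOT_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><security><authorization>
  <remove users="*" roles="" verbs="" />
  <add accessType="Allow" users="*" />
</authorization></security></system.webServer></configuration>"""

# Constructed folder A web.config, written the way the answer shows it.
FOLDER_A_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><security><authorization>
  <remove users="*" roles="" verbs="" />
  <add accessType="Allow" users="A" />
  <add accessType="Deny" users="B" />
</authorization></security></system.webServer></configuration>"""

# Constructed mistake variant for folder B: the inherited Allow-all was never removed.
FOLDER_B_BROKEN_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><security><authorization>
  <add accessType="Allow" users="B" />
  <add accessType="Deny" users="A" />
</authorization></security></system.webServer></configuration>"""

# Rule inherited from the server level before any web.config is applied
# (the "Allow for All users" the answer says is already there).
SERVER_DEFAULT = [{"accessType": "Allow", "users": "*", "roles": "", "verbs": ""}]


def _split(csv):
    return [x.strip() for x in csv.split(",") if x.strip()]


def parse_rules(xml_text):
    """Return (tag, attrs) pairs from the <authorization> collection, in file order."""
    root = ET.fromstring(xml_text)
    auth = root.find("./system.webServer/security/authorization")
    if auth is None:
        return []
    keys = ("accessType", "users", "roles", "verbs")
    return [(el.tag, {k: el.get(k, "") for k in keys}) for el in auth]


def effective_rules(config_chain):
    """Merge configs root-first, the way IIS inherits a collection down the tree.

    <remove> matches on the collection key (users, roles, verbs); <add> appends;
    <clear> empties the inherited list.
    """
    rules = [dict(r) for r in SERVER_DEFAULT]
    for xml_text in config_chain:
        for op, attrs in parse_rules(xml_text):
            if op == "remove":
                rules = [r for r in rules
                         if not all(r[k] == attrs[k] for k in ("users", "roles", "verbs"))]
            elif op == "add":
                rules.append(attrs)
            elif op == "clear":
                rules = []
    return rules


def _matches(rule, user, roles, verb):
    verbs = [v.upper() for v in _split(rule["verbs"])]
    if verbs and verb.upper() not in verbs:
        return False
    users = [u.lower() for u in _split(rule["users"])]
    if "*" in users or user.lower() in users:
        return True
    return bool(set(_split(rule["roles"])) & set(roles))


def is_allowed(rules, user, roles=(), verb="GET"):
    """Model assumption: any matching Deny wins; no matching Allow means denied."""
    if any(r["accessType"] == "Deny" and _matches(r, user, roles, verb) for r in rules):
        return False
    return any(r["accessType"] == "Allow" and _matches(r, user, roles, verb) for r in rules)


def audit(rules):
    """Flag a folder that names specific users but still inherits Allow for everyone."""
    findings = []
    named = [r for r in rules if "*" not in _split(r["users"])]
    wildcard_allow = any(r["accessType"] == "Allow" and "*" in _split(r["users"]) for r in rules)
    if named and wildcard_allow:
        findings.append('inherited Allow users="*" still present; '
                        "Deny only blocks the users it names, everyone else is allowed")
    return findings


if __name__ == "__main__":
    for label, chain in (("folder A", [ROOT_WEB_CONFIG, FOLDER_A_WEB_CONFIG]),
                         ("folder B (broken)", [ROOT_WEB_CONFIG, FOLDER_B_BROKEN_WEB_CONFIG])):
        rules = effective_rules(chain)
        verdicts = {u: is_allowed(rules, u) for u in ("A", "B", "C")}
        print(label, verdicts, audit(rules))
```

Running the script prints one line per folder with the allow/deny verdict for users A, B and a third user C who should have no access anywhere; the broken folder B shows C allowed and carries an audit finding, while folder A as posted does not.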
