NTLM authentication N/G under CF8

Report · Aug 10, 2008

Under CF7, I had a number of directories for which access was controlled quite nicely via NT permissions. Since I installed CF8, none of that seems to work. Users are as usual prompted for username/password, but server never authenticates them, and they always get "ACL doesn't allow you to access this page" errors.

This happens with EVERY user. EVERY user. So no, thanks for asking, it's not "mistyped passwords." It worked perfectly under CF7, doesn't work *at all* under CF8. Directory permissions haven't changed (they're still as I left them), still using same web server (IIS6 under Win2003 Server), the *only* change has been the CF server.

Is there something I've forgotten to set, somewhere? only

Report · Aug 12, 2008

When you had CF7 running, what credentials was it using? Did you verify those were reset for the CF8 service?

You might want to grab a copy of procmon from the Microsoft Sysinternals page.

Set it up and write a filter to show only "Access Denied" messages. Then try hitting your site.

It'll quickly show you what files are being denied. That'll help track down the problem.

Report · Aug 14, 2008

It was and is running under the "local system" account. I didn't do anything screwy or non-standard during the install process.

Procmon returns this:

Sequence: 43578
Date & Time: 8/14/2008 7:16:39 PM
Event Class: File System
Operation: CreateFile
Result: ACCESS DENIED
Path: (the file name)
TID: 6176
Duration: 0.0001212
Desired Access: Generic Read
Disposition: Open
Options: No Buffering
Attributes: RE
ShareMode: Read, Write, Delete
AllocationSize: n/a
Impersonating: MIRANDA\IUSR_MIRANDA

Report · Aug 18, 2008

That error should have a file path associated with it.

Follow it, and make sure the user CF/IIS is running under has privs to that path.

Report · Aug 18, 2008

CF is running under the "local system" account, and SYSTEM already has full control to both the directory and the files in question.

IWAM and IUSER have no privileges, because I specifically don't want anonymous access. Anonymous access works fine. I don't want anonymous access, I want authenticated-user access.

Let me reiterate--this setup was working flawlessly under CF 7. I changed not a single file permission when I installed CF 8. Now the "login" box is invoked as before, but the correct username/password doesn't work.

Report · Aug 18, 2008

In your post above you have:

Sequence: 43578
Date & Time: 8/14/2008 7:16:39 PM
Event Class: File System
Operation: CreateFile
Result: ACCESS DENIED
Path: (the file name)
TID: 6176
Duration: 0.0001212
Desired Access: Generic Read
Disposition: Open
Options: No Buffering
Attributes: RE
ShareMode: Read, Write, Delete
AllocationSize: n/a
Impersonating: MIRANDA\IUSR_MIRANDA

What is the path - where you have "(the file name)"? If you don't want to answer this, then the next question would be, is "the file name" something in your web document root? Or something under the cfusion/jrun4 folder?

Something is clearly getting called that does not have rights based on the user ID you are entering. While you might not have changed the permissions, an installer could have.

Report · Aug 19, 2008

Turns out the problem isn't CF at all (for my convenience), it's IIS. Apparently, IIS refuses to display files of any type, we're not even getting to CF.

Thanks for the assist--I'm off to call Microsoft. Wish me luck.

Report · Aug 20, 2008

They're going to have you do the same steps.

Your problem is here (based on what you posted):

MIRANDA\IUSR_MIRANDA is trying to access Path: (the file name) and can't.