Some CF2023 Installation Questions

Report · Nov 04, 2025

Hi, all. I will be installing CF2023 side-by-side with CF2021 on an important server soon, and I have some questions related to my particular situation that I have not been able to answer by searching the Web:

In the CF2023 Administrator, in Package Manager -> Settings, there are Proxy fields at the bottom. After installing CF2023 on other servers, I find that Proxy Username (admin) and Proxy Password (*******) are already filled on first access of the page, and yet I don't know of anywhere that I specified them during CF2023 installation. Can anyone tell me what this magic password is, and where the Username/Password came from?
I'll be using the standard GUI exe installer and specifying the Server Configuration (No J2EE). Should I run the installer as administrator?
When installing CF2023 side-by-side on other machines, I was at some point offered the option to import the admin settings from CF2021. Can I expect that option every time I install CF2023 side-by-side with CF2021, or is it somehow conditional?

Thanks in advance for any answers.

Report · Nov 04, 2025

Hello Dorrecht,

Please find the responses below

1- In the CF2023 Administrator, in Package Manager -> Settings, there are Proxy fields at the bottom. After installing CF2023 on other servers, I find that Proxy Username (admin) and Proxy Password (*******) are already filled on first access of the page, and yet I don't know of anywhere that I specified them during CF2023 installation. Can anyone tell me what this magic password is, and where the Username/Password came from?

If you do not have proxy configured for the server where you have installed ColdFusion, you can leave the fields blank . You can leave both username and Password fields blank

2 - I'll be using the standard GUI exe installer and specifying the Server Configuration (No J2EE). Should I run the installer as administrator?

Yes, you need to run the installer as Administrator

3- When installing CF2023 side-by-side on other machines, I was at some point offered the option to import the admin settings from CF2021. Can I expect that option every time I install CF2023 side-by-side with CF2021, or is it somehow conditional?

Yes, when you install CF 2021 and CF 2023 side by side for the first time when you access CF 2023 Admin Console after installation it will detect the previous version ColdFusion settings and gives you the option for importing the settings into ColdFusion 2023 .

Thanks & Regards

Ravi

Report · Nov 04, 2025

Thank you, Ravi. The answers for questions 2 and 3 were helpful! For question 1, though, I'm not looking to ignore the proxy settings because I need them to work. I had asked, "Can anyone tell me what this magic password is, and where the Username/Password came from?" I'm still in need of these answers

Report · Nov 04, 2025

Oh - In my sitation, possibly the username and password were copied over from CF2021 when CF2023 was installed. Maybe I assume incorrectly that the fields are populated with something by default.

Report · Nov 04, 2025

Yes, when you run the Migration Wizard the settings would have been imported from CF 2021, there is no default password for proxy settings, If you have Proxy Server which needs username and Password then you need to provided the UID/Pwd if not you can leave them blank

Thanks & Regards

Ravi

Report · Nov 04, 2025

@Dordrecht, I think I can explain your point 1 differently than what you guys are suggesting. I suspect that the username and password field you see there IS NOT being populated by CF--nor from a migration, nor is it "magical". 🙂 But I understand it seems "mysterious".. And I have a suggestion for Adobe.

1) First, can you open the admin in a new private window (if in Firefox) or new incognito windows (in Chrome or Edge)? Does the "magic password" and username appear for that proxy page?

If not, that proves it's not coming from cf. Instead it's your browser, and specifically I suspect it's your browser's built-in password manager--whose cache is empty by default when you open such a private/incognito window.

Let us know how that test goes. I did considerable testing earlier today when I saw this thread, to confirm this from my end. It's a frequent problem for many. And there are in fact many cf admin pages with passwords, where this can happen. (And FWIW there's an xml file for each that you could also inspect to see that cf has no such current info/password., but the test above is easier)

2) Finally Ravi, here's the suggestion for you guys, which should prevent this problem. (Something has been tried, but I find it's done incompletely on some pages and not at all on this one.)

Add autocomplete="new-password" to the various admin password fields on the many admin pages asking for them.

Some have autocomplete="off", which is not doing the job, while this page's password field has neither.

Of course, if the admin code DOES find a password in the neo xml file and fills that in on the page itself, that WILL be rendered despite this attribute. The problem is that the browser pw mgr autocomplete is stepping in when it's empty. (And I appreciate that this matter can be challenging to resolve.)

Hope that helps both of you, and other readers. I'm open to correction or feedback.

/Charlie (troubleshooter, carehart. org)

Report · Nov 05, 2025

Hi, @Charlie Arehart . Thanks.

I loaded the Package Manager Settings page in Edge in a "New InPrivate Window" and the username/password were still populated. There are no other browsers installed on the servers and I'm not allowed to install another. You mentioned an xml file I might check?

Report · Nov 05, 2025

That's certainly interesting to hear (that it would seem NOT to be about the browser). Time will tell.

As for the file to check for THIS page, it's neo_updates.xml--such as may be in \ColdFusion2023\cfusion\lib\, or if you're running multiple instances, look in \ColdFusion2025\[yourinstance]\lib\.

And FWIW, a default ("empty") one (specifically for CF2023 only) would show:

<?xml version="1.0" encoding="UTF-8"?>
<settings>
    <update autocheck="false" checkinterval="10" checkperiodically="false" sendupdate="true">
        <url>https://www.adobe.com/go/coldfusion-updates</url>
        <defaulturl>https://www.adobe.com/go/coldfusion-updates</defaulturl>
        <packagesurl>https://www.adobe.com/go/cf2023_packages</packagesurl>
        <defaultpackagesurl>https://www.adobe.com/go/cf2023_packages</defaultpackagesurl>
        <notification>
		<emaillist/>
		<fromemail/>
	</notification>
    </update>
    <proxy>
        <hostname />
        <port></port>
        <username></username>
        <password></password>
    </proxy>
</settings>

That said, don't just blindly overwrite what you may have with this. Notice all the values in the update section above the proxy section, which may well have been changed upon install or since install of your CF.

/Charlie (troubleshooter, carehart. org)

Report · Nov 05, 2025

I looked in neo_updates.xml on two separate development servers. In both cases, the username and password listed there exactly match the CF admin username/password, which differed from server to server. Interestingly, I recognize one of the passwords as one concocted by someone who almost surely would not have had a connection to the person who set up the proxy, which makes me think the proxy username/password just automatically gets set to the CF admin password. Even more oddly to me, the proxy settings actually work on both servers. Possibly the proxy works regardless of provided username/password. I know the same proxy settings work in the generic Windows Proxy settings panel on both servers to allow outbound Web access through a browser, and that Windows panel doesn't even offer username/password fields.

Report · Nov 05, 2025

Well, first I'm glad that checking the files showed the value actually having been set. I hope you appreciate the suggestion to look there--but perhaps that's tempered by your remaining concern that something seems wrong with cf.

I see it differently. I suspect the "someone else" was on that page and may have been setting ANY of the many settings...and THEIR browser's password manager filled in those values, so cf accepted them. (It does not validate them in any way.)

And to be clear, yes, since you say you see their the cf admin username and pw (sadly, in clear text in that file, which I agree is its own problem), that further confirms my suspicion. When a browser password manager fills in the field, it's NOT paying attention to the NAME of the field. It associates a username and pw with a domain/ip, and fills that in on any field asking for a pw on any page in that site. (That's why I made the suggestion above to adobe, about how to stop that.)

As for getting further proof that "someone else did it", I will note (as some may consider it) that while the CF Admin DOES log MANY changes one may make to the CF Admin (in the audit.log within CF's logs folder), sadly I just confirmed that it does NOT log changes to THIS page. I hope to create bug reports for that, as well as for that clear-text password shown in that file, as well the suggestion of autocomplete="new-password". If anyone else may jump on it, please share the bug id's here.

/Charlie (troubleshooter, carehart. org)

Report · Nov 05, 2025

@Charlie Arehart, I ALWAYS appreciate your help! Although I access the proxy settings mentioned above often, and the username/password are prefilled, my concern was that I would one day need to use the proxy in an emergency situation and find that the fields were no longer prefilled. Not knowing the password in such a case was one of my issues, and wanting to know how CF determines what to put in there was for general knowledge so I could be better at CF setup and administration in the future.

The neo_updates.xml file answered the first question. Much appreciated! It brought up more questions about why the usernames/passwords work, because I'm still quite sure the proxy server guy had no knowledge or use of ColdFusion, its administrator, or its password. I suspect the proxy server is set up to ignore username/password, and that the username/password are populated on that page because someone at some point did what you suggest - saved proxy settings after the passwords pre-filled due to the password manager. That all makes sense. Thank you for explaining it! Someday when I'm not in critical mode, I will try to change that password in the proxy settings to see if it still works, but probably not soon. Thanks again!

Report · Nov 05, 2025

Well, yes. If you put the correct username and password (along with the proxy server and port) into that page, then it should indeed allow the package manager page (updates, etc) to work--if your cf instance somehow would otherwise NOT be able to connect to the internet (or the Adobe domains specifically). Same with the license and activation page (and the ongoing license activation), which uses the same proxy settings.

Can you confirm for those work for you? With and/or without that proxy info?

The easiest test will be to use the "check for updates" button. If it responds immediately, great. If it hangs, test with and without the proxy info. (The cf logs also track if such requests out of cf fail.)

Let us know how that goes.

/Charlie (troubleshooter, carehart. org)