cgi.remote_user set for / but not for /index.cfm

Report · May 17, 2013

This is on a ColdFusion 10 install on Windows 2008 R2 with IIS 7.5. We have an additional authentication module, Cosign, installed for single sign-on.

If I make a request for https://[servername]/test/ and dump the CGI variables, cgi.auth_type is set to Cosign and cgi.auth_user and cgi.remote_user are both set to my username.

If I make a request for https://[servername]/test/index.cfm and dump the CGI variables, cgi.auth_type, cgi.auth_user, and cgi.remote_user are all set to [empty string].

Some of the things we've tried (largely based on the posts Coldfusion 10 with IIS 7 Windows authenticaiton and cgi.auth_user not staying set😞

Moving the Cosign module to the top of the modules list in IIS
Enabling Windows auth at the server level in IIS (index.cfm then required additional authorization beyond Cosign)
Enabling Windows auth at the directory level in IIS (no change--remote_user not populated)
Disabling Anonymous auth at the server level in IIS (index.cfm then returned a 401 Unauthorized message)

It's strange because the cgi.script_name value is set to /test/index.cfm in both cases, but the credentials are passed for /test/ and not /test/index.cfm.

It's a longshot that anyone here is using Cosign, but just wondering if anyone has other ideas for what might be causing this.

Report · May 18, 2013

I wonder what would happen if you set index.cfm as a default page in IIS. To do that, you have to configure like this: IIS Manager => Your Server Name => Your site => Under HTTP features => Default document => Add index.cfm

In Response To BKBK · May 18, 2013

Thanks for the suggestion. I checked and index.cfm is listed as the top default document.

Some additional info:

I created a page, test.cfm, that also dumps the CGI variables. It also displays [empty string] for auth_type, auth_user, and remote_user.
I created a page, test.asp, that dumps the environment variables. It correctly displays the values for auth_type (Cosign), auth_user, and remote_user (my username).

Since ASP is displaying the proper values but not CF, I'm guessing this is a ColdFusion configuration issue (although that doesn't explain why CF displays the proper values if the path does not include the filename).

In Response To cherdt · May 19, 2013

The culprit just might be Cosign. In ColdFusion, if index.cfm exists, as in your case, then the URLs https://[servername]/test/ and https://[servername]/test/index.cfm will point to the same resource. So, if the one URL is authenticated and the other is not, this will likely be the result of insufficient configuration in Cosign. I suspect Cosign is failing to write cookies in the case /test/index.cfm.

I am unfamiliar with Cosign. However I had a look at the documentation. The Cosign overview suggests how you might resolve the problem. You should configure https://[servername]/test/ as well as https://[servername]/test/index.cfm as destinations. That will instruct Cosign to write the security cookies in either case.

In Response To BKBK · May 22, 2013

Thanks! We consulted with a Cosign expert, and we did have a configuration issue. The fact that it was working in ASP was throwing me off.

In our case, Cosign protection was not enabled in the web.config file at the document root, but only enabled for the directory in question (/test) by the web.config file in that folder.

When we enabled protection at the document root (and removed the web.config file at the directory level), the server environment variables for auth_type, auth_user, and remote_user were passed on the ColdFusion.

In Response To cherdt · May 23, 2013

I thought it would be something like that. Good luck.

cgi.remote_user set for / but not for /index.cfm

1 Correct answer

Photos