We have a ColdFusion application running on Windows 2016 using IIS. This application uses database users to log in to the front-end; roles are then granted directly through code to these database users. It's an old legacy application, and we would like to change the login method to use Windows Authentication instead of database users. How can this be done? If we do this, do we need to change a lot of code, and how do we grant roles once the user logs in? Actually, the system should directly let a user in, since they are on the Intranet using Windows authentication.
Any suggestions?
I've never tried anything like that, myself; not a legacy app, nor a brand spanking new one. But I believe that CFLDAP would be in play, as that will access the Active Directory that the users exist in. As far as code changes, the only thing that would change, just off the top of my head, would be setting the variables that grant the roles, etc. Instead of being set by the result of a query, they would be set by whatever is returned in the CFLDAP results.
But then, I'm not at all familiar with your legacy app... this is an assumption.
^ _ ^
PS. Personally, just from a security standpoint, I would be using CFLDAP on every page load; that way, if a user is online using this app, and (for whatever reason) said user has a role taken away, then the change will be reflected in real time, not upon the next time the user logs on. Just my two cents.
Depending on how things are set up in your environment, the easiest way to do this might be to just let your web server authenticate users instead of CF. If you're using IIS, and your web server is configured to use Windows Authentication, you'll have a CGI variable with the user's name in it that you can look up. You could then use this name to look up application-specific roles that are already in your database.
There are a lot of "ifs" to this, though. You might not be using Windows Authentication, or you might not be using IIS, or you might need to do authorization (the roles thing) somewhere other than in your web app. But this is what I'd try first, because it's very easy to try and see what you're getting - just set up a new web site or a test web site with Windows Authentication enabled, go to a CF page, and dump the entire CGI scope (I think the variable name is CGI.AUTH_USER but am not sure). You might need to talk to your network people about what exact form of Windows Authentication you need to use, because you have Kerberos, NTLM, forms-based authentication, and so on.
Dave Watts, Eidolon LLC
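The approach Dave describes, as an added CFScript example that is not from the thread: IIS authenticates the user, ColdFusion reads CGI.AUTH_USER, normalizes it to a bare account name, and loads roles from the existing database. The datasource name `legacyDSN`, the table `app_user_roles(username, role_name)` and the 401/403 handling are assumptions for illustration.

```cfml
<cfscript>
// Added example, not from the original thread. Assumes the IIS site has Anonymous
// Authentication disabled and Windows Authentication enabled, so IIS populates
// CGI.AUTH_USER as "DOMAIN\user" (or "user@domain.tld"). The datasource "legacyDSN"
// and table "app_user_roles(username, role_name)" are hypothetical names.

// Normalize the IIS-supplied principal to the bare account name the role table keys on.
string function normalizeWindowsUser(required string authUser) {
    var name = trim(arguments.authUser);
    if (name contains "\") {
        name = listLast(name, "\");          // DOMAIN\jdoe -> jdoe
    } else if (name contains "@") {
        name = listFirst(name, "@");         // jdoe@corp.example -> jdoe
    }
    // Accept only characters valid in a SAM account name; reject anything else.
    if (!reFind("^[A-Za-z0-9._-]{1,20}$", name)) {
        return "";
    }
    return lCase(name);
}

// Look up the roles the legacy schema already holds for this user (parameterized query).
array function loadRoles(required string user) {
    var q = queryExecute(
        "SELECT role_name FROM app_user_roles WHERE username = :u",
        { u = { value = arguments.user, cfsqltype = "cf_sql_varchar" } },
        { datasource = "legacyDSN" }
    );
    return listToArray(valueList(q.role_name));
}

// Intended to run from Application.cfc onRequestStart(): authenticate via IIS,
// authorize via the database. An empty CGI.AUTH_USER means IIS let the request
// through unauthenticated (e.g. anonymous auth still enabled), so deny instead
// of falling back to a guest role.
user = normalizeWindowsUser(cgi.AUTH_USER);
if (user == "") {
    cfheader(statuscode = 401, statustext = "Unauthorized");
    abort;
}
session.user  = user;
session.roles = loadRoles(user);   // re-read per request so revoked roles take effect at once
if (arrayLen(session.roles) == 0) {
    cfheader(statuscode = 403, statustext = "Forbidden");
    abort;                         // authenticated by Windows, but no application role
}
</cfscript>
```

Because CGI.AUTH_USER is set by IIS only after a successful Windows Authentication handshake, the application never needs to handle passwords; the only trust boundary to verify is that anonymous access is really disabled on the site.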
Thanks for your suggestions, Dave. I will try it out and let you know. The easiest way, as you suggested, would be to use the IIS authentication. I do not want to break the existing legacy prod application though, as we eventually plan on using a newer application.
Just want to make sure if IIS can authenticate for intranet users who are internal to the organization.
Yes, IIS can definitely do that if you set it up to do that.
Dave Watts, Eidolon LLC