Skip navigation
Currently Being Moderated

Multiserver Monitor Permission Denied...

Jan 28, 2011 11:42 AM

So I've been dealing with this for years now, since version 8 and now with version 9 of

Coldfusion.  I can't ever get my multi-server monitor to monitor more than the local server from which I run the multiserfver monit

or.  I've edited the multiservermonitor-access-policy.xml to use the following line:

 

<allow-access-from domain="*" />

 

However, that doesn't work even after restarting Coldfusion.

 

Does anyone have this working?  I think I'm about to buy fusion-reactor so I can actually monitor my servers but it's always frustrating when something that should be pretty simple just doesn't work right.  Thanks in advance for any input.

 

...Brad

 
Replies
  • Currently Being Moderated
    Jan 28, 2011 2:49 PM   in reply to bmelendy

    Could do a real quick packet sniff to capture the status codes and content?

    I would confirm that the file is being requested, sent, and that it has the

    expected content.

     

    Try Wireshark.

     
    |
    Mark as:
  • Currently Being Moderated
    Jan 28, 2011 7:29 PM   in reply to bmelendy

    Since I was actually on the ColdFusion 8.0 engineering team at Adobe and personally tested the multiservermonitor back in 2006/7, I find it very surprising to learn that /crossdomain.xml is now required in the webroot INSTEAD of /CFIDE/multiservermonitor-access-policy.xml.

     

    I did some testing on a couple local ColdFusion 9.01 servers, and to force the requirement of the access file, I loaded the CF Admin Multiserver Monitor over localhost (127.0.0.1) and then tried to add a different CF instance to the monitor using the other interface for the same machine 192.168.1.104.  As expected, I got Permission Denied.  I then went to the target server that I was trying to add, and I enabled the multiservermonitor-access-policy.xml by uncommenting the appropriate line.  I was really stunned to find that the target server still showed a Permission Denied status (Figure 1).

     

    Upon examining the console (Figure 2) where I started the target server, I found a series of error messages for

    "error Requested resource '/crossdomain.xml' (%2fcrossdomain.xml) not found",

    logged every time the Server Monitor attempted to refresh the view (every 20 seconds).

     

    I went back to the Server Monitor console and switched to the Errors tab (Figure 3) where I found a very helpful message:

    "Ensure that you have allowed access to this server by changing the crossdomain.xml file."

     

    With that information in hand, I Googled "multiservermonitor-access-policy.xml" + "crossdomain.xml" and came across the following references:

     

    1. A blog comment by Adobe QA Engineer Jayesh Viradiya. "simply Ignore the multiserver-access-policy file and put the following  crossdomain.xml file, with appropriate client machine permissions where  you are running multiserver Monitor, and put this crossdomain under the  CF Server wwwroot, which you are trying to connect to"
    2. The ColdFusion 9 Documentation on Multiserver Monitor. "Note:  The cross domain details need to be mentioned in the crossdomain.xml file and this file must be placed directly under webroot. Previously, this file was placed under <webroot>/CFIDE/multiservermonitor-access-policy.xml. For more information, see www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html "
    3. ColdFusion bug 79603. "The workaround is: If multiservermonitor-access-policy.xml is renamed as crossdomain.xml and it is placed directly under webroot rather than CFIDE,then it works."

     

    This one went completely under my radar as this is the first time that I found out about this change.  When I made the change to my server test, I found it then worked with /crossdomain.xml on the target server.

     

    This should do it for you.  Let us know.

     

     

     

    Figure 1

    image002.jpg

     

    Figure 2

    image006.jpg

     

    Figure 3

    image004.jpg

     
    |
    Mark as:
  • Currently Being Moderated
    Jan 31, 2011 12:25 PM   in reply to bmelendy

    A couple thoughts, Brad, first about your observation regarding the article, and then about your ongoing problem with CF 8.

     

    First, on the article, I'm the author and yep, it was written with respect to 8. Not much had changed in 9, so it was not updated. But I have been asked to update it for 9.0.1, since there were monitor-specific changes for that. Look for them in weeks/months to come.

     

    And I will certainly be updating this info about the xml files (in part 4, so will be the last article updated).

     

    Until then, I'll note that anyone can add comments to update them, and I have just now for this, pointing to Steven's blog entry on the matter (http://www.talkingtree.com/blog/index.cfm/2011/1/28/Multiserver-Monito r-Permission-Denied-and-crossdomainxml).

     

    As for your problem on CF8, just note (as I discuss in the article) that it's critical that you get the XML entry just right--www.domain.com is not the same as domain.com (and localhost is not the same as 127.0.0.1), when it comes to configuring that. Hope that helps.

     

    I'll note there could be (at least) one other problem: have you confirmed you can in fact visit the Server Monitor itself? If not, there may be a config problem that would then also preclude the Multiserver Monitor working also. Though it may not be your issue, I'll point out a blog entry I did that addressed one problem:

     

    http://www.carehart.org/blog/client/index.cfm/2008/11/7/cf911_cf8mon_c f_unavailable

     

    /charlie

     
    |
    Mark as:
  • Currently Being Moderated
    Feb 1, 2011 1:20 PM   in reply to bmelendy

    Brad, it's indeed easy for this stuff to get confusing. There's precious little docs beyond what I have in those articles.

     

    First, in terms of debugging things, you say you asked for the /flex2gateway URL, but really, you need to be checking for the /CFIDE/multiservermonitor-access-policy.xml URL instead. What do you get back then? Do a view source. Does it show what you think it should show? And to be sure you're not seeing a cached version (cached in your browser). Again, I discuss this in the article. A quick trick (not mentioned there) is to add a random query string to the end of the URL.

     

    Beyond that, and important to your testing, there is something I noted in the article which may be key to your debugging and solving this.

     

    Despite what we may reasonably think, the communication between the multiserver monitor (msmon) and the server being monitored is not between the client where we have the msmon running. Instead, it's between the server being monitored (let's call that server "watched") and that where the msmon itself was loaded from (let's call that Server "watcher").

     

    So when you say you tested calling the gateway url (on "watched"), I assume you tested it from your workstation, but is that where the implementation of CF is installed, from which you launched the msmon ("watcher")? If not, you need to try it from on the box running the "watcher" instance.

     

    There could be some security implementation such that communications from between the "watched" and "watcher" servers does not allow even that simply /flex2gateway url to work. But do try it. I mean, get on the "watcher" box itself and from a browser there, test your calls to the "watched" server.

     

    More important, what happens when you ask (from "watcher" server) for the URL http://["watched"]/CFIDE/multiservermonitor-access-policy.xml?

     

    Note that you may well see that it does not show what you expect, from what you say you know the xml contents to be. How could that be? Well, you may be looking at the xml file on the server in the CFIDE directory that you think (and reasonably assume) is that which serves up the CF Admin for the site you're trying to monitor. But there are all kinds of reasons that can get confused. Sometimes people modify their CFIDE mapping in their web server to point to an alternative location. Sometimes they are pointing at a real location, but the CF server was configured (at install) to point to one in another location (like the Re: Multiserver Monitor Permission Denied...\wwwroot\CFIDE). You can look in the CF Admin "mappings" page to see what CF thinks is where its Admin is located. Is that where you were putting this xml file? And is it what you think it should be, in that location?

     

    I'll note as well one could also install CF in such a way as to accept the offer to have the CF admin on a built-in web server, such as via port 8500 (http://[server]:8500/CFIDE/...). In that case, note that that WOULD by default be looking at the Re: Multiserver Monitor Permission Denied...\wwwroot\CFIDE, not any in your webroot, so if you launch it that way, you must put the XML file in that appropriate directory.  So you may find that when things worked before, you told the msmon to monitor the "watched" server via its built-in web server, or vice versa.

     

    Hope some of that may help. Let us know.

     

    Finally, given this whole thread, is it also possible that there is a /crossdomain.xml file in the site root (again, whatever is the site root for the web site in question) which may be overriding this lower-level file. I don't know enough about these to know for sure, but I do (in the article) point to resources from Adobe with more, as they are a fundamental Flash security feature.

     

    /charlie arehart

    charlie@carehart.org

    Providing CF and CFBuilder troubleshooting services

    at http://www.carehart.org/consulting

     
    |
    Mark as:

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points