Hi all!
We have a really strange problem on our newly installed W2K8 servers with CF9. A short overview of the set up:
Server: W2K8 64-bit, IIS 7.5
CF-server: CF 9,0,1,274733 Standard Edition
The problem is that while htm-files are secured by folder security, cfm-files in the same folder are accessible for all users. We've disabled "Anonymous Access" and enabled "Windows Authentication" (with NTLM as first enabled provider) in IIS.
When monitoring the http-requests made for both the htm- and cfm-files we can see that both files behave the same in the first two steps of NTLM Authentication (as described here) but when the htm-file responds with a login prompt in step three (if you're not authorized), the cfm-file responds with a 200 response and the security rules of the folder/file don't seem to matter at all.
We've searched around the net and can't really find anything like our problem. Does anyone have a clue about what's going on here? Please let me know if you need more information.
Thanks in advance!
Regards,
Johan
In IIS 6 you would need to configure IIS to check that the file exists before trying to serve it, else IIS will pass requests for *.cfm pages to the CF server and this can bypass IIS authentication. I suspect this is still the case in IIS 7.x.
JR "Bob" Dobbs wrote:
In IIS 6 you would need to configure IIS to check that the file exists before trying to serve it
We have NEVER had to do that for any CFML file that we have applied Windows Integrated Security to in IIS.
I've never had to do that with IIS 6 either, but there are enough differences between 6 and 7 that I wouldn't be surprised if it's needed there. I haven't tested this, though.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Johan,
Did you solve your problem? I have the same issue. I was running ColdFusion 8 with IIS 6 and the NTFS permissions would not be checked unless you selected "check if file exists" under the application mappings for the wildcard mappings. In IIS 7 the interface has changed and there is no such box. Under handler mappings you find each handler mapping. I have read that you should choose "invoke handler only if request is mapped to" under edit and request restrictions for the handler mapping. The problem with that is that request restrictions is not available for the wildcard mapping. Anybody know how to configure it correctly?
You have probably already solved your issue by now but in case someone else stumbles upon this post. There is a way to modify the settings for the wildcard mapping using the IIS management console. Just navigate to your web site as usual, same place where your handler mappings for ColdFusion are. You should see another option in the Features View called "Configuration Editor". Double-click that icon to fire it up. Next select the "system.webServer > handlers" option in the drop-down box at the top labeled "Section:". You should now see a couple rows in the console; (Collection) and accessPolicy are what I see. Click in the cell to the right of (Collection) and you will get an ellipsis button (...). Click that button to open up another window. This window shows you the handlers that are available to your site. You should see the wildcard handler in this window. Click its row at the top and all of its properties will be available to you in the bottom of that window. From there you can modify each property's settings. Once you are done editing, close that window. Now you should have the "Apply" and "Cancel" options available in the Actions pane on the right. Click "Apply" to save your settings. The settings are still saved to the web.config file so you can view that to see what it did. NOTE: I have tried setting 'script' access for the wildcard mapping and it does NOT like it. After doing so I would get 500 errors.
Hope this helps.
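Because the Configuration Editor writes the handler collection to web.config, the result can also be reviewed offline. The following is an added example, not part of any post in this thread: it lists each handler mapping with its effective resourceType and requireAccess, filling in the IIS 7 schema defaults when an attribute is omitted. The handler names and DLL names in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config. Handler names and scriptProcessor values are
# placeholders (assumptions), not values taken from the thread.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script">
      <add name="ExampleWildcard" path="*" verb="*" modules="IsapiModule"
           scriptProcessor="PLACEHOLDER_wildcard.dll" requireAccess="None" />
      <add name="ExampleCfm" path="*.cfm" verb="*" modules="IsapiModule"
           scriptProcessor="PLACEHOLDER_connector.dll"
           resourceType="File" requireAccess="Script" />
    </handlers>
  </system.webServer>
</configuration>"""

# Schema defaults for <add> in system.webServer/handlers when omitted.
DEFAULTS = {"resourceType": "Unspecified", "requireAccess": "Script"}


def audit_handlers(web_config_xml):
    """Return one dict per handler mapping with its effective settings."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for add in root.findall("system.webServer/handlers/add"):
        resource_type = add.get("resourceType", DEFAULTS["resourceType"])
        findings.append({
            "name": add.get("name"),
            "path": add.get("path"),
            "resourceType": resource_type,
            "requireAccess": add.get("requireAccess", DEFAULTS["requireAccess"]),
            # Unspecified: the handler is invoked whether or not the request
            # maps to a file or folder on disk.
            "no_file_check": resource_type == "Unspecified",
            "wildcard": add.get("path") == "*",
        })
    return findings


if __name__ == "__main__":
    for f in audit_handlers(SAMPLE_WEB_CONFIG):
        note = "REVIEW" if f["no_file_check"] else "ok"
        print(f"{note:6} {f['name']:16} path={f['path']:6} "
              f"resourceType={f['resourceType']} "
              f"requireAccess={f['requireAccess']}")
```

Mappings marked REVIEW are the ones to compare against an unauthenticated request for a protected .cfm file, which should receive the same challenge as the .htm file beside it.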
Miguel-F
Thank you for your suggestion and it worked as far as editing the handlers but did not make a difference as far as enforcing NTFS permissions. I was setting this all up on a virtual server and have discovered that I do not have the problem on a regular installation of a real server. I do not have to do any special configuration of ColdFusion handler mappings then. So I just can't get it to work on a virtual setup. I have no idea why?
Did you ever find an answer to why CF ignores the NTFS perms and how to fix it? I have the same issue and have not found a solution. CF10, W2008R2.