cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0
Upvote

CF 9/IIS 7.5 - Windows folder security not used when viewing CF-files?

Jofi
New Here ,
May 05, 2011 May 05, 2011

Copy link to clipboard

Copied

Hi all!

We have a really strange problem on our newly installed W2K8 servers with CF9. A short overview of the set up:

Server: W2K8 64-bit, IIS 7.5
CF-server: CF 9,0,1,274733 Standard Edition

The problem is that while htm-files is secured by folder security, cfm-files in the same folder are accessible for all users. We've disabled "Anonymous Access" and enabled "Windows Authentication" (with NTLM as first enabled provider) in IIS.

When monitoring the http-requests made for both the htm- and cfm-files we can see that both files behave the same in the two first steps of NTLM Authentication (as described here) but when the htm-file responds with a login prompt in step three (if you're not authorized), the cfm-file responds with a 200 response and the security rules of the folder/file doesn't seem to matter at all.

We've searched around the net and can't really find anything like our problem. Does anyone have a clue about what's going on here? Please let me know if you need more information.

Thanks in advance!

Regards,
Johan

Views

3.1K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 7 Replies 7
latest latest Jump to latest reply
JR__Bob__Dobbs
Enthusiast ,
May 06, 2011 May 06, 2011

Copy link to clipboard

Copied

In IIS 6 you would need to configure IIS to check that the file exists before trying to serve it, else IIS will pass requests for *.cfm pages to the CF server and this can bypass IIS authentication.  I suspect this is still the case in IIS 7.x

See : http://kb2.adobe.com/cps/185/tn_18516.html

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
ilssac
Valorous Hero ,
May 06, 2011 May 06, 2011

Copy link to clipboard

Copied

In Response To JR__Bob__Dobbs

JR "Bob" Dobbs wrote:

In IIS 6 you would need to configure IIS to check that the file exists before trying to serve it

We have NEVER had to do that for any CFML file that we have applied Windows Integrated Security to in IIS.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dave Watts Community Expert
Community Expert ,
May 06, 2011 May 06, 2011

Copy link to clipboard

Copied

In Response To ilssac

I've never had to do that with IIS 6 either, but there are enough differences between 6 and 7 that I wouldn't be surprised if it's needed there. I haven't tested this, though.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
__opo12
New Here ,
May 23, 2011 May 23, 2011

Copy link to clipboard

Copied

Johan,

Did you solve your problem? I have the same issue.  I was running Cold fusion 8 with IIS 6  and the ntfs permissions would not be checked unless you selected "check if file exists" under the application mappings for  the wildcard mappings. In IIS 7 the interface has changed and there is no such  box. Under handler mappings you find each handler mapping. I have read that you should choose  "invoke handler only if request is mapped to" under edit and request restrictions for the handler mapping.  The problem with that is that request restrictions is not available for the wildcard mapping. Any body know how to configure it correctly?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Miguel-F
Engaged ,
Jun 08, 2011 Jun 08, 2011

Copy link to clipboard

Copied

In Response To __opo12

You have probably already solved your issue by now but in case someone else stumbles upon this post.  There is a way to modify the settings for the wildcard mapping using the IIS management console.  Just navigate to your web site as usual, same place where your handler mappings for ColdFusion are.  You should see another option in the Features View called "Configuration Editor".  Double-click that icon to fire it up.  Next select the "system.webServer > handlers" option in the drop-down box at the top labled "Section:".  You should now see a couple rows in the console; (Collection) and accessPolicy are what I see.  Click in the cell to the right of (Collection) and you will get an ellipse button (...).  Click that button to open up another window.  This window shows you the handlers that are available to your site.  You should see the wildcard handler in this window.  Click it's row at the top and all of it's properties will be available to you in the bottom of that window.  From there you can modify each properties settings.  Once you are done editing, close that window.  Now you should have the "Apply" and "Cancel" options available in the Actions pane on the right.  Click "Apply" to save your settings.  The settings are still saved to the web.config file so you can view that to see what it did.  NOTE: I have tried setting 'script' access for the wildcard mapping and it does NOT like it.  After doing so I would get 500 errors.

Hope this helps.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
__opo12
New Here ,
Jun 08, 2011 Jun 08, 2011

Copy link to clipboard

Copied

In Response To Miguel-F

Miguel-F

Thank you for your suggestion and  it worked as far as editing the handlers but did not make a difference as far as  enforcing ntfs permissions.  I  was setting this  all up on a virtual server and have discovered that  I  do not have the problem on a regular installation of a real server. I do not have to do any special configuration of cold fusion handler mappings then. So I just cant get it to work on a virtual setup.  I have no idea why????

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
tishward
New Here ,
Mar 06, 2014 Mar 06, 2014

Copy link to clipboard

Copied

LATEST
In Response To __opo12

Did you ever find an answer to why cf ignores the ntfs perms and how to fix it? I have the same issue and have not found a solution.  CF10, w2008R2.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Copyright © 2024 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices