Copy link to clipboard
Copied
This is on a ColdFusion 10 install on Windows 2008 R2 with IIS 7.5. We have an additional authentication module, Cosign, installed for single sign-on.
If I make a request for https://[servername]/test/ and dump the CGI variables, cgi.auth_type is set to Cosign and cgi.auth_user and cgi.remote_user are both set to my username.
If I make a request for https://[servername]/test/index.cfm and dump the CGI variables, cgi.auth_type, cgi.auth_user, and cgi.remote_user are all set to [empty string].
Some of the things we've tried (largely based on the posts Coldfusion 10 with IIS 7 Windows authenticaiton and cgi.auth_user not staying set😞
It's strange because the cgi.script_name value is set to /test/index.cfm in both cases, but the credentials are passed for /test/ and not /test/index.cfm.
It's a longshot that anyone here is using Cosign, but just wondering if anyone has other ideas for what might be causing this.
Thanks! We consulted with a Cosign expert, and we did have a configuration issue. The fact that it was working in ASP was throwing me off.
In our case, Cosign protection was not enabled in the web.config file at the document root, but only enabled for the directory in question (/test) by the web.config file in that folder.
When we enabled protection at the document root (and removed the web.config file at the directory level), the server environment variables for auth_type, auth_user, and remote_u
...Copy link to clipboard
Copied
I wonder what would happen if you set index.cfm as a default page in IIS. To do that, you have to configure like this: IIS Manager => Your Server Name => Your site => Under HTTP features => Default document => Add index.cfm
Copy link to clipboard
Copied
Thanks for the suggestion. I checked and index.cfm is listed as the top default document.
Some additional info:
Since ASP is displaying the proper values but not CF, I'm guessing this is a ColdFusion configuration issue (although that doesn't explain why CF displays the proper values if the path does not include the filename).
Copy link to clipboard
Copied
The culprit just might be Cosign. In ColdFusion, if index.cfm exists, as in your case, then the URLs https://[servername]/test/ and https://[servername]/test/index.cfm will point to the same resource. So, if the one URL is authenticated and the other is not, this will likely be the result of insufficient configuration in Cosign. I suspect Cosign is failing to write cookies in the case /test/index.cfm.
I am unfamiliar with Cosign. However I had a look at the documentation. The Cosign overview suggests how you might resolve the problem. You should configure https://[servername]/test/ as well as https://[servername]/test/index.cfm as destinations. That will instruct Cosign to write the security cookies in either case.
Copy link to clipboard
Copied
Thanks! We consulted with a Cosign expert, and we did have a configuration issue. The fact that it was working in ASP was throwing me off.
In our case, Cosign protection was not enabled in the web.config file at the document root, but only enabled for the directory in question (/test) by the web.config file in that folder.
When we enabled protection at the document root (and removed the web.config file at the directory level), the server environment variables for auth_type, auth_user, and remote_user were passed on the ColdFusion.
Copy link to clipboard
Copied
I thought it would be something like that. Good luck.