I wonder what would happen if you set index.cfm as a default page in IIS. To do that, you have to configure it like this: IIS Manager => Your Server Name => Your site => Under HTTP features => Default document => Add index.cfm
Thanks for the suggestion. I checked and index.cfm is listed as the top default document.
Some additional info:
- I created a page, test.cfm, that also dumps the CGI variables. It also displays [empty string] for auth_type, auth_user, and remote_user.
- I created a page, test.asp, that dumps the environment variables. It correctly displays the values for auth_type (Cosign), auth_user, and remote_user (my username).
Since ASP is displaying the proper values but not CF, I'm guessing this is a ColdFusion configuration issue (although that doesn't explain why CF displays the proper values if the path does not include the filename).
The culprit just might be Cosign. In ColdFusion, if index.cfm exists, as in your case, then the URLs https://[servername]/test/ and https://[servername]/test/index.cfm will point to the same resource. So, if the one URL is authenticated and the other is not, this will likely be the result of insufficient configuration in Cosign. I suspect Cosign is failing to write cookies in the case /test/index.cfm.
I am unfamiliar with Cosign. However, I had a look at the documentation. The Cosign overview suggests how you might resolve the problem. You should configure https://[servername]/test/ as well as https://[servername]/test/index.cfm as destinations. That will instruct Cosign to write the security cookies in either case.
Thanks! We consulted with a Cosign expert, and we did have a configuration issue. The fact that it was working in ASP was throwing me off.
In our case, Cosign protection was not enabled in the web.config file at the document root, but only enabled for the directory in question (/test) by the web.config file in that folder.
When we enabled protection at the document root (and removed the web.config file at the directory level), the server environment variables for auth_type, auth_user, and remote_user were passed on to ColdFusion.
I thought it would be something like that. Good luck.