We have Windows 2008r2, IIS 7.5, ColdFusion 10 with all the latest patches.
The root allows anonymous access, but doesn't have any ColdFusion files.
We have a subfolder that does not allow anonymous access and has only Windows authentication enabled. Specific domain global groups have access to this ColdFusion folder via IIS (Authentication = Windows authentication only), and the Authorization rules list the specific groups that should have access.
Non-ColdFusion files are correctly blocking anonymous and users not in our global groups.
ColdFusion is allowing users who aren't in our global group to access it, when they should be blocked.
With previous versions of IIS (i.e. v.6 and below), we had to set the "Verify that file exists" option in the application extension mappings as described here:
That "check that file exists" option is no longer available in IIS 7.x http://support.microsoft.com/kb/2725025
Anyone know how to configure Windows authentication for CF10?
So far, everything I tried either blocks valid users or allows invalid users access. Tried adjusting NTFS access to \ColdFusion10\config\wsconfig, but if I remove Authenticated Users and just allow our global groups, it blocks everyone.
Checked the ColdFusion 10 lockdown guide, but couldn't find anything that helped.
I found a way to fix this.
First, I saw this: http://forums.adobe.com/thread/1031711
Didn't fix my problem, but might be a factor. I'm not going to reverse this now that I have it working.
What I did was, in IIS, restrict access to the jakarta folder that points to \ColdFusion10\config\wsconfig\1 to just my global groups and remove the All Users allow access.
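A way to check the workaround described in the post above, as an added example that is not part of the original thread: it reads an applicationHost.config-style file and reports when the jakarta virtual directory still carries an Allow rule that a protected folder has removed. The site name, folder names, group name and sample XML are constructed placeholders, and rule inheritance is simplified to one level with Deny rules ignored.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config-style sample; site, folder and group names are placeholders.
SAMPLE = r"""<configuration>
  <system.webServer><security><authorization>
    <add accessType="Allow" users="*" />
  </authorization></security></system.webServer>
  <location path="Default Web Site/secure">
    <system.webServer><security><authorization>
      <remove users="*" roles="" verbs="" />
      <add accessType="Allow" roles="EXAMPLE\CF-Users" />
    </authorization></security></system.webServer>
  </location>
  <location path="Default Web Site/jakarta">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

AUTHZ = "system.webServer/security/authorization"

def allow_rules(root, path):
    """Allow rules in effect at `path`: the server-level rules, then the location's
    <clear/>, <remove> and <add>. Simplified: one inheritance level, Deny rules ignored."""
    rules = set()
    loc = next((l for l in root.findall("location") if l.get("path") == path), None)
    for scope in (root, loc):
        auth = scope.find(AUTHZ) if scope is not None else None
        for el in (auth if auth is not None else ()):
            key = (el.get("users", ""), el.get("roles", ""))
            if el.tag == "clear":
                rules.clear()
            elif el.tag == "remove":
                rules.discard(key)
            elif el.tag == "add" and el.get("accessType") == "Allow":
                rules.add(key)
    return rules

def audit(xml_text, connector, protected):
    """Report (folder, rule) pairs where the connector directory admits a
    user/role rule that the protected folder does not."""
    root = ET.fromstring(xml_text)
    conn = allow_rules(root, connector)
    return sorted((p, r) for p in protected for r in conn - allow_rules(root, p))

if __name__ == "__main__":
    for folder, (users, roles) in audit(SAMPLE, "Default Web Site/jakarta",
                                        ["Default Web Site/secure"]):
        print(f"jakarta allows users={users!r} roles={roles!r}, broader than {folder}")
```

Pass only folders that are meant to be restricted in the `protected` list; the comparison is a plain set difference and does not treat `users="*"` on a public folder as covering role rules.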
Our situation is a bit complex: we have CF pages in the root and there are subfolders that have different permissions, some of which are publicly accessible. The workaround of restricting the jakarta folder to the same security groups does not work well in our situation.
Does anyone have a solution or suggestion to make ColdFusion respect the permissions on the subfolders?