1 Reply Latest reply on Dec 31, 2007 11:20 AM by Newsgroup_User

    CF 7 & IIS 6.0 Setup - No Anon access

      Hi Folks -

      I am looking for anybody who may have set up their web server like this:

      I need to have Anonymous Authentication turned off - reason being - we user the User_id in the CGI variable to show their name and for security. This part is already working fine.

      Now I am adding Scheduled Tasks into the mix, but whenever I try it I get the following error:
      HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.<br>Internet Information Services (IIS)

      I am investigating all web sites possible for an answer, but hopefully someone here might have an idea.

      Now then, the CF service is using the local system account, and it doesn't have access to the web site.
      When I try to add Everyone, it still doesn't work.

      I am looking for any ideas.


        • 1. Re: CF 7 &amp; IIS 6.0 Setup - No Anon access
          Level 7
          IIS security is very fine grained. You can apply security setting as
          global as the entire website or as granular as an individual file or

          When I have been presented with the exact issue you are experiencing;
          having anonymous access for scheduled tasks, I would set up a file or
          directory for the scheduled tasks and allow anonymous access for just
          that file or directory, while leaving the rest of the site secured.

          You can use other filters to prevent unlimited access to these files if
          that is necessary. Such as restricting the IP address for these files
          to just the CF server, or similar restrictions.

          You can not set any user for ColdFusion that will pass IIS integrated
          security. The reason for this is that for IIS integrated security, the
          browser must understand the protocol and respond correctly. The only
          browser that does this is IE. Any other browser, including the very
          basic browser CF uses to make a scheduled task request, do not
          understand this protocol. They will either present a dialog box for a
          user name and password or just fail completely upon making the request.

          If you can accept IIS basic security, you can use the user name and
          password fields on the scheduled task form to provide these. Just be
          aware that these creditionals are passed between client and server in
          open, plain text and can be snooped. The usual mitigation for this is
          using HTTPS or another security protocol to encrypt data in transition.