7 Replies Latest reply on Jun 17, 2009 11:49 AM by Blue Chrome

    CF login vs. SQL login

    Blue Chrome
      I have built a couple dozen pages in CF with a MS SQL back end. Every time I check to see how the pages are working (F12), it asks me to sign in. The login box says it's for the ColdFusion server, but the username and password that work are my Windows username and password (they are tied to the SQL security). I have had four other people try to log in to see what they can get to and two of the four don't even see a login box (the other two get the same CF login and they use their Windows information). The girl that handles my server config tells me it has something to do with what user groups we are in, whether they have to log in or whether it just automatically pulls their Windows login data.

      I don't mind the Windows information being used for now, but when we go live on the web, I'm going to have to manage outside usernames and passwords. I originally had set up a CF login page, but then I had to log in to the Application first and then another login for the SQL security. Is there any way to just have one login?
        • 1. Re: CF login vs. SQL login
          Level 7
          If you are getting the login that it sounds to me like you are getting,
          this is purely between the web server and your browser and has nothing
          to do with ColdFusion.

          You are getting this login because the web server has been told to use
          some type of authentication. If some Windows users are not getting the
          login, then the type of authentication chosen sounds like "Windows
          Integrated Security" on an IIS web server. With "Windows Integrated
          Security", if one is using a Windows browser on a Windows client to talk
          over a Windows network to a Windows server using a Windows web server,
          then the login can be done behind the scenes without user interaction.

          Otherwise a login dialog box is presented to the user. If you do not
          want this to happen, then something about the above configuration would
          need to be changed.

          • 2. Re: CF login vs. SQL login
            Blue Chrome Level 1
            That sounds about right, because I think the people who are having to log in each time are using Mozilla and those that don't are using IE. When we move the pages to the live server and everyone accesses the site via the web, then I presume everyone will have to sign in to the server authentication. So is there a way to "turn off" the web server authentication so I can set up a ColdFusion login? And when I do, can that ColdFusion login be used to grant permissions to tables/views/stored procedures?
            • 3. Re: CF login vs. SQL login
              Level 7
              > So is
              > there a way to "turn off" the web server authentication so I can set up a
              > ColdFusion login? And when I do, can that ColdFusion login be used to grant
              > permissions to tables/views/stored procedures?

              It could quite possibly be the case that the account that the web server or
              CF is using doesn't have permissions to the files you're requesting, so the
              best it can do is to ask for credentials.

              Make sure the service that the web server and CF are using has permissions
              to the files they're serving.

              --
              Adam
              • 4. Re: CF login vs. SQL login
                Level 7
                Replies inline

                Blue Chrome wrote:
                > That sounds about right, because I think the people who are having to log in
                > each time are using Mozilla and those that don't are using IE. When we move
                > the pages to the live server and everyone accesses the site via the web, then I
                > presume everyone will have to sign in to the server authentication.

                They can't 'sign in to the server authentication'. Windows integrated
                security uses the Windows Active Directory network domain security. If
                you continue to use this security all the users would have to be members
                of the domain controller of your network.

                > So is
                > there a way to "turn off" the web server authentication so I can set up a
                > ColdFusion login?

                Sure, don't use "Windows Integrated Security" in the web server. If you
                are planning on using ColdFusion security on a public web site, one
                would probably not use security at the web server level. On a corporate
                intranet network it is common to use web server security as all the
                users are usually on the same network.

                > And when I do, can that ColdFusion login be used to grant
                > permissions to tables/views/stored procedures?

                That is a bit of a weird question. When a ColdFusion application accesses
                a database, it is not the client user that is accessing the database.
                It is the user defined in the ColdFusion Data Source Name (DSN) that
                accesses the database. When you build a web application all the users
                are seen by the database as that same DSN user. And that DSN user
                should only have the *MINIMUM* permissions required for the application.
                • 5. Re: CF login vs. SQL login
                  Blue Chrome Level 1
                  My hands are somewhat tied in that I need to maintain the internal security and have CF security for outside users (the powers that be do not want internal users to have to remember an additional username/password). I've been talking to the web guy in our sister department and he says the way they do it is to have two applications. One is set up for internal users and one is set up for external users.

                  For the internal version, everything would remain the way I have it now (permissions based on windows login information). For the external version, I would set up a generic SQL user with minimum permissions that anyone connecting from the outside would be logged in as. The specifics of what records they can access/change then would be controlled in the querying code based on their CF login.

                  I'm just wondering if there is a way I can do it with one application, but manipulate the SQL user depending on the #cgi.auth_user# value. In other words, when the application first opens, it reads the #cgi.auth_user# value and if it is one of our internal users, then it passes that value as the SQL login. Otherwise, it passes the generic SQL login. Does that make sense, or am I farting out of my mouth again?
                  • 6. Re: CF login vs. SQL login
                    Level 7
                    A couple of points.

                    Whether you use IIS Windows Integrated Security or not, the database
                    user, and what database permissions it has, is defined by the user
                    assigned in the DSN (Data Source Name) definition or that is passed in
                    through the 'username' and 'password' parameters of the CFQUERY tag.
                    When a ColdFusion application accesses a database, as far as I know, the
                    database has no clue what client user initialized the request to which
                    the ColdFusion server is responding.

                    Having an application run both with Windows Integrated Security and
                    without could be done. You could probably have two initial access
                    pages, one that uses Windows Integrated Security and one that does not,
                    but has an HTML login form. Each of these pages would then process the
                    login information into some type of 'USER' state. This state can then
                    be passed to the rest of the application which would not care how the
                    user state was initialized. It just knows that if the state exists, it
                    can do this or that.
                    1 person found this helpful
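
The following Application.cfc is an added example, not code from any poster in this thread. It shows the design from replies 4 and 6: both entry points resolve to one session-level user state, and every query runs as the single DSN login, with the per-user restriction applied in the WHERE clause. The names session.user, login.cfm, app_dsn and the records table are assumptions; login.cfm is assumed to verify the submitted credentials and then set session.user with source "form".

```cfml
<!--- Application.cfc (added example; all names are hypothetical) --->
<cfcomponent output="false">
  <cfset this.name = "UnifiedLoginExample">
  <cfset this.sessionManagement = true>
  <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

  <cffunction name="onSessionStart" returntype="void" output="false">
    <!--- Every session starts anonymous --->
    <cfset session.user = { authenticated = false, name = "", source = "" }>
  </cffunction>

  <cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">

    <cfif NOT session.user.authenticated>
      <cfif len(trim(cgi.auth_user))>
        <!--- Entry point 1: IIS authenticated the request (Integrated Windows
              authentication). cgi.auth_user is empty for anonymous requests. --->
        <cfset session.user = { authenticated = true, name = cgi.auth_user, source = "windows" }>
      <cfelseif listLast(arguments.targetPage, "/") NEQ "login.cfm">
        <!--- Entry point 2: no web server identity, so use the HTML login form --->
        <cflocation url="login.cfm" addtoken="false">
      </cfif>
    </cfif>
    <cfreturn true>
  </cffunction>

  <cffunction name="getRecordsForUser" returntype="query" output="false">
    <!--- The database sees only the DSN login (app_dsn), which should hold the
          minimum permissions. The per-user restriction is this WHERE clause,
          bound with cfqueryparam so the user name is never spliced into SQL. --->
    <cfset var q = "">
    <cfquery name="q" datasource="app_dsn">
      SELECT record_id, title
      FROM   records
      WHERE  owner_login = <cfqueryparam value="#session.user.name#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <cfreturn q>
  </cffunction>
</cfcomponent>
```

The rest of the application reads only session.user and does not care which entry point populated it.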
                    • 7. Re: CF login vs. SQL login
                      Blue Chrome Level 1

                      We wound up turning Integrated Windows authentication off (found a website showing how to do it: http://www.hostmysite.com/support/dedicated/IIS/passwordprotect/). Thanks for all the help!