Re: Problem with Authentication on IIS 7.5 & Scheduled Task
This is definitely possible because I do it the other way round to lock down the administrator folder, so require authentication only on that sub directory.
Try using a virtual directory instead of a physical directory.

On Mon, Aug 13, 2012 at 5:25 PM, Carl Von Stetten wrote:
> Dave,
>
> On my previous Win2K3 server, the only way I was able to get scheduled tasks to run properly was to allow anonymous access to the subfolder in the application which stored the scripts for scheduled tasks. This worked fine for several years on the old server.
>
> I was trying to do the same thing on the new Win2K8R2 server (IIS 7.5). The application requires NTLM authentication, but I haven't been able to get the scheduled tasks to run. Even when I hit the scheduled task pages directly in a browser (Firefox and Chrome), I am prompted to login with Active Directory credentials. I also tried turning the subfolder in question into a virtual application in IIS 7.5 but that didn't seem to make any difference.
>
> Anyway, as you indicate, it appears that under IIS 7.5 you can't open a "security hole" (my quotes) by allowing anonymous access to a subfolder in a site requiring authentication. So my workaround is to create a new site just for running scheduled tasks, and have that entire site allow anonymous authentication (thanks also to Russ who kinda suggested this). I am now able to get these scheduled tasks to run properly.
>
> Thank you Dave and Russ for your suggestions!
> -Carl
>
> On 8/10/2012 4:19 PM, Dave Watts wrote:
> >> OK. I created a local Windows user account named "SchedTasks". I gave that account read permissions to the folder. I set Anonymous Authentication to "Enabled" just for that folder, and set the credentials to use the SchedTasks account. In the CF Scheduled Task, I specified SchedTask for the username, and filled in the correct password. I still get the 401.2 error when running the scheduled task.
> >
> > If you're creating a user account for CF to use, why would you enable anonymous authentication? That's not going to help you any.
> >
> > First, I'd recommend that you don't even bother testing from CF yet. Test from Firefox or some other non-IE HTTP client (wget, etc).
> >
> > Second, I don't think you can set anonymous authentication for a folder, as such - it has to be a virtual server or a virtual application. I could be wrong about that, though.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352128
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
Dave,

On my previous Win2K3 server, the only way I was able to get scheduled tasks to run properly was to allow anonymous access to the subfolder in the application which stored the scripts for scheduled tasks. This worked fine for several years on the old server.

I was trying to do the same thing on the new Win2K8R2 server (IIS 7.5). The application requires NTLM authentication, but I haven't been able to get the scheduled tasks to run. Even when I hit the scheduled task pages directly in a browser (Firefox and Chrome), I am prompted to login with Active Directory credentials. I also tried turning the subfolder in question into a virtual application in IIS 7.5 but that didn't seem to make any difference.

Anyway, as you indicate, it appears that under IIS 7.5 you can't open a "security hole" (my quotes) by allowing anonymous access to a subfolder in a site requiring authentication. So my workaround is to create a new site just for running scheduled tasks, and have that entire site allow anonymous authentication (thanks also to Russ who kinda suggested this). I am now able to get these scheduled tasks to run properly.

Thank you Dave and Russ for your suggestions!
-Carl

On 8/10/2012 4:19 PM, Dave Watts wrote:
>> OK. I created a local Windows user account named "SchedTasks". I gave that account read permissions to the folder. I set Anonymous Authentication to "Enabled" just for that folder, and set the credentials to use the SchedTasks account. In the CF Scheduled Task, I specified SchedTask for the username, and filled in the correct password. I still get the 401.2 error when running the scheduled task.
>
> If you're creating a user account for CF to use, why would you enable anonymous authentication? That's not going to help you any.
>
> First, I'd recommend that you don't even bother testing from CF yet. Test from Firefox or some other non-IE HTTP client (wget, etc).
>
> Second, I don't think you can set anonymous authentication for a folder, as such - it has to be a virtual server or a virtual application. I could be wrong about that, though.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352126
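
An added example, not from any poster in this thread: a Python audit that reads an applicationHost.config and lists every path where anonymous authentication is switched on beneath a parent that has it off, the kind of subfolder exception discussed above. It assumes per-path authentication settings are stored in `<location path="Site/folder">` elements and that a scheme nobody sets defaults to anonymous on, Basic and Windows off; the config and the names `Intranet`, `app/tasks` and `TaskSite` are constructed.

```python
import xml.etree.ElementTree as ET

SCHEMES = ("anonymousAuthentication", "basicAuthentication", "windowsAuthentication")
AUTH_PATH = "system.webServer/security/authentication"
# Assumed defaults when no level sets a scheme: anonymous on, the others off.
DEFAULTS = {"anonymousAuthentication": True, "basicAuthentication": False,
            "windowsAuthentication": False}

# Constructed sample; "Intranet", "app/tasks" and "TaskSite" are made-up names.
SAMPLE_CONFIG = """\
<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
    <basicAuthentication enabled="false" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="Intranet"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" />
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
  <location path="Intranet/app/tasks"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer></location>
  <location path="TaskSite"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
</configuration>
"""


def _explicit(node):
    """Schemes whose 'enabled' attribute is set directly under this node."""
    auth = node.find(AUTH_PATH)
    found = {}
    if auth is not None:
        for scheme in SCHEMES:
            el = auth.find(scheme)
            if el is not None and el.get("enabled") is not None:
                found[scheme] = el.get("enabled").strip().lower() == "true"
    return found


def load_explicit(config_xml):
    """Map '' (server level) and each <location path> to its explicit settings."""
    root = ET.fromstring(config_xml)
    levels = {"": _explicit(root)}
    for loc in root.findall("location"):
        levels[loc.get("path", "").strip("/")] = _explicit(loc)
    return levels


def resolve(levels, path):
    """Effective settings for path: defaults, then each ancestor, then the path."""
    parts = [p for p in path.split("/") if p]
    settings = dict(DEFAULTS)
    for depth in range(len(parts) + 1):
        settings.update(levels.get("/".join(parts[:depth]), {}))
    return settings


def anonymous_exceptions(config_xml):
    """Paths that turn anonymous access on below a parent that has it off."""
    levels = load_explicit(config_xml)
    findings = []
    for path in sorted(p for p in levels if p):
        parent = path.rsplit("/", 1)[0] if "/" in path else ""
        if (resolve(levels, path)["anonymousAuthentication"]
                and not resolve(levels, parent)["anonymousAuthentication"]):
            findings.append(path)
    return findings


if __name__ == "__main__":
    for hit in anonymous_exceptions(SAMPLE_CONFIG):
        print("anonymous access enabled under an authenticated parent:", hit)
```

A dedicated anonymous site such as the constructed `TaskSite` is not reported, because its parent level already allows anonymous access; only the carve-out inside the authenticated site is.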
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
> OK. I created a local Windows user account named "SchedTasks". I gave that account read permissions to the folder. I set Anonymous Authentication to "Enabled" just for that folder, and set the credentials to use the SchedTasks account. In the CF Scheduled Task, I specified SchedTask for the username, and filled in the correct password. I still get the 401.2 error when running the scheduled task.

If you're creating a user account for CF to use, why would you enable anonymous authentication? That's not going to help you any.

First, I'd recommend that you don't even bother testing from CF yet. Test from Firefox or some other non-IE HTTP client (wget, etc).

Second, I don't think you can set anonymous authentication for a folder, as such - it has to be a virtual server or a virtual application. I could be wrong about that, though.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352114
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
So just create a new site.

Regards
Russ Michaels

On Aug 10, 2012 11:35 PM, "Carl Von Stetten" wrote:
> Nope. One of the early steps in the ColdFusion lockdown guide has you remove the Default web site for security.
>
> -Carl
>
> >Surely you have the default website still?
> >
> >Regards
> >Russ Michaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352112
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
OK. I created a local Windows user account named "SchedTasks". I gave that account read permissions to the folder. I set Anonymous Authentication to "Enabled" just for that folder, and set the credentials to use the SchedTasks account. In the CF Scheduled Task, I specified SchedTask for the username, and filled in the correct password. I still get the 401.2 error when running the scheduled task.

-Carl

> > How would you create the USERNAME with PASSWORD? I'm not sure I follow (I looked in IIS under Basic Authentication, and the only thing you can set there is "Default Domain" and "Realm").
>
> In Windows, you need to create whatever accounts you want to use for authentication.
>
> In IIS, you need to configure the virtual server or virtual application to use Basic Authentication.
>
> In CF, you need to explicitly provide the account's username and password with the USERNAME and PASSWORD attributes of CFHTTP.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352111
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
Nope. One of the early steps in the ColdFusion lockdown guide has you remove the Default web site for security.

-Carl

>Surely you have the default website still?
>
>Regards
>Russ Michaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352109
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
Surely you have the default website still?

Regards
Russ Michaels

On Aug 10, 2012 11:26 PM, "Carl Von Stetten" wrote:
> Since this is a new server setup, I don't have another site to compare to. I do have this working on an older Windows Server 2003/IIS 6, but things have changed a lot in IIS 7.5. I've checked all the settings in the web server config files (and they look correct), restarted IIS several times, and even rebooted the server, all to no avail.
>
> -Carl
>
> >Looks like you haven't got that subdir set to anon access properly. Check the authentication settings on another site for comparison to see what it should be.
> >It needs to run under the iis_iusr account.
> >Or you could just put login details in the scheduled task.
> >
> >Regards
> >Russ Michaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352108
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
Since this is a new server setup, I don't have another site to compare to. I do have this working on an older Windows Server 2003/IIS 6, but things have changed a lot in IIS 7.5. I've checked all the settings in the web server config files (and they look correct), restarted IIS several times, and even rebooted the server, all to no avail.

-Carl

>Looks like you haven't got that subdir set to anon access properly. Check the authentication settings on another site for comparison to see what it should be.
>It needs to run under the iis_iusr account.
>Or you could just put login details in the scheduled task.
>
>Regards
>Russ Michaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352107
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
> How would you create the USERNAME with PASSWORD? I'm not sure I follow (I looked in IIS under Basic Authentication, and the only thing you can set there is "Default Domain" and "Realm").

In Windows, you need to create whatever accounts you want to use for authentication.

In IIS, you need to configure the virtual server or virtual application to use Basic Authentication.

In CF, you need to explicitly provide the account's username and password with the USERNAME and PASSWORD attributes of CFHTTP.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352106
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
Dave,

How would you create the USERNAME with PASSWORD? I'm not sure I follow (I looked in IIS under Basic Authentication, and the only thing you can set there is "Default Domain" and "Realm").

-Carl

> > And yes, CF is running under a custom Active Directory account that has been granted rights to the entire directory structure, so it should be able to access the file in question.
>
> That won't help with CFHTTP requests. CF doesn't use service account credentials for HTTP authentication, and it doesn't support NTLM or Kerberos authentication (Windows Integrated Authentication in IIS). You can use Basic Authentication with the USERNAME and PASSWORD attributes.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352105
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
Looks like you haven't got that subdir set to anon access properly. Check the authentication settings on another site for comparison to see what it should be.
It needs to run under the iis_iusr account.
Or you could just put login details in the scheduled task.

Regards
Russ Michaels

On Aug 10, 2012 10:24 PM, "Carl Von Stetten" wrote:
> Russ,
>
> Cached login might be right. I just tried the URL in Firefox, and was prompted to login. I think the security of the site is superseding the security I am trying to set on the subdirectory. Maybe I'll create a special site on this server just for scheduled tasks, with anonymous authentication enabled. I'll post back with the results.
>
> And yes, CF is running under a custom Active Directory account that has been granted rights to the entire directory structure, so it should be able to access the file in question.
>
> Thanks,
> Carl
>
> >Try different browser and see if it still works, you may be using cached login which is why it seems to work in browser.
> >
> >Do you have cf running under a custom user?
> >
> >Regards
> >Russ Michaels
> >On Aug 10, 2012 9:39 PM, "Carl Von Stetten" wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352101
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
> And yes, CF is running under a custom Active Directory account that has been granted rights to the entire directory structure, so it should be able to access the file in question.

That won't help with CFHTTP requests. CF doesn't use service account credentials for HTTP authentication, and it doesn't support NTLM or Kerberos authentication (Windows Integrated Authentication in IIS). You can use Basic Authentication with the USERNAME and PASSWORD attributes.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352100
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
Russ,

Cached login might be right. I just tried the URL in Firefox, and was prompted to login. I think the security of the site is superseding the security I am trying to set on the subdirectory. Maybe I'll create a special site on this server just for scheduled tasks, with anonymous authentication enabled. I'll post back with the results.

And yes, CF is running under a custom Active Directory account that has been granted rights to the entire directory structure, so it should be able to access the file in question.

Thanks,
Carl

>Try different browser and see if it still works, you may be using cached login which is why it seems to work in browser.
>
>Do you have cf running under a custom user?
>
>Regards
>Russ Michaels
>On Aug 10, 2012 9:39 PM, "Carl Von Stetten" wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352099
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
Try different browser and see if it still works, you may be using cached login which is why it seems to work in browser.

Do you have cf running under a custom user?

Regards
Russ Michaels

On Aug 10, 2012 9:39 PM, "Carl Von Stetten" wrote:
> I have ColdFusion 10 running on Windows Server 2008R2, using IIS7.5 as web server. I have an intranet application configured to use Windows Authentication with NTLM, which works very well. However, I have an issue with executing scheduled tasks. The files are part of this same application, but are located in a nested subdirectory under the webroot. On this subdirectory, I have turned off Windows Authentication and turned on Anonymous Authentication (using the built-in IUSR account).
>
> When I try to run any .cfm files in this subdirectory via a scheduled task, I get a "401.2 - Unauthorized" error. However, if I run the files from a web browser, even when logged in as a non-domain user, the .cfm files run without issue.
>
> I've checked the permissions on the subdirectory in question, and all of the relevant accounts (the Active Directory account CF runs under, the local account created for the application pool, and the built-in IUSR account) have permissions to read from that subdirectory.
>
> I can't for the life of me figure out what I'm doing wrong. Anyone have any ideas?
>
> Thanks
> -Carl

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352097
Re: Problem with Authentication on IIS 7.5 & Scheduled Task
Digging a little more into IIS (by the way, I Googled IIS 7.5 stuff for a while before my initial post) - I checked the "Authorization Rules" for the subdirectory in question. I changed the Allow rule to include "All anonymous users" instead of "All users". Didn't help.

-Carl

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352096
Problem with Authentication on IIS 7.5 & Scheduled Task
I have ColdFusion 10 running on Windows Server 2008R2, using IIS7.5 as web server. I have an intranet application configured to use Windows Authentication with NTLM, which works very well. However, I have an issue with executing scheduled tasks. The files are part of this same application, but are located in a nested subdirectory under the webroot. On this subdirectory, I have turned off Windows Authentication and turned on Anonymous Authentication (using the built-in IUSR account).

When I try to run any .cfm files in this subdirectory via a scheduled task, I get a "401.2 - Unauthorized" error. However, if I run the files from a web browser, even when logged in as a non-domain user, the .cfm files run without issue.

I've checked the permissions on the subdirectory in question, and all of the relevant accounts (the Active Directory account CF runs under, the local account created for the application pool, and the built-in IUSR account) have permissions to read from that subdirectory.

I can't for the life of me figure out what I'm doing wrong. Anyone have any ideas?

Thanks
-Carl

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352095