?
Solved

IIS4 is Locking out Coldfusion & ASP Files - Help!!

Posted on 2003-02-20
13
Medium Priority
?
259 Views
Last Modified: 2013-12-16
IIS4 has started locking out CFM (Coldfusion) files. In a given folder if there is a CFM file and an HTM file, IIS will server up the htm file but present an NT4 IIS login screen when trying to hit the CFM file.  (logging into the screen with a valid NT account allows viewing of the file)

All the directory security permissions are set correctly.

Please, does anybody have a clue about this??

More detail:
- We have CF5 Professional running on an NT 4 (sp6a+) Server
- The root folder contains a custom tag folder (Siteobjects Soeditor)
- An update to the tag arrived today so I simply copied the files to the server via FTP.
- No other changes were made on the server

Our Web Folder structure resembles:

wwwroot
wwwroot - IIS Site One
wwwroot - IIS Site Two
wwwroot - IIS Site Three
wwwroot - CF Server Root
wwwroot - CF Server Root - Application folder One
wwwroot - CF Server Root - Application folder Two
wwwroot - CF Server Root - Application folder Three
wwwroot - CF Server Root - SiteObjects

Shortly after installing the 2.52 upgrade (by copying files into the SiteObjects folder), browsers started getting locked out of the applications off the CF Server Root folder by IIS security. As described above, a login screen is presented when hitting these URL's and if you don't log in with an NT account you get Access denied or login failed.

Trust me, I have checked permissions up & down the line, and web Directory Security permissions ARE set to 'Allow anonymous access' and 'Windows NT Challenge/response'. Both in the CF root folder and top level "*webhost"

I believe the tag installation and this problem are coincidental - the tag is nothing but Coldusion code with NO dll's or executables etc.

To make it even more interesting:
1. This is somewhat random. Not all CF folders are locked out. And for the life of me I cannot see ANY differences between the ones that can be accessed and the ones that can't. All non-CF IIS websites on our server work fine, except...
2. ASP files are not being served up from a site which has all the permissions and correct Document settings!  We don't use ASP but I just tested this and discovered it.  ASP did work in the site about a year ago when we were testing it.  Now we get "HTTP 500 - Internal server error"

I really don't think we got hacked or that this custom tag install was responsible. We're behing a good firewall, patched, and I've checked all the system logs and web logs & ran antivirus software without finding anything.  I think something just got corrupted.  

Rebuilding the server is not an attractive option - we have approx. 20 sites and multiple applications running on this thing.  

Somebody please help - this one is killing us!
0
Comment
Question by:RichardGoldstein
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
  • +1
13 Comments
 
LVL 1

Expert Comment

by:nkathman
ID: 7993829
What is the NTFS file permissions on the directories in which the CFM files exist.  Make sure the ID the cold fusions and IIS server are running under have access to those directories.
0
 

Author Comment

by:RichardGoldstein
ID: 7993978
File permissions are:

<ip address>Admins: Full Control (all)(all)
Administrators: Full Control (all)(all)
Everyone: Special Access (RW)(all)
SYSTEM: Full Control (all)(all)

Coldfusion was installed using the Admin account.
0
 
LVL 8

Expert Comment

by:heskyttberg
ID: 7998590
Hi!

Everyone need RWX.

If they haven't got eXecute they can't list files in that directory.

So you need X too, not jsut RW.

Regards
/Hans - Erik Skyttberg

If you allow anonymous access anyway I would remove NT challenge/response.

Also you have forgotten one user that also need RWX to the files and that is the IAUSR_ADMIN, or whatever it's called.

I mean the user that the webserver service is running as.

Regards
/Hans - Erik Skyttberg
0
Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

 

Author Comment

by:RichardGoldstein
ID: 8012262
Hi Eric -

I made these changes but nothing changed.  Also, it was working fine for over a year with the other settings so I don't think that was it.

I'm going to try replacing the metabase.bin file from a tape backup tomorrow & see if the problen was a corrupted metabase.bin file.

Any other ideas if that doesn't work?

Thanks!
Richard
0
 

Author Comment

by:RichardGoldstein
ID: 8033089
Restoring the metabase did not work.  

I found a support document on Macromedia's site that describes the problem & offers some steps but none of those worked

http://www.macromedia.com/v1/handlers/index.cfm?ID=10334&Method=Full

Help - anybody?
0
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8033502
Hi!

Instead of letting ColdFusion use System/Account.

Create a user called ColdFusionServiceUSR or something, add him to local administrators group.

Let the Coldfusion server use this user as login credentials to start service instead of local system account.

This might fix you problme.

Regards
/Hans - Erik Skyttberg
0
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8033508
Hi again!

Oh also give that user the right to logon as service.

Regards
/Hans - Erik Skyttberg
0
 

Author Comment

by:RichardGoldstein
ID: 8034428
This is great - I created a new account, made it a member of the admin group, gave it rights to log on as a service, named it ColdfusionServer and when I tried to assign this as the account to the Coldfusion service I get error 1057 - The account name is invalid or does not exist (I picked it from the list).

Previously I had tried assigning the service to the Admin account but that made no difference.

thanks though!!!

any other ideas?
0
 
LVL 8

Accepted Solution

by:
heskyttberg earned 2000 total points
ID: 8034812
Hmm...

Are you running SP6a ?
If not upgrade.

This sounds like something is broken in you NT installation.

Is there anything holding you back from running w2k server and IIS5 ?

If not I'd recommend you do this, w2k will be able to handle much more load and more users.

Regards
/Hans - Erik Skyttberg
0
 

Author Comment

by:RichardGoldstein
ID: 8035075
Yes - we're on SP6a.  

I agree - I think the server is hosed in some odd way.

The rebuild is a daunting project regardless of the OS because we have web sites running in IIS, Coldfusion, AND Domino.  The Domino site (our main one) it stable but reinstalling it and everything else is a nightmare.

Thanks very much for all your suggestions though!
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9816067
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final deposition.

If the asker does not know how to close the question, the options are here:
http://www.experts-exchange.com/help.jsp#hs5

zenlion420
EE Page Editor
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9872290
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: heskyttberg {http:#8034812}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

zenlion420
EE Page Editor
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Make the most of your online learning experience.
The purpose of this video is to demonstrate how to exclude a particular blog category from the main blog page. This is can be used when a category already has its own tab, or you simply want certain types of posts not to show up on the main blog. …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question