IIS4 has started locking out CFM (Coldfusion) files. In a given folder if there is a CFM file and an HTM file, IIS will server up the htm file but present an NT4 IIS login screen when trying to hit the CFM file. (logging into the screen with a valid NT account allows viewing of the file)
All the directory security permissions are set correctly.
Please, does anybody have a clue about this??
- We have CF5 Professional running on an NT 4 (sp6a+) Server
- The root folder contains a custom tag folder (Siteobjects Soeditor)
- An update to the tag arrived today so I simply copied the files to the server via FTP.
- No other changes were made on the server
Our Web Folder structure resembles:
wwwroot - IIS Site One
wwwroot - IIS Site Two
wwwroot - IIS Site Three
wwwroot - CF Server Root
wwwroot - CF Server Root - Application folder One
wwwroot - CF Server Root - Application folder Two
wwwroot - CF Server Root - Application folder Three
wwwroot - CF Server Root - SiteObjects
Shortly after installing the 2.52 upgrade (by copying files into the SiteObjects folder), browsers started getting locked out of the applications off the CF Server Root folder by IIS security. As described above, a login screen is presented when hitting these URL's and if you don't log in with an NT account you get Access denied or login failed.
Trust me, I have checked permissions up & down the line, and web Directory Security permissions ARE set to 'Allow anonymous access' and 'Windows NT Challenge/response'. Both in the CF root folder and top level "*webhost"
I believe the tag installation and this problem are coincidental - the tag is nothing but Coldusion code with NO dll's or executables etc.
To make it even more interesting:
1. This is somewhat random. Not all CF folders are locked out. And for the life of me I cannot see ANY differences between the ones that can be accessed and the ones that can't. All non-CF IIS websites on our server work fine, except...
2. ASP files are not being served up from a site which has all the permissions and correct Document settings! We don't use ASP but I just tested this and discovered it. ASP did work in the site about a year ago when we were testing it. Now we get "HTTP 500 - Internal server error"
I really don't think we got hacked or that this custom tag install was responsible. We're behing a good firewall, patched, and I've checked all the system logs and web logs & ran antivirus software without finding anything. I think something just got corrupted.
Rebuilding the server is not an attractive option - we have approx. 20 sites and multiple applications running on this thing.
Somebody please help - this one is killing us!