RichardGoldstein

asked on

IIS4 is Locking out Coldfusion & ASP Files - Help!!

IIS4 has started locking out CFM (Coldfusion) files. In a given folder, if there is a CFM file and an HTM file, IIS will serve up the HTM file but present an NT4 IIS login screen when trying to hit the CFM file. (Logging into the screen with a valid NT account allows viewing of the file.)

All the directory security permissions are set correctly.

Please, does anybody have a clue about this??

More detail:
- We have CF5 Professional running on an NT 4 (sp6a+) Server
- The root folder contains a custom tag folder (Siteobjects Soeditor)
- An update to the tag arrived today so I simply copied the files to the server via FTP.
- No other changes were made on the server

Our Web Folder structure resembles:

wwwroot
wwwroot - IIS Site One
wwwroot - IIS Site Two
wwwroot - IIS Site Three
wwwroot - CF Server Root
wwwroot - CF Server Root - Application folder One
wwwroot - CF Server Root - Application folder Two
wwwroot - CF Server Root - Application folder Three
wwwroot - CF Server Root - SiteObjects

Shortly after installing the 2.52 upgrade (by copying files into the SiteObjects folder), browsers started getting locked out of the applications off the CF Server Root folder by IIS security. As described above, a login screen is presented when hitting these URLs and if you don't log in with an NT account you get Access denied or login failed.

Trust me, I have checked permissions up & down the line, and web Directory Security permissions ARE set to 'Allow anonymous access' and 'Windows NT Challenge/response'. Both in the CF root folder and top level "*webhost"

I believe the tag installation and this problem are coincidental - the tag is nothing but Coldfusion code with NO DLLs or executables etc.

To make it even more interesting:
1. This is somewhat random. Not all CF folders are locked out. And for the life of me I cannot see ANY differences between the ones that can be accessed and the ones that can't. All non-CF IIS websites on our server work fine, except...
2. ASP files are not being served up from a site which has all the permissions and correct Document settings!  We don't use ASP but I just tested this and discovered it.  ASP did work in the site about a year ago when we were testing it.  Now we get "HTTP 500 - Internal server error"

I really don't think we got hacked or that this custom tag install was responsible. We're behind a good firewall, patched, and I've checked all the system logs and web logs & ran antivirus software without finding anything. I think something just got corrupted.

Rebuilding the server is not an attractive option - we have approx. 20 sites and multiple applications running on this thing.  

Somebody please help - this one is killing us!
nkathman

What are the NTFS file permissions on the directories in which the CFM files exist? Make sure the ID the ColdFusion and IIS servers are running under has access to those directories.

RichardGoldstein (ASKER)

File permissions are:

<ip address>Admins: Full Control (all)(all)
Administrators: Full Control (all)(all)
Everyone: Special Access (RW)(all)
SYSTEM: Full Control (all)(all)

Coldfusion was installed using the Admin account.
Hi!

Everyone needs RWX.

If they haven't got eXecute they can't list files in that directory.

So you need X too, not just RW.

Regards
/Hans - Erik Skyttberg

If you allow anonymous access anyway I would remove NT challenge/response.

Also you have forgotten one user that also needs RWX to the files and that is the IAUSR_ADMIN, or whatever it's called.

I mean the user that the webserver service is running as.

Regards
/Hans - Erik Skyttberg
Hi Eric -

I made these changes but nothing changed.  Also, it was working fine for over a year with the other settings so I don't think that was it.

I'm going to try replacing the metabase.bin file from a tape backup tomorrow & see if the problem was a corrupted metabase.bin file.

Any other ideas if that doesn't work?

Thanks!
Richard
Restoring the metabase did not work.  

I found a support document on Macromedia's site that describes the problem & offers some steps but none of those worked.

http://www.macromedia.com/v1/handlers/index.cfm?ID=10334&Method=Full

Help - anybody?
Hi!

Instead of letting ColdFusion use System/Account.

Create a user called ColdFusionServiceUSR or something, add him to local administrators group.

Let the Coldfusion server use this user as login credentials to start service instead of local system account.

This might fix your problem.

Regards
/Hans - Erik Skyttberg
Hi again!

Oh also give that user the right to logon as service.

Regards
/Hans - Erik Skyttberg
This is great - I created a new account, made it a member of the admin group, gave it rights to log on as a service, named it ColdfusionServer and when I tried to assign this as the account to the Coldfusion service I get error 1057 - The account name is invalid or does not exist (I picked it from the list).

Previously I had tried assigning the service to the Admin account but that made no difference.

thanks though!!!

any other ideas?
ASKER CERTIFIED SOLUTION
heskyttberg

This solution is only available to members.

Yes - we're on SP6a.  

I agree - I think the server is hosed in some odd way.

The rebuild is a daunting project regardless of the OS because we have web sites running in IIS, Coldfusion, AND Domino. The Domino site (our main one) is stable but reinstalling it and everything else is a nightmare.

Thanks very much for all your suggestions though!
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final deposition.

If the asker does not know how to close the question, the options are here:
https://www.experts-exchange.com/help.jsp#hs5

zenlion420
EE Page Editor
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: heskyttberg {http:#8034812}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

zenlion420
EE Page Editor