Ben Conner

Installing CF 11 in secure mode on Windows 2008 R2 server has problems with anonymous access

Hi,

I installed CF 11 on a Windows 2008 R2 (IIS 7.5) server following the CF 11 Lockdown Guide written by Pete Freitag.  I've done this several times before at other installations and am hitting a snag now.

I'm able to bring up a test website on this server using standard html pages, as well as CF pages when I am logged in to that server.  On a different machine I can get to static pages, but CF pages come back with a '500 server error'.  So the difference is anonymous vs authenticated access.

I have CF 11 admin on a separate port using its internal web server.  I created a separate limited account for CF access as well as one for IIS.  

I don't see any additional entries in the CF logs in the admin panel, so I suspect this is something related to anonymous access in IIS and how it hands off requests to the CF server.  Anyone have any suggestions on tracking this down?

Thanks!

--Ben
ColdFusion Language, Windows Server 2008

Last Comment: Ben Conner, 8/22/2022 - Mon
_agx_

EDIT:

I'm not an IIS guru, but a few thoughts ... is the 500 error from IIS - or CF and what is the error text?  If it's an IIS error, anything related in the IIS and/or o/s logs?

>> I created a separate limited account for CF access as well as one for IIS.

I'm wondering if it's due to the permissions on the IIS account. Did you use a custom account for IIS in your previous installs as well?  What happens when you temporarily run IIS under the default application pool user?
Ben Conner

ASKER
CF doesn't appear to see the request, so I suspect it is within IIS.  I'm away from the machine for a few hours but when I get back I will clear the log files for that domain and see what I get when I try it again.  And also check the permissions as well and the application pool.  Practically everything was tweaked during this process.  When done properly, it barely has enough authority to return pages and no more.

Thanks!

--Ben
_agx_

Sounds good.

>>  Practically everything was tweaked
Yes, I did it a while ago. Don't remember if I used a custom account for IIS last time around, but did run into a few problems with requests in IIS afterward. In my case, I hadn't set all of the folder permissions properly. Granting the app pool account the necessary permissions resolved it.
Ben Conner

ASKER
Dang.  Let me look through that list again.  Could have tanked that part easily.
_agx_

In particular, double check the permissions for IUSR, which the CF11 guide says is the anonymous authentication account.  Likely something's off with its permissions or settings since anon requests seem to be the ones that aren't working.
Ben Conner

ASKER
Tried swapping out the account for the test domain in the application pool and used Administrator.  That had no effect, so I swapped it back.  

Bringing up my security properties, the {cf.root}/config/wsconfig/ folder has read&execute, list folder contents, and read set for IUSR (as well as the app pool account I created).  {cf.root}/config/wsproxy/ is identical.  {cf.instance.root}/wwwroot/CFIDE as well.

Ah.  May have found it.  Looks like I didn't add the cfuser account to all the CF services.  Doing that now...
And still no change after the mods.

Hm.
_agx_

I've had the "pleasure" of encountering a few errors setting up IIS, and the exact codes and causes vary.  For example 500.19. Exactly what 500.x error are you getting and what is the full error message? I still suspect it is permissions related, but knowing the exact error should tell us if we're on the right track.
_agx_

>> Bringing up my security properties
In addition to the error message info, what about

- The web root permissions?
- Permissions for {cf.root}/config/wsconfig/n/isapi_redirect.log?

The ColdFusion IIS connector writes logs to a file called isapi_redirect.log - the IIS Application Pool
user (iisuser in our example) needs write permission to this file.
Ben Conner

ASKER
In the browser, all I see is:

500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.

I'm not sure why, but I have 5 '/n/' folders, 1-5 under the wsconfig folder.  I gave all of them modify permission to the iisuser account.  There isn't an isapi_redirect.log file in any of them yet.  I -do- see the isapi_redirect.dll in 2-5, as well as isapi_redirect.properties in each of them.

The most recent entries from the IIS log file for this site are in the attached file.

The ip.cfm file just returns the ip address of the client connecting to it.

--Ben
iis.txt
_agx_

EDIT: Add link

From what I've read, the relevant error is these 3 values:

sc-status | sc-substatus | sc-win32-status
500       | 0            | 193

This doc says 193 means:

ERROR_BAD_EXE_FORMAT    - 193 (0xC1)
    %1 is not a valid Win32 application.

Wonder if it's related to bitness... did you install the 64bit version of CF? If not, did you enable 32bit in the app pool settings?

Also, check the event logs for any other errors.
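
The status triple discussed above can be pulled out of an IIS W3C extended log mechanically. This is an added example, not part of the original thread: the log lines, addresses and dates are constructed, and only `/ip.cfm` and the 500 / 0 / 193 values come from the posts.

```python
"""Summarise failing requests in an IIS W3C extended log by status triple."""
from collections import Counter

# A few Win32 codes that show up in sc-win32-status (values from winerror.h).
WIN32 = {
    0: "ERROR_SUCCESS",
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    193: "ERROR_BAD_EXE_FORMAT",
}

# Constructed sample input in the W3C extended format that IIS writes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus sc-win32-status
2015-01-01 10:00:01 GET /index.html 198.51.100.7 200 0 0
2015-01-01 10:00:02 GET /ip.cfm 198.51.100.7 500 0 193
2015-01-01 10:00:09 GET /ip.cfm 198.51.100.7 500 0 193
2015-01-01 10:00:12 GET /missing.cfm 198.51.100.7 404 0 2
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the field list can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or partial lines
                yield dict(zip(fields, values))

def failures(text):
    """Count (uri, status, substatus, win32 name) for every 5xx response."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status", "").startswith("5"):
            code = int(row.get("sc-win32-status", "0"))
            key = (row.get("cs-uri-stem", "-"), int(row["sc-status"]),
                   int(row.get("sc-substatus", "0")),
                   WIN32.get(code, f"win32 {code}"))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (uri, status, sub, name), n in failures(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {uri}  {status}.{sub}  {name}")
```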
Ben Conner

ASKER
I did install the 64 bit version.  The application pool advanced options also has the 'enable 32 bit applications' set to true.  Should it be?
_agx_

EDIT: No.  It should only be set to true if you are running CF 32bit - or if you had another web app using the same pool that needs 32 bit. Though in the latter case, you can't mix the two. You'd need to set up 2 separate app pools: one for the 32bit apps (enable 32 bit = true) and another for CF 64 bit (enable 32 bit = false).
Ben Conner

ASKER
Well that's interesting; when I changed the 32 bit option to 'false', I now get a 404 when I try to access the test cfm page.
_agx_

Edit: Is the test page located in the web root or virtual directory? If the latter, could be a mapping/virtual directory issue.
Ben Conner

ASKER
It's in the document root.
_agx_

Edit: Not sure what physical directory that is or if it's in the IIS root or a virtual directory.  If it's in a virtual directory, it's likely the 404 is happening because the path isn't resolving properly. To confirm that's the problem, try a script that's in the webroot, so there are no mappings involved.
Ben Conner

ASKER
When you say 'webroot' are you talking about the CF Install wwwroot folder?  If so, IIS doesn't know about that.  And the page still gets returned properly when I'm logged in to the machine.
_agx_

Depends on how the CF app is configured, but I was thinking the IIS webroot of the Default Web App, ie c:\inetpub\wwwroot\yourTestPage.cfm.
SOLUTION
_agx_

Ben Conner

ASKER
Hi,

Yes, that is what is failing.  I sent you a screenshot of what I'm seeing.
ASKER CERTIFIED SOLUTION
Ben Conner

ASKER
Good grief.  I found out why this wasn't working.  I don't even want to admit it....but hopefully it might help another knucklehead.  

I had set the test box up on one virtual machine and set up access to it but hadn't implemented the dns pointers to it yet.  So I added an entry via the hosts file in the windows\system32\drivers\etc\ folder.

Much later I set up dns for it but did not use the same IP address.  So my personal workstation has been barking up the wrong tree for who knows how long.  <banging head against the wall>

Sigh...
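
A check for the situation described above, a hosts-file entry left behind after DNS was set up with a different address. This is an added example, not part of the original thread: the host name and addresses are constructed, and the DNS answers are assumed to come from a query that goes straight to the DNS server (for example `nslookup`), because the normal OS resolver consults the hosts file first.

```python
"""Flag hosts-file entries that disagree with what DNS returns for the same name."""
import ipaddress

# Constructed hosts file content; the name and addresses are placeholders.
SAMPLE_HOSTS = """\
# constructed sample of windows\\system32\\drivers\\etc\\hosts
127.0.0.1       localhost
::1             localhost
192.0.2.15      cftest.example.com cftest   # added before DNS existed
"""

# Constructed DNS answers, gathered by querying the DNS server directly.
SAMPLE_DNS = {"cftest.example.com": {"192.0.2.40"}}

def parse_hosts(text):
    """Return {hostname: set of addresses} from hosts-file text."""
    table = {}
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()   # drop trailing comments
        if len(tokens) < 2:
            continue                             # blank or comment-only line
        try:
            addr = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            continue                             # malformed address, ignore
        for name in tokens[1:]:                  # one address, many aliases
            table.setdefault(name.lower(), set()).add(addr)
    return table

def stale_overrides(hosts_text, dns_answers):
    """List (name, hosts addresses, DNS addresses) where the two disagree."""
    stale = []
    for name, addrs in sorted(parse_hosts(hosts_text).items()):
        dns = dns_answers.get(name)
        if dns and not (addrs & dns):            # name is in DNS, no overlap
            stale.append((name, sorted(addrs), sorted(dns)))
    return stale

if __name__ == "__main__":
    for name, in_hosts, in_dns in stale_overrides(SAMPLE_HOSTS, SAMPLE_DNS):
        print(f"{name}: hosts file says {in_hosts}, DNS says {in_dns}")
```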
Ben Conner

ASKER
Thank you for the careful thought and even approach while running this to ground.  At times just having someone ask the 'obvious' questions can resolve an issue.  Much appreciated!
_agx_

Heh.. happens to all of us once in a while.  Glad I could help and that everything is working now.
Ben Conner

ASKER
Ran into a post-install issue during testing: I am unable to delete a DSN.  It throws an error (There was an error accessing this page.  Check logs for more details.  Click here to login).  I'm not actually logged out as I can still navigate on the left side.

But there is nothing in the log files (under ..\cfusion\log\) regarding this.  Couldn't find an updated log file anywhere else in the CF file structure.

I did check the security permissions on the CF install folder structure; the cfuser has full authority over the cfusion\lib folder where neo-datasource.xml maintains the DSN entries.

?

--Ben