Installing CF 11 in secure mode on Windows 2008 R2 server has problems with anonymous access

Hi,

I installed CF 11 on a Windows 2008 R2 (IIS 7.5) server following the CF 11 Lockdown Guide written by Pete Freitag.  I've done this several times before at other installations and am hitting a snag now.

I'm able to bring up a test website on this server using standard html pages, as well as CF pages when I am logged in to that server.  On a different machine I can get to static pages, but CF pages come back with a '500 server error'.  So the difference is anonymous vs authenticated access.

I have CF 11 admin on a separate port using its internal web server.  I created a separate limited account for CF access as well as one for IIS.  

I don't see any additional entries in the CF logs in the admin panel, so I suspect this is something related to anonymous access in IIS and how it hands off requests to the CF server.  Anyone have any suggestions on tracking this down?

Thanks!

--Ben
Ben Conner (CTO, SAS developer) Asked:
_agx_ Commented:
EDIT:

I'm not an IIS guru, but a few thoughts ... is the 500 error from IIS - or CF and what is the error text?  If it's an IIS error, anything related in the IIS and/or o/s logs?

>> I created a separate limited account for CF access as well as one for IIS.

I'm wondering if it's due to the permissions on the IIS account. Did you use a custom account for IIS in your previous installs as well?  What happens when you temporarily run IIS under the default application pool user?
0
Ben Conner (CTO, SAS developer), Author, Commented:
CF doesn't appear to see the request, so I suspect it is within IIS.  I'm away from the machine for a few hours but when I get back I will clear the log files for that domain and see what I get when I try it again.  And also check the permissions as well and the application pool.  Practically everything was tweaked during this process.  When done properly, it barely has enough authority to return pages and no more.

Thanks!

--Ben
0
_agx_ Commented:
Sounds good.

>>  Practically everything was tweaked
Yes, I did it a while ago. Don't remember if I used a custom account for IIS last time around, but did run into a few problems with requests in IIS afterward. In my case, I hadn't set all of the folder permissions properly. Granting the app pool account the necessary permissions resolved it.
0
Ben Conner (CTO, SAS developer), Author, Commented:
Dang.  Let me look through that list again.  Could have tanked that part easily.
0
_agx_ Commented:
In particular, double check the permissions for IUSR, which the CF11 guide says is the anonymous authentication account.  Likely something's off with its permissions or settings since anon requests seem to be the ones that aren't working.
0
Ben Conner (CTO, SAS developer), Author, Commented:
Tried swapping out the account for the test domain in the application pool and used Administrator.  That had no effect, so I swapped it back.  

Bringing up my security properties, the {cf.root}/config/wsconfig/ folder has read & execute, list folder contents, and read set for IUSR (as well as the app pool account I created).  {cf.root}/config/wsproxy/ is identical.  {cf.instance.root}/wwwroot/CFIDE as well.

Ah.  May have found it.  Looks like I didn't add the cfuser account to all the CF services.  Doing that now...
And still no change after the mods.

Hm.
0
_agx_ Commented:
I've had the "pleasure" of encountering a few errors setting up IIS, and the exact codes and causes vary.  For example 500.19. Exactly what 500.x error are you getting and what is the full error message? I still suspect it is permissions related, but knowing the exact error should tell us if we're on the right track.
0
_agx_ Commented:
>> Bringing up my security properties
In addition to the error message info, what about

- The web root permissions?
- Permissions for {cf.root}/config/wsconfig/n/isapi_redirect.log?

The ColdFusion IIS connector writes logs to a file called isapi_redirect.log - the IIS Application Pool user (iisuser in our example) needs write permission to this file.
0
Ben Conner (CTO, SAS developer), Author, Commented:
In the browser, all I see is:

500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.

I'm not sure why, but I have 5 '/n/' folders, 1-5 under the wsconfig folder.  I gave all of them modify permission to the iisuser account.  There isn't an isapi_redirect.log file in any of them yet.  I -do- see the isapi_redirect.dll in 2-5, as well as isapi_redirect.properties in each of them.

The most recent entries from the IIS log file for this site are in the attached file.

The ip.cfm file just returns the ip address of the client connecting to it.

--Ben
iis.txt
0
_agx_ Commented:
EDIT: Add link

From what I've read, the relevant error is these 3 values:

sc-status | sc-substatus | sc-win32-status
500       | 0            | 193

This doc says 193 means:

ERROR_BAD_EXE_FORMAT    - 193 (0xC1)
    %1 is not a valid Win32 application.

Wonder if it's related to bitness... did you install the 64bit version of CF? If not, did you enable 32bit in the app pool settings?

Also, check the event logs for any other errors.
0
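The triage _agx_ does by hand above (reading the sc-status / sc-substatus / sc-win32-status triple out of the IIS log and mapping 193 to ERROR_BAD_EXE_FORMAT) as a small W3C log parser. This is an added example, not code from the thread; the log lines are constructed, and the win32 hint table is deliberately limited to codes a defender commonly meets behind a 500.

```python
"""Triage IIS W3C log lines for 500 responses, as discussed in the thread.

Added example; the log sample is constructed. Field names follow the
W3C extended format that IIS 7.5 writes when those fields are enabled.
"""
from typing import Dict, List

# sc-win32-status values (winerror.h) that commonly sit behind an IIS 500,
# with the check a practitioner would make for each.
WIN32_HINTS: Dict[int, str] = {
    193: "ERROR_BAD_EXE_FORMAT: module is not a valid Win32 application; "
         "compare CF bitness with 'Enable 32-Bit Applications' on the app pool",
    5: "ERROR_ACCESS_DENIED: check NTFS permissions for the app pool / IUSR account",
    2: "ERROR_FILE_NOT_FOUND: check the handler mapping / connector path",
}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2014-11-20 15:01:02 10.0.0.5 GET /index.html - 80 - 203.0.113.7 200 0 0
2014-11-20 15:01:09 10.0.0.5 GET /ip.cfm - 80 - 203.0.113.7 500 0 193
2014-11-20 15:02:30 10.0.0.5 GET /ip.cfm - 80 BENSERVER\\ben 10.0.0.20 200 0 0
"""

def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into field dicts, honouring every
    #Fields header seen (IIS re-emits it after a roll-over)."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign
        rows.append(dict(zip(fields, values)))
    return rows

def triage_500s(log_text: str) -> List[str]:
    """One diagnosis string per 500 response, keyed on the status triple."""
    findings: List[str] = []
    for row in parse_w3c(log_text):
        if row.get("sc-status") != "500":
            continue
        win32 = int(row.get("sc-win32-status", "0"))
        hint = WIN32_HINTS.get(win32, "unmapped win32 status; look it up in winerror.h")
        findings.append(f"{row['cs-uri-stem']} from {row['c-ip']} (user {row['cs-username']}): "
                        f"500.{row['sc-substatus']} win32={win32} -> {hint}")
    return findings
```

Pointing `triage_500s` at a real log (`Path(...).read_text()`) also surfaces the anonymous-vs-authenticated split from the question, since cs-username is carried into each finding.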
Ben Conner (CTO, SAS developer), Author, Commented:
I did install the 64 bit version.  The application pool advanced options also has the 'enable 32 bit applications' set to true.  Should it be?
0
_agx_ Commented:
EDIT: No.  It should only be set to true if you are running CF 32bit - or if you had another web app using the same pool that needs 32 bit. Though in the latter case, you can't mix the two. You'd need to set up 2 separate app pools: one for the 32bit apps (enable 32 bit = true) and another for CF 64 bit (enable 32 bit = false).
0
Ben Conner (CTO, SAS developer), Author, Commented:
Well that's interesting; when I changed the 32 bit option to 'false', I now get a 404 when I try to access the test cfm page.
0
_agx_ Commented:
Edit: Is the test page located in the web root or virtual directory? If the latter, could be a mapping/virtual directory issue.
0
Ben Conner (CTO, SAS developer), Author, Commented:
It's in the document root.
0
_agx_ Commented:
Edit: Not sure what physical directory that is or if it's in the IIS root or a virtual directory.  If it's in a virtual directory, it's likely the 404 is happening because the path isn't resolving properly. To confirm that's the problem, try a script that's in the webroot, so there are no mappings involved.
0
Ben Conner (CTO, SAS developer), Author, Commented:
When you say 'webroot' are you talking about the CF Install wwwroot folder?  If so, IIS doesn't know about that.  And the page still gets returned properly when I'm logged in to the machine.
0
_agx_ Commented:
Depends on how the CF app is configured, but I was thinking the IIS webroot of the Default Web App, ie c:\inetpub\wwwroot\yourTestPage.cfm.
0
_agx_ Commented:
Let's say the server is "yourdomain.com", this URL worked fine for me externally:

http://yourdomain.com/ip.cfm

Is that the URL that's throwing a 404 error on your side?
0
Ben Conner (CTO, SAS developer), Author, Commented:
Hi,

Yes, that is what is failing.  I sent you a screenshot of what I'm seeing.
0
_agx_ Commented:
EDIT:

Very strange ... that page displays "Your IP address is: ..." in FF for me.  Can you try it from another machine?

Also, try temporarily enabling detailed errors.  The details might provide clues about why it can't resolve the path. This is for IIS7, but shouldn't be too different.
https://blogs.msdn.microsoft.com/rakkimk/2007/05/25/iis7-how-to-enable-the-detailed-error-messages-for-the-website-while-browsed-from-for-the-client-browsers/
0
Ben Conner (CTO, SAS developer), Author, Commented:
Good grief.  I found out why this wasn't working.  I don't even want to admit it... but hopefully it might help another knucklehead.

I had set the test box up on one virtual machine and set up access to it but hadn't implemented the dns pointers to it yet.  So I added an entry via the hosts file in the windows\system32\drivers\etc\ folder.

Much later I set up dns for it but did not use the same IP address.  So my personal workstation has been barking up the wrong tree for who knows how long.  <banging head against the wall>

Sigh...
0
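The stale hosts-file override that turned out to be the root cause above is easy to catch with a quick comparison of every hosts entry against what DNS answers today. This is an added example, not from the post; the hosts-file text and the DNS answers are constructed so it runs offline, and in real use the resolver callable would wrap `socket.getaddrinfo`.

```python
"""Flag hosts-file entries that disagree with DNS (the root cause in the thread).

Added example. SAMPLE_HOSTS and FAKE_DNS are constructed; on a real box read
C:\\Windows\\System32\\drivers\\etc\\hosts and resolve with socket.getaddrinfo.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed hosts-file content in the layout Windows ships.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
192.168.10.50    cf11test.example.com   cf11test   # added before DNS existed
10.20.30.40      files.example.com
"""

# Constructed stand-in for today's DNS answers (the CF test box has moved).
FAKE_DNS: Dict[str, Set[str]] = {
    "cf11test.example.com": {"192.168.10.60"},
    "cf11test": set(),            # short name: no DNS record at all
    "files.example.com": {"10.20.30.40"},
}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs; comments, blank lines and inline
    '# ...' remarks are ignored, and one line may name several hosts."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((name.lower(), ip) for name in names)
    return pairs

def hosts_dns_mismatches(text: str, resolve: Callable[[str], Set[str]]) -> List[str]:
    """One message per hosts entry whose IP is not among the DNS answers.
    Names DNS cannot resolve are reported too: the hosts line is the only
    thing making them work, which is worth knowing before it goes stale."""
    problems: List[str] = []
    for name, ip in parse_hosts(text):
        answers = resolve(name)
        if not answers:
            problems.append(f"{name}: only in hosts ({ip}); DNS has no record")
        elif ip not in answers:
            problems.append(f"{name}: hosts says {ip} but DNS says {sorted(answers)}")
    return problems

def demo() -> List[str]:
    """Run the check against the constructed data."""
    return hosts_dns_mismatches(SAMPLE_HOSTS, lambda n: FAKE_DNS.get(n, set()))
```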
Ben Conner (CTO, SAS developer), Author, Commented:
Thank you for the careful thought and even approach while running this to ground.  At times just having someone ask the 'obvious' questions can resolve an issue.  Much appreciated!
0
_agx_ Commented:
Heh.. happens to all of us once in a while.  Glad I could help and that everything is working now.
0
Ben Conner (CTO, SAS developer), Author, Commented:
Ran into a post-install issue during testing: I am unable to delete a DSN.  It throws an error (There was an error accessing this page.  Check logs for more details.  Click here to login).  I'm not actually logged out as I can still navigate on the left side.

But there is nothing in the log files (under ..\cfusion\log\) regarding this.  Couldn't find an updated log file anywhere else in the CF file structure.

I did check the security permissions on the CF install folder structure; the cfuser has full authority over the cfusion\lib folder where neo-datasource.xml maintains the DSN entries.

?

--Ben
0