Implementing NT authentication for ColdFusion templates with IIS Web Server (ColdFusion MX and 8)
When Adobe ColdFusion (MX 6+ and 8) is used with Microsoft's Internet Information Server on Windows, if you want to restrict access to OS protected files, you need to make IIS check the file access permissions instead of relying on ColdFusion. To do this, you must configure IIS to check the file permissions before passing control of the request to ColdFusion. This is a change in behavior from ColdFusion 5.
To implement NT Authentication in ColdFusion MX (all versions) and ColdFusion 8, several settings need to be modified in IIS. This TechNote describes the changes required.
- Configure IIS NTLM Authentication Support
ColdFusion MX (all versions) and CF8 only support NTLM Authentication. The following steps enable NTLM and Kerberos Authentication support for IIS.
- Click Start > Run, type cmd, and then press ENTER.
- Change directories to the folder that contains the adsutil.vbs file. By default, this is C:\Inetpub\Adminscripts.
- Type the following and press ENTER:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
Note: For Windows 2003 Server type the following and press enter:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
- If the command was successful, the following is returned:
NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
NOTE: For Windows 2003 Server the following is returned:
NTAuthenticationProviders : (STRING) "NTLM"
Note: The command above configures NTLM Authentication support for the entire IIS server. You can set NTLM authentication for individual IIS web sites by replacing X with the site's number in the following command:
cscript adsutil.vbs set w3svc/X/NTAuthenticationProviders "Negotiate,NTLM"
NOTE: For Windows 2003 Server use the following command:
cscript adsutil.vbs set w3svc/X/NTAuthenticationProviders "NTLM"
- Access the Internet Services Manager (ISM)
Windows 2000/XP/2003:
Click Start > Programs > Administrative Tools > Internet Information Services (or Internet Services Manager on Windows 2000).
Windows NT (only supported for ColdFusion MX 6.x+):
Click Start > Programs > Windows NT 4.0 Option Pack > Microsoft Internet Information Server > Internet Services Manager.
- Modify Application Mappings
- Right-click on the applicable web site.
- Select Properties.
- Navigate to Home Directory tab.
- Click the Configuration button.
- On the Mappings tab, double-click on the .cfm mapping.
- On the Add/Edit Application Extension Mapping tab, check the "Check that file exists" checkbox.
- For IIS 6 (Windows 2003), check the "Verify that file exists" checkbox.
- Click OK.
- Repeat this step for all other extensions that are subject to NT Authentication. For example, .cfc, .cfml, .cfr.
- For IIS 6 (Windows 2003), repeat step 6 for the cf_root\lib\wsconfig\#\jrun_iis6_wildcard.dll entry under Wildcard application maps.
- Once all necessary extensions have been adjusted, be sure to click Apply under the App Mappings tab.
- Click OK.
- Click OK on the Home Directory Tab. This is to ensure that all your changes will take effect.
- Repeat steps A-K for all web sites that need to use NT Authentication for ColdFusion pages.
- Create zero-byte files for internal ColdFusion processes
Some ColdFusion Administrator functions, as well as RDS and cfchart functionality, rely on two ColdFusion templates. However, these templates do not exist by default. You will need to create the following zero-byte files, since IIS will check for them during processing.
- Open Windows Explorer.
- Navigate to the web_root/CFIDE directory, typically located at \inetpub\wwwroot\CFIDE.
- Create a blank file named GraphData.cfm.
- Create a directory called main.
- Navigate to the new directory at web_root/CFIDE/main.
- Create a blank file titled ide.cfm.
- Repeat steps B-F for any additional instances of web_root/CFIDE.
- Modify IIS for Custom Errors
If you have specified a Missing Template Handler in your ColdFusion Administrator (under Server Settings > Settings link) so that the generic 404 error will not display, you will need to take the following steps in order for that to continue to work correctly:
- Access the IIS Administrator once again via step 2.
- Right-click on the applicable web site.
- Select Properties.
- Select the Custom Errors tab.
- Double-click on HTTP Error 404.
- On the Error Mapping Properties page, select URL as the Message Type and enter the URL path to the Missing Template Handler specified in the ColdFusion Administrator.
- Click OK twice.
This will now direct all missing file requests to that URL, not just ColdFusion requests. In this example, the permissions on the file the URL is pointing to should allow all users to have read access.
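An audit for the Modify Application Mappings step, added here as an example and not part of the original TechNote: it reads output saved from "cscript adsutil.vbs get w3svc/X/root/ScriptMaps" and reports ColdFusion extensions whose mapping lacks the file-exists check. It assumes the IIS 5/6 metabase entry layout extension,path,flags,verbs, with flag bit 4 corresponding to the "Check/Verify that file exists" checkbox and "*" denoting the IIS 6 wildcard map; the sample output and its paths are constructed.

```python
# Extensions the TechNote lists as subject to NT Authentication, plus "*"
# (assumed here to be how IIS 6 records a wildcard application map).
CF_EXTENSIONS = {".cfm", ".cfc", ".cfml", ".cfr", "*"}
CHECK_FILE_EXISTS = 0x4  # assumed ScriptMaps flag bit behind the checkbox

# Constructed sample of saved adsutil.vbs output. The C:\cf_root paths and
# placeholder.dll are illustrative, not real installation paths.
SAMPLE = r'''
ScriptMaps                      : (LIST) (6 Items)
  ".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
  ".cfm,C:\cf_root\lib\wsconfig\1\placeholder.dll,7,GET,HEAD,POST,TRACE"
  ".cfc,C:\cf_root\lib\wsconfig\1\placeholder.dll,3"
  ".cfml,C:\cf_root\lib\wsconfig\1\placeholder.dll,3"
  ".cfr,C:\cf_root\lib\wsconfig\1\placeholder.dll,7"
  "*,C:\cf_root\lib\wsconfig\1\jrun_iis6_wildcard.dll,1"
'''


def parse_script_maps(text):
    """Yield (extension, handler_path, flags) for each mapping line."""
    for line in text.splitlines():
        parts = line.strip().strip('"').split(",")
        if len(parts) < 3 or not parts[2].strip().isdigit():
            continue  # header line or anything that is not a mapping
        yield parts[0].lower(), parts[1], int(parts[2])


def audit(text, extensions=CF_EXTENSIONS):
    """Return (extension, problem, handler_path) for every gap found.

    Pass a smaller extension set for IIS 5, which has no wildcard map.
    """
    seen, findings = set(), []
    for ext, path, flags in parse_script_maps(text):
        if ext not in extensions:
            continue
        seen.add(ext)
        if not flags & CHECK_FILE_EXISTS:
            findings.append((ext, "file-exists check is off", path))
    for ext in sorted(extensions - seen):
        findings.append((ext, "no mapping found", None))
    return findings


if __name__ == "__main__":
    for ext, problem, path in audit(SAMPLE):
        print(f"{ext:6} {problem:26} {path or ''}")
```

Run it once per web site that uses NT Authentication, since the mappings are set per site.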
Additional Information
- ColdFusion MX 7.0.1 and 7.0.2: Configuring IIS 6.0 with NTLM for Flash forms (TechNote ebd0cbe3)
- MPSB03-02 - Using Windows NT Authentication and Windows file permissions
- Error: "ColdFusion Server is unavailable" when Configuring IIS 6.0 with NTLM using the Verify That File Exists option when accessing the ColdFusion Administrator Server Monitor (ColdFusion 8) (TechNote kb407866)
