IIS 5 and ColdFusion MX - security issue with cfm pages

From: Todd (bacile99@yahoo.com)
Date: 01/06/03


From: bacile99@yahoo.com (Todd)
Date: 5 Jan 2003 19:56:11 -0800

I noticed a problem a couple of weeks ago and can't seem to find an
answer to it. I am running ColdFusion MX with IIS 5 / Windows 2000. I
have a default site, plus a few other virtual sites. I have specified
for pages existing in a secure area that Windows authentication be
used. To take things a step further, I also have specified in IIS
that certain restricted areas on my site only be accessed from a
specific IP range. This works at the directory level fine. Example:
www.mysite.com/secured/ will prompt for a password login. But if I
type an exact URL path to a CFM page within a secured area, then IIS
security is ignored and the page gets served up. Example:
www.mysite.com/secured/page.cfm. It ignores the Windows authentication
rule and the IP restriction rule. CFM pages seem to bypass IIS for
these security measures. Any ideas???

I have read through many of the online forums for similar issues at
Macromedia and Google groups. I have tried everything I have seen and
can't resolve the issue 100%. If I get the pages to prompt for
security login, then after a correct login the page displays an HTTP
500 internal server error. If I get the HTTP 500 error to go away,
then all IIS security stops - no more login prompts. It seems I can't
have my cake and eat it too!

My troubleshooting: I have adjusted the application settings from
medium to low. I have removed and then re-added the ISAPI filters. I
have stopped and re-started one or several services - I also tried
this in a specific order as one poster suggested, but still no luck.
I have rebooted the server a few times with no luck. I have tried a
few other things too but my mind is blank right now so I can't list
the rest. If anyone has any suggestions I would be willing to listen.
Hope to hear from you soon, thanks for the help.