Scheduled tasks won't run when authentication turned on

Scheduled tasks have run fine for years. Now I need access to #cgi.auth_user# variable so I turned off anonymous login in IIS for the cf projects directory. Now my scheduled tasks won't run. Can I put something in the username/password fields in the schedule task form so they'll authenticate? The folder is set for "Integrated windows authentication".

Thanks for your help

Not that I know of. If you've set it to integrated windows authentication (NTLM), not only will CF not be able to log in but no one not using Windows or IE will be able to log in. If you change the security to the "plain text" option then these problems should go away. Basically, NTLM authentication is a Windows-only protocol.

Thanks for the info. Sorry I didn't mention this is on an Intranet where all users are in the same domain and all use IE. What's the danger in using "plain text" option in this type of environment?

Nothing that I can see, and if you are worried about it you can use SSL, which encrypts everything (even the plain text uw/password).

I'm thinking my best solution is to put the scheduled task scripts into a separate folder on the server. Then I can leave anonymous access ON for that folder so CF can execute them, but require authentication on the CF applications that users run.

As an FYI. I find that i can't run any pages as a scheduled job if that file is secured with SSL. I did the same as you plan, i just made a generic folder for scheduled jobs only.

Did you try specifying port 443 as the port? I believe you should be able to use SSL (even if the certificate is not a pubic cert). Some more info here:

http://www.adobe.com/cfusion/knowle...fusion_9987e902

I'm just throwing this on top of my head here but anything the <cfntauthenticate> could do since you're using "Integrated Windows authentication"?

No, that tag just checks the user name and password and returns group names, etc. It won't actually maintain an authenticated connection.

Stating the port didn't help either, I tried to call a file 6 ways to sunday, and the only way i could get it to work was outside of an ssl dir.

I haven't had to do this so I'm not sure how to make it work, but from my Google searches it appears that it is definitely possible. Anyway, if you're fine just using a non-SSL directory that's probably the easiest choice for now.

To the original post, ColdFusion wont authenticate to IIS. I have a folder setup for my tasks that I leave unprotected. But if any user came across them somehow, it wouldn't be any risk that they ran them independently of CF. This may not be the case for all projects.

If you need a little more protection on these files before they're run, you could do something like look at the user agent to see who is running the task, ColdFusion runs them as CFSCHEDULE, so it's easy to test for (but not difficult to hack). If you want to authenticate for everyone but CFSCHEDULE, take peek at this post - you can force users with any other string to authenticate with IIS: http://www.coldfusionusers.com/cfbl...mous-access-on/

You might also do something like look at the URL params and pass some secret key in CFADMIN that only you know, and have them abort if the key isn't run (something like mytask.cfm?oktorun=wham, and have the task verify url.oktorun = 'wham').

For IIS only:

I have an application that uses windows authentication, and faced the same problem. I think building on what most others here have posted - you have your answer (if acceptable by your network security requirements).

Try the following - works fine for me:

1) Store any scheduled task cfm files in a common directory on your server or within your application.

2) In IIS - navigate to the specific directory where your task cfm files are stored and enable basic authentication. (ONLY FOR THIS DIRECTORY)

3) When you create your scheduled tasks - specify a UN and PW in the arguments. (A good practice would be to create an account which only CF would use for this purpose. This is generally a local account on your web server with minimal access to anything but select areas of your webroot.) IIS basic authentication will accept the UN and PW and allow you access.

If you are using SSL when you (with basic authentication it's kind of a must) you have to be sure that you have installed the certificate for your web server in CF using 'keytool'. There are a number of threads out there that explain how to do this, so I won't go into it here, but that might be your ticket.

The ultimate goal here is to leverage automated tasks and still keep your attack surface small. If you enable basic authentication and use SSL to run your HTTPRequests to your tasks, you should be able to get what you want without being exposed.

Hope that helps!!