#1
    Scheduled tasks won't run when authentication turned on


    Scheduled tasks have run fine for years. Now I need access to #cgi.auth_user# variable so I turned off anonymous login in IIS for the cf projects directory. Now my scheduled tasks won't run. Can I put something in the username/password fields in the schedule task form so they'll authenticate? The folder is set for "Integrated windows authentication".

    Thanks for your help
  2. #2
    Not that I know of. If you've set it to integrated windows authentication (NTLM), not only will CF not be able to log in but no one not using Windows or IE will be able to log in. If you change the security to the "plain text" option then these problems should go away. Basically, NTLM authentication is a Windows-only protocol.
  4. #3
    Originally Posted by kiteless
    Not that I know of. If you've set it to integrated windows authentication (NTLM), not only will CF not be able to log in but no one not using Windows or IE will be able to log in. If you change the security to the "plain text" option then these problems should go away. Basically, NTLM authentication is a Windows-only protocol.
    Thanks for the info. Sorry I didn't mention this is on an Intranet where all users are in the same domain and all use IE. What's the danger in using "plain text" option in this type of environment?
  6. #4
    Nothing that I can see, and if you are worried about it you can use SSL, which encrypts everything (even the plain text username/password).
  8. #5
    I'm thinking my best solution is to put the scheduled task scripts into a separate folder on the server. Then I can leave anonymous access ON for that folder so CF can execute them, but require authentication on the CF applications that users run.
  10. #6
    As an FYI, I find that I can't run any pages as a scheduled job if that file is secured with SSL. I did the same as you plan; I just made a generic folder for scheduled jobs only.
  12. #7
    Did you try specifying port 443 as the port? I believe you should be able to use SSL (even if the certificate is not a public cert). Some more info here:

    http://www.adobe.com/cfusion/knowled...usion_9987e902
  14. #8
    I'm just throwing this off the top of my head here, but is there anything that <cfntauthenticate> could do, since you're using "Integrated Windows authentication"?
  16. #9
    No, that tag just checks the user name and password and returns group names, etc. It won't actually maintain an authenticated connection.
  18. #10
    Stating the port didn't help either. I tried to call a file 6 ways to Sunday, and the only way I could get it to work was outside of an SSL dir.
  20. #11
    I haven't had to do this so I'm not sure how to make it work, but from my Google searches it appears that it is definitely possible. Anyway, if you're fine just using a non-SSL directory that's probably the easiest choice for now.
  22. #12
    To the original post, ColdFusion won't authenticate to IIS. I have a folder set up for my tasks that I leave unprotected. But if any user came across them somehow, it wouldn't be any risk that they ran them independently of CF. This may not be the case for all projects.

    If you need a little more protection on these files before they're run, you could do something like look at the user agent to see who is running the task. ColdFusion runs them as CFSCHEDULE, so it's easy to test for (but not difficult to hack). If you want to authenticate for everyone but CFSCHEDULE, take a peek at this post - you can force users with any other string to authenticate with IIS: http://www.coldfusionusers.com/cfblo...ous-access-on/

    You might also do something like look at the URL params and pass some secret key in CFADMIN that only you know, and have them abort if the key isn't run (something like mytask.cfm?oktorun=wham, and have the task verify url.oktorun = 'wham').
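
A sketch of the guard described in post #12, as an added example that is not code from the thread. It assumes the key is held in `application.taskKey` (a hypothetical variable set in Application.cfc from a value stored outside the webroot) and reuses the `oktorun` parameter name from the post; the log file name is also made up.

```cfml
<!--- mytask.cfm: guard placed at the very top of a scheduled-task page.
      Added example. application.taskKey and the "scheduledtasks" log
      name are assumptions, not part of the original post. --->
<cfparam name="url.oktorun" default="">

<cfset suppliedKey = url.oktorun>
<cfset expectedKey = application.taskKey>

<!--- Compare fixed-length digests with the case-sensitive compare(),
      so "WHAM" does not match "wham" and an empty key never passes. --->
<cfset keyOk = len(suppliedKey) gt 0
        and compare(hash(suppliedKey, "SHA-256"),
                    hash(expectedKey, "SHA-256")) eq 0>

<!--- The user agent is client-controlled, as the post notes. Treat it
      as a sanity check that filters casual browsing, never as the
      only gate. --->
<cfset agentOk = compare(cgi.http_user_agent, "CFSCHEDULE") eq 0>

<cfif not (keyOk and agentOk)>
    <!--- Record the rejection without echoing the supplied key. --->
    <cflog file="scheduledtasks" type="warning"
           text="Rejected scheduled-task request from #cgi.remote_addr#">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Task body runs only past this point. --->
<cflog file="scheduledtasks" type="information" text="mytask.cfm started">
```

A key passed in the query string is written to the web server's request log along with the URL, so the log files need the same access restrictions as the key itself.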
  24. #13
    You may want to try:


    For IIS only:

    I have an application that uses windows authentication, and faced the same problem. I think building on what most others here have posted - you have your answer (if acceptable by your network security requirements).

    Try the following - works fine for me:

    1) Store any scheduled task cfm files in a common directory on your server or within your application.

    2) In IIS - navigate to the specific directory where your task cfm files are stored and enable basic authentication. (ONLY FOR THIS DIRECTORY)

    3) When you create your scheduled tasks - specify a UN and PW in the arguments. (A good practice would be to create an account which only CF would use for this purpose. This is generally a local account on your web server with minimal access to anything but select areas of your webroot.) IIS basic authentication will accept the UN and PW and allow you access.

    If you are using SSL (with basic authentication it's kind of a must), you have to be sure that you have installed the certificate for your web server in CF using 'keytool'. There are a number of threads out there that explain how to do this, so I won't go into it here, but that might be your ticket.

    The ultimate goal here is to leverage automated tasks and still keep your attack surface small. If you enable basic authentication and use SSL to run your HTTPRequests to your tasks, you should be able to get what you want without being exposed.

    Hope that helps!!
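
The three steps in post #13, written out as an added example that is not code from the thread. The task name, host name, file name, account name and the `taskUser` / `taskPassword` variables are constructed for illustration; the credentials are assumed to be loaded from configuration kept outside the webroot.

```cfml
<!--- register_task.cfm: run once from an admin-only page. Added example.
      taskUser and taskPassword are hypothetical variables holding the
      dedicated low-privilege account from step 3. --->
<cfschedule action="update"
    task="nightly-cleanup"
    operation="HTTPRequest"
    url="https://intranet.example.local/tasks/cleanup.cfm"
    port="443"
    username="#taskUser#"
    password="#taskPassword#"
    startDate="#dateFormat(now(), 'mm/dd/yyyy')#"
    startTime="02:00 AM"
    interval="daily"
    requestTimeOut="300">

<!--- cleanup.cfm: first lines of the task page itself. IIS has already
      validated the Basic credentials for this directory. The page then
      confirms that the request arrived over SSL and that the
      authenticated identity is the task account, so an ordinary user
      who can log in still cannot trigger the job. --->
<cfset expectedUser = "svc_cftasks"> <!--- constructed account name --->

<!--- AUTH_USER may arrive as MACHINE\user; keep only the user part. --->
<cfset authUser = listLast(cgi.auth_user, "\")>

<cfif cgi.https neq "on"
      or compareNoCase(authUser, expectedUser) neq 0>
    <cflog file="scheduledtasks" type="warning"
           text="Rejected task request: https=#cgi.https#, from #cgi.remote_addr#">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Task body runs only for the dedicated account over SSL. --->
```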
