September 14th, 2006, 10:45 AM
Scheduled tasks won't run when authentication turned on
Scheduled tasks have run fine for years. Now I need access to #cgi.auth_user# variable so I turned off anonymous login in IIS for the cf projects directory. Now my scheduled tasks won't run. Can I put something in the username/password fields in the schedule task form so they'll authenticate? The folder is set for "Integrated windows authentication".
Thanks for your help
September 14th, 2006, 11:50 AM
Not that I know of. If you've set it to integrated windows authentication (NTLM), not only will CF not be able to log in but no one not using Windows or IE will be able to log in. If you change the security to the "plain text" option then these problems should go away. Basically, NTLM authentication is a Windows-only protocol.
September 14th, 2006, 12:46 PM
Thanks for the info. Sorry I didn't mention this is on an Intranet where all users are in the same domain and all use IE. What's the danger in using "plain text" option in this type of environment?
Originally Posted by kiteless
September 14th, 2006, 03:16 PM
Nothing that I can see, and if you are worried about it you can use SSL, which encrypts everything (even the plain text uw/password).
September 15th, 2006, 09:59 AM
I'm thinking my best solution is to put the scheduled task scripts into a separate folder on the server. Then I can leave anonymous access ON for that folder so CF can execute them, but require authentication on the CF applications that users run.
September 15th, 2006, 02:26 PM
As an FYI. I find that i can't run any pages as a scheduled job if that file is secured with SSL. I did the same as you plan, i just made a generic folder for scheduled jobs only.
September 26th, 2006, 03:21 PM
September 27th, 2006, 12:11 PM
I'm just throwing this on top of my head here but anything the <cfntauthenticate> could do since you're using "Integrated Windows authentication"?
September 27th, 2006, 04:33 PM
No, that tag just checks the user name and password and returns group names, etc. It won't actually maintain an authenticated connection.
September 28th, 2006, 09:12 AM
Stating the port didn't help either, I tried to call a file 6 ways to sunday, and the only way i could get it to work was outside of an ssl dir.
September 28th, 2006, 11:58 AM
I haven't had to do this so I'm not sure how to make it work, but from my Google searches it appears that it is definitely possible. Anyway, if you're fine just using a non-SSL directory that's probably the easiest choice for now.
September 30th, 2006, 10:33 PM
To the original post, ColdFusion wont authenticate to IIS. I have a folder setup for my tasks that I leave unprotected. But if any user came across them somehow, it wouldn't be any risk that they ran them independently of CF. This may not be the case for all projects.
If you need a little more protection on these files before they're run, you could do something like look at the user agent to see who is running the task, ColdFusion runs them as CFSCHEDULE, so it's easy to test for (but not difficult to hack). If you want to authenticate for everyone but CFSCHEDULE, take peek at this post - you can force users with any other string to authenticate with IIS: http://www.coldfusionusers.com/cfblo...ous-access-on/
You might also do something like look at the URL params and pass some secret key in CFADMIN that only you know, and have them abort if the key isn't run (something like mytask.cfm?oktorun=wham, and have the task verify url.oktorun = 'wham').
You may want to try:
For IIS only:
I have an application that uses windows authentication, and faced the same problem. I think building on what most others here have posted - you have your answer (if acceptable by your network security requirements).
Try the following - works fine for me:
1) Store any scheduled task cfm files in a common directory on your server or within your application.
2) In IIS - navigate to the specific directory where your task cfm files are stored and enable basic authentication. (ONLY FOR THIS DIRECTORY)
3) When you create your scheduled tasks - specify a UN and PW in the arguments. (A good practice would be to create an account which only CF would use for this purpose. This is generally a local account on your web server with minimal access to anything but select areas of your webroot.) IIS basic authentication will accept the UN and PW and allow you access.
If you are using SSL when you (with basic authentication it's kind of a must) you have to be sure that you have installed the certificate for your web server in CF using 'keytool'. There are a number of threads out there that explain how to do this, so I won't go into it here, but that might be your ticket.
The ultimate goal here is to leverage automated tasks and still keep your attack surface small. If you enable basic authentication and use SSL to run your HTTPRequests to your tasks, you should be able to get what you want without being exposed.
Hope that helps!!