Cannot authenticate against a Windows domain with ColdFusion 10, IIS 7.5 and LDAP

Time: 2013-06-04 17:10:19

Tags: authentication iis coldfusion basic-authentication

We have been working on upgrading from Windows 2003 Server (ColdFusion 8) to Windows 2008 using ColdFusion 10. We finally got it set up correctly to process and handle all of our ColdFusion code, with the custom error handler and SSL working as expected. However, when we started letting some users test the different applications, we found that no domain user could log in to the site unless they were a member of the local machine's Administrators group. We have another Windows 2008 Server running .NET that authenticates users correctly. I have compared the settings thoroughly and they are identical. Here is how it is set up:

  • ColdFusion services: all services (5) run under Local System, except the ColdFusion Application Server, which runs under a domain account.
  • IIS: we have one active website (the main site) running in its own application pool, Integrated .NET 4.0, running as LocalSystem.
  • Authentication: Anonymous works; the anonymous account has to be the application pool identity, otherwise nothing is displayed. Basic authentication is configured, with a default domain configured.

Any and all help is appreciated, as we have been working on this for months and thought the migration was ready. Nobody on my team is an expert in installing ColdFusion or IIS 7.5.

2 answers:

Answer 0 (score: 1)

After much struggling, I found the answer here: What are the proper permissions for ColdFusion 9 on IIS 7.5 with Windows Authentication

I needed to give domain users (just one very large A/D group) read-only access to the config folder under the CF10 install location. It has worked fine ever since!

Answer 1 (score: 0)

If you are interested in a fairly robust solution, here is an example component (CFC) you can call that also scrubs possible injection characters. We have been doing authentication this way for years, so it has been through some fairly harsh testing.

<cfcomponent output="false">

<cffunction access="public" name="init" output="FALSE" returntype="any" hint="This is the pseudo constructor that allows us to play little object games." >

    <cfset variables.ldapserver = application.yoursiteLDAP.server />
    <cfset variables.ldapuser = application.yoursiteLDAP.user />
    <cfset variables.ldappassword = application.yoursiteLDAP.password />
    <cfset variables.ldaptimeout = application.yoursiteLDAP.timeout />
    <cfset variables.ldapsecuremode = application.yoursiteLDAP.securemode />
    <cfset variables.port = application.yoursiteLDAP.port />

    <cfreturn This />
</cffunction>

<cffunction name="authenticate" access="public" output="false" returntype="struct" hint="Binds as the user's own DN; authenticated is true only when that bind succeeds and exactly one account matches">
    <cfargument name="username" type="string">
    <cfargument name="password" type="string">

    <cfset var returnData = StructNew() />
    <cfset var queryResult = QueryNew('') />
    <cfset var userInfo = "" />

    <cfset returnData["authenticated"] = false />
    <cfset returnData["detail"] = "" />
    <cfset returnData["user_info"] = QueryNew("") />

    <!--- Refuse an empty password before touching the directory: most LDAP servers
          treat a bind with an empty password as an anonymous bind, which succeeds,
          so the query below would run and report the user as authenticated. --->
    <cfif NOT Len(arguments.password)>
        <cfset returnData["detail"] = "Invalid credentials" />
        <cfreturn returnData />
    </cfif>

    <!--- retrieveUserInfo scrubs the name itself; pass it raw so it is not scrubbed twice. --->
    <cfset userInfo = retrieveUserInfo(arguments.username) />

    <!--- No match means no DN to bind as; a bind with an empty DN is also anonymous.
          Same detail text as a wrong password, so the response does not reveal
          whether the account exists. --->
    <cfif userInfo.RecordCount NEQ 1 OR NOT Len(userInfo.DN)>
        <cfset returnData["detail"] = "Invalid credentials" />
        <cfreturn returnData />
    </cfif>

    <!--- blockWildcard=true: a login name must match one account literally, never "jd*" --->
    <cfset arguments.username = scrubStringforLDAPQuery(arguments.username, true) />

    <cftry>
            <cfldap
                    action="query"
                    server="#variables.ldapserver#"
                    username="#userInfo.DN#"
                    password="#arguments.password#"
                    filter="(&(uid=#arguments.username#)(objectClass=account))"
                    name="queryResult"
                    attributes="cn,dn,uid,displayName,objectClass,uidNumber"
                    start="dc=yoursite,dc=subdomain,dc=domain,dc=com"
                    maxrows="1"
                    port="#variables.port#"
                    timeout="#variables.ldaptimeout#"
                    secure="#variables.ldapsecuremode#" />

            <cfset returnData["authenticated"] = queryResult.RecordCount EQ 1 />
            <cfset returnData["user_info"] = queryResult />

            <cfcatch>
                    <!--- Only a rejected bind is a normal outcome; anything else (server
                          unreachable, bad filter) is rethrown so it is not reported as a
                          failed login. --->
                    <cfif FindNoCase("Invalid Credentials",cfcatch.Message) LTE 0>
                            <cfrethrow />
                    </cfif>
                    <cfset returnData["detail"] = cfcatch.Message />
            </cfcatch>
    </cftry>

    <cfreturn returnData />

</cffunction>

<cffunction name="retrieveUserInfo" access="public" output="false" returntype="query" hint="">
    <cfargument name="username" type="string">

    <cfset var queryResult = QueryNew('') />

    <!--- Exact uid lookup: wildcards are escaped so "jd*" cannot match another account. --->
    <cfset arguments.username = scrubStringforLDAPQuery(arguments.username, true) />

    <cfldap
            action="query"
            server="#variables.ldapserver#"
            username="#variables.ldapuser#"
            password="#variables.ldappassword#"
            filter="(&(uid=#arguments.username#)(objectClass=account))"
            name="queryResult"
            attributes="cn,dn,uid,displayName,objectClass,uidNumber,shadowExpire,gecos,homeDirectory,loginShell"
            start="dc=yoursite,dc=subdomain,dc=domain,dc=com"
            maxrows="10"
            port="#variables.port#"
            timeout="#variables.ldaptimeout#"
            secure="#variables.ldapsecuremode#" />

    <cfif queryResult.RecordCount GT 1>
            <cfthrow message="More than 1 user found in LDAP" detail="More than 1 user matched uid=#arguments.username#" />
    </cfif>

    <cfreturn queryResult />
</cffunction>

<cffunction name="retrieveGroupInfo" access="public" output="false" returntype="query" hint="">
    <cfargument name="groupname" type="string">

    <cfset var queryResult = QueryNew('') />

    <cfset arguments.groupname = scrubStringforLDAPQuery(arguments.groupname) />

    <cfldap
            action="query"
            server="#variables.ldapserver#"
            username="#variables.ldapuser#"
            password="#variables.ldappassword#"
            filter="(&(cn=#arguments.groupname#)(objectClass=posixGroup))"
            name="queryResult"
            attributes="cn,dn,objectClass"
            start="dc=yoursite,dc=subdomain,dc=domain,dc=com"
            maxrows="10"
            port="#variables.port#"
            timeout="#variables.ldaptimeout#"
            secure="#variables.ldapsecuremode#" />

    <cfif queryResult.RecordCount GT 1>
            <cfthrow message="More than 1 group found in LDAP" detail="More than 1 group matched cn=#arguments.groupname#" />
    </cfif>

    <cfreturn queryResult />
</cffunction>

<cffunction name="scrubStringforLDAPQuery" access="public" output="false" returntype="string" hint="Escapes a value for use inside an LDAP search filter (RFC 4515) so it cannot change the filter's structure">
    <cfargument name="stringToScrub" type="string">
    <cfargument name="blockWildcard" type="boolean" default="false">

    <!--- var-scoped: an unscoped variable here is shared by every request using this CFC --->
    <cfset var result = arguments.stringToScrub />

    <!--- Stripping only ';' and '=' does not stop filter injection: the characters that
          alter a filter are '\', '(', ')', '*' and NUL. RFC 4515 encodes each as a
          backslash plus two hex digits. Backslash goes first so the escapes added
          below are not escaped again. --->
    <cfset result = Replace(result, "\", "\5c", "all") />
    <cfset result = Replace(result, "(", "\28", "all") />
    <cfset result = Replace(result, ")", "\29", "all") />
    <cfset result = Replace(result, Chr(0), "\00", "all") />
    <cfset result = REReplace(result, "[;=]", "", "all") />

    <!--- With blockWildcard the '*' becomes a literal; without it the caller gets a wildcard match --->
    <cfif arguments.blockWildcard>
        <cfset result = Replace(result, "*", "\2a", "all") />
    </cfif>

    <cfreturn result />
</cffunction>

</cfcomponent>
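The scrub in the answer above removes only ';' and '=' from the username before it is interpolated into "(&(uid=...)(objectClass=account))", and its blockWildcard flag is off unless the caller sets it, so '*', '(', ')' and '\' reach the filter as typed. The following Python is an added example, not code from the answer or from ColdFusion's cfldap: it puts a port of that naive scrub beside the RFC 4515 escaping an LDAP filter value needs, checks a finished filter for a live wildcard, and adds the empty-DN/empty-password guard that belongs in front of any bind-as-the-user check. The function names and the sample usernames are assumptions made for the demonstration.

```python
"""
Added example (not from the answer above): escaping an LDAP filter value per
RFC 4515, compared with a scrub that only strips ';' and '='.
Assumed names: scrub_naive, escape_filter_value, build_user_filter,
has_unescaped_wildcard, may_attempt_bind. Sample usernames are constructed.
"""
import re


def scrub_naive(value: str, block_wildcard: bool = False) -> str:
    """Port of the posted scrubStringforLDAPQuery: drop ';' and '=' and,
    only when block_wildcard is set, '*'. Kept here to show what it misses."""
    chars = ";=" + ("*" if block_wildcard else "")
    return re.sub("[" + re.escape(chars) + "]", "", value)


# RFC 4515 section 3: these characters inside an assertion value must be
# written as a backslash followed by two hex digits. Because the mapping is
# applied character by character in one pass, the backslash it emits is
# never escaped a second time.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for embedding in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """The answer's filter shape, with the user-controlled value escaped."""
    return "(&(uid=%s)(objectClass=account))" % escape_filter_value(username)


def has_unescaped_wildcard(ldap_filter: str) -> bool:
    """True if the filter contains a '*' the server will treat as a wildcard.
    A '\\xx' sequence is a literal byte, so its two hex digits are skipped.
    A login filter must never return True here: "jd*" should not log in."""
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3
            continue
        if ch == "*":
            return True
        i += 1
    return False


def may_attempt_bind(user_dn: str, password: str) -> bool:
    """Guard to run before binding as the user: an empty DN or an empty
    password makes most directories perform an anonymous bind, which succeeds
    without checking anything, so a 'successful' bind would mean nothing."""
    return bool(user_dn) and bool(password)


if __name__ == "__main__":
    # Constructed inputs (not real accounts). The CFC's authenticate() calls
    # the scrub without blockWildcard, which is what scrub_naive's default mirrors.
    for payload in ("jdoe", "jd*", "a(b)", "x\\y"):
        naive = "(&(uid=%s)(objectClass=account))" % scrub_naive(payload)
        safe = build_user_filter(payload)
        print("%-8r naive %-40s wildcard=%s" % (payload, naive, has_unescaped_wildcard(naive)))
        print("%-8r safe  %-40s wildcard=%s" % (payload, safe, has_unescaped_wildcard(safe)))
    print("bind with empty password allowed:", may_attempt_bind("uid=jdoe,dc=example,dc=com", ""))
```

has_unescaped_wildcard is the check to put in front of the bind-as-user query: a login name is an exact identifier, so any surviving '*' means the value was not escaped. Note that this escaping is for filter values only; a distinguished name follows the separate RFC 4514 rules, which the CFC side-steps by binding with the DN the directory itself returned rather than one assembled from user input.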