ColdFusion RDS 和 NTLM 集成身份验证问题

发布于 2024-07-12 09:43:25 字数 2200 浏览 5 评论 0原文

我似乎无法实现启用 NTLM 身份验证并仍然使 RDS 工作的神奇组合。如果我只启用匿名身份验证，RDS 工作正常 - 一旦我在站点范围内启用它，RDS 就会失败（这是预期的）。这是我所做的：

这是Windows XP SP2和ColdFusion 8，Eclipse + Adobe插件
在IIS管理器中，右键单击默认网站并选择属性目录
安全选项卡，单击编辑按钮进行匿名访问和身份验证控制
身份验证方法弹出窗口，取消选中匿名访问，然后选中集成 Windows 身份验证（所有其他选中也为空白）。
单击“确定”，然后覆盖所有子站点的设置，以便使用 NTLM 身份验证“保护”整个站点。
返回IIS管理器，右键单击CFIDE虚拟目录，选择属性
目录安全选项卡，编辑身份验证方法。取消选中集成 Windows 身份验证并选中匿名访问。单击“确定”、“确定”并进行测试：

C:\>wget -S -O - http://localhost/CFIDE/administrator/
--2009-01-21 10:11:59--  http://localhost/CFIDE/administrator/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: Microsoft-IIS/5.1
  Date: Wed, 21 Jan 2009 17:12:00 GMT
  X-Powered-By: ASP.NET
  Set-Cookie: CFID=712;expires=Fri, 14-Jan-2039 17:12:00 GMT;path=/
  Set-Cookie: CFTOKEN=17139032;expires=Fri, 14-Jan-2039 17:12:00 GMT;path=/
  Set-Cookie: CFAUTHORIZATION_cfadmin=;expires=Mon, 21-Jan-2008 17:12:00 GMT;path=/
  Cache-Control: no-cache
  Content-Type: text/html; charset=UTF-8
Length: unspecified [text/html]
Saving to: `STDOUT'

    ... html output follows ...

到目前为止一切顺利，CFIDE 目录和至少一个子目录似乎无需 NTLM 身份验证即可工作。因此，我启动 Eclipse 并尝试建立 RDS 连接。不幸的是我刚刚收到一条拒绝访问的消息。进一步调查一下，Eclipse 似乎正在尝试与 /CFIDE/main/ide.cfm 进行通信 - 很公平，再次拉出可信的 wget 看看 IIS 正在做什么：

C:\>wget -S -O - http://localhost/CFIDE/main/ide.cfm
--2009-01-21 10:16:56--  http://localhost/CFIDE/main/ide.cfm
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 401 Access Denied
  Server: Microsoft-IIS/5.1
  Date: Wed, 21 Jan 2009 17:16:56 GMT
  WWW-Authenticate: Negotiate
  WWW-Authenticate: NTLM
  Content-Length: 4431
  Content-Type: text/html
Authorization failed.

其他地方已记录的一个潜在的挂起是主要的目录和 ide.cfm 页面实际上并不存在于磁盘上。 IIS 配置为将所有 .cfm 文件移交给 JRun，并且 JRun 配置为将 ide.cfm 映射到 RDS servlet。为了强制 IIS 变得更加明智，我在磁盘上删除了一个主目录和空的 ide.cfm 文件，希望它能解决身份验证问题，但它没有任何区别。

我可以做的解决方案是将整个站点保留为匿名访问，然后仅启用特定应用程序文件夹以使用 NTLM 集成身份验证，但实际上有数百个可能的 Web 应用程序我必须这样做。恶心。

请帮忙！！！

原文

I can't seem to get the magic combination of enabling NTLM authentication and still having RDS work. If I leave just anonymous authentication on, RDS works fine - as soon as I enabled it site wide, RDS fails (which is to be expected). Here is what I have done:

This is Windows XP SP2 and ColdFusion 8, Eclipse + Adobe plugins
In the IIS Manager, Right click on default web site and choose Properties
Directory Security tab, click the Edit button for anonymous access and authentication control
Authentication Methods popup window, uncheck anonymous access, and check Integrated Windows authentication (all other checks blank as well).
Click OK, OK, and override the settings for all child sites as well such that the entire site is "secured" using NTLM authentication.
Back in the IIS manager, right click on the CFIDE virtual directory, choose Properties
Directory security tab, edit the authentication methods. Uncheck Integrated Windows authentication and check anonymous access. Hit OK, OK and test:

C:\>wget -S -O - http://localhost/CFIDE/administrator/
--2009-01-21 10:11:59--  http://localhost/CFIDE/administrator/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: Microsoft-IIS/5.1
  Date: Wed, 21 Jan 2009 17:12:00 GMT
  X-Powered-By: ASP.NET
  Set-Cookie: CFID=712;expires=Fri, 14-Jan-2039 17:12:00 GMT;path=/
  Set-Cookie: CFTOKEN=17139032;expires=Fri, 14-Jan-2039 17:12:00 GMT;path=/
  Set-Cookie: CFAUTHORIZATION_cfadmin=;expires=Mon, 21-Jan-2008 17:12:00 GMT;path=/
  Cache-Control: no-cache
  Content-Type: text/html; charset=UTF-8
Length: unspecified [text/html]
Saving to: `STDOUT'

    ... html output follows ...

And so far so good, the CFIDE directory and at least one child directory appear to be working without NTLM authentication. So I fire up Eclipse and try to establish an RDS connection. Unfortunately I just get an Access Denied message. Investigating a bit further it appears that Eclipse is trying to communicate with /CFIDE/main/ide.cfm - fair enough, pull out trusty wget once again see what IIS is doing:

C:\>wget -S -O - http://localhost/CFIDE/main/ide.cfm
--2009-01-21 10:16:56--  http://localhost/CFIDE/main/ide.cfm
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 401 Access Denied
  Server: Microsoft-IIS/5.1
  Date: Wed, 21 Jan 2009 17:16:56 GMT
  WWW-Authenticate: Negotiate
  WWW-Authenticate: NTLM
  Content-Length: 4431
  Content-Type: text/html
Authorization failed.

One potential hang up that has been documented elsewhere is that the main directory and ide.cfm page don't actually exist on disk. IIS is configured to hand off all .cfm files to JRun and JRun is configured to map ide.cfm to the RDS servlet. In an attempt to force IIS to be a bit more sensible, I dropped a main directory and empty ide.cfm file on disk hoping it would solve the authentication issue but it didn't make any difference.

What I can do as a work around is leave the entire site as anonymous access and then just enable the specific application folders to use NTLM integrated authentication, but there are quite literally hundreds of possible web applications I would have to do that for. Yuck.

Please Help!!!

分享到QQ

分享到微博