Troubleshooting ColdFusion Admin Login Issue

June 30, 2014

We have seen cases where a user tries to log in to the ColdFusion Administrator console and CF keeps returning the login page again and again, even though the user has provided valid credentials. We heard that users tried things like resetting the password or restarting the server, which did not help solve the issue either. So we were curious to find out what was causing this, and here we discuss some of the issues we came across that occur when attempting to log in to the Administrator console.

Before talking about the issues we found, let us see how ColdFusion admin login works. During login, the password entered in the ColdFusion Administrator login console is hashed using SHA-1 and then passed to the server for authentication. If the password entered is correct, the user is able to log in to the admin console. The hashing functions are in the sha1.js file, which is loaded when accessing the CF admin console. Most login issues occur either because the sha1.js file is not loaded or because the browser is not executing any JavaScript. In either case the password is transmitted in plain text (instead of as a hash), which results in login failure.

1) One instance where we have seen this issue was caused by an IIS misconfiguration. IIS uses a default list of global MIME types to determine which types of content to serve. If a client requests a MIME type that is not defined on the web server, IIS returns a 404 error. In this case the IIS admin had created a specific web.config file for the ColdFusion site. If the ColdFusion site's web.config file contains a MIME type that is also present in the IIS global config MIME type list, the duplicate causes an error in IIS. IIS thereby blocks all file extensions (except cfm and cfc, as they are mentioned in the IIS handler mappings). Because of this, the sha1.js file did not get loaded, which in turn caused the login failure. Removing or commenting out the duplicate MIME type in the site-specific web.config file resolves the issue.

For example:

Assume your website's web.config file adds MIME types for the file extensions .less and .ttf:

    <staticContent>
        <mimeMap fileExtension=".less" mimeType="text/plain" />
        <mimeMap fileExtension=".ttf" mimeType="text/plain" />
    </staticContent>

The above config causes an error because .ttf is already present in the IIS global web.config file. Remove the mimeMap entry for the file extension .ttf to resolve the issue.
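The duplicate check described above, as an added example (not code from the original post or from Adobe): a small Python lint that lists the mimeMap extensions a site-level web.config declares although the server-level configuration already defines them. The two XML snippets are constructed samples, the function names are hypothetical, and treating a preceding `<remove>` or `<clear />` as lifting the inherited entry is an assumption about how IIS merges this collection.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the site-level web.config from the post's example.
SITE_CONFIG = """<configuration><system.webServer><staticContent>
  <mimeMap fileExtension=".less" mimeType="text/plain" />
  <mimeMap fileExtension=".ttf" mimeType="text/plain" />
</staticContent></system.webServer></configuration>"""

# Constructed sample: excerpt of the server-level MIME list (values illustrative).
GLOBAL_CONFIG = """<configuration><system.webServer><staticContent>
  <mimeMap fileExtension=".js" mimeType="application/javascript" />
  <mimeMap fileExtension=".ttf" mimeType="application/octet-stream" />
</staticContent></system.webServer></configuration>"""


def static_content_ops(xml_text):
    """Return the ordered (element, extension) entries found under <staticContent>."""
    ops = []
    for section in ET.fromstring(xml_text).iter("staticContent"):
        for child in section:
            if child.tag in ("mimeMap", "remove", "clear"):
                ops.append((child.tag, child.get("fileExtension", "").lower()))
    return ops


def find_duplicate_mime_maps(site_xml, global_xml):
    """List extensions the site config adds while they are still defined."""
    defined = {ext for tag, ext in static_content_ops(global_xml) if tag == "mimeMap"}
    duplicates = []
    for tag, ext in static_content_ops(site_xml):
        if tag == "clear":        # assumed: drops every inherited mapping
            defined.clear()
        elif tag == "remove":     # assumed: drops one inherited mapping
            defined.discard(ext)
        elif ext in defined:      # mimeMap for an extension that already exists
            duplicates.append(ext)
        else:
            defined.add(ext)      # remembered, so a repeat in the site file is flagged
    return duplicates


if __name__ == "__main__":
    for ext in find_duplicate_mime_maps(SITE_CONFIG, GLOBAL_CONFIG):
        print(f"duplicate mimeMap for {ext}: remove it from the site web.config")
```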

2) Another instance is where the user is unable to log in to the ColdFusion Admin console using Internet Explorer. If IE is running in enhanced security mode, JavaScript on the page won’t be executed unless the website is added to the trusted sites list.

To add the ColdFusion website to the trusted list:

  • Navigate to the Internet Options menu.
  • Select the Security tab and select the Trusted sites icon.
  • Click the Sites button.
  • Enter the ColdFusion website URL (e.g. http://hostname/) and click the Add button.
  • Click the Close button.
  • Click the OK button to save the changes.
  • Reload the webpage and provide your credentials; you should be able to log in to the admin console.

By default, the ColdFusion Administrator can only be accessed from the list of IP addresses specified in the Security -> Allowed IP Addresses section.

We will keep updating this blog if we come across any other issues that prevent users from logging in to the admin console. Also, let us know if you have come across any admin login issues other than those mentioned above.

Besides the login issue, make sure to mandate that the ColdFusion Administrator runs only over HTTPS, as specified in the lockdown guide.

Links for ColdFusion lockdown guide

  • ColdFusion 11 lockdown guide
  • ColdFusion 10 lockdown guide
  • ColdFusion 9 lockdown guide

 

Comments (12)
2014-12-31 08:30:07

@Jer, yep, the need to add your site to IE’s “trusted sites” is listed as option 2 in the blog entry above. That said, I’ve never seen any need to run IE as admin. Did you try just adding the site to trusted sites?

2014-12-30 13:48:10

I had to run IE as administrator, add local host as a trusted site, then I was able to log in.

2014-12-14 07:20:31

A quick update.
After restarting the system, now when I go to CF11 Admin Configuration and Settings Migration Wizard, and click on the login button (with or without a password) I get to one of my websites, not to Admin.

Very disappointed in the whole process, and I’ve been using CF for 14 years and never had problems installing (updating) CF.
We have 3 CF9 Enterprise servers and I was giving the green light to migrate to CF 11. I can’t have my servers down with no apparent errors or solution.

Thanks
Mike

2014-12-13 16:49:56

Hi,

I have installed CF11 developer edition on a Windows 7 Professional 64 bit machine. I had CF 9.02 on it.
The first time I tried, at the end of the installation it said the installation was successful with errors. In the log file it mentioned a non-critical error but I could not find what the error was.

I have un-installed CF 11, restarted the machine and re-installed it. This time it went without errors. It asked me to configure it and went to CF admin. I have logged in and then got an empty page.

No errors, nothing, just a blank page.

What’s the deal? Any help greatly appreciated.

Thanks
Mike

2014-07-17 19:16:06

How about an article on how to fix/hack CF11 back to CF10 app initialization times? CF10 took 3 seconds to run an application for the first time. CF11 takes 8 seconds. THAT IS WAY TOO LONG. I got customers complaining “our servers are loading websites too slow” and this is the cause. I expect apps to have to take longer on load, but it shouldn’t be so long it’s close to timing out. Something changed in CF11 must have taken it this high.

2014-07-16 22:10:50

@Pete, that really should not affect CF Admin login. As for your trying to make admin pw changes and it “won’t allow you”, do you mean that you get forced to login again on each attempt to submit a change in the admin? If so, that may be due to the problem I discuss here:

http://www.carehart.org/blog/client/index.cfm/2014/4/10/CF_Admin_error_about_error_accessing_this_page

As for the sched tasks not running, are you saying they are working now? If so, and really the only change was this one, the only connection of sched tasks to DB would be if you were using the clustered sched tasks feature, with that DB being where the cluster info is stored. I could then see that causing probs. But I realize you may be happy just to move on for now. HTH.

2014-07-16 13:15:41

Found the issue to be a JDBC connection string. How that affected everything else is a mystery. I used the configuration direct from an Oracle ORA file and perhaps it didn’t like the parens or ‘=’ sign. The connect tested OK. How does that affect admin login and tasks?

2014-07-16 10:19:01

After having issues with logging in to CF Admin, per other items I’ve found, I changed the admin.security.enabled in neo.security to ‘false’. Now my tasks aren’t running. I can get in admin, but it seems it won’t allow me to re-enter a new admin user/pass and I’m thinking that is why the tasks are not running. Any thoughts on getting the admin user/pass back?

2014-07-07 06:32:39

@Peter, can you confirm which outstanding issue (among those discussed in the blog and in the comments) you’re referring to? You may want to share as well a link to whatever bug report you’re referring to, in case readers may want to go add votes/comments. As always, just trying to help.

2014-07-06 21:43:25

Strewth! I raised this issue during the beta and nothing was done about it!

2014-07-01 06:16:01

It’s great to see you address this problem of some of the reasons that people may find that they can’t log into the CF Admin. That second one (about IE) is one I see folks hit by quite often and had meant to blog it myself, so thanks.

And indeed, as folks may find this and use it to help solve or report various CF Admin challenges, I’ll note that there are a couple more not mentioned here which I have blogged about in the past.

The first is related to logins, but instead is about how some find that while they’re working they’re suddenly logged out. That’s addressed here:

“Have you noticed the #ColdFusion 10 admin allows only one login at a time? It’s by design”

http://www.carehart.org/blog/client/index.cfm/2012/6/13/cf10_admin_allows_one_logon_at_a_time

And thankfully CF11 has finally addressed that with an option to control that behavior.

Second is a problem where people may be using the Admin and find they get an error and THEN have to login again. I address that here:

“CF911: Solving problem in #ColdFusion Admin getting “error accessing this page” on certain actions”

http://www.carehart.org/blog/client/index.cfm/2014/4/10/CF_Admin_error_about_error_accessing_this_page

Hope that helps someone.

2014-06-30 07:38:19

Does the lockdown guide take account of this? From memory it advises excluding all MIME types you possibly can, and I wonder if this sometimes causes the issue described.
