We have Windows 2008r2, IIS 7.5, ColdFusion 10 with all the latest patches.
The root allows anonymous access, but doesn't have any ColdFusion files.
We have subfolder, that do not allow anonymous access and has Windows authentication enabled only. Specific domain global groups have access to this ColdFusion folder via IIS (Authentication = windows authentication only) and Authorization rules have specific groups that should have access.
Non-ColdFusion files are correctly blocking anonymous and users not in our global groups.
ColdFuision is allowing user who aren't in our global group to access, when they should be blocked.
With previous versions of IIS (ie. v.6 and below), we had to set the "Verify that file exists" option in the appliation extension mappings like described here:
http://helpx.adobe.com/coldfusion/kb/implementing-nt-authentication-co ldfusion-templates.html
That "check that file exists" option is no longer available in IIS 7.x http://support.microsoft.com/kb/2725025
Anyone know how to configure windows authentication for CF10?
So far, everything I tried either blocks valid users or allows invalid users access. Tried adjusting nsfs access to \ColdFusion10\config\wsconfig, but if I remove authenicated users and just allow our global groups it blocks everyone.
Checked the ColdFusion 10 lockdown guide, but couldn't find anything that helped.