Intrafoundation Software Making Atomic Warfare Fun Again

HELP

BUGS or FEATURES?

Is it a bug or is it a feature? You tell us.

If you think you've discovered a blatant bug, or if the configuration of your servers is such that the tag is incorrectly handling your system, feel free to send copies of the HTML results for any of the confidence tests, or for any page you have written for your site using this tag, which you think will give us a full picture of the configuration of your system and the problem that is occurring.

Send results to ihtk@intrafoundation.com. Please include mention of your operating system and service pack level.

Updates to the tag will be made ASAP.

BTW, I'm also quite interested in seeing the results of some of the confidence tests using this tag on large networks (access to such things tends to be limited and thus can impact how the software works in such situations).

Additionally, if you've developed your own confidence tests, feel free to send them in.

As far as being able to handle situations yourself (which I prefer since I'm practically giving the software away) you should either become friends with a security expert or buy a few books on the subject. I'd suggest buying at least one of the dummies-level books to bring you up to speed and make sure you've gotten a wide exposure to the subject at hand. (Sneak the dummies book in with a couple hardcore NT books if buying it alone just ain't for you that day.)

The tags have fairly verbose error messages, which are returned in the variables UserManagerError, NFSError, IISError, etc. If these variables are blank, i.e. CFIF UserManagerError IS "", then the function worked (as far as it can tell). Otherwise you get a long string which details every single reason the function failed, using standard NT error codes. Additionally, it will tell you the specific line in the C/C++ source code of the tag that this problem occurred on, which is extremely useful if you have to talk to the programmer about the situation.

If Basic authentication is being used, you will find the username in CGI.AUTH_USER, and the password in CGI.AUTH_PASSWORD. If NT Challenge/Response authentication is being used, the username will still be in CGI.AUTH_USER, and the password will be unavailable. The username will also be in DOMAIN\UserName format, so if you want just a username, you'll need to strip off the DOMAIN\ prefix (ListGetAt(CGI.AUTH_USER,2,"\") works fine in this case).
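The split described above, as an added example that is not part of the toolkit: it separates domain and user name without calling ListGetAt(...,2,...) on a value that has no DOMAIN\ prefix, which throws. ExpectedDomain, its value, and the variable names are assumptions made for illustration.

```cfml
<!--- Added example, not toolkit code. ExpectedDomain is a constructed placeholder. --->
<CFSET ExpectedDomain = "EXAMPLEDOM">
<CFSET RawUser = Trim(CGI.AUTH_USER)>
<CFSET AuthDomain = "">
<CFSET AuthUser = "">

<CFIF RawUser IS "">
    <!--- Anonymous request: the web server authenticated nobody. --->
    <CFSET AuthState = "anonymous">
<CFELSEIF ListLen(RawUser, "\") IS 2>
    <!--- DOMAIN\UserName, the form described for NT Challenge/Response. --->
    <CFSET AuthDomain = UCase(ListFirst(RawUser, "\"))>
    <CFSET AuthUser = ListLast(RawUser, "\")>
    <CFSET AuthState = "domain">
<CFELSEIF ListLen(RawUser, "\") IS 1 AND Find("\", RawUser) IS 0>
    <!--- Bare user name with no prefix, e.g. typed at a Basic prompt.
          ListGetAt(RawUser, 2, "\") would throw on this value. --->
    <CFSET AuthUser = RawUser>
    <CFSET AuthState = "bare">
<CFELSE>
    <!--- Stray or repeated backslashes: do not guess which part is the user. --->
    <CFSET AuthState = "malformed">
</CFIF>

<!--- Treat accounts from any other domain as a distinct state. --->
<CFIF AuthState IS "domain" AND AuthDomain IS NOT UCase(ExpectedDomain)>
    <CFSET AuthState = "wrong-domain">
</CFIF>

<!--- CGI.AUTH_PASSWORD is deliberately never read, stored or echoed here. --->
<CFOUTPUT>
State: #AuthState#<BR>
Domain: #HTMLEditFormat(AuthDomain)#<BR>
User: #HTMLEditFormat(AuthUser)#
</CFOUTPUT>
```

Pass only AuthUser to later code when AuthState is "domain" or "bare"; the other states should be handled as failed authentication.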

There are essentially three accounts you can run the Cold Fusion service under: SYSTEM, Administrator, and its own, which is traditionally called ColdFusion. SYSTEM is the account it uses by default, but if you use these tags you'll probably want to (if you haven't already) set up an account just for Cold Fusion. It must be a member of Administrators, and it will need the "Log On As Service" right set up, as well as a few others depending on what you specifically want to do. You also might need to add a dummy account to the domain controller in W2K under some circumstances.

Although it will solve most problems, you never want to use the Administrator account except briefly for debugging the occasional permissions problems. And only on your development server.

In general, if you're getting access errors with NT numbers like 5 or 1314, you should consider adding a CF-only account that is a member of the groups Domain Admins, Administrators and/or Account Operators, and/or has rights such as Act as Part of Operating System, Increase Quotas. Exactly what you do depends on which of the tags you are using and how you are using them.

In short, it can be complicated to set up a domain with just the right permissions -- but not too many.

These tags should work on the following platforms:

  • NT 4 Workstation (ADSI required for CFX_IIS)
  • NT 4 Server (ADSI required for CFX_IIS)
  • Windows 2000 Professional
  • Windows 2000 Advanced Server

They will not work on Windows 95, Windows 98, Solaris or Linux.

There is however now no further active support for the legacy NT 4 operating system.

Local tests and development can be done using the private network addresses. There are three available, one in each network class. Typically tests here use Class C IPs starting at 192.168.36.1 simply because they're easy to remember. (0 and 255 aren't valid, btw. Don't use them. 0 represents self, and 255 is for broadcasting.)

Class     Network        Mask
Class A   10.0.0.0       255.0.0.0
Class B   172.16.0.0     255.255.0.0
Class C   192.168.36.0   255.255.255.0

And that's about it for the general help. See the tags' documentation for more specific help or hang around for a few user-asked questions.

http://www.intrafoundation.com/ihtk.html
ihtk@intrafoundation.com
Intranet/Hosting Toolkit