
IIS7 is losing the authenticated user for cffileupload (CF10)

On one of our intranet pages, I'm using cffileupload to upload multiple photos:

<cffileupload extensionfilter=".jpg,.jpeg,.png,.gif"
              url="/submissions/photo_gallery.cfm"
              onerror="errorissue" 
              width="600" 
              addbuttonlabel="Browse..." 
              maxuploadsize="100">

The url for this tag points back to the same page where I process the images:

<!--- Define the upload path --->
<cfset upload_path = "C:\websites\images\photo_gallery\">

<!--- Upload all the files --->
<cffile action="upload" 
        destination="#upload_path#" 
        nameconflict="makeunique" 
        result="uploaded_file">

In IE and Chrome, this works. In Firefox, I get a 401 error. It appears to be related to how the browsers authenticate. IE and Chrome use Windows authentication while Firefox prompts when entering the site for username/password. Nothing shows up in the ColdFusion logs, but the IIS logs show this (with the IP x'd out):

2013-05-09 19:16:07 xxx.xxx.xxx.xxx POST /submissions/photo_gallery.cfm CFID=5546&CFTOKEN=75080018 80 - 172.28.30.99 Shockwave+Flash 401 2 5 0

The previous line in the log is from loading the page. As you can see, my username is showing up in this line (edited for security):

2013-05-09 19:16:07 xxx.xxx.xxx.xxx GET /includes/js/shared.js - 80 DOMAIN\username xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:20.0)+Gecko/20100101+Firefox/20.0 304 0 0 218

So, cffileupload seems to be losing my username. However, the session.urltoken in the cffileupload url is the same as it is on the page with the multiple file uploader (the calling page). So, you'd think the authentication would stick.

Also, I can get it to work in Firefox when I go into IIS7 and enable Anonymous Authentication on the Jakarta virtual directory (and disable Windows Authentication on the same). But, this is not a usable solution.

Can anyone suggest another solution?

Nick Petrie asked May 09 '13 18:05
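Added example (not part of the original question or answers): a Python sketch that separates the normal Windows-authentication 401 handshake from 401s that a client never retried with credentials, which is the pattern of the Shockwave+Flash POST in the IIS log quoted above. The field order is an assumption inferred from the two quoted log lines, and the sample rows, IPs and account names are constructed.

```python
# Field order inferred from the two log lines quoted in the question
# (assumption; a "#Fields:" directive in the log overrides it).
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()

def parse_w3c(lines):
    """Yield one dict per request row of an IIS W3C extended log."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # ignore truncated rows
                yield dict(zip(fields, values))

def find_unretried_401s(lines):
    """Return 401 rows that the same client never repeated with credentials.

    A 401 followed by an authenticated request for the same method and path
    is the normal Windows-authentication handshake and is not reported.
    """
    known_users = {}  # c-ip -> last username the client authenticated as
    pending = {}      # (c-ip, method, path) -> unanswered 401 row
    for rec in parse_w3c(lines):
        key = (rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"])
        if rec["cs-username"] != "-":
            known_users[rec["c-ip"]] = rec["cs-username"]
            pending.pop(key, None)  # handshake completed
        elif rec["sc-status"] == "401":
            pending[key] = rec
    return [dict(rec, **{"session-user": known_users[rec["c-ip"]]})
            for rec in pending.values() if rec["c-ip"] in known_users]

# Constructed sample rows (documentation IPs, made-up account names).
SAMPLE_LOG = [
    r"2013-05-09 19:16:05 192.0.2.1 GET /submissions/photo_gallery.cfm - 80 - 192.0.2.10 Mozilla/5.0 401 2 5 0",
    r"2013-05-09 19:16:05 192.0.2.1 GET /submissions/photo_gallery.cfm - 80 EXAMPLE\jdoe 192.0.2.10 Mozilla/5.0 200 0 0 120",
    r"2013-05-09 19:16:07 192.0.2.1 GET /includes/js/shared.js - 80 EXAMPLE\jdoe 192.0.2.10 Mozilla/5.0 304 0 0 15",
    r"2013-05-09 19:16:07 192.0.2.1 POST /submissions/photo_gallery.cfm CFID=1&CFTOKEN=2 80 - 192.0.2.10 Shockwave+Flash 401 2 5 0",
    r"2013-05-09 19:17:00 192.0.2.1 GET /index.cfm - 80 - 192.0.2.20 Mozilla/5.0 401 2 5 0",
    r"2013-05-09 19:17:00 192.0.2.1 GET /index.cfm - 80 EXAMPLE\asmith 192.0.2.20 Mozilla/5.0 200 0 0 90",
]

if __name__ == "__main__":
    for row in find_unretried_401s(SAMPLE_LOG):
        print(row["time"], row["cs-method"], row["cs-uri-stem"],
              row["cs(User-Agent)"], "session user:", row["session-user"])
```

Clients are matched by IP address only, so several users behind one proxy or NAT address are treated as a single client.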


2 Answers

Have you tried enabling "Anonymous Authentication" just for the /submissions folder?

See here

bastos.sergio answered Nov 14 '22 20:11


You can tell Firefox to work with Windows Authentication as well. It is not turned on by default (reference).

  1. Open Firefox
  2. In the address bar type: "about:config"
  3. Firefox 3.x and later requires you to agree that you will proceed with caution.
  4. After the config page loads, in the filter box type: "network.automatic"
  5. Modify network.automatic-ntlm-auth.trusted-uris by double clicking the row and entering http://www.replacewithyoursite.com or http://your-intranet-server-name
     Multiple sites can be added by comma delimiting them, such as http://www.replacewithyoursite.com, http://www.replacewithyourintranetsite.com

To specify all subdomains use .replacewithyoursite.com instead of www.replacewithyoursite.com, help.replacewithyoursite.com, pictures.replacewithyoursite.com


If your intranet does not use a fully qualified domain name you can set the following in Firefox to avoid the prompting (reference)

  1. Go to "about:config"
  2. Filter the keys down to "network.automatic"
  3. Edit network.automatic-ntlm-auth.allow-non-fqdn value to true

Miguel-F answered Nov 14 '22 19:11