AuthenticationFailed Error from MongoDB using ColdFusion 2021

I found that after changing the password for a MongoDB NoSQL DSN using ColdFusion Administrator you need to restart the ColdFusion Application service in Windows. Even changing to the correct password will cause a MongoDB authentication error:

Exception authenticating MongoCredential{mechanism=SCRAM-SHA-256, userName='{Your Username}', source='{Your Auth Source}', password=, mechanismProperties=} null
Command failed with error 18 (AuthenticationFailed): 'Authentication failed.' on server XXXXXXXXXXXXX:27017. The full response is {"ok": 0.0, "errmsg": "Authentication failed.", "code": 18, "codeName": "AuthenticationFailed"}

This error may be logged in the MongoDB server log:

{"t":{"$date":"2021-11-08T14:39:07.067-06:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn122","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"{Your Username}","authenticationDatabase":"{Your Auth Source}","remote":"XXX.XXX.XXX.XXXX:51204","extraInfo":{},"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}

In ColdFusion 2021 I encountered a new wrinkle when using CFHTTP. The url attribute must contain no leading or trailing spaces:

<cfhttp url="#trim(someurlvariable)#">

In my case the value of someurlvariable was coming from a database.

Another potential bug found within ColdFusion 2021 with this error:

Could not initialize class cfApplication2ecfmXXXXXXXXX

Interestingly the TYPE of error was: java.lang.NoClassDefFoundError

The class name cfApplication2ecfmXXXXXXXXX indicated to me that it was an issue with the saved class files in {CFRoot}\cfusion\wwwroot\WEB-INF\cfclasses

The file cfApplication2ecfmXXXXXXXXX.class did exist in the \cfclasses folder

The only working solution I’ve found so far is to disable the “Save class files” option using the ColdFusion administrator console (Server Settings > Cache > Uncheck Save class files)

There seems to be conflicting recommendations about this settings, however the ColdFusion administrator console states that the option should be enabled for production servers.

My own testing has revealed the primary drawback to be an initial hit on the server CPU after rebooting or resetting the ColdFusion service.

After the initial startup hit the server seems to function normally.

DateFormat() in ColdFusion 2021 is now case-sensitive.

This no longer produces the desired result:

<cfoutput>#dateFormat("11/21/2020 2:38:16 PM","MM/DD/YYYY")#</cfoutput>

Pre-ColdFusion 2021:


ColdFusion 2021:


Note that ColdFusion 2021 displays the day of the year

To fix:

<cfoutput>#dateFormat("11/21/2020 2:38:16 PM","mm/dd/yyyy")#</cfoutput>


Adobe has added a JVM flag that can adjust this behavior:

-Dcoldfusion.datemask.useDasdayofmonth which defaults to FALSE

Since Adobe is defaulting to FALSE it's probably best to update your code accordingly.

I ran into an interesting change in ColdFusion 2018 with regard to <cfdump>

The output produced by <cfdump> suddenly lacked formatting and any ability to collapse the tree nodes.

This sample code:

	<cffunction name="test" access="public" returntype="any" output="false">
		<cfset var test = structNew()>
		<cfset test.var1 = "Var1Value">
		<cfset test.var2 = "Var2Value">
		<cfset test.var3 = "Var3Value">
		<cfdump var="#test#"><cfabort>

Produces this output:

CFDUMP Missing Formatting

The above is just an example, but dumping anything remotely complex such as a query or CFC resulted in near unreadable output.

As I do with any seemingly odd ColdFusion behavior I start searching for others experiencing the same behavior.

There’s not much out there.

What is available is very dated and not applicable to my problem.

With nothing much to go on I researched and tried many possibilities until I stumbled on the solution.

The problem seems to be with how ColdFusion 2018 is now using or interpreting the output attribute of <cffunction>.

I’ve always set it to FALSE by default as I typically want my functions to RETURN output rather than produce it.

In ColdFusion 2018 this appears to now prevent <cfdump> from inserting the necessary CSS and JavaScript to provide the formatted output.

Simply changing the value to TRUE (or omitting) shows the correctly formatted output:

CFDUMP Formatted

I guess just another odd quirk in ColdFusion 2018.

Update 09/15/2022

A side effect of output="true" or not setting the attribute is that calling the function inside a <cfoutput> tag will produce proceeding spaces.

Add output="false" after debugging or switch to cfscript.

Today I began migrating some of our applications to ColdFusion 2018 (from ColdFusion 2016).

Things went pretty smoothly until I ran into this error:

Could not find the ColdFusion component or interface XXX.XXX.mycfc"

Where “XXX.XXX.mycfc” is a ColdFusion component.

In my case the component definitely exists and was in the path where it was being instantiated.

After a little troubleshooting and head scratching I decided to simply try adding a mapping in Application.cfc.

Magically the component could be instantiated and the application runs as it always has.

I have no idea why a mapping is now required in the latest version of ColdFusion.

In the course of uploading large files to a ColdFusion server you may encounter this error:

coldfusion.util.MemorySemaphore$MemoryUnavailableException:Memory required (XXXXXXXXX bytes) exceeds the maximum allowed memory.

The solutions I was able to find; suggest only increasing the “Maximum Size of Post Data” setting within the ColdFusion Administrator. However, you also need to increase the “Request Throttle Memory” settings. The limits must be greater than the size of the file being uploaded.

One of the ColdFusion 2016 servers that I’m responsible for managing suddenly stopped working after a simple reboot.

The hosting environment is Windows based and I found that the ColdFusion Application Server service would not start.

There were several Windows Event Log exceptions:

The ColdFusion 2016 Application Server service terminated with the following service-specific error: 
The system cannot find the file specified.
The ColdFusion 2016 Application Server service could not be started.
Check the server "cfusion" log files for more information.
Faulting application name: coldfusion.exe, version: 2016.0.0.0, time stamp: 0x56c57b78
Faulting module name: coldfusion.exe, version: 2016.0.0.0, time stamp: 0x56c57b78
Exception code: 0xc0000005
Fault offset: 0x0000000000003770
Faulting process id: 0x15b8
Faulting application start time: 0x01d39b7e57454b68
Faulting application path: L:\ColdFusion2016\cfusion\bin\coldfusion.exe
Faulting module path: L:\ColdFusion2016\cfusion\bin\coldfusion.exe
Report Id: bc57f2d2-201b-4249-976c-9d21dd338af8
Faulting package full name: 
Faulting package-relative application ID:

Since the ColdFusion files were still in the same location and the permissions had not changed I was a bit puzzled.

The CFUSION logs did not have any useful information.The service startup was failing before getting to a point that the error could be logged by ColdFusion.

This was my first clue that the issue was related to the JVM.

I found the path that ColdFusion is configured to use in

{CFUSION Install}\cfusion\bin\jvm.config

The configured JRE had been removed at some point.

It was likely removed by someone running the Java upgrade tool.

Resolved the problem by changing the configured JVM path to an installed/updated JVM

While using ColdFusion’s Encrypt() function I received this error:

The key specified is not a valid key for this encryption: Illegal key size or default parameters. If encryption key size is greater than 128 bits make sure to insall JCE Unlimited Strength Policy Files. Use the generateSecretKey method to generate a valid key for this operation.

The solution is pretty straight forward, but not well documented.

First download the the APPROPRIATE version of the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. You can review your Java version inside the ColdFusion Administrator > Java and JVM tab. You’ll also need to note the path to the JVM used by ColdFusion from the same tab.

The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files will come as two JAR files:


Use these files to replace the existing files in:

{Coldfusion JVM Path}\lib\security\

NOTE: You should create backups of the existing files before replacing them.

ColdFusion 11+ will by default send caching headers on every request (i.e cache-control, Pragama: no-cache, etc.)

The solution is buried in this Adobe Tracker thread:

I’m documenting it here because I continually run into the problem when installing new instances of ColdFusion and I continually find myself searching for hours for the solution.

Simply comment out the entire MobileDeviceDomInspectionFilter section in the web.xml file:


about me

An information technology professional with twenty three years experience in systems administration, computer programming, requirements gathering, customer service, and technical support.