Solved

Strange FTP problem in WinNT server 4.0 IIS 2.0

Posted on 1997-07-16
8
318 Views
Last Modified: 2013-12-23
I am running a small office NT domain (in a huge network - MSU) and I'm
using Win NT 4.0 Server (SP3). The IIS installed fine the first time but
as soon as I cutomized the acessible directories the access for users was
lost, i.e. I can FTP to it as admin (all admin accounts) but when I try
to do that as a normal domain user it will not allow me! The message is
"user <username> cannot loing. login failed". The system log (MSFTPSVC)
gives the following error message:
.............................>
The server was unable to logon the Windows NT account 'guentche' due to
the following error: Logon failure: the user has not been granted the
requested logon type at this computer.  The data is the error code.

0000: 69 05 00 00               i...
.............................>

I have reinstalled IIS since but that didn't change anything. The machine
is running a bunch of other services (e.g. WINS) but I suspect it's some
bad entry in the registry.
Has anyone ran accross such a problem? Any ideas?
Thanks a lot!

Kamen
0
Comment
Question by:KamenG
  • 4
  • 3
8 Comments
 

Expert Comment

by:gaucig
ID: 1562065
Have a look at the User account manager and make sure that the IUSR account has not expired / been locked also look at the users account and check for the same thing ??

Thanks Geoff
0
 

Author Comment

by:KamenG
ID: 1562066
The IUSR_... account is very much alive and part of the domain
users group so it can login normally (if I knew the password for
it :-). Plus I'm not concerned with anonymous FTP - my domain
users that can log on normally using their MS CLients cannot be
logged on by FTP!

Kamen

0
 
LVL 5

Expert Comment

by:cer
ID: 1562067
Default setting is to allow ONLY anonymous user.
Sure you did change it in IIS manager ?
Is anonymous login possible for normal user?


0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 

Author Comment

by:KamenG
ID: 1562068
To make this a little easier I'd like to mention that I'm a
little whacky sometimes but I'm a very experienced administrator.
So yes, of course I modified the default settings and it doesn't
seem to be anything obvious (well maybe obvious but not stupid).
Just for the test I just enabled anonymous loigns (which I don't
want normally enabled) and the anon user can logon but not a
domain user...
So to recap: domain admins and anons can log on, domain users -
can't. (I have no local users on any machine, except for the de-
fault Administartor account).
0
 
LVL 5

Accepted Solution

by:
cer earned 100 total points
ID: 1562069
See:  http://www.microsoft.com/kb/articles/q153/9/53.htm

When you configure a Microsoft Windows NT user account to be used by clients using HTTP basic
  authentication, Internet Information Server (IIS) requires that the account is granted the Log on
  Locally right.

Set this right in usermanager. If you do not want this you can switch to another right (see URL above).


0
 

Author Comment

by:KamenG
ID: 1562070
The strange part is I was able to logon as a domain admin, which
is not a local account but I guess admins can override all res-
trictions.
After looking at the above URL I was able to solve the problem,
thank you. The article, however, was misleading - its applica-
bility was indicated IIS ver 1.0 and I have IIS ver. 3.0 !
I'm still not fully aware of the possible security breaches bec-
ause of granting the users batch logon privilege but then again
Win NT is not very secure anyway. (I wasn't going to grant users
the logon locally right!)
So as far as I'm concerned my problem is solved and "cer" being
the decisive factor I'm granting him the points.
0
 
LVL 5

Expert Comment

by:cer
ID: 1562071
You don't have a local admin?

If you don't want to grant local login, you can grant "connect as batch job" and change the registry as stated in the URL, or does this not work anymore?

0
 

Author Comment

by:KamenG
ID: 1562072
I do have a local admin, of course (can't delete that one if you
wanted). I don't bother with any other local accounts. The strange part with the KB article is that according to it no local users should be able to login and the domain admin could but as I said - admins are privileged, obviously...
I did fix it by allowing domain users the privilege to login as batch jobs (that's what I tried to suggest in my last comment) but I'm still affraid that might be a security breach (but I tend to trust my users).
So to recap - the KB as usual gives you a good hint rather than a solution but that's OK for people who can read between the lines (if you can find the right article!).
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

FIPS stands for the Federal Information Processing Standardisation and FIPS 140-2 is a collection of standards that are generically associated with hardware and software cryptography. In most cases, people can refer to this as the method of encrypti…
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question