Solved

Strange FTP problem in WinNT server 4.0 IIS 2.0

Posted on 1997-07-16
8
317 Views
Last Modified: 2013-12-23
I am running a small office NT domain (in a huge network - MSU) and I'm
using Win NT 4.0 Server (SP3). The IIS installed fine the first time but
as soon as I cutomized the acessible directories the access for users was
lost, i.e. I can FTP to it as admin (all admin accounts) but when I try
to do that as a normal domain user it will not allow me! The message is
"user <username> cannot loing. login failed". The system log (MSFTPSVC)
gives the following error message:
.............................>
The server was unable to logon the Windows NT account 'guentche' due to
the following error: Logon failure: the user has not been granted the
requested logon type at this computer.  The data is the error code.

0000: 69 05 00 00               i...
.............................>

I have reinstalled IIS since but that didn't change anything. The machine
is running a bunch of other services (e.g. WINS) but I suspect it's some
bad entry in the registry.
Has anyone ran accross such a problem? Any ideas?
Thanks a lot!

Kamen
0
Comment
Question by:KamenG
  • 4
  • 3
8 Comments
 

Expert Comment

by:gaucig
ID: 1562065
Have a look at the User account manager and make sure that the IUSR account has not expired / been locked also look at the users account and check for the same thing ??

Thanks Geoff
0
 

Author Comment

by:KamenG
ID: 1562066
The IUSR_... account is very much alive and part of the domain
users group so it can login normally (if I knew the password for
it :-). Plus I'm not concerned with anonymous FTP - my domain
users that can log on normally using their MS CLients cannot be
logged on by FTP!

Kamen

0
 
LVL 5

Expert Comment

by:cer
ID: 1562067
Default setting is to allow ONLY anonymous user.
Sure you did change it in IIS manager ?
Is anonymous login possible for normal user?


0
 

Author Comment

by:KamenG
ID: 1562068
To make this a little easier I'd like to mention that I'm a
little whacky sometimes but I'm a very experienced administrator.
So yes, of course I modified the default settings and it doesn't
seem to be anything obvious (well maybe obvious but not stupid).
Just for the test I just enabled anonymous loigns (which I don't
want normally enabled) and the anon user can logon but not a
domain user...
So to recap: domain admins and anons can log on, domain users -
can't. (I have no local users on any machine, except for the de-
fault Administartor account).
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 5

Accepted Solution

by:
cer earned 100 total points
ID: 1562069
See:  http://www.microsoft.com/kb/articles/q153/9/53.htm

When you configure a Microsoft Windows NT user account to be used by clients using HTTP basic
  authentication, Internet Information Server (IIS) requires that the account is granted the Log on
  Locally right.

Set this right in usermanager. If you do not want this you can switch to another right (see URL above).


0
 

Author Comment

by:KamenG
ID: 1562070
The strange part is I was able to logon as a domain admin, which
is not a local account but I guess admins can override all res-
trictions.
After looking at the above URL I was able to solve the problem,
thank you. The article, however, was misleading - its applica-
bility was indicated IIS ver 1.0 and I have IIS ver. 3.0 !
I'm still not fully aware of the possible security breaches bec-
ause of granting the users batch logon privilege but then again
Win NT is not very secure anyway. (I wasn't going to grant users
the logon locally right!)
So as far as I'm concerned my problem is solved and "cer" being
the decisive factor I'm granting him the points.
0
 
LVL 5

Expert Comment

by:cer
ID: 1562071
You don't have a local admin?

If you don't want to grant local login, you can grant "connect as batch job" and change the registry as stated in the URL, or does this not work anymore?

0
 

Author Comment

by:KamenG
ID: 1562072
I do have a local admin, of course (can't delete that one if you
wanted). I don't bother with any other local accounts. The strange part with the KB article is that according to it no local users should be able to login and the domain admin could but as I said - admins are privileged, obviously...
I did fix it by allowing domain users the privilege to login as batch jobs (that's what I tried to suggest in my last comment) but I'm still affraid that might be a security breach (but I tend to trust my users).
So to recap - the KB as usual gives you a good hint rather than a solution but that's OK for people who can read between the lines (if you can find the right article!).
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now