Solved

Strange FTP problem in WinNT server 4.0 IIS 2.0

Posted on 1997-07-16
Last Modified: 2013-12-23
I am running a small office NT domain (in a huge network - MSU) and I'm
using Win NT 4.0 Server (SP3). The IIS installed fine the first time but
as soon as I customized the accessible directories the access for users was
lost, i.e. I can FTP to it as admin (all admin accounts) but when I try
to do that as a normal domain user it will not allow me! The message is
"user <username> cannot login. login failed". The system log (MSFTPSVC)
gives the following error message:
.............................>
The server was unable to logon the Windows NT account 'guentche' due to
the following error: Logon failure: the user has not been granted the
requested logon type at this computer.  The data is the error code.

0000: 69 05 00 00               i...
.............................>

I have reinstalled IIS since but that didn't change anything. The machine
is running a bunch of other services (e.g. WINS) but I suspect it's some
bad entry in the registry.
Has anyone run across such a problem? Any ideas?
Thanks a lot!

Kamen
Question by:KamenG
8 Comments
 

Expert Comment

by:gaucig
ID: 1562065
Have a look at the User account manager and make sure that the IUSR account has not expired / been locked. Also look at the user's account and check for the same thing.

Thanks Geoff
 

Author Comment

by:KamenG
ID: 1562066
The IUSR_... account is very much alive and part of the domain
users group so it can login normally (if I knew the password for
it :-). Plus I'm not concerned with anonymous FTP - my domain
users that can log on normally using their MS clients cannot be
logged on by FTP!

Kamen

 
LVL 5

Expert Comment

by:cer
ID: 1562067
Default setting is to allow ONLY anonymous user.
Sure you did change it in IIS manager?
Is anonymous login possible for a normal user?


 

Author Comment

by:KamenG
ID: 1562068
To make this a little easier I'd like to mention that I'm a
little whacky sometimes but I'm a very experienced administrator.
So yes, of course I modified the default settings and it doesn't
seem to be anything obvious (well maybe obvious but not stupid).
Just for the test I just enabled anonymous logins (which I don't
want normally enabled) and the anon user can logon but not a
domain user...
So to recap: domain admins and anons can log on, domain users -
can't. (I have no local users on any machine, except for the
default Administrator account).

 
LVL 5

Accepted Solution

by:
cer earned 100 total points
ID: 1562069
See:  http://www.microsoft.com/kb/articles/q153/9/53.htm

When you configure a Microsoft Windows NT user account to be used by clients using HTTP basic
  authentication, Internet Information Server (IIS) requires that the account is granted the Log on
  Locally right.

Set this right in User Manager. If you do not want this you can switch to another right (see URL above).


0
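The event in the question says "The data is the error code"; decoding those four bytes as a little-endian DWORD tells apart the causes raised in this thread (expired, locked or disabled account versus a missing logon right). This is an added example, not part of the original thread: the function names and the `logon_type` parameter are illustrative, and the error table is a subset of winerror.h.

```python
import re
import struct

# Subset of Win32 logon error codes (winerror.h).
LOGON_ERRORS = {
    1326: "ERROR_LOGON_FAILURE",           # bad user name or password
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1385: "ERROR_LOGON_TYPE_NOT_GRANTED",  # missing logon user right
    1793: "ERROR_ACCOUNT_EXPIRED",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

# User right each logon type needs; a 1385 failure means this one is missing.
RIGHT_FOR_LOGON_TYPE = {
    "interactive": "SeInteractiveLogonRight (Log on locally)",
    "batch": "SeBatchLogonRight (Log on as a batch job)",
    "network": "SeNetworkLogonRight (Access this computer from the network)",
}

# Event Viewer data rows look like "0000: 69 05 00 00      i...".
DUMP_ROW = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s+((?:[0-9A-Fa-f]{2}(?: |$)){1,8})")

def parse_event_data(text):
    """Return the raw bytes from the hex column of an event data dump."""
    data = bytearray()
    for line in text.splitlines():
        m = DUMP_ROW.match(line)
        if m:
            data += bytes.fromhex(m.group(1))
    return bytes(data)

def decode_logon_failure(text, logon_type="interactive"):
    """Decode the DWORD error code and say which user right to check."""
    data = parse_event_data(text)
    if len(data) < 4:
        raise ValueError("event data does not contain a 4-byte error code")
    code = struct.unpack_from("<I", data)[0]  # little-endian DWORD
    name = LOGON_ERRORS.get(code, "UNKNOWN")
    right = RIGHT_FOR_LOGON_TYPE[logon_type] if code == 1385 else None
    return {"code": code, "name": name, "check_right": right}

# Event text as quoted in the question.
EVENT = """The server was unable to logon the Windows NT account 'guentche' due to
the following error: Logon failure: the user has not been granted the
requested logon type at this computer.  The data is the error code.
0000: 69 05 00 00               i...
"""
print(decode_logon_failure(EVENT))  # interactive logon is the default here
```

The bytes `69 05 00 00` are 0x569 = 1385, so the account itself is valid and only the logon right is missing, which is why checking for an expired or locked account found nothing.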
 

Author Comment

by:KamenG
ID: 1562070
The strange part is I was able to logon as a domain admin, which
is not a local account but I guess admins can override all
restrictions.
After looking at the above URL I was able to solve the problem,
thank you. The article, however, was misleading - its
applicability was indicated IIS ver 1.0 and I have IIS ver. 3.0!
I'm still not fully aware of the possible security breaches
because of granting the users batch logon privilege but then again
Win NT is not very secure anyway. (I wasn't going to grant users
the logon locally right!)
So as far as I'm concerned my problem is solved and "cer" being
the decisive factor I'm granting him the points.
 
LVL 5

Expert Comment

by:cer
ID: 1562071
You don't have a local admin?

If you don't want to grant local login, you can grant "connect as batch job" and change the registry as stated in the URL, or does this not work anymore?

 

Author Comment

by:KamenG
ID: 1562072
I do have a local admin, of course (can't delete that one if you wanted). I don't bother with any other local accounts. The strange part with the KB article is that according to it no local users should be able to login and the domain admin could but as I said - admins are privileged, obviously...
I did fix it by allowing domain users the privilege to login as batch jobs (that's what I tried to suggest in my last comment) but I'm still afraid that might be a security breach (but I tend to trust my users).
So to recap - the KB as usual gives you a good hint rather than a solution but that's OK for people who can read between the lines (if you can find the right article!).