simplyamazing

asked on

home directory inaccessible - unable to login FTP server on IIS 6.0

Hi all,

I have a Win2003 standalone server with Service Pack 1 for Windows Server 2003 on it.
The problem is that, no matter what I do, I can't seem to get any FTP accounts to work. (I've done this dozens of times on W2K3 before and this one has got me completely stumped - the only difference now is that this is Service Pack 1 and the others were not - so it is probably a new "feature" from MS).

Here goes:
I set up a group called FTPUSERS, gave it "Log On Locally" rights in the local policy.
Then I created several user accounts.
Each account has a login name matching its virtual folder.
The permissions on the folder(s) are set for all the ftp users and groups.

When I try to FTP into the server, I get the "user fred cannot login, home directory inaccessible" error.  (no matter the  user)

After verifying the passwords, logins, turning off the firewall, giving full control permissions to the user(s) and to the FTPUSERS group and basically making the server completely open (to attack), I STILL CANNOT LOG IN!

I've done this so many times before, I am completely baffled as to why this is happening now. It's a completely brand new machine with no other services running except IIS 6.

I checked Microsoft's site for a patch or bugfix with no luck.
I'm certain it has to do with Service Pack 1 as I've never had problems with this before but I cannot uninstall the Service Pack.

Anyone?




simplyamazing

ASKER

I tried this:
http://support.microsoft.com/?id=200475

but none of their suggestions work.

I checked out dozens of posts like this, but "Log On Locally" is set for the group, so my situation must be unique.
meverest
Hello,

Take a look at the Event Viewer application log and the FTP service log for further clues.

Cheers.
"530 User fred cannot log in, home directory inaccessible."

fred is a member of Administrators (for testing)

fred has explicit "full control" rights to the folder "c:\SITES\fred"

the main site:  "ftpsites" points to "C:\SITES\null"
- this is wide open with read/write permissions
- the folder is set to EVERYONE with "full control" permissions
- the user "fred" is also set to "full control" permissions

the virtual folder "fred" points to "C:\SITES\fred", the name "fred" matches the user name "fred" (if anyone has seen this before, the behavior of IIS is such that, if a user name matches a virtual folder name, then that FTP user goes to that virtual folder).
"C:\SITES\fred" gives fred "full control" as well as the administrators group of which fred is in (temporarily anyway), this is fred's home directory.  I can give EVERYONE "full control" and the error is the same as above.

 I have several Windows 2003 servers that have been set up in this fashion (though they were all set up before SP1, applying SP1 to these had no effect on the security settings, more interesting, is that, on 2 of the servers, none of the current FTP users have the "Log On Locally" permission set and they work just fine, go figure).

To eliminate the FTP client (WS FTP) as a suspect, I can go to the server via RDP, open IIS, and find the virtual FTP folder, right-click, select "Browse" and it asks for a login and password, all accounts are rejected including the Administrator's account.  This is actually the best test for FTP login problems.

So it looks like there is a policy somewhere that is preventing any user including administrators from accessing the folders via FTP.






Silly question - have you double-checked that the default home directory for the FTP service exists and is accessible to all? The error message does not specifically mention permission failure or login faults - it complains about the home directory itself.

Also worth checking - does the system "user" IWAM/IUSR... have access rights?
I've given everyone permission to the base FTP folder and the user folder as well as the user.
Even though the other servers do not have permissions set for IWAM and IUSR and work fine, I went ahead and added those accounts with full control.  Right now all accounts have full control (modify) on the folder in question.
It's still locked down tight.

There are no domain policies as this is not a domain controller nor is it on a domain.  It was originally set up as a DHCP server, but that role was removed.

Maybe a user account is missing?
Here's all the users on the machine:
Administrator, ASP.Net, Guest, Fred, IUSR_THETA, IWAM_THETA, and SQLDebugger

Here's all the groups/users in "Allow Log On Locally" (I deleted FTPUSERS group for now until I can figure this out)
Administrators, Backup Operators, IUSR_THETA, Power Users, THETA\Fred, Users

the "C:\SITES\NULL" and "C:\SITES\Fred" folder permissions:  Administrators(full), Everyone(full), Fred(full), Internet Guest Account(full), Launch IIS Process Account(full), SYSTEM(full), Users(full)

There must be a hidden policy somewhere that is denying access.
I've recreated the users, re-created the FTP site.
I've verified that the "effective" permissions show full control for "Fred" (and all users mentioned above).

Is there any way to re-set the policies to defaults?

TIA



Try opening a local FTP session - does that work? If so, is Windows Firewall getting too clever?
I tried that with several accounts.  It disallows that as well.
I wasn't sure whether I had to type in the server name too, so I tried THETA\fred and fred by itself, but it won't even let the Administrator account in.

I'm uninstalling IIS (using the configure your server wizard) and then I'll be re-installing it to see if that helps.
No, that didn't work.  If only MS would come up with a "policy reset" so reinstalling the OS would not be necessary every time something like this gets messed up.
:(

Right now I'm removing SP1 and all the updates, then I will try again. If that fails, then I have to reinstall the OS.
Warning to all: do not uninstall SP1 for Windows Server 2003.
The server is now dead... DOH!

Thanks for everyone's help, I won't be able to get back to the machine for a week or so (in a datacenter I can't get to w/o paying them 100/hr to babysit).
OMG!
I did set it to "User Isolation".   I should have read closer - it said that the User Isolation requires a subdirectory under the root.
Dang! I baked a server over sheer stupidity.  I should be fired (oh wait, I'm the boss... maybe I should hang up developing for the web and just raise chickens or something :>)   or a person w/o "A.D.D.".

The other servers worked in that mode because all of the virtual directories were subdirectories of the root FTP.
 
The simple straight answer:  
If the FTP user account is on a Domain Controller AND User IIS 6 FTP Isolation Mode is enabled, then you just need to set up the directory structure:  
c:\inetpub\ftproot\<domain>\<username>  
If the IIS 6 FTP server is a standalone or member server AND the FTP user account is a local account on the server, then set up the home directory structure as:
c:\inetpub\ftproot\localuser\<username>
Check that the FTP user is in the Users group.
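
Added example, not part of the original thread: a small check that derives the home directory the isolation layout above requires for each login and reports the ones that are missing, so the layout can be verified before any folder ACL is loosened. The function names, the sample accounts and the rule that a machine-name prefix (e.g. `THETA\fred`) means a local account are assumptions of this example.

```python
import os
import ntpath  # Windows path rules, so the example also runs off-Windows


def isolated_home(ftp_root, login, machine):
    """Home directory expected for `login` under FTP user isolation."""
    domain, _, user = login.rpartition("\\")
    # Refuse names that could point outside the FTP root.
    if not user or user in (".", "..") or any(c in user for c in '/:*?"<>|'):
        raise ValueError("unusable account name: %r" % login)
    if domain == "" or domain.lower() == machine.lower():
        # Local account on a standalone or member server.
        # NTFS lookups ignore case, so "LocalUser" matches "localuser".
        return ntpath.join(ftp_root, "LocalUser", user)
    # Domain account: <ftproot>\<domain>\<username>
    return ntpath.join(ftp_root, domain, user)


def missing_homes(ftp_root, logins, machine, is_dir=os.path.isdir):
    """Map each login whose expected home is absent to that path."""
    missing = {}
    for login in logins:
        home = isolated_home(ftp_root, login, machine)
        if not is_dir(home):
            missing[login] = home
    return missing


if __name__ == "__main__":
    # Constructed sample: only alice's home exists on this imaginary server.
    present = {r"c:\inetpub\ftproot\localuser\alice"}
    report = missing_homes(
        r"c:\inetpub\ftproot",
        ["fred", r"THETA\fred", "alice", r"CORP\bob"],
        machine="THETA",
        is_dir=lambda p: p.lower() in present,
    )
    for login, home in report.items():
        print("%-12s home missing: %s" % (login, home))
```

On the server itself, call `missing_homes` without the `is_dir` argument so it checks the real file system.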