?
Solved

home directory inaccessible - unable to login FTP server on IIS 6.0

Posted on 2006-05-27
17
Medium Priority
?
50,604 Views
Last Modified: 2011-08-18
Hi all,

I have a Win2003, standalone, server with service pack 1 for windows server 2003 on it.
The problem is that, no matter what I do, I can't seem to get any FTP accounts to work. (I've done this dozens of times on W2K3 before and this one has got me completely stumped - the only difference now is that this is Service Pack 1 and the others were not - so it is probably a new "feature" from MS).

Here goes:
I set up a group called FTPUSERS, gave it "Log On Locally" rights in the local policy.
Then I created several user accounts.
Each account has a login name matching its virtual folder.
The permissions on the folder(s) are set for all the ftp users and groups.

When I try to FTP into the server, I get the "user fred cannot login, home directory inaccessible" error.  (no matter the  user)

After verifying the passwords, logins, turning off the firewall, giving full control permissions to the user(s) and to the FTPUSERS group and basically making the server completely open (to attack), I STILL CANNOT LOG IN!

I've done this so many times before, I am completely baffled as to why this is happening now. It's a completely brand new machine with no other services running except IIS 6.

I checked Microsoft's site for a patch or bugfix with no luck.
I'm certain it has to do with Service Pack 1 as I've never had problems with this before but I cannot uninstall the Service Pack.

Anyone?




0
Comment
Question by:simplyamazing
  • 7
  • 3
  • 2
  • +5
17 Comments
 

Author Comment

by:simplyamazing
ID: 16777669
I tried this:
http://support.microsoft.com/?id=200475

but none of their suggestions work.

I checked out dozens of posts like this, but "Log On Locally" is set for the group, so my situation must be unique.
0
 
LVL 37

Expert Comment

by:meverest
ID: 16778015
Hello,

take a look at the event viewer application log, and the ftp service log for further clues.

Cheers.
0
 
LVL 10

Assisted Solution

by:dnojcd
dnojcd earned 100 total points
ID: 16778591
make sure you have read permission on the default ftp site  ftp folders.mainly this error used to come in that situation

for testing try to login with the adminstrator credentials. are you using and third party ftp client ?
http://support.microsoft.com/?id=221934
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 

Author Comment

by:simplyamazing
ID: 16779705
"530 User fred cannot log in, home directory inaccessible."

fred is a member of Administrators (for testing)

fred has explicit "full control" rights to the folder "c:\SITES\fred"

the main site:  "ftpsites" points to "C:\SITES\null"
- this is wide open with read/write permissions
- the folder is set to EVERYONE with "full control" permissions
- the user "fred" is also set to "full control" permissions

the virtual folder "fred" points to "C:\SITES\fred", the name is "fred" matches the user name "fred" (if anyone has seen this before, the behavior of IIS is such that, if a user name matches a virtual folder name, then that FTP user goes to that virtual folder.
"C:\SITES\fred" gives fred "full control" as well as the administrators group of which fred is in (temporarily anyway), this is fred's home directory.  I can give EVERYONE "full control" and the error is the same as above.

 I have several Windows 2003 servers that have been set up in this fashion (though they were all set up before SP1, applying SP1 to these had no effect on the security settings, more interesting, is that, on 2 of the servers, none of the current FTP users have the "Log On Locally" permission set and they work just fine, go figure).

To eliminate the FTP client (WS FTP) as a suspect, I can go to the server via RDP, open IIS, and find the virtual FTP folder, right-click, select "Browse" and it asks for a login and password, all accounts are rejected including the Administrator's account.  This is actually the best test for FTP login problems.

So it looks like there is a policy somewhere that is preventing any user including administrators from accessing the folders via FTP.






0
 
LVL 37

Assisted Solution

by:meverest
meverest earned 100 total points
ID: 16781063
Hello,

Yes, I suspect you are right that there is a group policy issue preventing the log on locally right from being applied.  (This is usually only an issue when the server is a domain controller)

Check the relevant policy config - you will need to make sure that it is set for the domain as well as for the server (or whichever overrides the other)

Cheers,  Mike.
0
 
LVL 4

Expert Comment

by:kenpem
ID: 16781429
Silly question - have you double-checked that the default home directory for the FTP service exists and is accessible to all? The error message does not specifically mention permission failure or login faults - it complains about the home directory itself.

Also worth checking - does the system "user" IWAM/IUSR... have access rights?
0
 
LVL 6

Assisted Solution

by:shambhusingh2004
shambhusingh2004 earned 100 total points
ID: 16782175
Pls make sure that you have defined Everyone/FTP group permission on Inetpub/ftproot(Read).

Warm Regards,

Vipin Gupta
0
 

Author Comment

by:simplyamazing
ID: 16784241
I've given everyone permission to the base FTP folder and the user folder as well as the user.
Even though the other servers do not have permissions set for IWAM and IUSER and work fine, I went ahead and added those accounts with full control.  Right now all accounts have full control (modify) on the folder in question.
It's still locked down tight.

There is no domain policies as this is not a domain controller nor is it on a domain.  It was originally set up as a DHCP server, but that role was removed.

Maybe a user account is missing?
Here's all the users on the machine:
Administrator, ASP.Net, Guest, Fred, IUSER_THETA, IWAM_THETA, and SQLDebugger

Here's all the groups/users in "Allow Log On Locally" (I deleted FTPUSERS group for now until I can figure this out)
Administrators, Backup Operators, IUSR_THETA, Power Users, THETA\Fred, Users

the "C:\SITES\NULL" and "C:SITES\Fred" folders permissions:  Administrators(full),Everyone(full),Fred(full),Internet Guest Account(full),Launch IIS Process ACcount(full), SYSTEM(full), Users(full)

There must be a hidden policy somewhere that is denying access.
 I've recreated the users, re-created the FTP site.
I've verified that the "effective" permissions showing full control for "Fred" (and all users mentioned above).

Is there any way to re-set the policies to defaults?

TIA



0
 
LVL 4

Expert Comment

by:kenpem
ID: 16784908
Try opening a local FTP session - does that work? If so, is Windows Firewall getting too clever?
0
 

Author Comment

by:simplyamazing
ID: 16785054
I tried that with several accounts.  It disallows that as well.
I wasn't sure whether I had to type in the server name too, so I tried THETA\fred and fred by itself, but it won't even let the Administrator account in.

I'm uninstalling IIS (using the configure your server wizard) and then I'll be re-installing it to see if that helps.
0
 

Author Comment

by:simplyamazing
ID: 16785133
no, that didn't work.  if only MS would come up with a "policy reset" so reinstalling the OS would not be necessary every time something like this gets messed up.
:(

Right now I'm removing SP1 and all the updates, then I will try again. It that fails, then I have to reinstall the OS.
0
 

Author Comment

by:simplyamazing
ID: 16785217
warning to all: do not uninstall SP1 for Windows Server 2003.  
The server is now dead... DOH!

Thanks for everyone's help, I won't be able to get back to the machine for a week or so (in a datacenter I can't get to w/o paying them 100/hr to babysit).
0
 
LVL 4

Assisted Solution

by:kenpem
kenpem earned 100 total points
ID: 16785226
ooooh dear!

Ah well, chances are when you re-configure everything will just work the way it usually does.
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 1600 total points
ID: 16790537
Did you by any chance configure the FTP site to use either AD or Non-AD User Isolation when you initally created it?

If so it would explain the problem you were experiencing.

Dave Dietz
0
 

Author Comment

by:simplyamazing
ID: 16794315
OMG!
I did set it to "User Isolation".   I should have read closer - it said that the User Isolation requires a subdirectory under the root.
DAng! I baked a server over sheer stupidity.  I should be fired (oh wait, I'm the boss... maybe I should hang up developing for the web and just raise chickens or something :>)   or a person w/o "A.D.D.".

The other servers worked in that mode because all of the virtual directories were subdirectories of the root FTP.
 
0
 

Expert Comment

by:Anthony Maw
ID: 23230483
The simple straight answer:  
If the FTP user account is on a Domain Controller AND User IIS 6 FTP Isolation Mode is enabled, then you just need to set up the directory structure:  
c:\inetpub\ftproot\<domain>\<username>  
If the IIS 6 FTP server is a standalone or member server AND the FTP user account is a local account on the server, then set up the home directory directory structure as:
c:\inetpub\ftproot\localuser\<username>
0
 

Expert Comment

by:tuncayulusoy67
ID: 26028732
Check that ftp user in Users group.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here are the symptoms: You start receiving calls from users that one of your legacy web apps isn't coming up, so you log into your IIS 5 server to check it out.  When you pull up the services, you notice that the WWW Publishing service isn't runn…
Prologue It is often required to host multiple websites on a single instance of IIS, mostly in development environments instead of on production servers. I am sure it is not much a preferred solution on production servers but this is at least a pos…
This Micro Tutorial will teach you how to add a cinematic look to any film or video out there. There are very few simple steps that you will follow to do so. This will be demonstrated using Adobe Premiere Pro CS6.
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question