home directory inaccessible - unable to login FTP server on IIS 6.0

Hi all,

I have a Win2003, standalone, server with service pack 1 for windows server 2003 on it.
The problem is that, no matter what I do, I can't seem to get any FTP accounts to work. (I've done this dozens of times on W2K3 before and this one has got me completely stumped - the only difference now is that this is Service Pack 1 and the others were not - so it is probably a new "feature" from MS).

Here goes:
I set up a group called FTPUSERS, gave it "Log On Locally" rights in the local policy.
Then I created several user accounts.
Each account has a login name matching its virtual folder.
The permissions on the folder(s) are set for all the ftp users and groups.

When I try to FTP into the server, I get the "user fred cannot login, home directory inaccessible" error.  (no matter the  user)

After verifying the passwords, logins, turning off the firewall, giving full control permissions to the user(s) and to the FTPUSERS group and basically making the server completely open (to attack), I STILL CANNOT LOG IN!

I've done this so many times before, I am completely baffled as to why this is happening now. It's a completely brand new machine with no other services running except IIS 6.

I checked Microsoft's site for a patch or bugfix with no luck.
I'm certain it has to do with Service Pack 1 as I've never had problems with this before but I cannot uninstall the Service Pack.

Anyone?




Asked by: simplyamazing

Dave_Dietz commented:
Did you by any chance configure the FTP site to use either AD or Non-AD User Isolation when you initially created it?

If so it would explain the problem you were experiencing.

Dave Dietz

simplyamazing (Author) commented:
I tried this:
http://support.microsoft.com/?id=200475

but none of their suggestions work.

I checked out dozens of posts like this, but "Log On Locally" is set for the group, so my situation must be unique.

meverest commented:
Hello,

take a look at the event viewer application log, and the ftp service log for further clues.

Cheers.

dnojcd commented:
Make sure you have read permission on the default FTP site's FTP folders. Mainly this error used to come in that situation.

For testing, try to log in with the administrator credentials. Are you using any third-party FTP client?
http://support.microsoft.com/?id=221934

simplyamazing (Author) commented:
"530 User fred cannot log in, home directory inaccessible."

fred is a member of Administrators (for testing)

fred has explicit "full control" rights to the folder "c:\SITES\fred"

the main site:  "ftpsites" points to "C:\SITES\null"
- this is wide open with read/write permissions
- the folder is set to EVERYONE with "full control" permissions
- the user "fred" is also set to "full control" permissions

the virtual folder "fred" points to "C:\SITES\fred", the name "fred" matches the user name "fred" (if anyone has seen this before, the behavior of IIS is such that, if a user name matches a virtual folder name, then that FTP user goes to that virtual folder).
"C:\SITES\fred" gives fred "full control" as well as the administrators group of which fred is in (temporarily anyway), this is fred's home directory.  I can give EVERYONE "full control" and the error is the same as above.

 I have several Windows 2003 servers that have been set up in this fashion (though they were all set up before SP1, applying SP1 to these had no effect on the security settings, more interesting, is that, on 2 of the servers, none of the current FTP users have the "Log On Locally" permission set and they work just fine, go figure).

To eliminate the FTP client (WS FTP) as a suspect, I can go to the server via RDP, open IIS, and find the virtual FTP folder, right-click, select "Browse" and it asks for a login and password, all accounts are rejected including the Administrator's account.  This is actually the best test for FTP login problems.

So it looks like there is a policy somewhere that is preventing any user including administrators from accessing the folders via FTP.






meverest commented:
Hello,

Yes, I suspect you are right that there is a group policy issue preventing the log on locally right from being applied.  (This is usually only an issue when the server is a domain controller)

Check the relevant policy config - you will need to make sure that it is set for the domain as well as for the server (or whichever overrides the other)

Cheers,  Mike.

kenpem commented:
Silly question - have you double-checked that the default home directory for the FTP service exists and is accessible to all? The error message does not specifically mention permission failure or login faults - it complains about the home directory itself.

Also worth checking - does the system "user" IWAM/IUSR... have access rights?

shambhusingh2004 commented:
Pls make sure that you have defined Everyone/FTP group permission on Inetpub/ftproot(Read).

Warm Regards,

Vipin Gupta

simplyamazing (Author) commented:
I've given everyone permission to the base FTP folder and the user folder as well as the user.
Even though the other servers do not have permissions set for IWAM and IUSER and work fine, I went ahead and added those accounts with full control.  Right now all accounts have full control (modify) on the folder in question.
It's still locked down tight.

There are no domain policies as this is not a domain controller nor is it on a domain.  It was originally set up as a DHCP server, but that role was removed.

Maybe a user account is missing?
Here's all the users on the machine:
Administrator, ASP.Net, Guest, Fred, IUSER_THETA, IWAM_THETA, and SQLDebugger

Here's all the groups/users in "Allow Log On Locally" (I deleted FTPUSERS group for now until I can figure this out)
Administrators, Backup Operators, IUSR_THETA, Power Users, THETA\Fred, Users

the "C:\SITES\NULL" and "C:\SITES\Fred" folder permissions:  Administrators(full), Everyone(full), Fred(full), Internet Guest Account(full), Launch IIS Process Account(full), SYSTEM(full), Users(full)

There must be a hidden policy somewhere that is denying access.
 I've recreated the users, re-created the FTP site.
I've verified that the "effective" permissions show full control for "Fred" (and all users mentioned above).

Is there any way to re-set the policies to defaults?

TIA



kenpem commented:
Try opening a local FTP session - does that work? If so, is Windows Firewall getting too clever?

simplyamazing (Author) commented:
I tried that with several accounts.  It disallows that as well.
I wasn't sure whether I had to type in the server name too, so I tried THETA\fred and fred by itself, but it won't even let the Administrator account in.

I'm uninstalling IIS (using the configure your server wizard) and then I'll be re-installing it to see if that helps.

simplyamazing (Author) commented:
No, that didn't work.  If only MS would come up with a "policy reset" so reinstalling the OS would not be necessary every time something like this gets messed up.
:(

Right now I'm removing SP1 and all the updates, then I will try again. If that fails, then I have to reinstall the OS.

simplyamazing (Author) commented:
warning to all: do not uninstall SP1 for Windows Server 2003.  
The server is now dead... DOH!

Thanks for everyone's help, I won't be able to get back to the machine for a week or so (in a datacenter I can't get to w/o paying them 100/hr to babysit).

kenpem commented:
ooooh dear!

Ah well, chances are when you re-configure everything will just work the way it usually does.
0
 
simplyamazingAuthor Commented:
OMG!
I did set it to "User Isolation".   I should have read closer - it said that the User Isolation requires a subdirectory under the root.
Dang! I baked a server over sheer stupidity.  I should be fired (oh wait, I'm the boss... maybe I should hang up developing for the web and just raise chickens or something :>)   or a person w/o "A.D.D.".

The other servers worked in that mode because all of the virtual directories were subdirectories of the root FTP.
 
Anthony Maw (Systems Administrator) commented:
The simple straight answer:  
If the FTP user account is on a Domain Controller AND User IIS 6 FTP Isolation Mode is enabled, then you just need to set up the directory structure:  
c:\inetpub\ftproot\<domain>\<username>  
If the IIS 6 FTP server is a standalone or member server AND the FTP user account is a local account on the server, then set up the home directory structure as:
c:\inetpub\ftproot\localuser\<username>
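
Added example (not part of the original thread or any poster's code): a Python check that derives the home directory the two layouts above imply for a login under user isolation and reports whether it is present in a directory listing, using the paths from the thread. The function names and directory lists are constructed for illustration, and treating a bare user name as a local account is an assumption.

```python
import ntpath  # Windows path rules, usable on any OS


def isolated_home(ftp_root, login, machine_name):
    """Home directory implied by the isolation layouts described above."""
    domain, sep, user = login.rpartition("\\")
    if not sep or domain.lower() == machine_name.lower():
        # Local account (assumption: a bare name means a local account):
        # <ftproot>\LocalUser\<username>
        return ntpath.join(ftp_root, "LocalUser", user)
    # Domain account: <ftproot>\<domain>\<username>
    return ntpath.join(ftp_root, domain, user)


def _key(path):
    # Windows paths compare case-insensitively.
    return ntpath.normcase(ntpath.normpath(path))


def check_login(ftp_root, login, machine_name, existing_dirs):
    """Return (expected_home, found); found=False predicts the 530 error.

    Only existence is checked here; NTFS permissions on the folder are a
    separate question.
    """
    home = isolated_home(ftp_root, login, machine_name)
    return home, _key(home) in {_key(d) for d in existing_dirs}


# Constructed sample mirroring the thread: site root C:\SITES\null and a
# user folder that sits beside the root instead of under it.
SITE_ROOT = r"C:\SITES\null"
BEFORE = [r"C:\SITES\null", r"C:\SITES\fred"]
AFTER = BEFORE + [r"C:\SITES\null\LocalUser\fred"]

if __name__ == "__main__":
    for label, dirs in (("before", BEFORE), ("after", AFTER)):
        for login in ("fred", r"THETA\fred"):
            home, found = check_login(SITE_ROOT, login, "THETA", dirs)
            status = "ok" if found else "530 home directory inaccessible"
            print(f"{label:6} {login:11} -> {home}: {status}")
```

With the thread's original layout both `fred` and `THETA\fred` resolve to `C:\SITES\null\LocalUser\fred`, which does not exist, regardless of how open the ACLs on `C:\SITES\fred` are.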

tuncayulusoy67 commented:
Check that the FTP user is in the Users group.

Question has a verified solution.