Solved

Administrator can't login to FTP site root folder

Posted on 2007-12-05
Last Modified: 2013-11-29
We're using Windows Server 2003 Web Edition.

I've set up an FTP site with the "Isolate Users" option (non-AD)
I've set up the ftproot folder as below
ftproot
      LocalUser
                Customer1
                Customer2
                Public

When I try to access the FTP site using Customer1's credentials, I am able to login fine and see files in ftproot/LocalUser/Customer1

When I try to access the FTP site using Administrator's credentials, I can't login and I get the message
530 User Administrator cannot login, home directory inaccessible.

If I add a folder for Administrator... as in the example below.... Administrator can login fine but can only see ftproot/LocalUser/Administrator

ftproot
      LocalUser
                Administrator
                Customer1
                Customer2
                Public

The webserver is not in a domain... it's in its own workgroup.
User Administrator has full security permission to the root of the drive and the ftproot folder shows inherited permissions.

What I would like to do is this...
I have an internal account called Upload
1.  I would like Upload to be able to connect to the FTP server and see ftproot and all its subfolders.
2.  I would like the anonymous account to connect to the FTP server and only see ftproot/LocalUser/Public
3.  Any customer accounts would be able to connect to the FTP server and only see
      ftproot/LocalUser/CustomerName  folder

Item 3 seems to work fine now...
Item 2 also seems to work fine now...

Item 1 is the problem....  I can't even do this as the Administrator...
I think once we can figure out why the Administrator account can't connect via FTP and see the root, I'll be able to get it to work on the "Upload" user account.

Any ideas?

Question by:Die-Tech

Expert Comment

by:Dan McFadden
Well, an ftp error code of 530 states that the user is not logged in.  Is it possible to see what the IIS ftp logs say?  I would recommend blacking out the fields that contain sensitive info...

As a test, I suggest the following:
- create a new virtual directory on the ftp server
- make the path "ftproot/LocalUser/"
- name it "Administrator"
- enable read and write permissions in the ftp virtual directory
- login as administrator and see if you can traverse the ftp structure

If you cannot traverse the structure, I tend to think it is an NTFS ACL issue.

Also, playing with ACLs can get ugly; I usually recommend setting up FTP using predominately Virtual Directories.  This helps ease the isolation of customer data from one another.  You would set up a read-only ftproot that is an empty directory, and the customer directories should be in another location outside of the empty ftproot.  The Virtual Directories are then named according to the user logging in; this will automatically be their home directory.  Since the structures under ftp are mostly virtuals, there is no directory structure to be browsed off the root.

For example:

D:\FtpService (just a structure to isolate ftp from other services)
--- ftproot (contains read-only permissions)
--- --- public (if necessary... apply the necessary ACLs for access)
--- customer1
--- customer2
--- customer3

In this example, the customer directories would be outside the browseable ftp root and then need to be set up as virtuals off the root of the ftp server.  This will also help prevent unintended ACL inheritance when modifying ACLs on new customer structure.  In this example, I would also set up the Administrator virtual as having the path of D:\FtpService.

Hope this helps.


Author Comment

by:Die-Tech
I had CuteFTP retry logging in as Administrator...

Here is an excerpt from the IIS ftp log...

19:00:38 10.10.10.248 [1405]USER Administrator 331 0
19:00:38 10.10.10.248 [1405]PASS - 530 5
19:00:39 10.10.10.248 [1406]QUIT - 220 0
19:00:39 10.10.10.248 [1407]USER Administrator 331 0
19:00:39 10.10.10.248 [1407]PASS - 530 5
19:00:42 10.10.10.248 [1408]USER Administrator 331 0
19:00:42 10.10.10.248 [1408]PASS - 530 5

After 3 tries, I closed CuteFTP
Each try gave me the 530 error.... but like I mentioned earlier, if you make an Administrator folder under ftproot\LocalUser   it works fine... so it's definitely not a password problem.

I'm going to try making the virtual directory and see what that does.

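Reading the trailing column of the log excerpt above, as an added example that is not part of the original thread: this sketch pairs each rejected PASS with the USER line of the same session and names the Win32 status that follows the FTP reply code. It assumes the last column is the W3C `sc-win32-status` field; the function names, the `Customer1` lines and the 10.10.10.77 address are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the excerpt posted above. Assumption:
# the last column is the W3C sc-win32-status field (a Win32 error code).
SAMPLE_LOG = """\
19:00:38 10.10.10.248 [1405]USER Administrator 331 0
19:00:38 10.10.10.248 [1405]PASS - 530 5
19:00:39 10.10.10.248 [1406]QUIT - 220 0
19:02:10 10.10.10.77 [1410]USER Customer1 331 0
19:02:10 10.10.10.77 [1410]PASS - 530 1326
19:02:15 10.10.10.77 [1411]USER Customer1 331 0
19:02:15 10.10.10.77 [1411]PASS - 230 0
"""

# time, client IP, [session id]command, parameter, FTP reply, Win32 status
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (\S+) (\d{3}) (\d+)$")

# Win32 error codes from winerror.h that can accompany a rejected PASS.
WIN32 = {5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE",
         1331: "ERROR_ACCOUNT_DISABLED", 1909: "ERROR_ACCOUNT_LOCKED_OUT"}

def failed_logins(log_text):
    """Return one record per rejected PASS, tagged with its Win32 reason."""
    pending_user = {}   # (client IP, session id) -> name sent with USER
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue    # skips "#Fields:" headers and malformed lines
        time, ip, session, cmd, param, reply, win32 = m.groups()
        key = (ip, session)
        if cmd.upper() == "USER":
            pending_user[key] = param
        elif cmd.upper() == "PASS" and reply == "530":
            code = int(win32)
            failures.append({"time": time, "ip": ip, "win32": code,
                             "user": pending_user.get(key, "?"),
                             "reason": WIN32.get(code, "UNKNOWN")})
    return failures

def summarize(failures):
    """Count rejections per (user, reason): wrong-password failures and
    access-denied failures need different follow-up."""
    return Counter((f["user"], f["reason"]) for f in failures)

if __name__ == "__main__":
    for (user, reason), n in summarize(failed_logins(SAMPLE_LOG)).items():
        print(f"{user:<15} {reason:<24} x{n}")
```

Under that assumption, the PASS lines in the posted excerpt end in 5 (ERROR_ACCESS_DENIED), whereas a rejected password would be logged as 1326 (ERROR_LOGON_FAILURE).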

Author Comment

by:Die-Tech
Ok.... I did the following...
- created a new virtual directory on the ftp server
- made the path "ftproot/LocalUser/"
- named it "Administrator"
- enabled read and write permissions in the ftp virtual directory
- Tried to login as administrator and got the 530 errors

Expert Comment

by:Dan McFadden
Based on the log snippet and your last comment, I believe there is an issue with your administrator account and password.

An ftp error code of 331 is user name ok, but password needed
An ftp error code of 530 means the user is not properly logged in.

The password being used for the admin account is incorrect.  I would verify the admin password.

Accepted Solution

by:Die-Tech
The password is definitely correct.... I'm also connected to the same FTP server via Remote Desktop Connection using Administrator and the same password.

I think the problem has to do with this "Isolate Users" option... when you create the FTP site.

I'm new to IIS6.0. In the old 4.0 and 5.0 days, I would make an FTP site, make a group that had only List permission to ftproot, put all FTP users in the group.... then manually manage the permissions for the folders under ftproot. Administrator would connect and be able to traverse the whole folder structure... any other users would only be able to see the subfolders; if they tried to change to one they didn't have access to, they would be denied.

I just tried making the following...
D:\FtpService (just a structure to isolate ftp from other services)
--- ftproot (contains read-only permissions)
--- --- public (if necessary... apply the necessary ACLs for access)
--- customer1
--- customer2
--- customer3

I can't get logged in using Administrator or customer1... or anonymous

I'm going to try and do the same folder structure but without making the site isolate users.
I think using the virtual folders will do all the isolation I need...  I'll let you know how that goes.
