Solved

AD users can't log into FTP site hosted on Win 2003 Svr

Posted on 2008-06-10
Last Modified: 2013-12-09
Have a Windows 2003 SP2 member server hosting a single FTP site on port 21 without anonymous access. The Home Directory is set to a local folder (i.e. C:\Folder\FTPSiteFolder\) with Read/Write permissions in IIS. The Users group, Administrators group, System account, and a specific user account for outside access to the FTP all have Modify or greater NTFS permissions. Browsing to the FTP site in IE 7 from inside the network, or even locally on the server hosting the FTP site, produces the same result: the login prompt appears but no user account (even the administrator) can log in. There is no error message and the login prompt just reappears.

The Windows event log on the server shows a Warning with Event ID 100, Source: MSFTPSVC, Description: The server was unable to logon the Windows NT account 'administrator' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.

NOTE: If I configure Anonymous access the site works fine.
Question by:Biziteks

Expert Comment

by:evanmcnally
ID: 21754622
Try submitting the username as Windows DOMAINNAME\USERNAME or as username@windowsdomainname.com

This should force your member server to check in with a domain controller rather than looking at its local account database.

Author Comment

by:Biziteks
ID: 21754646
OK, that worked. Is there a way to get it to take just the username?

Accepted Solution

by:
evanmcnally earned 500 total points
ID: 21754681
You need to specify a default domain name in the IIS metabase.

Try the steps from this link (also pasted below) http://support.microsoft.com/kb/200475

Resolution 4
Try using the command line FTP utility and specify the FTP username in DOMAIN\Username format when you log into the FTP Site. If this works, then you can either instruct all users to log on by using DOMAIN\Username format, or you can specify the default authentication domain that the FTP Service should use when authenticating accounts that do not exist locally and that were not entered in the DOMAIN\Username format. To do this you must make changes to the Metabase.

To specify a default logon domain so users do not have to type DOMAIN\Username when logging on to the FTP Server, you can either use the Windows Script Host (if it was installed during the Windows NT Option Pack setup) or the NTOP utility Mdutil.exe.

Both methods are described below.

To use the Windows Script Host method, use one of the following methods depending on the version of IIS that you are running:

Note: In IIS 6.0, you can resolve this issue by modifying the metabase only when the FTP isolation type is "Isolated (Active Directory)" or if the UserIsolationMode property is set to 2.

IIS 6.0
1. Change to the %Systemroot%\Inetpub\Adminscripts directory.
2. Type the following:
Adsutil Set MSFTPSVC/DefaultLogonDomain "Domain Name"
Make sure when you type in the Domain Name that it is enclosed in quotation marks.
3. Stop and restart the FTP Service.

IIS 5.0
1. Change to the %Systemroot%\Inetpub\Adminscripts directory.
2. Type the following:
Adsutil Set MSFTPSVC/DefaultLogonDomain "Domain Name"
Make sure when you type the Domain Name that it is enclosed in quotation marks.
3. Stop the FTP Service, and then restart the FTP Service.

IIS 4.0
1. Change to the %systemroot%\system32\inetsrv\adminsamples directory.
2. Type the following:
cscript //h:cscript
This sets Cscript as the default WSH interpreter.
3. Type the following:
Adsutil Set MSFTPSVC/DefaultLogonDomain "Domain Name"
Make sure when you type in the Domain Name that it is enclosed in quotation marks.
4. Stop the FTP Service, and then restart the FTP Service.

If the Windows Script Host was not installed during the NTOP setup, use Mdutil.exe as follows:
1. Copy Mdutil.exe from the Windows NT Option Pack compact disc to the %WINDIR%\System32\ directory.
Make sure to copy Mdutil.exe from the appropriate platform directory on the compact disc.
2. Open a command prompt, and change to the %WINDIR%\System32 directory.
3. Execute the command below, replacing <DomainName> with the name of the accounts domain you want to authenticate your user against by default:
mdutil set msftpsvc/DefaultLogonDomain -utype UT_Server -dtype String -value <DomainName>
Make sure that <DomainName> is typed without quotes.
4. When the command completes successfully, stop and restart the FTP Service.
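
An added triage sketch (not part of the original thread) for the Event ID 100 warnings quoted in the question: it parses the MSFTPSVC description text and separates failures for bare user names, which the first answer attributes to the member server checking its local account database, from failures where a domain was supplied. The sample descriptions, the EXAMPLE domain and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Description text of MSFTPSVC Event ID 100, in the wording quoted in the question.
EVENT_RE = re.compile(
    r"The server was unable to logon the Windows NT account '(?P<account>[^']*)' "
    r"due to the following error: (?P<error>.+?)\s*The data is the error code\."
)

def name_form(account):
    """Classify how the client typed the user name."""
    if "\\" in account:
        return "domain-qualified"   # DOMAIN\Username
    if "@" in account:
        return "upn"                # username@domain
    return "bare"                   # no domain given by the client

def triage(descriptions):
    """Return (failure count per name form, sorted bare account names)."""
    forms = Counter()
    bare = set()
    for text in descriptions:
        m = EVENT_RE.search(text)
        if not m:
            continue                # not an FTP logon-failure description
        form = name_form(m.group("account"))
        forms[form] += 1
        if form == "bare":
            bare.add(m.group("account").lower())
    return forms, sorted(bare)

# Constructed sample input: four logon failures plus one unrelated line.
TEMPLATE = (
    "The server was unable to logon the Windows NT account '{}' due to the "
    "following error: Logon failure: unknown user name or bad password.  "
    "The data is the error code."
)
ACCOUNTS = ("administrator", "ftpuser", "EXAMPLE\\ftpuser", "ftpuser@example.com")
SAMPLE = [TEMPLATE.format(a) for a in ACCOUNTS] + ["constructed unrelated event text"]

if __name__ == "__main__":
    forms, bare = triage(SAMPLE)
    print(dict(forms))
    print("bare names that failed:", bare)
```

Many bare-name failures for accounts that exist in the domain point at a missing DefaultLogonDomain; failures for domain-qualified names are not explained by it and deserve a closer look.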

Author Closing Comment

by:Biziteks
ID: 31465910
Thanks! That worked perfectly.