IIS 7 and FTP 7.5 User Isolation Issue

Hi Everyone,

Here is my situation. I've scoured the internet for a solution but found nothing, really hoping someone can help!

    * I have an SBS 2008 server behind an ISA 2006 firewall.
    * I have applied the IIS 7 FTP 7.5 Update on the system and my FTP site works perfectly when user isolation is not enabled.
    * My FTP root is currently set to D:\FTP Sites\ - This site allows anonymous read access and full admin access, this works perfectly internally and externally.

My site bindings are on port 21 with the host name field left blank.

    * If I enable "Username Directory" isolation and set up a virtual directory to point to a folder with the same username as my login account, the login fails. I just keep getting re-presented with the password box. This is being tried locally on the server.
    * If I enable "Username Physical Directory" and login I get redirected correctly to the folder \%ftproot%\localdomain\username - this works fine internally and externally.

However, the problem is that this setting only works for my administrator account (note: this is not the built-in one, it is the one we created some time ago for administering the system). If I set this up for other users and create the respective folders under \%ftproot%\localdomain\ for their usernames, I cannot log in. I just keep getting re-presented with the password box.

To try and fix this I have created a security group called "FTPusers" and given this group full rights to the FTProot. This hasn't helped at all.

Any ideas? I'm totally stuck!

Thanks very much.


Brad Howe (DevOps Manager) Commented:

Here is just an example from previous posts I have answered.

First, in FTP Authentication, do you have Basic Authorization enabled?

Secondly, in FTP Authorization Rules, did you specify all the users as

Mode:Allow Users:administrator  Permissions:Read,Write
Mode:Allow Users:clientA        Permissions:Read
Mode:Allow Users:clientB        Permissions:Read

Are these domain users or locally created users? See physical directory path below for this question :)

IIS user isolation requires that the physical root directories be set up like this, matching the user ID.

D:\FTP Sites\LocalUser\administrator
D:\FTP Sites\LocalUser\ClientA
D:\FTP Sites\LocalUser\ClientB
D:\FTP Sites\LocalUser\ClientC

The KEY folder here is "LocalUser".

Don't forget to restrict permissions so that only administrators or the Machine\Client(A|B|C) can read/write to the specified folders.

Select the option "User name directory (disable global virtual directories)" in the FTP user isolation feature.

Now for the administrator. Here is the trick - Create a virtual Directory in IIS Manager under the D:\FTP Sites\LocalUser\administrator\<call it Root or --Toplevel--> and have it point to the D:\FTP Sites\.  Now your admin can log in and go through all folders with isolation set up.

User Account Types               Physical Home Directory Syntax
  Anonymous users                %FtpRoot%\LocalUser\Public
  Local Windows user accounts    %FtpRoot%\LocalUser\%UserName%
  Windows domain accounts        %FtpRoot%\%UserDomain%\%UserName%
  IIS Manager or ASP.NET custom  %FtpRoot%\LocalUser\%UserName%

Let me know if you have any issues,


TriumphLTD (Author) Commented:
Excellent solution and an excellent post. Thank you!

TriumphLTD (Author) Commented:
Just so everyone knows, the part that fixed this for me was adding each account that needs access into the "FTP Authorization Rules". What I have actually done is create a security group called "FTPusers" and added this group into the authorisation rules. Cheers Hades!
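
The setup described in this thread (per-user home folders, restricted NTFS permissions, isolation mode, and a group-based FTP authorization rule), scripted as an added example that is not part of the original posts. The site name and the two sample accounts are assumptions; the root path, the "localdomain" folder name and the "FTPusers" group come from the thread.

```powershell
# Added example, not from the thread. Values marked "assumption" are placeholders.
Import-Module WebAdministration   # assumption: the IIS PowerShell cmdlets are installed

$SiteName = 'Default FTP Site'    # assumption: FTP site name as shown in IIS Manager
$FtpRoot  = 'D:\FTP Sites'        # FTP root from the question
$Group    = 'FTPusers'            # security group from the thread
$Accounts = @(                    # constructed sample accounts
    @{ Name = 'ClientA'; Domain = $null }          # local Windows account
    @{ Name = 'ClientB'; Domain = 'localdomain' }  # domain account
)

function Get-FtpHomePath {
    param([string]$Root, [string]$UserName, [string]$Domain)
    # Local accounts: %FtpRoot%\LocalUser\%UserName%
    # Domain accounts: %FtpRoot%\%UserDomain%\%UserName%
    $parent = if ($Domain) { $Domain } else { 'LocalUser' }
    Join-Path (Join-Path $Root $parent) $UserName
}

foreach ($a in $Accounts) {
    $path = Get-FtpHomePath -Root $FtpRoot -UserName $a.Name -Domain $a.Domain
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Local accounts are qualified with the machine name, domain accounts with the domain.
    $prefix    = if ($a.Domain) { $a.Domain } else { $env:COMPUTERNAME }
    $principal = "$prefix\$($a.Name)"

    # Drop inherited ACEs, then grant only Administrators, SYSTEM and the owning user.
    icacls $path /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${principal}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "ACL update failed for $path" }
}

$sitePath = "IIS:\Sites\$SiteName"
# IsolateAllDirectories = "User name directory (disable global virtual directories)".
Set-ItemProperty $sitePath -Name ftpServer.userIsolation.mode -Value 'IsolateAllDirectories'
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true

# The fix reported in the thread: an Allow rule for the group in FTP Authorization Rules.
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' `
    -PSPath 'IIS:\' -Location $SiteName `
    -Value @{ accessType = 'Allow'; roles = $Group; permissions = 'Read,Write' }
```

Run it from an elevated PowerShell session. Add-WebConfiguration reports a duplicate-entry error if an identical rule already exists on the site.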