Error 530 User Cannot Log In

I am trying to create an FTP site with SSL. I get the following message every time I attempt to connect from within the network. There are no firewalls between me and the server, and because I was having problems I added my test user to the local Administrator Group on the server, but I still can't get past the error:

Connect socket #5020 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
AUTH SSL  
234 AUTH command ok. Expecting TLS Negotiation.  
USER LOC  
331 Password required for LOC.  
PASS **********  
530 User cannot log in.  
Connection Failed
Asked by: commeng

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
Hi,

Does this 'user' have a home directory in FTP logical path?

If user is called 'ftpuser1' there should be a folder in e.g. c:\inetpub\ftp\ftpuser1
Of course this user needs to have read/write/modify rights on this folder.

commeng (Author) Commented:
In the user setup I gave them a home directory d:\sftp\ftpuser1 with full rights.  But I created a ftpuser1 folder in the inetpub directory, with appropriate rights, but that did not resolve the problem either.

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
Hi again,

In IIS click the FTP server once and click basic settings, where does this physical path lead to?

commeng (Author) Commented:
D:\SFTP

commeng (Author) Commented:
OK, what did I miss.  If I click test connection this is what I get:

The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again.

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
I believe your FTP is configured using default apppool which has networkservice rights and are automatically injected to that folder once you created the FTP server in IIS.

Can you tell or show us what "FTP Authorization Rules" (IIS->FTP server) looks like?

commeng (Author) Commented:
FTP Authorization Rules are

Mode:  Allow
Users:  All Users
Permissions:  Read,Write

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
Cool, is this test ftp user you created a member of all users on the ftp server?

commeng (Author) Commented:
Yes

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
ok, is the data range specified while creating FTP server freed in the firewall? (check FTP Firewall Support)

next:

In FTP SSL Settings-> what does it say? (should be allow certificate)

commeng (Author) Commented:
FTP Firewall Support is blank

FTP SSL Settings are

SSL Certificate:  share.domain.com
SSL Policy:  Allow SSL Connections
Use 128-bit encryption for SSL connections is checked.

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
No data channels? is this ftp server for a very small group of users?

what happens if you solely add that test user to FTP AUTHORIZATION RULES?

commeng (Author) Commented:
Yes it is very small.

OK if I add the user alone then the Test Connection completes!

but when I go to my FTP Client it displays the same error message

OK, let me change that statement: if I Connect As the user during the test it works; if I use Pass-through authentication it still fails on the test.

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
Ah then we are close to the solution!

In IIS click the FTP server and click Basic Settings. What application pool user is specified? Remember it.

Go to application pool users-> click the application pool once and select advanced settings. What is specified in 'identity'? toggle between localservice/networkservice/others to find out which one works.

commeng (Author) Commented:
It just says pass-through authentication and I cannot find application pool users, can you point me in a direction?

commeng (Author) Commented:
I don't see an Application Pool for the FTP site, should there be one?

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
Which version server/IIS are you using? (I was assuming 2008/IIS7)
If that is the case then yes, there should be an application user.

commeng (Author) Commented:
Yes Windows 2008R2 IIS 7.5

Where would application user be?

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
We could also choose for the quick fix.
Create a local user on the server, let's call it FtpLocalClient, give it a password which never expires, give this user read/write rights in d:\sftp and fill in that user in the 'Basic Settings User'.

commeng (Author) Commented:
That is basically what I did with success with test user, but I still could not connect with an FTP client remotely.

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
In IIS click your FTP server once, click Basic Settings and it should be in the right top corner

apppool

commeng (Author) Commented:
Yes I see the DefaultAppPool

commeng (Author) Commented:
The identity is ApplicationPoolIdentity

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
So go to application pools (left top corner), select the default apppool and click on advanced settings -> identity

commeng (Author) Commented:
OK if I change the ApplicationPoolIdentity to my test user the basic test settings work.  However, when I go to my FTP client I am still getting:

Connect socket #6188 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
AUTH SSL  
234 AUTH command ok. Expecting TLS Negotiation.  
USER LOC  
331 Password required for LOC.  
PASS **********  
530 User cannot log in.

Patrick Bogers (Datacenter platform engineer Lindows) Commented:
Then it looks like your credentials are incorrect. What do you use as username?  testuser or domain\testuser or testuser@domain.xx ?

Check event viewer -> security what is the error.

commeng (Author) Commented:
I am using testuser to login both in the basic settings and when using the FTP Client.

When I use the Basic Settings, I see it in the Security in Event Viewer.  When I use the client from computer there is no entry in Security.

commeng (Author) Commented:
I feel like I may be making progress now.

I went to FTP User Isolation and I selected User name directory (disable global virtual directories).

Now when I log in I receive the following error:

Connect socket #1848 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
USER domain|LOC  
331 Password required for ceishare.commeng.com|LOC.  
PASS **********  
530 User cannot log in, home directory inaccessible.

So what am I missing?

commeng (Author) Commented:
OK, so here is what I did to solve the problem.  Thank you Patrick for your help.

I had to bind the domain name to the site and change the login name to domain|user, and I turned off UAC on the server.  Everything started working.
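
Added example, not part of the original thread and not written by either poster: a small Python check that reads an FTP client log like the ones quoted above and reports whether explicit TLS was accepted before USER/PASS, whether the login used the host|user form, and which of the two 530 replies came back. The sample logs are constructed from the first and last logs in the thread; the function name and result keys are hypothetical.

```python
import re

# Constructed from the first and last client logs quoted in the thread.
FIRST_LOG = """\
220 Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
USER LOC
331 Password required for LOC.
PASS **********
530 User cannot log in.
"""
LAST_LOG = """\
220 Microsoft FTP Service
USER domain|LOC
331 Password required for ceishare.commeng.com|LOC.
PASS **********
530 User cannot log in, home directory inaccessible.
"""

def audit(log):
    """Summarise one control-channel log: TLS state at login, user name form, 530 kind."""
    out = {"tls_before_login": False, "virtual_host": None, "user": None, "failure": None}
    auth_sent = tls_ok = False
    for raw in log.splitlines():
        line = raw.strip()
        if re.match(r"AUTH\s+(SSL|TLS)\b", line, re.I):
            auth_sent = True
        elif line.startswith("234") and auth_sent:
            tls_ok = True                      # server accepted explicit TLS
        elif line.upper().startswith("USER "):
            out["tls_before_login"] = tls_ok   # False: credentials follow in cleartext
            name = line[5:].strip()
            if "|" in name:                    # host|user form used with a bound host name
                out["virtual_host"], out["user"] = name.split("|", 1)
            else:
                out["user"] = name
        elif line.startswith("530"):
            out["failure"] = ("home_directory" if "home directory inaccessible" in line
                              else "login_rejected")
    return out

if __name__ == "__main__":
    for label, log in (("first", FIRST_LOG), ("last", LAST_LOG)):
        print(label, audit(log))
```

A False `tls_before_login`, as in the last log as quoted, means the client sent USER and PASS without negotiating TLS, which the site accepts because its SSL Policy is Allow SSL Connections rather than Require SSL connections.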
