Avatar of commeng

Error 530 User Cannot Log In

I am trying to create an FTP site with SSL. I get the following message every time I attempt to connect from within the network. There are no firewalls between me and the server, and because I was having problems, I added my test user to the local Administrator Group on the server, but I still can't get past the error:

Connect socket #5020 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
AUTH SSL  
234 AUTH command ok. Expecting TLS Negotiation.  
USER LOC  
331 Password required for LOC.  
PASS **********  
530 User cannot log in.  
Connection Failed
Patrick Bogers

Hi,

Does this 'user' have a home directory in the FTP logical path?

If the user is called 'ftpuser1', there should be a folder in e.g. c:\inetpub\ftp\ftpuser1
Of course this user needs to have read/write/modify rights on this folder.
Avatar of commeng

ASKER

In the user setup I gave them a home directory d:\sftp\ftpuser1 with full rights. But I created a ftpuser1 folder in the inetpub directory, with appropriate rights, but that did not resolve the problem either.
Hi again,

In IIS click the FTP server once and click basic settings, where does this physical path lead to?
Avatar of commeng

ASKER

D:\SFTP
Avatar of commeng

ASKER

OK, what did I miss? If I click test connection this is what I get:

The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again.
I believe your FTP is configured using the default app pool, which has NetworkService rights, and these are automatically injected to that folder once you created the FTP server in IIS.

Can you tell or show us what "FTP Authorization Rules" (IIS->FTP server) looks like?
Avatar of commeng

ASKER

FTP Authorization Rules are

Mode:  Allow
Users:  All Users
Permissions:  Read,Write
Cool, is this test FTP user you created a member of all users on the FTP server?
Avatar of commeng

ASKER

Yes
OK, is the data range specified while creating the FTP server freed in the firewall? (Check FTP Firewall Support.)

Next:

In FTP SSL Settings, what does it say? (It should be allow certificate.)
Avatar of commeng

ASKER

FTP Firewall Support is blank

FTP SSL Settings are

SSL Certificate:  share.domain.com
SSL Policy:  Allow SSL Connections
Use 128-bit encryption for SSL connections is checked.
No data channels? Is this FTP server for a very small group of users?

What happens if you solely add that test user to FTP AUTHORIZATION RULES?
Avatar of commeng

ASKER

Yes it is very small.

OK if I add the user alone then the Test Connection completes!

But when I go to my FTP client it displays the same error message.

OK, let me change that statement: if I Connect As the user during the test it works; if I use Pass-through authentication it still fails on the test.
Ah then we are close to the solution!

In IIS click the FTP server and click Basic Settings. What application pool user is specified? Remember it.

Go to application pool users -> click the application pool once and select advanced settings. What is specified in 'identity'? Toggle between localservice/networkservice/others to find out which one works.
Avatar of commeng

ASKER

It just says pass-through authentication and I cannot find application pool users. Can you point me in a direction?
Avatar of commeng

ASKER

I don't see an Application Pool for the FTP site, should there be one?
Which version of server/IIS are you using? (I was assuming 2008/IIS7.)
If that is the case then yes, there should be an application user.
Avatar of commeng

ASKER

Yes Windows 2008R2 IIS 7.5

Where would application user be?
ASKER CERTIFIED SOLUTION
Patrick Bogers
Avatar of commeng

ASKER

That is basically what I did with success with test user, but I still could not connect with an FTP client remotely.
In IIS click your FTP server once, click Basic Settings and it should be in the right top corner
Avatar of commeng

ASKER

Yes I see the DefaultAppPool
Avatar of commeng

ASKER

The identity is ApplicationPoolIdentity
So go to application pools (left top corner), select the default apppool and click on advanced settings -> identity
Avatar of commeng

ASKER

OK, if I change the ApplicationPoolIdentity to my test user the basic test settings work. However, when I go to my FTP client I am still getting:

Connect socket #6188 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
AUTH SSL  
234 AUTH command ok. Expecting TLS Negotiation.  
USER LOC  
331 Password required for LOC.  
PASS **********  
530 User cannot log in.
Then it looks like your credentials are incorrect. What do you use as username? testuser or domain\testuser or testuser@domain.xx?

Check Event Viewer -> Security to see what the error is.
Avatar of commeng

ASKER

I am using testuser to login both in the basic settings and when using the FTP Client.

When I use the Basic Settings, I see it in the Security in Event Viewer.  When I use the client from computer there is no entry in Security.
Avatar of commeng

ASKER

I feel like I may be making progress now.

I went to FTP User Isolation and I selected User name directory (disable global virtual directories).

Now when I log in I receive the following error:

Connect socket #1848 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
USER domain|LOC  
331 Password required for ceishare.commeng.com|LOC.  
PASS **********  
530 User cannot log in, home directory inaccessible.

So what am I missing?
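
One way to check the "home directory inaccessible" reply above, as an added example that is not part of the original thread. With FTP User Isolation enabled, IIS FTP looks for the home directory at `<root>\LocalUser\<user>` for local accounts and `<root>\<domain>\<user>` for domain accounts. The function names are hypothetical, and `D:\SFTP` and the `domain|LOC` login are taken from the posts above.

```powershell
# Added example (not from the thread): compute the home directory IIS FTP
# expects under user isolation, then show whether it exists and which
# explicit ACEs name the account. Function names are hypothetical.
function Get-FtpIsolatedHome {
    param(
        [string] $FtpRoot,   # physical path of the FTP site, e.g. D:\SFTP
        [string] $Login      # "user", "DOMAIN\user" or "host|user"
    )
    # A virtual-host prefix ("host|user") only selects the site; drop it.
    $account = ($Login -split '\|')[-1]
    if ($account -match '^(?<domain>[^\\]+)\\(?<user>.+)$') {
        # Domain account: <root>\<domain>\<user>
        return [System.IO.Path]::Combine($FtpRoot, $Matches['domain'], $Matches['user'])
    }
    # Local account: <root>\LocalUser\<user>
    return [System.IO.Path]::Combine($FtpRoot, 'LocalUser', $account)
}

function Test-FtpIsolatedHome {
    param([string] $FtpRoot, [string] $Login)
    $dir  = Get-FtpIsolatedHome -FtpRoot $FtpRoot -Login $Login
    $user = ($Login -split '[|\\]')[-1]
    $aces = @()
    $exists = Test-Path -Path $dir -PathType Container
    if ($exists) {
        # Only ACEs that name the account directly are listed here;
        # rights granted through group membership will not show up.
        $aces = @((Get-Acl -Path $dir).Access |
            Where-Object { $_.IdentityReference.Value -like "*\$user" } |
            Select-Object IdentityReference, FileSystemRights, AccessControlType)
    }
    New-Object PSObject -Property @{ Path = $dir; Exists = $exists; Access = $aces }
}

# Values from the thread: site root D:\SFTP, login sent as "domain|LOC".
Test-FtpIsolatedHome -FtpRoot 'D:\SFTP' -Login 'domain|LOC' | Format-List
```

If `Exists` is `False`, or `Access` is empty and no group grants the account rights on the folder, the 530 reply with "home directory inaccessible" is the expected result.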
Avatar of commeng

ASKER

OK, so here is what I did to solve the problem.  Thank you Patrick for your help.

I had to bind the domain name to the site and change the login name to domain|user, and I turned off UAC on the server. Everything started working.