Solved

Error 530 User Cannot Log In

Posted on 2013-11-01
Last Modified: 2013-11-05
I am trying to create an FTP site with SSL. I get the following message every time I attempt to connect from within the network. There are no firewalls between me and the server, and because I was having problems, I added my test user to the local Administrator Group on the server, but I still can't get past the error:

Connect socket #5020 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
AUTH SSL  
234 AUTH command ok. Expecting TLS Negotiation.  
USER LOC  
331 Password required for LOC.  
PASS **********  
530 User cannot log in.  
Connection Failed

Question by:commeng

29 Comments

Expert Comment

by:Patricksr1972
Hi,

Does this 'user' have a home directory in FTP logical path?

If user is called  'ftpuser1' there should be a folder in e.g.  c:\inetpub\ftp\ftpuser1
Of course this user needs to have read/write/modify rights on this folder.

Author Comment

by:commeng
In the user setup I gave them a home directory d:\sftp\ftpuser1 with full rights.  But I created a ftpuser1 folder in the inetpub directory, with appropriate rights, but that did not resolve the problem either.

Expert Comment

by:Patricksr1972
Hi again,

In IIS click the FTP server once and click basic settings, where does this physical path lead to?

Author Comment

by:commeng
D:\SFTP

Author Comment

by:commeng
OK, what did I miss.  If I click test connection this is what I get:

The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again.

Expert Comment

by:Patricksr1972
I believe your FTP is configured using the default apppool, which has networkservice rights, and these are automatically injected to that folder once you created the FTP server in IIS.

Can you tell or show us what "FTP Authorization Rules" (IIS->FTP server) looks like?

Author Comment

by:commeng
FTP Authorization Rules are

Mode:  Allow
Users:  All Users
Permissions:  Read,Write

Expert Comment

by:Patricksr1972
Cool, is this test ftp user you created a member of all users on the ftp server?

Author Comment

by:commeng
Yes

Expert Comment

by:Patricksr1972
ok, is the data range specified while creating FTP server freed in the firewall? (check FTP Firewall Support)

next:

In FTP SSL Settings-> what does it say? (should be allow certificate)

Author Comment

by:commeng
FTP Firewall Support is blank

FTP SSL Settings are

SSL Certificate:  share.domain.com
SSL Policy:  Allow SSL Connections
Use 128-bit encryption for SSL connections is checked.

Expert Comment

by:Patricksr1972
No data channels? is this ftp server for a very small group of users?

what happens if you solely add that test user to FTP AUTHORIZATION RULES?

Author Comment

by:commeng
Yes it is very small.

OK if I add the user alone then the Test Connection completes!

but when I go to my FTP Client it displays the same error message

OK, let me change that statement: if I Connect As the user during the test it works; if I use Pass-through authentication it still fails on the test.

Expert Comment

by:Patricksr1972
Ah then we are close to the solution!

In IIS click the FTP server and click Basic Settings. What application pool user is specified? Remember it.

Go to application pool users-> click the application pool once and select advanced settings. What is specified in 'identity'? toggle between localservice/networkservice/others to find out which one works.

Author Comment

by:commeng
It just says pass-through authentication and I cannot find application pool users, can you point me in a direction?

Author Comment

by:commeng
I don't see an Application Pool for the FTP site, should there be one?

Expert Comment

by:Patricksr1972
Which version server/IIS are you using? (I was assuming 2008/IIS7)
If that is the case then yes, there should be an application user.

Author Comment

by:commeng
Yes Windows 2008R2 IIS 7.5

Where would application user be?

Accepted Solution

by:Patricksr1972
We could also choose for the quick fix.
Create a local user on the server, let's call it FtpLocalClient, give it a password which never expires, give this user read/write rights in d:\sftp and fill in that user in the 'Basic Settings User'.

Author Comment

by:commeng
That is basically what I did with success with test user, but I still could not connect with an FTP client remotely.

Expert Comment

by:Patricksr1972
In IIS click your FTP server once, click Basic Settings and it should be in the right top corner

apppool

Author Comment

by:commeng
Yes I see the DefaultAppPool

Author Comment

by:commeng
The identity is ApplicationPoolIdentity

Expert Comment

by:Patricksr1972
So go to application pools (left top corner), select the default apppool and click on advanced settings -> identity

Author Comment

by:commeng
OK, if I change the ApplicationPoolIdentity to my test user the basic test settings work.  However, when I go to my FTP client I am still getting:

Connect socket #6188 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
AUTH SSL  
234 AUTH command ok. Expecting TLS Negotiation.  
USER LOC  
331 Password required for LOC.  
PASS **********  
530 User cannot log in.

Expert Comment

by:Patricksr1972
Then it looks like your credentials are incorrect. What do you use as username?  testuser or domain\testuser or testuser@domain.xx ?

Check event viewer -> security what is the error.

Author Comment

by:commeng
I am using testuser to login both in the basic settings and when using the FTP Client.

When I use the Basic Settings, I see it in the Security in Event Viewer.  When I use the client from computer there is no entry in Security.

Author Comment

by:commeng
I feel like I may be making progress now.

I went to FTP User Isolation and I selected User name directory (disable global virtual directories).

Now when I log in I receive the following error:

Connect socket #1848 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
USER domain|LOC  
331 Password required for ceishare.commeng.com|LOC.  
PASS **********  
530 User cannot log in, home directory inaccessible.

So what am I missing

Author Comment

by:commeng
OK, so here is what I did to solve the problem.  Thank you Patrick for your help.

I had to bind the domain name to the site and change the login name to domain|user, and I turned off UAC on the server.  Everything started working.
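
As an added example (not part of the thread, and not code from any participant), the Python below reads two of the client transcripts posted above and reports, for each, whether AUTH was accepted before USER/PASS, whether the login name carried the `host|user` prefix the final fix relied on, and which kind of 530 came back. The function name `analyze`, the result keys and the hint strings are hypothetical names introduced here.

```python
import re

# Command/reply lines as posted in the thread (password masked by the client).
FIRST_ATTEMPT = """\
220 Microsoft FTP Service
AUTH SSL
234 AUTH command ok. Expecting TLS Negotiation.
USER LOC
331 Password required for LOC.
PASS **********
530 User cannot log in.
"""
AFTER_ISOLATION = """\
220 Microsoft FTP Service
USER domain|LOC
331 Password required for ceishare.commeng.com|LOC.
PASS **********
530 User cannot log in, home directory inaccessible.
"""
REPLY = re.compile(r"^(\d{3})[ -](.*)$")  # three-digit code, then text

def analyze(transcript):
    """Summarize one client-side FTP login transcript (hypothetical helper)."""
    r = {"tls_before_login": False, "user": None, "host_prefix": None,
         "outcome": "incomplete", "hints": []}
    tls, last_cmd = False, None
    for line in filter(None, map(str.strip, transcript.splitlines())):
        m = REPLY.match(line)
        if m is None:                          # a client command
            verb, _, arg = line.partition(" ")
            last_cmd = verb.upper()
            if last_cmd == "USER":             # split an optional host| prefix
                host, sep, user = arg.rpartition("|")
                r.update(user=user, host_prefix=host if sep else None,
                         tls_before_login=tls)
            continue
        code, text = m.groups()
        if last_cmd == "AUTH" and code == "234":
            tls = True                         # server accepted the TLS upgrade
        elif last_cmd == "PASS" and code == "230":
            r["outcome"] = "logged_in"
        elif last_cmd == "PASS" and code == "530":
            r["outcome"] = ("home_directory" if "home directory" in text.lower()
                            else "rejected")
    if r["user"] and not r["tls_before_login"]:
        r["hints"].append("USER/PASS sent without AUTH: credentials were not encrypted")
    if r["outcome"] == "rejected" and r["host_prefix"] is None:
        r["hints"].append("no host|user prefix in the login name")
    if r["outcome"] == "home_directory":
        r["hints"].append("check the per-user folder and its rights")
    return r
```

In the second transcript as posted, no AUTH precedes USER, which the site's "Allow SSL Connections" policy permits; the "Require SSL connections" policy in FTP SSL Settings refuses such logins.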