Solved

Error 530 User Cannot Log In

Posted on 2013-11-01
Last Modified: 2013-11-05
I am trying to create an FTP site with SSL. I get the following message every time I attempt to connect from within the network. There are no firewalls between me and the server, and because I was having problems, I added my test user to the local Administrator Group on the server, but I still can't get past the error:

Connect socket #5020 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
AUTH SSL  
234 AUTH command ok. Expecting TLS Negotiation.  
USER LOC  
331 Password required for LOC.  
PASS **********  
530 User cannot log in.  
Connection Failed
Question by:commeng
29 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617548
Hi,

Does this 'user' have a home directory in FTP logical path?

If the user is called 'ftpuser1', there should be a folder in e.g. c:\inetpub\ftp\ftpuser1
Of course, this user needs to have read/write/modify rights on this folder.
0
 

Author Comment

by:commeng
ID: 39617591
In the user setup I gave them a home directory d:\sftp\ftpuser1 with full rights.  But I created a ftpuser1 folder in the inetpub directory, with appropriate rights, but that did not resolve the problem either.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617598
Hi again,

In IIS click the FTP server once and click basic settings, where does this physical path lead to?
0
 

Author Comment

by:commeng
ID: 39617606
D:\SFTP
0
 

Author Comment

by:commeng
ID: 39617610
OK, what did I miss.  If I click test connection this is what I get:

The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617627
I believe your FTP is configured using default apppool which has networkservice rights and are automatically injected to that folder once you created the FTP server in IIS.

Can you tell or show us what "FTP Authorization Rules" (IIS->FTP server) looks like?
0
 

Author Comment

by:commeng
ID: 39617633
FTP Authorization Rules are

Mode:  Allow
Users:  All Users
Permissions:  Read,Write
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617649
Cool, is this test ftp user you created a member of all users on the ftp server?
0
 

Author Comment

by:commeng
ID: 39617650
Yes
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617666
ok, is the data range specified while creating FTP server freed in the firewall? (check FTP Firewall Support)

next:

In FTP SSL Settings-> what does it say? (should be allow certificate)
0
 

Author Comment

by:commeng
ID: 39617686
FTP Firewall Support is blank

FTP SSL Settings are

SSL Certification:  share.domain.com
SSL Policy:  Allow SSL Connections
Use 128-bit encryption for SSL connections is checked.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617698
No data channels? is this ftp server for a very small group of users?

what happens if you solely add that test user to FTP AUTHORIZATION RULES?
0
 

Author Comment

by:commeng
ID: 39617716
Yes it is very small.

OK if I add the user alone then the Test Connection completes!

but when I go to my FTP Client it displays the same error message

OK, let me change that statement: if I Connect As the user during the test it works; if I use Pass-through authentication it still fails on the test.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617732
Ah then we are close to the solution!

In IIS click the FTP server and click Basic Settings. What application pool user is specified? Remember it.

Go to application pool users -> click the application pool once and select advanced settings. What is specified in 'identity'? Toggle between localservice/networkservice/others to find out which one works.
0

 

Author Comment

by:commeng
ID: 39617742
It just says pass-through authentication and I cannot find application pool users, can you point me in a direction?
0
 

Author Comment

by:commeng
ID: 39617749
I don't see an Application Pool for the FTP site, should there be one?
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617764
Which version server/IIS are you using? (I was assuming 2008/IIS7)
If that is the case then yes, there should be an application user.
0
 

Author Comment

by:commeng
ID: 39617769
Yes Windows 2008R2 IIS 7.5

Where would application user be?
0
 
LVL 19

Accepted Solution

by:
Patricksr1972 earned 500 total points
ID: 39617772
We could also choose for the quick fix.
Create a local user on the server, let's call it FtpLocalClient, give it a password which never expires, give this user read/write rights in d:\sftp and fill in that user in the 'Basic Settings User'.
0
 

Author Comment

by:commeng
ID: 39617780
That is basically what I did with success with test user, but I still could not connect with an FTP client remotely.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617782
In IIS click your FTP server once, click Basic Settings and it should be in the right top corner

apppool
0
 

Author Comment

by:commeng
ID: 39617786
Yes I see the DefaultAppPool
0
 

Author Comment

by:commeng
ID: 39617794
The identity is ApplicationPoolIdentity
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617798
So go to application pools (left top corner), select the default apppool and click on advanced settings -> identity
0
 

Author Comment

by:commeng
ID: 39617804
OK, if I change the ApplicationPoolIdentity to my test user the basic test settings work.  However, when I go to my FTP client I am still getting:

Connect socket #6188 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
AUTH SSL  
234 AUTH command ok. Expecting TLS Negotiation.  
USER LOC  
331 Password required for LOC.  
PASS **********  
530 User cannot log in.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39617813
Then it looks like your credentials are incorrect. What do you use as username?  testuser or domain\testuser or testuser@domain.xx ?

Check event viewer -> security what is the error.
0
 

Author Comment

by:commeng
ID: 39621319
I am using testuser to login both in the basic settings and when using the FTP Client.

When I use the Basic Settings, I see it in the Security in Event Viewer.  When I use the client from computer there is no entry in Security.
0
 

Author Comment

by:commeng
ID: 39621900
I feel like I may be making progress now.

I went to FTP User Isolation and I selected User name directory (disable global virtual directories).

Now when I log in I receive the following error:

Connect socket #1848 to 172.16.0.65, port 21...
220 Microsoft FTP Service  
USER domain|LOC  
331 Password required for ceishare.commeng.com|LOC.  
PASS **********  
530 User cannot log in, home directory inaccessible.

So what am I missing?
0
 

Author Comment

by:commeng
ID: 39624197
OK, so here is what I did to solve the problem.  Thank you Patrick for your help.

I had to bind the domain name to the site and change the login name to domain|user, and I turned off UAC on the server.  Everything started working.
0
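A read-only review of the settings this thread walks through (site binding host name, FTP Authorization Rules, FTP User Isolation, home directory rights), added here as an example and not posted by either participant. `$SiteName`, `$User` and `$Domain` are placeholders to replace, and the `LocalUser` / domain folder layout checked in step 4 comes from IIS FTP's documented user isolation behaviour rather than from the thread.

```powershell
# Added example: read-only checks; changes nothing on the server.
Import-Module WebAdministration

$SiteName = 'Default FTP Site'  # placeholder (assumption): your FTP site name
$User     = 'ftpuser1'          # placeholder: the account that receives the 530
$Domain   = 'EXAMPLE'           # placeholder: only relevant for domain accounts

$sitePath = "IIS:\Sites\$SiteName"
$root = [Environment]::ExpandEnvironmentVariables((Get-Item $sitePath).physicalPath)

# 1. Bindings. bindingInformation is "IP:port:hostname". A non-empty host name
#    means the client logs in as "hostname|user", as in the final post.
Get-WebBinding -Name $SiteName -Protocol ftp | ForEach-Object {
    $hostName = ($_.bindingInformation -split ':')[-1]
    if ($hostName) { "Binding $($_.bindingInformation): log in as '$hostName|$User'" }
    else           { "Binding $($_.bindingInformation): no host name, log in as '$User'" }
}

# 2. FTP Authorization Rules stored for this site.
Get-WebConfiguration -Filter '/system.ftpServer/security/authorization/add' `
    -PSPath 'IIS:\' -Location $SiteName |
    Select-Object accessType, users, roles, permissions | Format-Table -AutoSize

# 3. FTP User Isolation mode configured on the site.
Get-ItemProperty $sitePath -Name ftpServer.userIsolation.mode

# 4. Home directory candidates when isolation is enabled: IIS FTP looks under
#    <root>\LocalUser\<user> for local accounts and <root>\<domain>\<user>
#    for domain accounts.
foreach ($dir in "$root\LocalUser\$User", "$root\$Domain\$User") {
    if (Test-Path $dir) {
        "$dir exists; ACL entries naming ${User}:"
        (Get-Acl $dir).Access |
            Where-Object { $_.IdentityReference -like "*$User" } |
            Select-Object IdentityReference, FileSystemRights, AccessControlType
    } else {
        "$dir is missing"
    }
}
```

Run it in an elevated PowerShell session on the IIS server; a missing folder in step 4 matches the "home directory inaccessible" variant of the 530 reply.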


Question has a verified solution.
