| Groups | Blog | Home |
iis ftp : FTP problem with more than 2 users configured
I'm using AD User Isolation. The first two users that I create and configure (using the IISFTP /SetADProp script) works fine. But, I can't get more than two users to work. Any additional users that I create, I get a "503 ... home directory inaccessible" error message when they attempt to establish a FTP connection. The first two users still works fine. I have even done a complete reinstall in case something got screwed up the first time. I still getting the same issues. All that I have installed is SBS 2003 itself, the FTP add-on to IIS, and the patches/updates from WindowsUpdate. No third-party software has been installed. Has anyone else experienced this problem? Anyone know of any solutions, workarounds? TIA, Richard Rosenheim
I would try filemon (sysinternals.com) and trace 'where' IIS ftp is sending
the user. It will also show if there's permission related error msgs. -- Regards, Bernard Cheah http://www.tryiis.com/ http://support.microsoft.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Richard L Rosenheim" <richard@rlr.com> wrote in message news:%23d3hVnpMFHA.4028@tk2msftngp13.phx.gbl... > I'm trying to configure the FTP portion of a SBS 2003 install. > > I'm using AD User Isolation. The first two users that I create and > configure (using the IISFTP /SetADProp script) works fine. But, I can't > get > more than two users to work. Any additional users that I create, I get a > "503 ... home directory inaccessible" error message when they attempt to > establish a FTP connection. The first two users still works fine. > > I have even done a complete reinstall in case something got screwed up the > first time. I still getting the same issues. > > All that I have installed is SBS 2003 itself, the FTP add-on to IIS, and > the > patches/updates from WindowsUpdate. No third-party software has been > installed. > > Has anyone else experienced this problem? Anyone know of any solutions, > workarounds? > > TIA, > > Richard Rosenheim > >
We tried that. It didn't show anything helpful.
Richard Rosenheim [quoted text, click to view] "Bernard" <qbernard@hotmail.com.discuss> wrote in message news:%23bbECn0MFHA.580@TK2MSFTNGP15.phx.gbl... > I would try filemon (sysinternals.com) and trace 'where' IIS ftp is sending > the user. It will also show if there's permission related error msgs. > > -- > Regards, > Bernard Cheah > http://www.tryiis.com/ > http://support.microsoft.com/ > http://www.msmvps.com/bernard/ > > > "Richard L Rosenheim" <richard@rlr.com> wrote in message > news:%23d3hVnpMFHA.4028@tk2msftngp13.phx.gbl... > > I'm trying to configure the FTP portion of a SBS 2003 install. > > > > I'm using AD User Isolation. The first two users that I create and > > configure (using the IISFTP /SetADProp script) works fine. But, I can't > > get > > more than two users to work. Any additional users that I create, I get a > > "503 ... home directory inaccessible" error message when they attempt to > > establish a FTP connection. The first two users still works fine. > > > > I have even done a complete reinstall in case something got screwed up the > > first time. I still getting the same issues. > > > > All that I have installed is SBS 2003 itself, the FTP add-on to IIS, and > > the > > patches/updates from WindowsUpdate. No third-party software has been > > installed. > > > > Has anyone else experienced this problem? Anyone know of any solutions, > > workarounds? > > > > TIA, > > > > Richard Rosenheim > > > > > >
I ran filemon on the ftp server (SBS 2003). The home folder is on the local
machine. There's is nothing special about the user. That's what has made this problem so baffling. The user was created the same was as the first two users. Richard Rosenheim [quoted text, click to view] "Bernard" <qbernard@hotmail.com.discuss> wrote in message news:eMO5KpZNFHA.2252@TK2MSFTNGP15.phx.gbl... > are you running filemon on the ftp server ? > what so special about this user ? is the home folder on local machine or > remote ? > > -- > Regards, > Bernard Cheah > http://www.tryiis.com/ > http://support.microsoft.com/ > http://www.msmvps.com/bernard/ > > > "Richard L Rosenheim" <richard@rlr.com> wrote in message > news:e7THk7YNFHA.3668@TK2MSFTNGP14.phx.gbl... > > We tried that. It didn't show anything helpful. > > > > Richard Rosenheim > > > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message > > news:%23bbECn0MFHA.580@TK2MSFTNGP15.phx.gbl... > >> I would try filemon (sysinternals.com) and trace 'where' IIS ftp is > > sending > >> the user. It will also show if there's permission related error msgs. > >> > >> -- > >> Regards, > >> Bernard Cheah > >> http://www.tryiis.com/ > >> http://support.microsoft.com/ > >> http://www.msmvps.com/bernard/ > >> > >> > >> "Richard L Rosenheim" <richard@rlr.com> wrote in message > >> news:%23d3hVnpMFHA.4028@tk2msftngp13.phx.gbl... > >> > I'm trying to configure the FTP portion of a SBS 2003 install. > >> > > >> > I'm using AD User Isolation. The first two users that I create and > >> > configure (using the IISFTP /SetADProp script) works fine. But, I > >> > can't > >> > get > >> > more than two users to work. Any additional users that I create, I get > > a > >> > "503 ... home directory inaccessible" error message when they attempt > >> > to > >> > establish a FTP connection. The first two users still works fine. > >> > > >> > I have even done a complete reinstall in case something got screwed up > > the > >> > first time. I still getting the same issues. > >> > > >> > All that I have installed is SBS 2003 itself, the FTP add-on to IIS, > >> > and > >> > the > >> > patches/updates from WindowsUpdate. No third-party software has been > >> > installed. > >> > > >> > Has anyone else experienced this problem? Anyone know of any > >> > solutions, > >> > workarounds? > >> > > >> > TIA, > >> > > >> > Richard Rosenheim > >> > > >> > > >> > >> > > > > > >
are you running filemon on the ftp server ?
what so special about this user ? is the home folder on local machine or remote ? -- Regards, Bernard Cheah http://www.tryiis.com/ http://support.microsoft.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Richard L Rosenheim" <richard@rlr.com> wrote in message news:e7THk7YNFHA.3668@TK2MSFTNGP14.phx.gbl... > We tried that. It didn't show anything helpful. > > Richard Rosenheim > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message > news:%23bbECn0MFHA.580@TK2MSFTNGP15.phx.gbl... >> I would try filemon (sysinternals.com) and trace 'where' IIS ftp is > sending >> the user. It will also show if there's permission related error msgs. >> >> -- >> Regards, >> Bernard Cheah >> http://www.tryiis.com/ >> http://support.microsoft.com/ >> http://www.msmvps.com/bernard/ >> >> >> "Richard L Rosenheim" <richard@rlr.com> wrote in message >> news:%23d3hVnpMFHA.4028@tk2msftngp13.phx.gbl... >> > I'm trying to configure the FTP portion of a SBS 2003 install. >> > >> > I'm using AD User Isolation. The first two users that I create and >> > configure (using the IISFTP /SetADProp script) works fine. But, I >> > can't >> > get >> > more than two users to work. Any additional users that I create, I get > a >> > "503 ... home directory inaccessible" error message when they attempt >> > to >> > establish a FTP connection. The first two users still works fine. >> > >> > I have even done a complete reinstall in case something got screwed up > the >> > first time. I still getting the same issues. >> > >> > All that I have installed is SBS 2003 itself, the FTP add-on to IIS, >> > and >> > the >> > patches/updates from WindowsUpdate. No third-party software has been >> > installed. >> > >> > Has anyone else experienced this problem? Anyone know of any >> > solutions, >> > workarounds? >> > >> > TIA, >> > >> > Richard Rosenheim >> > >> > >> >> > >
Well, it just doesn't make sense right ? so for now, I will try to create a
new user and see if the same thing happen. And bottom line is I think it's related NTFS permissions and filemon should show you more detail as of why.... -- Regards, Bernard Cheah http://www.tryiis.com/ http://support.microsoft.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Richard L Rosenheim" <richard@rlr.com> wrote in message news:%23Cd41ZcNFHA.2252@TK2MSFTNGP15.phx.gbl... >I ran filemon on the ftp server (SBS 2003). The home folder is on the >local > machine. There's is nothing special about the user. That's what has made > this problem so baffling. The user was created the same was as the first > two users. > > Richard Rosenheim > > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message > news:eMO5KpZNFHA.2252@TK2MSFTNGP15.phx.gbl... >> are you running filemon on the ftp server ? >> what so special about this user ? is the home folder on local machine or >> remote ? >> >> -- >> Regards, >> Bernard Cheah >> http://www.tryiis.com/ >> http://support.microsoft.com/ >> http://www.msmvps.com/bernard/ >> >> >> "Richard L Rosenheim" <richard@rlr.com> wrote in message >> news:e7THk7YNFHA.3668@TK2MSFTNGP14.phx.gbl... >> > We tried that. It didn't show anything helpful. >> > >> > Richard Rosenheim >> > >> > "Bernard" <qbernard@hotmail.com.discuss> wrote in message >> > news:%23bbECn0MFHA.580@TK2MSFTNGP15.phx.gbl... >> >> I would try filemon (sysinternals.com) and trace 'where' IIS ftp is >> > sending >> >> the user. It will also show if there's permission related error msgs. >> >> >> >> -- >> >> Regards, >> >> Bernard Cheah >> >> http://www.tryiis.com/ >> >> http://support.microsoft.com/ >> >> http://www.msmvps.com/bernard/ >> >> >> >> >> >> "Richard L Rosenheim" <richard@rlr.com> wrote in message >> >> news:%23d3hVnpMFHA.4028@tk2msftngp13.phx.gbl... >> >> > I'm trying to configure the FTP portion of a SBS 2003 install. >> >> > >> >> > I'm using AD User Isolation. The first two users that I create and >> >> > configure (using the IISFTP /SetADProp script) works fine. But, I >> >> > can't >> >> > get >> >> > more than two users to work. Any additional users that I create, I > get >> > a >> >> > "503 ... home directory inaccessible" error message when they >> >> > attempt >> >> > to >> >> > establish a FTP connection. The first two users still works fine. >> >> > >> >> > I have even done a complete reinstall in case something got screwed > up >> > the >> >> > first time. I still getting the same issues. >> >> > >> >> > All that I have installed is SBS 2003 itself, the FTP add-on to IIS, >> >> > and >> >> > the >> >> > patches/updates from WindowsUpdate. No third-party software has >> >> > been >> >> > installed. >> >> > >> >> > Has anyone else experienced this problem? Anyone know of any >> >> > solutions, >> >> > workarounds? >> >> > >> >> > TIA, >> >> > >> >> > Richard Rosenheim >> >> > >> >> > >> >> >> >> >> > >> > >> >> > >
Oh, it definitely doesn't make sense.
I have tried creating several different users, all with the same results. I'm also in contact with Microsoft attempting to resolve this issue. I was posting in this newsgroup in case someone else had encountered the same problem. Thanks for taking the time to reply, Richard Rosenheim [quoted text, click to view] "Bernard" <qbernard@hotmail.com.discuss> wrote in message news:%23AadjrmNFHA.3560@TK2MSFTNGP14.phx.gbl... > Well, it just doesn't make sense right ? so for now, I will try to create a > new user and see if the same thing happen. And bottom line is I think it's > related NTFS permissions and filemon should show you more detail as of > why.... > > -- > Regards, > Bernard Cheah > http://www.tryiis.com/ > http://support.microsoft.com/ > http://www.msmvps.com/bernard/ > > > "Richard L Rosenheim" <richard@rlr.com> wrote in message > news:%23Cd41ZcNFHA.2252@TK2MSFTNGP15.phx.gbl... > >I ran filemon on the ftp server (SBS 2003). The home folder is on the > >local > > machine. There's is nothing special about the user. That's what has made > > this problem so baffling. The user was created the same was as the first > > two users. > > > > Richard Rosenheim > > > > > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message > > news:eMO5KpZNFHA.2252@TK2MSFTNGP15.phx.gbl... > >> are you running filemon on the ftp server ? > >> what so special about this user ? is the home folder on local machine or > >> remote ? > >> > >> -- > >> Regards, > >> Bernard Cheah > >> http://www.tryiis.com/ > >> http://support.microsoft.com/ > >> http://www.msmvps.com/bernard/ > >> > >> > >> "Richard L Rosenheim" <richard@rlr.com> wrote in message > >> news:e7THk7YNFHA.3668@TK2MSFTNGP14.phx.gbl... > >> > We tried that. It didn't show anything helpful. > >> > > >> > Richard Rosenheim > >> > > >> > "Bernard" <qbernard@hotmail.com.discuss> wrote in message > >> > news:%23bbECn0MFHA.580@TK2MSFTNGP15.phx.gbl... > >> >> I would try filemon (sysinternals.com) and trace 'where' IIS ftp is > >> > sending > >> >> the user. It will also show if there's permission related error msgs. > >> >> > >> >> -- > >> >> Regards, > >> >> Bernard Cheah > >> >> http://www.tryiis.com/ > >> >> http://support.microsoft.com/ > >> >> http://www.msmvps.com/bernard/ > >> >> > >> >> > >> >> "Richard L Rosenheim" <richard@rlr.com> wrote in message > >> >> news:%23d3hVnpMFHA.4028@tk2msftngp13.phx.gbl... > >> >> > I'm trying to configure the FTP portion of a SBS 2003 install. > >> >> > > >> >> > I'm using AD User Isolation. The first two users that I create and > >> >> > configure (using the IISFTP /SetADProp script) works fine. But, I > >> >> > can't > >> >> > get > >> >> > more than two users to work. Any additional users that I create, I > > get > >> > a > >> >> > "503 ... home directory inaccessible" error message when they > >> >> > attempt > >> >> > to > >> >> > establish a FTP connection. The first two users still works fine. > >> >> > > >> >> > I have even done a complete reinstall in case something got screwed > > up > >> > the > >> >> > first time. I still getting the same issues. > >> >> > > >> >> > All that I have installed is SBS 2003 itself, the FTP add-on to IIS, > >> >> > and > >> >> > the > >> >> > patches/updates from WindowsUpdate. No third-party software has > >> >> > been > >> >> > installed. > >> >> > > >> >> > Has anyone else experienced this problem? Anyone know of any > >> >> > solutions, > >> >> > workarounds? > >> >> > > >> >> > TIA, > >> >> > > >> >> > Richard Rosenheim > >> >> > > >> >> > > >> >> > >> >> > >> > > >> > > >> > >> > > > > > >
Thanks for the update - if you have the outcome, pls let me know.
Cheers. -- Regards, Bernard Cheah http://www.tryiis.com/ http://support.microsoft.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Richard L Rosenheim" <richard@rlr.com> wrote in message news:ewsopawNFHA.2580@TK2MSFTNGP09.phx.gbl... > Oh, it definitely doesn't make sense. > > I have tried creating several different users, all with the same results. > I'm also in contact with Microsoft attempting to resolve this issue. I > was > posting in this newsgroup in case someone else had encountered the same > problem. > > Thanks for taking the time to reply, > > Richard Rosenheim > > > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message > news:%23AadjrmNFHA.3560@TK2MSFTNGP14.phx.gbl... >> Well, it just doesn't make sense right ? so for now, I will try to create > a >> new user and see if the same thing happen. And bottom line is I think >> it's >> related NTFS permissions and filemon should show you more detail as of >> why.... >> >> -- >> Regards, >> Bernard Cheah >> http://www.tryiis.com/ >> http://support.microsoft.com/ >> http://www.msmvps.com/bernard/ >> >> >> "Richard L Rosenheim" <richard@rlr.com> wrote in message >> news:%23Cd41ZcNFHA.2252@TK2MSFTNGP15.phx.gbl... >> >I ran filemon on the ftp server (SBS 2003). The home folder is on the >> >local >> > machine. There's is nothing special about the user. That's what has > made >> > this problem so baffling. The user was created the same was as the > first >> > two users. >> > >> > Richard Rosenheim >> > >> > >> > "Bernard" <qbernard@hotmail.com.discuss> wrote in message >> > news:eMO5KpZNFHA.2252@TK2MSFTNGP15.phx.gbl... >> >> are you running filemon on the ftp server ? >> >> what so special about this user ? is the home folder on local machine > or >> >> remote ? >> >> >> >> -- >> >> Regards, >> >> Bernard Cheah >> >> http://www.tryiis.com/ >> >> http://support.microsoft.com/ >> >> http://www.msmvps.com/bernard/ >> >> >> >> >> >> "Richard L Rosenheim" <richard@rlr.com> wrote in message >> >> news:e7THk7YNFHA.3668@TK2MSFTNGP14.phx.gbl... >> >> > We tried that. It didn't show anything helpful. >> >> > >> >> > Richard Rosenheim >> >> > >> >> > "Bernard" <qbernard@hotmail.com.discuss> wrote in message >> >> > news:%23bbECn0MFHA.580@TK2MSFTNGP15.phx.gbl... >> >> >> I would try filemon (sysinternals.com) and trace 'where' IIS ftp is >> >> > sending >> >> >> the user. It will also show if there's permission related error > msgs. >> >> >> >> >> >> -- >> >> >> Regards, >> >> >> Bernard Cheah >> >> >> http://www.tryiis.com/ >> >> >> http://support.microsoft.com/ >> >> >> http://www.msmvps.com/bernard/ >> >> >> >> >> >> >> >> >> "Richard L Rosenheim" <richard@rlr.com> wrote in message >> >> >> news:%23d3hVnpMFHA.4028@tk2msftngp13.phx.gbl... >> >> >> > I'm trying to configure the FTP portion of a SBS 2003 install. >> >> >> > >> >> >> > I'm using AD User Isolation. The first two users that I create > and >> >> >> > configure (using the IISFTP /SetADProp script) works fine. But, >> >> >> > I >> >> >> > can't >> >> >> > get >> >> >> > more than two users to work. Any additional users that I create, > I >> > get >> >> > a >> >> >> > "503 ... home directory inaccessible" error message when they >> >> >> > attempt >> >> >> > to >> >> >> > establish a FTP connection. The first two users still works >> >> >> > fine. >> >> >> > >> >> >> > I have even done a complete reinstall in case something got > screwed >> > up >> >> > the >> >> >> > first time. I still getting the same issues. >> >> >> > >> >> >> > All that I have installed is SBS 2003 itself, the FTP add-on to > IIS, >> >> >> > and >> >> >> > the >> >> >> > patches/updates from WindowsUpdate. No third-party software has >> >> >> > been >> >> >> > installed. >> >> >> > >> >> >> > Has anyone else experienced this problem? Anyone know of any >> >> >> > solutions, >> >> >> > workarounds? >> >> >> > >> >> >> > TIA, >> >> >> > >> >> >> > Richard Rosenheim >> >> >> > >> >> >> > >> >> >> >> >> >> >> >> > >> >> > >> >> >> >> >> > >> > >> >> > >
I'm having the exact same problem as the original poster. I'm using IIS
6 on Windows Server 2003. One user can log on. All the others get "530 User test1 cannot log in, home directory inaccessible." All permissions and AD attributes FTProot and FTPdir are set correctly as far as I can see. A second server in regular (non-AD) user isolation mode, mapped to the same physical root dir works without any problem; all users can log on to their respective homedirs. And there's another funny thing... in the past user isolation using Active Directory HAS worked perfectly for all users. The problem began after the installation of Exchange Server 2003. Exchange Server modifies the group policy to restrict local log on and network access rights. I suspect this is somehow the cause, altough it doesn't explain why one user can still log on. This user is not in Administrators, nor any other extended rights group. Also, I have manually enabled 'local log on' and 'access this computer from the network' for other users with the Group Policy Editor. This didn't change anything. These users still get the mentioned 530 error. Did anybody find the solution to this very strange problem? I'm ready to give up and settle for regular user isolation... -- Ynte Broekhuizen [quoted text, click to view] On Bernard wrote:
> Thanks for the update - if you have the outcome, pls let me know. > > Cheers. > > > "Richard L Rosenheim" <richard@rlr.com> wrote in message > news:ewsopawNFHA.2580@TK2MSFTNGP09.phx.gbl... >> Oh, it definitely doesn't make sense. >> >> I have tried creating several different users, all with the same >> results. I'm also in contact with Microsoft attempting to resolve >> this issue. I was >> posting in this newsgroup in case someone else had encountered the >> same problem. >> >> Thanks for taking the time to reply, >> >> Richard Rosenheim >> >> >> >> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >> news:%23AadjrmNFHA.3560@TK2MSFTNGP14.phx.gbl... >>> Well, it just doesn't make sense right ? so for now, I will try to >>> create a new user and see if the same thing happen. And bottom line >>> is I think it's >>> related NTFS permissions and filemon should show you more detail as >>> of why.... >>> >>> -- >>> Regards, >>> Bernard Cheah >>> http://www.tryiis.com/ >>> http://support.microsoft.com/ >>> http://www.msmvps.com/bernard/ >>> >>> >>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>> news:%23Cd41ZcNFHA.2252@TK2MSFTNGP15.phx.gbl... >>>> I ran filemon on the ftp server (SBS 2003). The home folder is on >>>> the local >>>> machine. There's is nothing special about the user. That's what >>>> has made this problem so baffling. The user was created the same >>>> was as the first two users. >>>> >>>> Richard Rosenheim >>>> >>>> >>>> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >>>> news:eMO5KpZNFHA.2252@TK2MSFTNGP15.phx.gbl... >>>>> are you running filemon on the ftp server ? >>>>> what so special about this user ? is the home folder on local >>>>> machine or remote ? >>>>> >>>>> -- >>>>> Regards, >>>>> Bernard Cheah >>>>> http://www.tryiis.com/ >>>>> http://support.microsoft.com/ >>>>> http://www.msmvps.com/bernard/ >>>>> >>>>> >>>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>>> news:e7THk7YNFHA.3668@TK2MSFTNGP14.phx.gbl... >>>>>> We tried that. It didn't show anything helpful. >>>>>> >>>>>> Richard Rosenheim >>>>>> >>>>>> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >>>>>> news:%23bbECn0MFHA.580@TK2MSFTNGP15.phx.gbl... >>>>>>> I would try filemon (sysinternals.com) and trace 'where' IIS >>>>>>> ftp is sending the user. It will also show if there's >>>>>>> permission related error msgs. >>>>>>> >>>>>>> -- >>>>>>> Regards, >>>>>>> Bernard Cheah >>>>>>> http://www.tryiis.com/ >>>>>>> http://support.microsoft.com/ >>>>>>> http://www.msmvps.com/bernard/ >>>>>>> >>>>>>> >>>>>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>>>>> news:%23d3hVnpMFHA.4028@tk2msftngp13.phx.gbl... >>>>>>>> I'm trying to configure the FTP portion of a SBS 2003 install. >>>>>>>> >>>>>>>> I'm using AD User Isolation. The first two users that I >>>>>>>> create and configure (using the IISFTP /SetADProp script) >>>>>>>> works fine. But, I >>>>>>>> can't >>>>>>>> get >>>>>>>> more than two users to work. Any additional users that I >>>>>>>> create, I get a >>>>>>>> "503 ... home directory inaccessible" error message when they >>>>>>>> attempt >>>>>>>> to >>>>>>>> establish a FTP connection. The first two users still works >>>>>>>> fine. >>>>>>>> >>>>>>>> I have even done a complete reinstall in case something got >>>>>>>> screwed up the >>>>>>>> first time. I still getting the same issues. >>>>>>>> >>>>>>>> All that I have installed is SBS 2003 itself, the FTP add-on >>>>>>>> to IIS, and >>>>>>>> the >>>>>>>> patches/updates from WindowsUpdate. No third-party software >>>>>>>> has been >>>>>>>> installed. >>>>>>>> >>>>>>>> Has anyone else experienced this problem? Anyone know of any >>>>>>>> solutions, >>>>>>>> workarounds? >>>>>>>> >>>>>>>> TIA, >>>>>>>> >>>>>>>> Richard Rosenheim
If you got 530, can't login. then it might be due to logon policy or account
disabled, locked up, etc. For home directory inaccessible, mostly is due to permissions... if you 'clone' that user to another account, you able to login? how about recreate the account ? have you try filemon (sysinternals.com) ? -- Regards, Bernard Cheah http://www.microsoft.com/iis/ http://www.iiswebcastseries.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Ynte Broekhuizen" <ynte@ynte.net> wrote in message news:118ff8lhrl3770b@corp.supernews.com... > I'm having the exact same problem as the original poster. I'm using IIS > 6 on Windows Server 2003. > > One user can log on. All the others get "530 User test1 cannot log in, > home directory inaccessible." > > All permissions and AD attributes FTProot and FTPdir are set correctly > as far as I can see. A second server in regular (non-AD) user isolation > mode, mapped to the same physical root dir works without any problem; > all users can log on to their respective homedirs. > > And there's another funny thing... in the past user isolation using > Active Directory HAS worked perfectly for all users. The problem began > after the installation of Exchange Server 2003. > > Exchange Server modifies the group policy to restrict local log on and > network access rights. I suspect this is somehow the cause, altough it > doesn't explain why one user can still log on. This user is not in > Administrators, nor any other extended rights group. > > Also, I have manually enabled 'local log on' and 'access this computer > from the network' for other users with the Group Policy Editor. This > didn't change anything. These users still get the mentioned 530 error. > > Did anybody find the solution to this very strange problem? > > I'm ready to give up and settle for regular user isolation... > > -- > Ynte Broekhuizen > > On Bernard wrote: >> Thanks for the update - if you have the outcome, pls let me know. >> >> Cheers. >> >> >> "Richard L Rosenheim" <richard@rlr.com> wrote in message >> news:ewsopawNFHA.2580@TK2MSFTNGP09.phx.gbl... >>> Oh, it definitely doesn't make sense. >>> >>> I have tried creating several different users, all with the same >>> results. I'm also in contact with Microsoft attempting to resolve >>> this issue. I was >>> posting in this newsgroup in case someone else had encountered the >>> same problem. >>> >>> Thanks for taking the time to reply, >>> >>> Richard Rosenheim >>> >>> >>> >>> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >>> news:%23AadjrmNFHA.3560@TK2MSFTNGP14.phx.gbl... >>>> Well, it just doesn't make sense right ? so for now, I will try to >>>> create a new user and see if the same thing happen. And bottom line >>>> is I think it's >>>> related NTFS permissions and filemon should show you more detail as >>>> of why.... >>>> >>>> -- >>>> Regards, >>>> Bernard Cheah >>>> http://www.tryiis.com/ >>>> http://support.microsoft.com/ >>>> http://www.msmvps.com/bernard/ >>>> >>>> >>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>> news:%23Cd41ZcNFHA.2252@TK2MSFTNGP15.phx.gbl... >>>>> I ran filemon on the ftp server (SBS 2003). The home folder is on >>>>> the local >>>>> machine. There's is nothing special about the user. That's what >>>>> has made this problem so baffling. The user was created the same >>>>> was as the first two users. >>>>> >>>>> Richard Rosenheim >>>>> >>>>> >>>>> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >>>>> news:eMO5KpZNFHA.2252@TK2MSFTNGP15.phx.gbl... >>>>>> are you running filemon on the ftp server ? >>>>>> what so special about this user ? is the home folder on local >>>>>> machine or remote ? >>>>>> >>>>>> -- >>>>>> Regards, >>>>>> Bernard Cheah >>>>>> http://www.tryiis.com/ >>>>>> http://support.microsoft.com/ >>>>>> http://www.msmvps.com/bernard/ >>>>>> >>>>>> >>>>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>>>> news:e7THk7YNFHA.3668@TK2MSFTNGP14.phx.gbl... >>>>>>> We tried that. It didn't show anything helpful. >>>>>>> >>>>>>> Richard Rosenheim >>>>>>> >>>>>>> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >>>>>>> news:%23bbECn0MFHA.580@TK2MSFTNGP15.phx.gbl... >>>>>>>> I would try filemon (sysinternals.com) and trace 'where' IIS >>>>>>>> ftp is sending the user. It will also show if there's >>>>>>>> permission related error msgs. >>>>>>>> >>>>>>>> -- >>>>>>>> Regards, >>>>>>>> Bernard Cheah >>>>>>>> http://www.tryiis.com/ >>>>>>>> http://support.microsoft.com/ >>>>>>>> http://www.msmvps.com/bernard/ >>>>>>>> >>>>>>>> >>>>>>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>>>>>> news:%23d3hVnpMFHA.4028@tk2msftngp13.phx.gbl... >>>>>>>>> I'm trying to configure the FTP portion of a SBS 2003 install. >>>>>>>>> >>>>>>>>> I'm using AD User Isolation. The first two users that I >>>>>>>>> create and configure (using the IISFTP /SetADProp script) >>>>>>>>> works fine. But, I >>>>>>>>> can't >>>>>>>>> get >>>>>>>>> more than two users to work. Any additional users that I >>>>>>>>> create, I get a >>>>>>>>> "503 ... home directory inaccessible" error message when they >>>>>>>>> attempt >>>>>>>>> to >>>>>>>>> establish a FTP connection. The first two users still works >>>>>>>>> fine. >>>>>>>>> >>>>>>>>> I have even done a complete reinstall in case something got >>>>>>>>> screwed up the >>>>>>>>> first time. I still getting the same issues. >>>>>>>>> >>>>>>>>> All that I have installed is SBS 2003 itself, the FTP add-on >>>>>>>>> to IIS, and >>>>>>>>> the >>>>>>>>> patches/updates from WindowsUpdate. No third-party software >>>>>>>>> has been >>>>>>>>> installed. >>>>>>>>> >>>>>>>>> Has anyone else experienced this problem? Anyone know of any >>>>>>>>> solutions, >>>>>>>>> workarounds? >>>>>>>>> >>>>>>>>> TIA, >>>>>>>>> >>>>>>>>> Richard Rosenheim >
Thanks for your suggestions Bernard.
I did as you said. I created a copy of the user that can log in, and I also created a new user from scratch and set all attributes/groups/etc the same. I even gave them the same password. I also made sure their homedirs/permissions were similar to the first user. And lastly, I set their FTPRoot and FTPDir AD attribs to match these directories. Note: all users in my 'FTP Users' group have local log on and network access rights. The result: Neither of these 2 new users could log in. Both got 530 homedir inaccessable. After this I ran Filemon and set it to filter on "inetinfo". Logging on with the working user gave something like this: 12:55:34 AM inetinfo.exe:3816 OPEN C:\ftp\homes\DOMAIN1\user1\ SUCCESS Options: Open Access: All 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileFsVolumeInformation 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileAllInformation 12:55:35 AM inetinfo.exe:3816 CLOSE C:\ftp\homes\DOMAIN1\user1\ SUCCESS Logging on with the two new users gave... nothing! Not a single event showed in Filemon. This indicated to me that the problem lies not in the file/folder permissions. To double check this I created a folder and set it to deny access to user1 (the one that can log in). I logged on thru ftp and tried to access this folder. Filemon gave me (as it should): 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED DOMAIN1\test1 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED DOMAIN1\test1 So, I think you'll agree that file permissions are not the issue here. Any thoughts? -- Ynte Broekhuizen In article <uLxzFLfWFHA.2796@TK2MSFTNGP09.phx.gbl>, Bernard [quoted text, click to view] <qbernard@hotmail.com.discuss> wrote:
> If you got 530, can't login. then it might be due to logon policy or > account disabled, locked up, etc. > For home directory inaccessible, mostly is due to permissions... > > if you 'clone' that user to another account, you able to login? > how about recreate the account ? > > have you try filemon (sysinternals.com) ? > > > "Ynte Broekhuizen" <ynte@ynte.net> wrote in message > news:118ff8lhrl3770b@corp.supernews.com... >> I'm having the exact same problem as the original poster. I'm using >> IIS 6 on Windows Server 2003. >> >> One user can log on. All the others get "530 User test1 cannot log >> in, home directory inaccessible." >> >> All permissions and AD attributes FTProot and FTPdir are set >> correctly as far as I can see. A second server in regular (non-AD) >> user isolation mode, mapped to the same physical root dir works >> without any problem; all users can log on to their respective >> homedirs. >> >> And there's another funny thing... in the past user isolation using >> Active Directory HAS worked perfectly for all users. The problem >> began after the installation of Exchange Server 2003. >> >> Exchange Server modifies the group policy to restrict local log on >> and network access rights. I suspect this is somehow the cause, >> altough it doesn't explain why one user can still log on. This user >> is not in Administrators, nor any other extended rights group. >> >> Also, I have manually enabled 'local log on' and 'access this >> computer from the network' for other users with the Group Policy >> Editor. This didn't change anything. These users still get the >> mentioned 530 error. >> >> Did anybody find the solution to this very strange problem? >> >> I'm ready to give up and settle for regular user isolation... >> >> -- >> Ynte Broekhuizen >> >> On Bernard wrote: >>> Thanks for the update - if you have the outcome, pls let me know. >>> >>> Cheers. >>> >>> >>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>> news:ewsopawNFHA.2580@TK2MSFTNGP09.phx.gbl... >>>> Oh, it definitely doesn't make sense. >>>> >>>> I have tried creating several different users, all with the same >>>> results. I'm also in contact with Microsoft attempting to resolve >>>> this issue. I was >>>> posting in this newsgroup in case someone else had encountered the >>>> same problem. >>>> >>>> Thanks for taking the time to reply, >>>> >>>> Richard Rosenheim >>>> >>>> >>>> >>>> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >>>> news:%23AadjrmNFHA.3560@TK2MSFTNGP14.phx.gbl... >>>>> Well, it just doesn't make sense right ? so for now, I will try to >>>>> create a new user and see if the same thing happen. And bottom >>>>> line is I think it's >>>>> related NTFS permissions and filemon should show you more detail >>>>> as of why.... >>>>> >>>>> -- >>>>> Regards, >>>>> Bernard Cheah >>>>> http://www.tryiis.com/ >>>>> http://support.microsoft.com/ >>>>> http://www.msmvps.com/bernard/ >>>>> >>>>> >>>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>>> news:%23Cd41ZcNFHA.2252@TK2MSFTNGP15.phx.gbl... >>>>>> I ran filemon on the ftp server (SBS 2003). The home folder is >>>>>> on the local >>>>>> machine. There's is nothing special about the user. That's what >>>>>> has made this problem so baffling. The user was created the same >>>>>> was as the first two users. >>>>>> >>>>>> Richard Rosenheim >>>>>> >>>>>> >>>>>> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >>>>>> news:eMO5KpZNFHA.2252@TK2MSFTNGP15.phx.gbl... >>>>>>> are you running filemon on the ftp server ? >>>>>>> what so special about this user ? is the home folder on local >>>>>>> machine or remote ? >>>>>>> >>>>>>> -- >>>>>>> Regards, >>>>>>> Bernard Cheah >>>>>>> http://www.tryiis.com/ >>>>>>> http://support.microsoft.com/ >>>>>>> http://www.msmvps.com/bernard/ >>>>>>> >>>>>>> >>>>>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>>>>> news:e7THk7YNFHA.3668@TK2MSFTNGP14.phx.gbl... >>>>>>>> We tried that. It didn't show anything helpful. >>>>>>>> >>>>>>>> Richard Rosenheim >>>>>>>> >>>>>>>> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >>>>>>>> news:%23bbECn0MFHA.580@TK2MSFTNGP15.phx.gbl... >>>>>>>>> I would try filemon (sysinternals.com) and trace 'where' IIS >>>>>>>>> ftp is sending the user. It will also show if there's >>>>>>>>> permission related error msgs. >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Regards, >>>>>>>>> Bernard Cheah >>>>>>>>> http://www.tryiis.com/ >>>>>>>>> http://support.microsoft.com/ >>>>>>>>> http://www.msmvps.com/bernard/ >>>>>>>>> >>>>>>>>> >>>>>>>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>>>>>>> news:%23d3hVnpMFHA.4028@tk2msftngp13.phx.gbl... >>>>>>>>>> I'm trying to configure the FTP portion of a SBS 2003 >>>>>>>>>> install. >>>>>>>>>> >>>>>>>>>> I'm using AD User Isolation. The first two users that I >>>>>>>>>> create and configure (using the IISFTP /SetADProp script) >>>>>>>>>> works fine. But, I >>>>>>>>>> can't >>>>>>>>>> get
I finally got it to work again!
I took a look at the security event log, as you suggested. This showed the exact same events for all users. There was no difference between the user that could log on to FTP and all the rest that could not. The log showed how the IIS process offered the credentials, and how the system verified them. From this point of view everything was ok. What also showed, though, was the 'special user' used by IIS to 'gain access to the AD'. As instructed by the setup wizard I gave this special user minimal rights. Meaning no rights at all :) Just to see what would happen, I added this special user to Administrators, restarted the FTP service and.. everything suddenly works! I tried to figure out exactly what part of being an Administrator is required for this. I removed the special user from Administrators again. Then, using policy editor, I went to Default DC Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and put the special user on every right that already said Administrators. This, however, did NOT solve the problem. So it must be something else that is unique to being an Admin. I haven't been able to figure out what yet. I would like to know though. I don't like the idea of having this special user with admin rights, especially with the password stored in the metabase (thanks to Bernard's pages for info on this). What I still can't understand is how one user has always been able to log on to FTP while the special user was no admin. I would like more info on what this special user is used for by IIS. And any suggestions on narrowing down this issue to a certain Admin property are also welcome. -- Ynte Broekhuizen In article <Ov83neqWFHA.1152@TK2MSFTNGP09.phx.gbl>, Bernard [quoted text, click to view] <qbernard@hotmail.com.discuss> wrote:
> Great analysis.... you can say that this is not permission related in > a way :) > On the otherhand, what we know from this test is that.. inetinfo is > not doing anything at all.... meaning the request somehow somewhere > 'block' IIS FTP from further processing the login request. but what > is it? > > I can' t think of any other process. as inetinfo is the host process > for IIS FTP. The next I would try is to enable logon auditing... to > see if security event log capture more useful data. > > > "Ynte Broekhuizen" <ynte@ynte.net> wrote in message > news:118iavdnsjmpk9b@corp.supernews.com... >> Thanks for your suggestions Bernard. >> >> I did as you said. I created a copy of the user that can log in, and >> I also created a new user from scratch and set all >> attributes/groups/etc the same. I even gave them the same password. >> I also made sure their homedirs/permissions were similar to the >> first user. And lastly, I set their FTPRoot and FTPDir AD attribs to >> match these directories. >> >> Note: all users in my 'FTP Users' group have local log on and network >> access rights. >> >> The result: Neither of these 2 new users could log in. Both got 530 >> homedir inaccessable. >> >> After this I ran Filemon and set it to filter on "inetinfo". >> >> Logging on with the working user gave something like this: >> >> 12:55:34 AM inetinfo.exe:3816 OPEN C:\ftp\homes\DOMAIN1\user1\ >> SUCCESS Options: Open Access: All >> 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION >> E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileFsVolumeInformation >> 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION >> E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileAllInformation >> 12:55:35 AM inetinfo.exe:3816 CLOSE C:\ftp\homes\DOMAIN1\user1\ >> SUCCESS >> >> Logging on with the two new users gave... nothing! Not a single event >> showed in Filemon. >> >> This indicated to me that the problem lies not in the file/folder >> permissions. To double check this I created a folder and set it to >> deny access to user1 (the one that can log in). >> I logged on thru ftp and tried to access this folder. Filemon gave me >> (as it should): >> >> 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED >> DOMAIN1\test1 >> 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED >> DOMAIN1\test1 >> >> So, I think you'll agree that file permissions are not the issue >> here. >> >> Any thoughts? >> >> -- >> Ynte Broekhuizen >> >> In article <uLxzFLfWFHA.2796@TK2MSFTNGP09.phx.gbl>, Bernard >> <qbernard@hotmail.com.discuss> wrote: >>> If you got 530, can't login. then it might be due to logon policy or >>> account disabled, locked up, etc. >>> For home directory inaccessible, mostly is due to permissions... >>> >>> if you 'clone' that user to another account, you able to login? >>> how about recreate the account ? >>> >>> have you try filemon (sysinternals.com) ? >>> >>> >>> "Ynte Broekhuizen" <ynte@ynte.net> wrote in message >>> news:118ff8lhrl3770b@corp.supernews.com... >>>> I'm having the exact same problem as the original poster. I'm using >>>> IIS 6 on Windows Server 2003. >>>> >>>> One user can log on. All the others get "530 User test1 cannot log >>>> in, home directory inaccessible." >>>> >>>> All permissions and AD attributes FTProot and FTPdir are set >>>> correctly as far as I can see. A second server in regular (non-AD) >>>> user isolation mode, mapped to the same physical root dir works >>>> without any problem; all users can log on to their respective >>>> homedirs. >>>> >>>> And there's another funny thing... in the past user isolation using >>>> Active Directory HAS worked perfectly for all users. The problem >>>> began after the installation of Exchange Server 2003. >>>> >>>> Exchange Server modifies the group policy to restrict local log on >>>> and network access rights. I suspect this is somehow the cause, >>>> altough it doesn't explain why one user can still log on. This user >>>> is not in Administrators, nor any other extended rights group. >>>> >>>> Also, I have manually enabled 'local log on' and 'access this >>>> computer from the network' for other users with the Group Policy >>>> Editor. This didn't change anything. These users still get the >>>> mentioned 530 error. >>>> >>>> Did anybody find the solution to this very strange problem? >>>> >>>> I'm ready to give up and settle for regular user isolation... >>>> >>>> -- >>>> Ynte Broekhuizen >>>> >>>> On Bernard wrote: >>>>> Thanks for the update - if you have the outcome, pls let me know. >>>>> >>>>> Cheers. >>>>> >>>>> >>>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>>> news:ewsopawNFHA.2580@TK2MSFTNGP09.phx.gbl... >>>>>> Oh, it definitely doesn't make sense. >>>>>> >>>>>> I have tried creating several different users, all with the same >>>>>> results. I'm also in contact with Microsoft attempting to resolve >>>>>> this issue. I was >>>>>> posting in this newsgroup in case someone else had encountered >>>>>> the same problem. >>>>>>
Wow! do you mean this blog ?
http://msmvps.com/bernard/archive/2004/12/24/27276.aspx ha! I totally forget about it. but your case is different. why one is able to read, while one can't. why ??? For those able to login, do they belong to any user group? Need to find out what rights are missing...... How? do you have any GPO or domain policy that restrict new users? password, etc ? Can you use the newly created account (but can't access ftp) to do a windows domain logon on any workstation? If you know which DC that IIS ftp service try to validate in the AD. if you config logon audit again. any differences for the account that able to login and those that can't login? -- Regards, Bernard Cheah http://www.microsoft.com/iis/ http://www.iiswebcastseries.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Ynte Broekhuizen" <ynte@ynte.net> wrote in message
news:118kss05haqqi24@corp.supernews.com... >I finally got it to work again! > > I took a look at the security event log, as you suggested. This showed > the exact same events for all users. There was no difference between the > user that could log on to FTP and all the rest that could not. The log > showed how the IIS process offered the credentials, and how the system > verified them. From this point of view everything was ok. > > What also showed, though, was the 'special user' used by IIS to 'gain > access to the AD'. As instructed by the setup wizard I gave this special > user minimal rights. Meaning no rights at all :) > > Just to see what would happen, I added this special user to > Administrators, restarted the FTP service and.. everything suddenly > works! > > I tried to figure out exactly what part of being an Administrator is > required for this. I removed the special user from Administrators again. > Then, using policy editor, I went to Default DC Policy\Computer > Configuration\Windows Settings\Security Settings\Local Policies\User > Rights Assignment and put the special user on every right that already > said Administrators. This, however, did NOT solve the problem. So it > must be something else that is unique to being an Admin. I haven't been > able to figure out what yet. > > I would like to know though. I don't like the idea of having this > special user with admin rights, especially with the password stored in > the metabase (thanks to Bernard's pages for info on this). > > What I still can't understand is how one user has always been able to > log on to FTP while the special user was no admin. I would like more > info on what this special user is used for by IIS. > > And any suggestions on narrowing down this issue to a certain Admin > property are also welcome. > > -- > Ynte Broekhuizen > > In article <Ov83neqWFHA.1152@TK2MSFTNGP09.phx.gbl>, Bernard > <qbernard@hotmail.com.discuss> wrote: >> Great analysis.... you can say that this is not permission related in >> a way :) >> On the otherhand, what we know from this test is that.. inetinfo is >> not doing anything at all.... meaning the request somehow somewhere >> 'block' IIS FTP from further processing the login request. but what >> is it? >> >> I can' t think of any other process. as inetinfo is the host process >> for IIS FTP. The next I would try is to enable logon auditing... to >> see if security event log capture more useful data. >> >> >> "Ynte Broekhuizen" <ynte@ynte.net> wrote in message >> news:118iavdnsjmpk9b@corp.supernews.com... >>> Thanks for your suggestions Bernard. >>> >>> I did as you said. I created a copy of the user that can log in, and >>> I also created a new user from scratch and set all >>> attributes/groups/etc the same. I even gave them the same password. >>> I also made sure their homedirs/permissions were similar to the >>> first user. And lastly, I set their FTPRoot and FTPDir AD attribs to >>> match these directories. >>> >>> Note: all users in my 'FTP Users' group have local log on and network >>> access rights. >>> >>> The result: Neither of these 2 new users could log in. Both got 530 >>> homedir inaccessable. >>> >>> After this I ran Filemon and set it to filter on "inetinfo". >>> >>> Logging on with the working user gave something like this: >>> >>> 12:55:34 AM inetinfo.exe:3816 OPEN C:\ftp\homes\DOMAIN1\user1\ >>> SUCCESS Options: Open Access: All >>> 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION >>> E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileFsVolumeInformation >>> 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION >>> E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileAllInformation >>> 12:55:35 AM inetinfo.exe:3816 CLOSE C:\ftp\homes\DOMAIN1\user1\ >>> SUCCESS >>> >>> Logging on with the two new users gave... nothing! Not a single event >>> showed in Filemon. >>> >>> This indicated to me that the problem lies not in the file/folder >>> permissions. To double check this I created a folder and set it to >>> deny access to user1 (the one that can log in). >>> I logged on thru ftp and tried to access this folder. Filemon gave me >>> (as it should): >>> >>> 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED >>> DOMAIN1\test1 >>> 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED >>> DOMAIN1\test1 >>> >>> So, I think you'll agree that file permissions are not the issue >>> here. >>> >>> Any thoughts? >>> >>> -- >>> Ynte Broekhuizen >>> >>> In article <uLxzFLfWFHA.2796@TK2MSFTNGP09.phx.gbl>, Bernard >>> <qbernard@hotmail.com.discuss> wrote: >>>> If you got 530, can't login. then it might be due to logon policy or >>>> account disabled, locked up, etc. >>>> For home directory inaccessible, mostly is due to permissions... >>>> >>>> if you 'clone' that user to another account, you able to login? >>>> how about recreate the account ? >>>> >>>> have you try filemon (sysinternals.com) ? >>>> >>>> >>>> "Ynte Broekhuizen" <ynte@ynte.net> wrote in message >>>> news:118ff8lhrl3770b@corp.supernews.com... >>>>> I'm having the exact same problem as the original poster. I'm using >>>>> IIS 6 on Windows Server 2003. >>>>> >>>>> One user can log on. All the others get "530 User test1 cannot log >>>>> in, home directory inaccessible." >>>>> >>>>> All permissions and AD attributes FTProot and FTPdir are set >>>>> correctly as far as I can see. A second server in regular (non-AD) >>>>> user isolation mode, mapped to the same physical root dir works >>>>> without any problem; all users can log on to their respective >>>>> homedirs. >>>>> >>>>> And there's another funny thing... in the past user isolation using >>>>> Active Directory HAS worked perfectly for all users. The problem >>>>> began after the installation of Exchange Server 2003. >>>>> >>>>> Exchange Server modifies the group policy to restrict local log on >>>>> and network access rights. I suspect this is somehow the cause,
Great analysis.... you can say that this is not permission related in a way
:) On the otherhand, what we know from this test is that.. inetinfo is not doing anything at all.... meaning the request somehow somewhere 'block' IIS FTP from further processing the login request. but what is it? I can' t think of any other process. as inetinfo is the host process for IIS FTP. The next I would try is to enable logon auditing... to see if security event log capture more useful data. -- Regards, Bernard Cheah http://www.microsoft.com/iis/ http://www.iiswebcastseries.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Ynte Broekhuizen" <ynte@ynte.net> wrote in message
news:118iavdnsjmpk9b@corp.supernews.com... > Thanks for your suggestions Bernard. > > I did as you said. I created a copy of the user that can log in, and I > also created a new user from scratch and set all attributes/groups/etc > the same. I even gave them the same password. I also made sure their > homedirs/permissions were similar to the first user. And lastly, I set > their FTPRoot and FTPDir AD attribs to match these directories. > > Note: all users in my 'FTP Users' group have local log on and network > access rights. > > The result: Neither of these 2 new users could log in. Both got 530 > homedir inaccessable. > > After this I ran Filemon and set it to filter on "inetinfo". > > Logging on with the working user gave something like this: > > 12:55:34 AM inetinfo.exe:3816 OPEN C:\ftp\homes\DOMAIN1\user1\ SUCCESS > Options: Open Access: All > 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION > E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileFsVolumeInformation > 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION > E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileAllInformation > 12:55:35 AM inetinfo.exe:3816 CLOSE C:\ftp\homes\DOMAIN1\user1\ SUCCESS > > Logging on with the two new users gave... nothing! Not a single event > showed in Filemon. > > This indicated to me that the problem lies not in the file/folder > permissions. To double check this I created a folder and set it to deny > access to user1 (the one that can log in). > I logged on thru ftp and tried to access this folder. Filemon gave me > (as it should): > > 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED > DOMAIN1\test1 > 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED > DOMAIN1\test1 > > So, I think you'll agree that file permissions are not the issue here. > > Any thoughts? > > -- > Ynte Broekhuizen > > In article <uLxzFLfWFHA.2796@TK2MSFTNGP09.phx.gbl>, Bernard > <qbernard@hotmail.com.discuss> wrote: >> If you got 530, can't login. then it might be due to logon policy or >> account disabled, locked up, etc. >> For home directory inaccessible, mostly is due to permissions... >> >> if you 'clone' that user to another account, you able to login? >> how about recreate the account ? >> >> have you try filemon (sysinternals.com) ? >> >> >> "Ynte Broekhuizen" <ynte@ynte.net> wrote in message >> news:118ff8lhrl3770b@corp.supernews.com... >>> I'm having the exact same problem as the original poster. I'm using >>> IIS 6 on Windows Server 2003. >>> >>> One user can log on. All the others get "530 User test1 cannot log >>> in, home directory inaccessible." >>> >>> All permissions and AD attributes FTProot and FTPdir are set >>> correctly as far as I can see. A second server in regular (non-AD) >>> user isolation mode, mapped to the same physical root dir works >>> without any problem; all users can log on to their respective >>> homedirs. >>> >>> And there's another funny thing... in the past user isolation using >>> Active Directory HAS worked perfectly for all users. The problem >>> began after the installation of Exchange Server 2003. >>> >>> Exchange Server modifies the group policy to restrict local log on >>> and network access rights. I suspect this is somehow the cause, >>> altough it doesn't explain why one user can still log on. This user >>> is not in Administrators, nor any other extended rights group. >>> >>> Also, I have manually enabled 'local log on' and 'access this >>> computer from the network' for other users with the Group Policy >>> Editor. This didn't change anything. These users still get the >>> mentioned 530 error. >>> >>> Did anybody find the solution to this very strange problem? >>> >>> I'm ready to give up and settle for regular user isolation... >>> >>> -- >>> Ynte Broekhuizen >>> >>> On Bernard wrote: >>>> Thanks for the update - if you have the outcome, pls let me know. >>>> >>>> Cheers. >>>> >>>> >>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>> news:ewsopawNFHA.2580@TK2MSFTNGP09.phx.gbl... >>>>> Oh, it definitely doesn't make sense. >>>>> >>>>> I have tried creating several different users, all with the same >>>>> results. I'm also in contact with Microsoft attempting to resolve >>>>> this issue. I was >>>>> posting in this newsgroup in case someone else had encountered the >>>>> same problem. >>>>> >>>>> Thanks for taking the time to reply, >>>>> >>>>> Richard Rosenheim >>>>> >>>>> >>>>> >>>>> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >>>>> news:%23AadjrmNFHA.3560@TK2MSFTNGP14.phx.gbl... >>>>>> Well, it just doesn't make sense right ? so for now, I will try to >>>>>> create a new user and see if the same thing happen. And bottom >>>>>> line is I think it's >>>>>> related NTFS permissions and filemon should show you more detail >>>>>> as of why.... >>>>>> >>>>>> -- >>>>>> Regards, >>>>>> Bernard Cheah >>>>>> http://www.tryiis.com/ >>>>>> http://support.microsoft.com/ >>>>>> http://www.msmvps.com/bernard/ >>>>>> >>>>>> >>>>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>>>> news:%23Cd41ZcNFHA.2252@TK2MSFTNGP15.phx.gbl... >>>>>>> I ran filemon on the ftp server (SBS 2003). The home folder is >>>>>>> on the local >>>>>>> machine. There's is nothing special about the user. That's what >>>>>>> has made this problem so baffling. The user was created the same >>>>>>> was as the first two users. >>>>>>> >>>>>>> Richard Rosenheim >>>>>>> >>>>>>> >>>>>>> "Bernard" <qbernard@hotmail.com.discuss> wrote in message >>>>>>> news:eMO5KpZNFHA.2252@TK2MSFTNGP15.phx.gbl... >>>>>>>> are you running filemon on the ftp server ? >>>>>>>> what so special about this user ? is the home folder on local >>>>>>>> machine or remote ? >>>>>>>> >>>>>>>> -- >>>>>>>> Regards, >>>>>>>> Bernard Cheah >>>>>>>> http://www.tryiis.com/ >>>>>>>> http://support.microsoft.com/ >>>>>>>> http://www.msmvps.com/bernard/ >>>>>>>> >>>>>>>> >>>>>>>> "Richard L Rosenheim" <richard@rlr.com> wrote in message >>>>>>>> news:e7THk7YNFHA.3668@TK2MSFTNGP14.phx.gbl... >>>>>>>>> We tried that. It didn't show anything helpful. >>>>>>>>> >>>>>>>>> Richard Rosenheim >>>>>>>>>
Yeah, that's the page. Found it while googling for help on this issue :)
The groups, and everything else that's configurable through the Users and Computers applet is identical for all users. I don't have any GPO in place. The only thing that's different from a default Windows Server 2003 installation are the changes Exchange made to the group policy. All users are able to log onto workstations (double checked this). I don't quite understand what you mean with the last bit. What do you want me to check? And what, in your opinion, does IIS do with the 'special user' that is required for AD user isolation? Why can't it access AD on its own? -- Ynte Broekhuizen In article <OZzpor0WFHA.3348@TK2MSFTNGP14.phx.gbl>, Bernard [quoted text, click to view] <qbernard@hotmail.com.discuss> wrote:
> Wow! do you mean this blog ? > http://msmvps.com/bernard/archive/2004/12/24/27276.aspx > > ha! I totally forget about it. but your case is different. why one is > able to read, while one can't. why ??? For those able to login, do > they belong to any user group? Need to find out what rights are > missing...... > > How? do you have any GPO or domain policy that restrict new users? > password, etc ? Can you use the newly created account (but can't > access ftp) to do a windows domain logon on any workstation? If you > know which DC that IIS ftp service try to validate in the AD. if you > config logon audit again. any differences for the account that able > to login and those that can't login? > > > "Ynte Broekhuizen" <ynte@ynte.net> wrote in message > news:118kss05haqqi24@corp.supernews.com... >> I finally got it to work again! >> >> I took a look at the security event log, as you suggested. This >> showed the exact same events for all users. There was no difference >> between the user that could log on to FTP and all the rest that >> could not. The log showed how the IIS process offered the >> credentials, and how the system verified them. From this point of >> view everything was ok. >> >> What also showed, though, was the 'special user' used by IIS to 'gain >> access to the AD'. As instructed by the setup wizard I gave this >> special user minimal rights. Meaning no rights at all :) >> >> Just to see what would happen, I added this special user to >> Administrators, restarted the FTP service and.. everything suddenly >> works! >> >> I tried to figure out exactly what part of being an Administrator is >> required for this. I removed the special user from Administrators >> again. Then, using policy editor, I went to Default DC >> Policy\Computer Configuration\Windows Settings\Security >> Settings\Local Policies\User Rights Assignment and put the special >> user on every right that already said Administrators. This, however, >> did NOT solve the problem. So it must be something else that is >> unique to being an Admin. I haven't been able to figure out what yet. >> >> I would like to know though. I don't like the idea of having this >> special user with admin rights, especially with the password stored >> in the metabase (thanks to Bernard's pages for info on this). >> >> What I still can't understand is how one user has always been able to >> log on to FTP while the special user was no admin. I would like more >> info on what this special user is used for by IIS. >> >> And any suggestions on narrowing down this issue to a certain Admin >> property are also welcome. >> >> -- >> Ynte Broekhuizen >> >> In article <Ov83neqWFHA.1152@TK2MSFTNGP09.phx.gbl>, Bernard >> <qbernard@hotmail.com.discuss> wrote: >>> Great analysis.... you can say that this is not permission related >>> in a way :) >>> On the otherhand, what we know from this test is that.. inetinfo is >>> not doing anything at all.... meaning the request somehow somewhere >>> 'block' IIS FTP from further processing the login request. but what >>> is it? >>> >>> I can' t think of any other process. as inetinfo is the host process >>> for IIS FTP. The next I would try is to enable logon auditing... to >>> see if security event log capture more useful data. >>> >>> >>> "Ynte Broekhuizen" <ynte@ynte.net> wrote in message >>> news:118iavdnsjmpk9b@corp.supernews.com... >>>> Thanks for your suggestions Bernard. >>>> >>>> I did as you said. I created a copy of the user that can log in, >>>> and I also created a new user from scratch and set all >>>> attributes/groups/etc the same. I even gave them the same password. >>>> I also made sure their homedirs/permissions were similar to the >>>> first user. And lastly, I set their FTPRoot and FTPDir AD attribs >>>> to match these directories. >>>> >>>> Note: all users in my 'FTP Users' group have local log on and >>>> network access rights. >>>> >>>> The result: Neither of these 2 new users could log in. Both got 530 >>>> homedir inaccessable. >>>> >>>> After this I ran Filemon and set it to filter on "inetinfo". >>>> >>>> Logging on with the working user gave something like this: >>>> >>>> 12:55:34 AM inetinfo.exe:3816 OPEN C:\ftp\homes\DOMAIN1\user1\ >>>> SUCCESS Options: Open Access: All >>>> 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION >>>> E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileFsVolumeInformation >>>> 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION >>>> E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileAllInformation >>>> 12:55:35 AM inetinfo.exe:3816 CLOSE C:\ftp\homes\DOMAIN1\user1\ >>>> SUCCESS >>>> >>>> Logging on with the two new users gave... nothing! Not a single >>>> event showed in Filemon. >>>> >>>> This indicated to me that the problem lies not in the file/folder >>>> permissions. To double check this I created a folder and set it to >>>> deny access to user1 (the one that can log in). >>>> I logged on thru ftp and tried to access this folder. Filemon gave >>>> me (as it should): >>>> >>>> 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED >>>> DOMAIN1\test1 >>>> 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED >>>> DOMAIN1\test1 >>>> >>>> So, I think you'll agree that file permissions are not the issue >>>> here. >>>> >>>> Any thoughts? >>>> >>>> -- >>>> Ynte Broekhuizen >>>> >>>> In article <uLxzFLfWFHA.2796@TK2MSFTNGP09.phx.gbl>, Bernard >>>> <qbernard@hotmail.com.discuss> wrote: >>>>> If you got 530, can't login. then it might be due to logon policy >>>>> or account disabled, locked up, etc. >>>>> For home directory inaccessible, mostly is due to permissions... >>>>> >>>>> if you 'clone' that user to another account, you able to login? >>>>> how about recreate the account ? >>>>> >>>>> have you try filemon (sysinternals.com) ? >>>>> >>>>> >>>>> "Ynte Broekhuizen" <ynte@ynte.net> wrote in message >>>>> news:118ff8lhrl3770b@corp.supernews.com... >>>>>> I'm having the exact same problem as the original poster. I'm >>>>>> using IIS 6 on Windows Server 2003. >>>>>>
[quoted text, click to view]
> I don't quite understand what you mean with the last bit. What do you > want me to check? I was just thinking to do the same auditing event in that DC. to see if there's anything wrong. [quoted text, click to view] > And what, in your opinion, does IIS do with the 'special user' that is > required for AD user isolation? Why can't it access AD on its own? Because this is AD object access, we need AD account that has the privileges. IIS with local system account, doesn't have that access. -- Regards, Bernard Cheah http://www.microsoft.com/iis/ http://www.iiswebcastseries.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Ynte Broekhuizen" <ynte@ynte.net> wrote in message
news:118mf79ljl65j11@corp.supernews.com... > Yeah, that's the page. Found it while googling for help on this issue :) > > The groups, and everything else that's configurable through the Users > and Computers applet is identical for all users. > > I don't have any GPO in place. The only thing that's different from a > default Windows Server 2003 installation are the changes Exchange made > to the group policy. All users are able to log onto workstations (double > checked this). > > I don't quite understand what you mean with the last bit. What do you > want me to check? > > And what, in your opinion, does IIS do with the 'special user' that is > required for AD user isolation? Why can't it access AD on its own? > > -- > Ynte Broekhuizen > > In article <OZzpor0WFHA.3348@TK2MSFTNGP14.phx.gbl>, Bernard > <qbernard@hotmail.com.discuss> wrote: >> Wow! do you mean this blog ? >> http://msmvps.com/bernard/archive/2004/12/24/27276.aspx >> >> ha! I totally forget about it. but your case is different. why one is >> able to read, while one can't. why ??? For those able to login, do >> they belong to any user group? Need to find out what rights are >> missing...... >> >> How? do you have any GPO or domain policy that restrict new users? >> password, etc ? Can you use the newly created account (but can't >> access ftp) to do a windows domain logon on any workstation? If you >> know which DC that IIS ftp service try to validate in the AD. if you >> config logon audit again. any differences for the account that able >> to login and those that can't login? >> >> >> "Ynte Broekhuizen" <ynte@ynte.net> wrote in message >> news:118kss05haqqi24@corp.supernews.com... >>> I finally got it to work again! >>> >>> I took a look at the security event log, as you suggested. This >>> showed the exact same events for all users. There was no difference >>> between the user that could log on to FTP and all the rest that >>> could not. The log showed how the IIS process offered the >>> credentials, and how the system verified them. From this point of >>> view everything was ok. >>> >>> What also showed, though, was the 'special user' used by IIS to 'gain >>> access to the AD'. As instructed by the setup wizard I gave this >>> special user minimal rights. Meaning no rights at all :) >>> >>> Just to see what would happen, I added this special user to >>> Administrators, restarted the FTP service and.. everything suddenly >>> works! >>> >>> I tried to figure out exactly what part of being an Administrator is >>> required for this. I removed the special user from Administrators >>> again. Then, using policy editor, I went to Default DC >>> Policy\Computer Configuration\Windows Settings\Security >>> Settings\Local Policies\User Rights Assignment and put the special >>> user on every right that already said Administrators. This, however, >>> did NOT solve the problem. So it must be something else that is >>> unique to being an Admin. I haven't been able to figure out what yet. >>> >>> I would like to know though. I don't like the idea of having this >>> special user with admin rights, especially with the password stored >>> in the metabase (thanks to Bernard's pages for info on this). >>> >>> What I still can't understand is how one user has always been able to >>> log on to FTP while the special user was no admin. I would like more >>> info on what this special user is used for by IIS. >>> >>> And any suggestions on narrowing down this issue to a certain Admin >>> property are also welcome. >>> >>> -- >>> Ynte Broekhuizen >>> >>> In article <Ov83neqWFHA.1152@TK2MSFTNGP09.phx.gbl>, Bernard >>> <qbernard@hotmail.com.discuss> wrote: >>>> Great analysis.... you can say that this is not permission related >>>> in a way :) >>>> On the otherhand, what we know from this test is that.. inetinfo is >>>> not doing anything at all.... meaning the request somehow somewhere >>>> 'block' IIS FTP from further processing the login request. but what >>>> is it? >>>> >>>> I can' t think of any other process. as inetinfo is the host process >>>> for IIS FTP. The next I would try is to enable logon auditing... to >>>> see if security event log capture more useful data. >>>> >>>> >>>> "Ynte Broekhuizen" <ynte@ynte.net> wrote in message >>>> news:118iavdnsjmpk9b@corp.supernews.com... >>>>> Thanks for your suggestions Bernard. >>>>> >>>>> I did as you said. I created a copy of the user that can log in, >>>>> and I also created a new user from scratch and set all >>>>> attributes/groups/etc the same. I even gave them the same password. >>>>> I also made sure their homedirs/permissions were similar to the >>>>> first user. And lastly, I set their FTPRoot and FTPDir AD attribs >>>>> to match these directories. >>>>> >>>>> Note: all users in my 'FTP Users' group have local log on and >>>>> network access rights. >>>>> >>>>> The result: Neither of these 2 new users could log in. Both got 530 >>>>> homedir inaccessable. >>>>> >>>>> After this I ran Filemon and set it to filter on "inetinfo". >>>>> >>>>> Logging on with the working user gave something like this: >>>>> >>>>> 12:55:34 AM inetinfo.exe:3816 OPEN C:\ftp\homes\DOMAIN1\user1\ >>>>> SUCCESS Options: Open Access: All >>>>> 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION >>>>> E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileFsVolumeInformation >>>>> 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION >>>>> E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileAllInformation >>>>> 12:55:35 AM inetinfo.exe:3816 CLOSE C:\ftp\homes\DOMAIN1\user1\ >>>>> SUCCESS >>>>> >>>>> Logging on with the two new users gave... nothing! Not a single >>>>> event showed in Filemon. >>>>> >>>>> This indicated to me that the problem lies not in the file/folder >>>>> permissions. To double check this I created a folder and set it to >>>>> deny access to user1 (the one that can log in). >>>>> I logged on thru ftp and tried to access this folder. Filemon gave >>>>> me (as it should): >>>>> >>>>> 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED >>>>> DOMAIN1\test1 >>>>> 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED >>>>> DOMAIN1\test1 >>>>>
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |