| Groups | Blog | Home |
iis ftp : ftp virtual folder access
I recently migrated a webserver using windows server 2000 and IIs 5.0 to a
new machine with windows server 2003 sp1 and IIs 6.0. The new server is now part of a new active directory domain, the old one was in a workgroup. This server is for a local isp and it hosts 10 web domains. The isp has it's own web domain and this isp offers internet users free webspace on their site. The previous setup utilized virtual directories under their domain for both displaying the personal web sites and ftp access. Since they were using IIs 5.0, they did not utilize user isolation. Instead they placed the user folders in a different directory and setup local users on the webserver for ftp access. Everything is working very well, except for the ftp virtual directories. The website virtual directories are viewable on the internet, but users are not able to login to their personal websites. I have setup the same local users that were setup on the old webserver. I have tried using user isolation with folders under the website's directory and I have tried using it without user isolation in a different directory, but every time I try to log into a ftp site that is using a virtual directory, I get an event in the webservers system event log" event id 13 from source MSFTPSVC, user "whoever I try" failed to log on, could not access the home directory /. I went as far as to share the folder out for one user, and ran a unc path over the internet and was able to connect fine using the user's credentials, yet I cannot connect through ftp, either from a command line or internet explorer of an ftp client. The users in question, do have the logon locally permission. I have followed every doc I could find from Microsoft and still no luck. Do I need to create a/d users in the local domain?? I have no idea what is wrong. One thing I did note was that on the old webserver(IIs 5.0), there was no default ftp site, it appears that they simply renamed and configured it to be the isp's ftp site. On the new webserver, I didn't use the default ftp site and since it defaulted to all available ip addresses and would cause all of the other sites to stop. The webserver has all of the ip addresses for the websites in the nic properties and each site is assigned it's address in IIs. I've tried to use filemon while trying to log in, but I honestly didn't see anything that would help. I have tried setting things up with ad isolation mode and using standard, but get the same result either way. I did add localuser to the directory as I was supposed for isolation mode, but that maded no difference. I also tried iisreset.
There's no need to start a new thread just reply to the previous thread.
Now - you don't need logon locally rights for IIS FTP 6, it is done via network interactive. what ftp user isolation mode you created ? AD or local ? do a query with adsutil.vbs c:\inetpub\adminscripts> adsutil get msftpsvc/xxxx/UserIsolationMode xxx is the site id. -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Rodge" <Rodge@discussions.microsoft.com> wrote in message news:A7B82EF4-9167-492A-8473-71221E8AC060@microsoft.com... >I recently migrated a webserver using windows server 2000 and IIs 5.0 to a > new machine with windows server 2003 sp1 and IIs 6.0. The new server is > now > part of a new active directory domain, the old one was in a workgroup. > This > server is for a local isp and it hosts 10 web domains. The isp has it's > own > web domain and this isp offers internet users free webspace on their site. > The previous setup utilized virtual directories under their domain for > both > displaying the personal web sites and ftp access. Since they were using > IIs > 5.0, they did not utilize user isolation. Instead they placed the user > folders in a different directory and setup local users on the webserver > for > ftp access. Everything is working very well, except for the ftp virtual > directories. The website virtual directories are viewable on the internet, > but users are not able to login to their personal websites. I have setup > the > same local users that were setup on the old webserver. I have tried using > user isolation with folders under the website's directory and I have tried > using it without user isolation in a different directory, but every time I > try to log into a ftp site that is using a virtual directory, I get an > event > in the webservers system event log" event id 13 from source MSFTPSVC, user > "whoever I try" failed to log on, could not access the home directory /. I > went as far as to share the folder out for one user, and ran a unc path > over > the internet and was able to connect fine using the user's credentials, > yet I > cannot connect through ftp, either from a command line or internet > explorer > of an ftp client. The users in question, do have the logon locally > permission. I have followed every doc I could find from Microsoft and > still > no luck. Do I need to create a/d users in the local domain?? I have no > idea > what is wrong. One thing I did note was that on the old webserver(IIs > 5.0), > there was no default ftp site, it appears that they simply renamed and > configured it to be the isp's ftp site. On the new webserver, I didn't use > the default ftp site and since it defaulted to all available ip addresses > and > would cause all of the other sites to stop. The webserver has all of the > ip > addresses for the websites in the nic properties and each site is assigned > it's address in IIs. > I've tried to use filemon while trying to log in, but I honestly didn't > see > anything that would help. I have tried setting things up with ad isolation > mode and using standard, but get the same result either way. I did add > localuser to the directory as I was supposed for isolation mode, but that > maded no difference. I also tried iisreset. > >
I am using mode 2, sorry I thought I mentioned that. I have the ftp directory
setup as ftproot/domainname/username......but I am confused because I read that I needed to give logon locally to have access. So, you are saying, I can remove the ftp users group I created in active directory from logon locally and access this computer from the network? Since I was having trouble with access, I also set ntfs file permissions for each ftp user, even though I was under the impression that the virstual directories would take care of that for me. Can I remove the uses from the ntfs file permissions? Also, the directory structure for all of the websites vs. the ftp sites was setup before I came into the picture, so what I did was move the user directories from wwwroot to ftproot. [quoted text, click to view] "Bernard Cheah [MVP]" wrote:
> There's no need to start a new thread just reply to the previous thread. > > Now - you don't need logon locally rights for IIS FTP 6, it is done via > network interactive. > what ftp user isolation mode you created ? AD or local ? > > do a query with adsutil.vbs > > c:\inetpub\adminscripts> adsutil get msftpsvc/xxxx/UserIsolationMode > > xxx is the site id. > > -- > Regards, > Bernard Cheah > http://www.iis.net/ > http://www.iis-resources.com/ > http://msmvps.com/blogs/bernard/ > > > "Rodge" <Rodge@discussions.microsoft.com> wrote in message > news:A7B82EF4-9167-492A-8473-71221E8AC060@microsoft.com... > >I recently migrated a webserver using windows server 2000 and IIs 5.0 to a > > new machine with windows server 2003 sp1 and IIs 6.0. The new server is > > now > > part of a new active directory domain, the old one was in a workgroup. > > This > > server is for a local isp and it hosts 10 web domains. The isp has it's > > own > > web domain and this isp offers internet users free webspace on their site. > > The previous setup utilized virtual directories under their domain for > > both > > displaying the personal web sites and ftp access. Since they were using > > IIs > > 5.0, they did not utilize user isolation. Instead they placed the user > > folders in a different directory and setup local users on the webserver > > for > > ftp access. Everything is working very well, except for the ftp virtual > > directories. The website virtual directories are viewable on the internet, > > but users are not able to login to their personal websites. I have setup > > the > > same local users that were setup on the old webserver. I have tried using > > user isolation with folders under the website's directory and I have tried > > using it without user isolation in a different directory, but every time I > > try to log into a ftp site that is using a virtual directory, I get an > > event > > in the webservers system event log" event id 13 from source MSFTPSVC, user > > "whoever I try" failed to log on, could not access the home directory /. I > > went as far as to share the folder out for one user, and ran a unc path > > over > > the internet and was able to connect fine using the user's credentials, > > yet I > > cannot connect through ftp, either from a command line or internet > > explorer > > of an ftp client. The users in question, do have the logon locally > > permission. I have followed every doc I could find from Microsoft and > > still > > no luck. Do I need to create a/d users in the local domain?? I have no > > idea > > what is wrong. One thing I did note was that on the old webserver(IIs > > 5.0), > > there was no default ftp site, it appears that they simply renamed and > > configured it to be the isp's ftp site. On the new webserver, I didn't use > > the default ftp site and since it defaulted to all available ip addresses > > and > > would cause all of the other sites to stop. The webserver has all of the > > ip > > addresses for the websites in the nic properties and each site is assigned > > it's address in IIs. > > I've tried to use filemon while trying to log in, but I honestly didn't > > see > > anything that would help. I have tried setting things up with ad isolation > > mode and using standard, but get the same result either way. I did add > > localuser to the directory as I was supposed for isolation mode, but that > > maded no difference. I also tried iisreset. > > > > > >
Bernard, I think I am starting to see where the problem is. I have a
website, www.iceweb.net and this site is located under inetpub\iceweb\mainsite. From this mainsite are several personal sites; i.e. www.iceweb.net\dlh, etc. I created the virtual directories under this site and located their folders in inetpub\iceweb\mainsite\dlh thinking they would be able to see only their directories, and that actually cleared the 530 errors, however, now they are directed to the mainsite directory. So, I changed the folder location under the virtual directory property to inetpub\iceweb\dlh and all is well. I was just not understanding how the directory structure should be layed out. [quoted text, click to view] "Bernard Cheah [MVP]" wrote:
> There's no need to start a new thread just reply to the previous thread. > > Now - you don't need logon locally rights for IIS FTP 6, it is done via > network interactive. > what ftp user isolation mode you created ? AD or local ? > > do a query with adsutil.vbs > > c:\inetpub\adminscripts> adsutil get msftpsvc/xxxx/UserIsolationMode > > xxx is the site id. > > -- > Regards, > Bernard Cheah > http://www.iis.net/ > http://www.iis-resources.com/ > http://msmvps.com/blogs/bernard/ > > > "Rodge" <Rodge@discussions.microsoft.com> wrote in message > news:A7B82EF4-9167-492A-8473-71221E8AC060@microsoft.com... > >I recently migrated a webserver using windows server 2000 and IIs 5.0 to a > > new machine with windows server 2003 sp1 and IIs 6.0. The new server is > > now > > part of a new active directory domain, the old one was in a workgroup. > > This > > server is for a local isp and it hosts 10 web domains. The isp has it's > > own > > web domain and this isp offers internet users free webspace on their site. > > The previous setup utilized virtual directories under their domain for > > both > > displaying the personal web sites and ftp access. Since they were using > > IIs > > 5.0, they did not utilize user isolation. Instead they placed the user > > folders in a different directory and setup local users on the webserver > > for > > ftp access. Everything is working very well, except for the ftp virtual > > directories. The website virtual directories are viewable on the internet, > > but users are not able to login to their personal websites. I have setup > > the > > same local users that were setup on the old webserver. I have tried using > > user isolation with folders under the website's directory and I have tried > > using it without user isolation in a different directory, but every time I > > try to log into a ftp site that is using a virtual directory, I get an > > event > > in the webservers system event log" event id 13 from source MSFTPSVC, user > > "whoever I try" failed to log on, could not access the home directory /. I > > went as far as to share the folder out for one user, and ran a unc path > > over > > the internet and was able to connect fine using the user's credentials, > > yet I > > cannot connect through ftp, either from a command line or internet > > explorer > > of an ftp client. The users in question, do have the logon locally > > permission. I have followed every doc I could find from Microsoft and > > still > > no luck. Do I need to create a/d users in the local domain?? I have no > > idea > > what is wrong. One thing I did note was that on the old webserver(IIs > > 5.0), > > there was no default ftp site, it appears that they simply renamed and > > configured it to be the isp's ftp site. On the new webserver, I didn't use > > the default ftp site and since it defaulted to all available ip addresses > > and > > would cause all of the other sites to stop. The webserver has all of the > > ip > > addresses for the websites in the nic properties and each site is assigned > > it's address in IIs. > > I've tried to use filemon while trying to log in, but I honestly didn't > > see > > anything that would help. I have tried setting things up with ad isolation > > mode and using standard, but get the same result either way. I did add > > localuser to the directory as I was supposed for isolation mode, but that > > maded no difference. I also tried iisreset. > > > > > >
Mode 2 is user isolation with AD integration. so the path you need to set in
user AD attribute. refer - http://msmvps.com/blogs/bernard/archive/2006/03/14/86260.aspx And I believe you doesn't need logon locally, but you can test it out. I tested it in normal ftp setup, it does not require logon locally. Enable security auditing, you should able to track this. As for the permissions, user need to have explicits ACL if you are not granting on group level. virtual directory is not the final or file level access restriction. -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Rodge" <Rodge@discussions.microsoft.com> wrote in message news:DFA75A11-F5CD-4DA6-B255-CB42686BE794@microsoft.com... >I am using mode 2, sorry I thought I mentioned that. I have the ftp >directory > setup as ftproot/domainname/username......but I am confused because I read > that I needed to give logon locally to have access. So, you are saying, I > can > remove the ftp users group I created in active directory from logon > locally > and access this computer from the network? Since I was having trouble with > access, I also set ntfs file permissions for each ftp user, even though I > was > under the impression that the virstual directories would take care of that > for me. Can I remove the uses from the ntfs file permissions? Also, the > directory structure for all of the websites vs. the ftp sites was setup > before I came into the picture, so what I did was move the user > directories > from wwwroot to ftproot. > > "Bernard Cheah [MVP]" wrote: > >> There's no need to start a new thread just reply to the previous thread. >> >> Now - you don't need logon locally rights for IIS FTP 6, it is done via >> network interactive. >> what ftp user isolation mode you created ? AD or local ? >> >> do a query with adsutil.vbs >> >> c:\inetpub\adminscripts> adsutil get msftpsvc/xxxx/UserIsolationMode >> >> xxx is the site id. >> >> -- >> Regards, >> Bernard Cheah >> http://www.iis.net/ >> http://www.iis-resources.com/ >> http://msmvps.com/blogs/bernard/ >> >> >> "Rodge" <Rodge@discussions.microsoft.com> wrote in message >> news:A7B82EF4-9167-492A-8473-71221E8AC060@microsoft.com... >> >I recently migrated a webserver using windows server 2000 and IIs 5.0 to >> >a >> > new machine with windows server 2003 sp1 and IIs 6.0. The new server is >> > now >> > part of a new active directory domain, the old one was in a workgroup. >> > This >> > server is for a local isp and it hosts 10 web domains. The isp has it's >> > own >> > web domain and this isp offers internet users free webspace on their >> > site. >> > The previous setup utilized virtual directories under their domain for >> > both >> > displaying the personal web sites and ftp access. Since they were using >> > IIs >> > 5.0, they did not utilize user isolation. Instead they placed the user >> > folders in a different directory and setup local users on the webserver >> > for >> > ftp access. Everything is working very well, except for the ftp virtual >> > directories. The website virtual directories are viewable on the >> > internet, >> > but users are not able to login to their personal websites. I have >> > setup >> > the >> > same local users that were setup on the old webserver. I have tried >> > using >> > user isolation with folders under the website's directory and I have >> > tried >> > using it without user isolation in a different directory, but every >> > time I >> > try to log into a ftp site that is using a virtual directory, I get an >> > event >> > in the webservers system event log" event id 13 from source MSFTPSVC, >> > user >> > "whoever I try" failed to log on, could not access the home directory >> > /. I >> > went as far as to share the folder out for one user, and ran a unc path >> > over >> > the internet and was able to connect fine using the user's credentials, >> > yet I >> > cannot connect through ftp, either from a command line or internet >> > explorer >> > of an ftp client. The users in question, do have the logon locally >> > permission. I have followed every doc I could find from Microsoft and >> > still >> > no luck. Do I need to create a/d users in the local domain?? I have no >> > idea >> > what is wrong. One thing I did note was that on the old webserver(IIs >> > 5.0), >> > there was no default ftp site, it appears that they simply renamed and >> > configured it to be the isp's ftp site. On the new webserver, I didn't >> > use >> > the default ftp site and since it defaulted to all available ip >> > addresses >> > and >> > would cause all of the other sites to stop. The webserver has all of >> > the >> > ip >> > addresses for the websites in the nic properties and each site is >> > assigned >> > it's address in IIs. >> > I've tried to use filemon while trying to log in, but I honestly didn't >> > see >> > anything that would help. I have tried setting things up with ad >> > isolation >> > mode and using standard, but get the same result either way. I did add >> > localuser to the directory as I was supposed for isolation mode, but >> > that >> > maded no difference. I also tried iisreset. >> > >> > >> >> >>
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |