FTP and User Isolation IIS7 Server 2008

  • Question

  • User1135337676 posted

    I feel like I'm the only one using IIS 7 with the new FTP. As you know, the new FTP didn't ship with 2008 Server, but I've downloaded it and I'm trying to get it to work. It's not working.

    I am trying to get FTP User Isolation to work. I am doing User Name Physical Directory. My goal is to have C:\FTP\[username] directories for all of my FTP users. Usernames would be '12345678' or 'test' or '45637654'. I don't want any of the Users to be able to see a directory list. User Isolation should do this.

    Without User Isolation (doing User Name Directory) I can log in to the correct folder... but I can traverse and see other folder names (all in the C:\FTP directory). With User Isolation I cannot login. My error message is as follows:

    C:\>ftp dc1
    Connected to DC1.[domain].net.
    220 Microsoft FTP Service
    User (DC1.[domain].net:(none)): test
    331 Password required for test.
    Password:
    530-User cannot log in, home directory inaccessible.
    Win32 error: The system cannot find the path specified.
    Error details: File system returned an error.
    530 End
    Login failed.
    ftp>

    Any thoughts on how to troubleshoot this would be greatly appreciated.

    Tuesday, May 13, 2008 5:51 PM

Answers

  • User1135337676 posted

    Nothing showed-up in the logs.

    The suggestion on using Virtual Directories didn't work either.

     

    What I finally found was that I was using Domain user accounts instead of Local user accounts and I needed to create a folder for that domain as a sub of the root and then create my user folders C:\FTP\[domain]\[username].

    So for example.net where C:\FTP is the FTP root folder and 12345678 is a User defined in Users and Computers of the Active Directory Domain example.net:

     C:\FTP\example\12345678

     Make sure the domain folder does NOT have the .net extension on it.

     Thank you for your help.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, May 15, 2008 10:06 AM

All replies

  • User1073881637 posted

    I'd check to make sure the Authentication (basic) and Authorization sections are properly configured.   

    Here is how I use FTP user isolation and it works great.

    1) Create a dummy FTPRoot folder

    2) Create a Master FTP site. (just an FTP site) No http.

    3) Create a vdir called 'LocalUser'. map the 'localuser' virtual directory to your dummy folder (grant authenticated users 'list' only permissions)

    4) Under the LocalUser vdir, create your specific user accounts mapped to the appropriate location (these should be vdirs)

    5) Under the User isolation, select the first option (disable global directories)

    6) Under the Authentication section, enable basic authentication if you are using windows accounts.

    7) Under the authorization, grant the user permissions.

    8) Grant appropriate folder security for your test user. 

    9) Test it out.

    See if you get logged in.


     
     

    Wednesday, May 14, 2008 12:28 AM
  • User989702501 posted

    Best way to troubleshoot this error and understand where IIS FTP is trying to send the user to... get procmon or filemon..... look at log and figure out where the user is redirected to.

    Thursday, May 15, 2008 5:21 AM
  • User191465491 posted

    I also was using Domain user accounts and taylordc's solution of C:\FTP\[domain]\[username] worked for me - thanks taylordc!

    Thursday, December 4, 2008 10:05 AM
  • User175579316 posted
    I'm also pulling my hair out trying to migrate to FTP7. I have a cute little application that generates a bat file when a user signs up for a new web/ftp account on my server. The app has been bulletproof on IIS6 for years. Basically, it uses the username and password to: 1) create a NET USER 2) MKDIR the right directories 3) CACLS the right permissions 4) iisftpdr and iiswebdr to create virtual directories. In realtime, they have an account.

    I have revised the bat file with appcmd for iiswebdr and everything works great, EXCEPT FTP. I've read a lot of forum entries (including this one) and tried to figure out two things: 1) How do you use appcmd (or other script) to create the FTP provision for a new account? Is it even necessary anymore? 2) What are the correct settings for User Isolation to make accounts work?

    In IIS6, I have all my user files on D:\ in physical folders with usernames (i.e., d:\localuser\smithx). I have tried every combination of permissions that I can in the FTP wizard. Since the server is NOT part of a domain, I use local accounts only (no AD). Any help would be much appreciated. I am about ready to hire an IIS7 top gun if anyone knows any one in the Akron/Cleveland area... Thanks!
    Sunday, February 1, 2009 2:59 PM
  • User-4264092 posted

    This worked beautifully for me. Thank you Steve!

    Sunday, March 22, 2009 3:24 PM
  • User1430700554 posted

    Nothing showed-up in the logs.

    The suggestion on using Virtual Directories didn't work either.

     

    What I finally found was that I was using Domain user accounts instead of Local user accounts and I needed to create a folder for that domain as a sub of the root and then create my user folders C:\FTP\[domain]\[username].

    So for example.net where C:\FTP is the FTP root folder and 12345678 is a User defined in Users and Computers of the Active Directory Domain example.net:

     C:\FTP\example\12345678

     Make sure the domain folder does NOT have the .net extension on it.

     Thank you for your help.

     This was the explanation that had been eluding me.  Thanks for the follow up post, it really helped me out.

    Wednesday, March 25, 2009 11:24 AM
  • User1073881637 posted

    I wrote a quick blog showing the NetBIOS name needs to be present.   Seems a bit odd honestly, but it works.

    http://weblogs.asp.net/steveschofield/archive/2009/02/20/530-user-cannot-log-in-home-directory-inaccessible-ftp-7-0-user-isolation-and-process-monitor.aspx

    Wednesday, March 25, 2009 12:26 PM
  • User989702501 posted
    netbios name? ooh.. something new for IIS7? this is not in IIS6 :)
    Tuesday, March 31, 2009 4:51 AM
  • User-566421626 posted

    Davdalton,

    I have the exact same problem.  I was using a bat file to create the accounts and FTP in server 2003 using iisftpdr and iisvdir.  These are not supported in iis7.  Did you ever find a solution for FTP?

    Friday, April 30, 2010 1:55 PM
  • User989702501 posted

    The AD config piece for FTP user isolation is not complete at the moment. The current FTP AD config covers the AD username/pwd/etc only. For this, it is part of the user object in AD; you may try adsiedit or some other AD tool to do it.
    Or you can try this PowerShell script from Steve - http://weblogs.asp.net/steveschofield/archive/2009/01/02/powershell-1-0-script-to-update-active-directory-ftp-user-isolation-attributes-msiis-ftpdir-msiis-ftproot.aspx or you can try this: http://blogs.msdn.com/rakkimk/default.aspx?p=5

    Saturday, May 8, 2010 4:25 AM
  • User860072024 posted

    I know this post is old, but here is what I am trying to do. I have several websites that I am hosting on a 2008 R2 Ent box, IIS7 installed with FTP 7.5. I published FTP right out of the website in IIS and am wanting users to log in to their FTP site that is the root of their website, i.e. ftp.sitename|username. Problem is, no matter what FTP site I go to or how I log in, it always takes me to the root FTP of one site. I have figured out a few workarounds but none are user friendly. First, go to IE, try and log in: no go. Second, "open ftp site in windows explorer": then it will take you there, only the root again. Any ideas on this? Isolate users based on home directory of user's website... maybe using host headers in FTP that coincide with www host headers?

    thanks for any advice.

    Tuesday, August 24, 2010 8:36 AM
  • User-566421626 posted

    This site helped me http://aspalliance.com/386

    Tuesday, August 24, 2010 3:25 PM
  • User989702501 posted
    What user isolation mode did you configure? New IE will not connect to FTP anymore; it will ask for Windows Explorer for such a request. Does it happen to all users or just one? What about command prompt or other FTP client? Same behavior?
    Wednesday, August 25, 2010 10:44 AM
  • User-1371092414 posted

    Thanks so much for your tip! This also worked for me!

    I'm migrating an IIS6 (Win2003) server to IIS7 (Win2008) and I was trying to implement domain accounts instead of the LocalUser accounts that were configured in IIS6. Banging my head on the wall for a couple of days until I found your post!

    I was also having problems connecting via FTP with an FTP client (command line was working perfectly) to the user's home directory but constantly getting an "Error: Failed to retrieve directory listing" and found out that changing the FTP connection to active mode solved the problem.

    Cheers!

    Tuesday, May 31, 2011 10:40 AM
  • User-1371092414 posted

     I was referring to taylordc's post.

    Tuesday, May 31, 2011 10:41 AM
  • User-829820228 posted

     Hello guys I have a question that is driving me nuts.

     

    So i have FTP site running all good and happy, 

     

    only specified users have access, but now I created a virtual directory within FTP and I need only a specific user to access the virtual directory (that works), but the user can go back to the main FTP site and see other folders. How can I give access to only one folder within FTP and that's it? I don't want the user to see anything else. Is anyone following me here?

     

    thanks so much in advance

    Thursday, August 25, 2011 3:46 PM
  • User-829820228 posted

     well what i did was, give access to the FTP site and give access to the virtual directory , and denied access to all other folders within FTP that works since i have only 5 folders in FTP but what happens when i have 100 folders it would take me forever to deny access to 99 folders and provide access to one folder, there must be a more efficient way please HELP

    Thursday, August 25, 2011 4:13 PM
  • User989702501 posted

    That's the purpose of user isolation mode; however, if you use a vdir as a workaround to redirect the user to the target folder, the user will be able to cd .. back to the root, I believe, hence restricting access at NTFS is the best way. If you have a lot of folders then use icacls.exe and script it.

    Thursday, August 25, 2011 11:21 PM
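
The two fixes discussed in this thread (home folders at C:\FTP\[domain]\[username] using the NetBIOS domain name, and scripting NTFS restrictions with icacls.exe) can be combined in one provisioning script. This is an added example, not code from any poster; the sample accounts, the `Get-IsolationHome` helper and the choice of ACL entries are assumptions, as is placing local accounts under `LocalUser`.

```powershell
# Added example, not code from the thread. Root and accounts are constructed samples.
param(
    [string]$FtpRoot    = 'C:\FTP',
    [string[]]$Accounts = @('EXAMPLE\12345678', 'test')
)

# Hypothetical helper: maps an account name to its user-isolation home folder.
function Get-IsolationHome {
    param([string]$Root, [string]$Account)
    if ($Account -match '^(?<dom>[^\\]+)\\(?<user>[^\\]+)$') {
        $dom = $Matches['dom']; $user = $Matches['user']
        # The folder must be the NetBIOS domain name (EXAMPLE), not the DNS name (example.net).
        if ($dom -match '\.') { throw "'$dom' looks like a DNS name; use the NetBIOS domain name." }
        return Join-Path (Join-Path $Root $dom) $user
    }
    # Assumption: local accounts live under <root>\LocalUser\<username>.
    return Join-Path (Join-Path $Root 'LocalUser') $Account
}

foreach ($acct in $Accounts) {
    $homeDir = Get-IsolationHome -Root $FtpRoot -Account $acct
    if (-not (Test-Path -LiteralPath $homeDir)) {
        New-Item -ItemType Directory -Path $homeDir -Force | Out-Null
    }
    # Drop inherited ACEs so other FTP users get nothing from the parent folder, then
    # grant Modify to the owning account only, plus Full for Administrators and SYSTEM.
    & icacls.exe $homeDir /inheritance:r /grant:r `
        "${acct}:(OI)(CI)M" `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $homeDir"; continue }
    Write-Output "$acct -> $homeDir"
}
```

The script leaves permissions on the FTP root and the domain or LocalUser folder untouched; only each user's own folder is locked down.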