Need help with Public FTP site please

  • Question

  • User-1395118305 posted

    Hello,

    I am trying to set up a public FTP site and am having trouble understanding the concept here.

    I want to create the FTProot folder and under that folder have the users folders as I have normally done in the past. I want the user to dial in the default IP or host name of the ftp site and when prompted enter their creds and then taken to their folder and not be able to navigate up.

    I have read and watched the vids on FTP including this one

    http://learn.iis.net/page.aspx/305/configuring-ftp-user-isolation/

    But I am having no success. I was using Filezilla before because it was much easier to manage. You just created the user and set the directory and you were done. I now would like to use the native ftp in IIS7. I have to be misunderstanding something.

    Thanks

    Joseph

    Friday, February 20, 2009 1:42 PM


All replies

  • User1073881637 posted

    Did you follow the 'Configuring User Isolation Settings for All Directories' section?  You need to create the 'LocalUser' vdir, then create the user vdirs.  What I did was create a folder called c:\domains\ftproot, then map the LocalUser to this path.  Then created a folder below for each user.  What I would suggest is to download Process Monitor, filter on the PID and see what errors you are getting.  I posted a blog post on using Process Monitor.

    http://weblogs.asp.net/steveschofield/archive/2009/02/20/530-user-cannot-log-in-home-directory-inaccessible-ftp-7-0-user-isolation-and-process-monitor.aspx

    Also, I would enable auditing to see if anything is in the security event log.

    http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx

     

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Friday, February 20, 2009 9:42 PM
  • User-1395118305 posted

    Hello Steve,

    Thanks so much for your help here! I managed to get the site to work but I think that it is not correct. I will look at the suggested URLs that you posted and I will read in depth about it.

    I thought that MS was going to get the FTP thing sorted out. Geeezzz what a scenario.

    thanks so much for your time

     

    Joseph

    Saturday, February 21, 2009 2:03 AM
  • User1073881637 posted

    I agree the user isolation trick seems a little hokey compared to other products.  I've only implemented ws-ftp server besides working with IIS FTP.  I like the fact the new one has SSL support along with other stuff.  The 7.5 FTP will have a way for people to write code against it.  Hope the article helps, I've been meaning to do something with process monitor for a while. :)

    Take care.

    Saturday, February 21, 2009 6:30 AM
  • User-1395118305 posted

    Hello Steve,

    I have another question. How do you access an FTP site via SSL? Come to think of it, I have never done it.

    I set the cert in IIS manager but is there a special port or URL?

    Thank you

    Joe

    Saturday, February 21, 2009 10:25 AM
  • User1073881637 posted

    Here is an article.

    http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/

    You can use port 21 and you'll have to open PASV ports.  The standard port is 990 for FTP over SSL, but the IIS 7.0 allows for port 21 over SSL, which is nice.  I'm sure other programs allow for changing the port, I've never tested. 

    http://www.auditmypc.com/port/udp-port-990.asp

    Saturday, February 21, 2009 12:43 PM
  • User-1395118305 posted

    Thanks again Steve,

    I think I am going to stick with FileZilla for now as I am having more issues with this FTP server.

    I am getting: Server sent passive reply with unroutable address..

     

    Have you seen this before? I only get it with SSL connections and I get no dir listing.

    Sunday, February 22, 2009 10:25 AM
  • User1073881637 posted

    I've seen a similar issue where the DIR listing doesn't work. 

    http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

    You have to set PASV (passive) ports in IIS and on your firewall.   After your client connects, it connects on a pasv port.  I normally use 4900-4910 for starters.  This can depend on how many concurrent connections you expect.

    The one reason why I like using FTP 7.0 w/SSL is I can use with Active Directory or local accounts, which can be used for other logins.  Mileage may vary.  Good luck!

    Sunday, February 22, 2009 12:44 PM
  • User-1395118305 posted

    Hello Steve,

    thanks for the reply,

    No doubt I like MS FTP too and I have AD on my network. I read that article and I only have the IP available to me... the ports are shaded out. I guess this is because I do not have the firewall on at all.

    I am behind a Cisco and a Firebox that only have 21, 990 open at this time. Do you think that I should try opening these ports on that firewall? Of course this sounds like a ridiculous question but nonetheless I asked.

     

    Thanks

    Joseph

    Sunday, February 22, 2009 1:08 PM
  • User1073881637 posted

    I would try 4900-4910 and configure the FTP ports and test from outside. After you connect remotely, it should show in the FTP logs what pasv port is being connected to.

     

    Sunday, February 22, 2009 1:44 PM
  • User-1395118305 posted

    Ok sounds like a great idea. Do you happen to know why my ports are shaded out in IIS manager for the FTP site? Is it because my Windows Firewall is not on?

     

    Thanks, I will try from outside later. I do appreciate your time, Steve.

     

    Joseph

    Sunday, February 22, 2009 1:59 PM
  • User1073881637 posted
    You have to set the ports at the computer level, not site level. 


    Sunday, February 22, 2009 5:03 PM
  • User-1395118305 posted

    Thanks Steve 

    Ok I am aware of that but if Windows Firewall is Off, there are no ports blocked. There is no Firewall. I have it off in the services section set to manual.

    My ports at the site level are shaded out for the FTP.

    Sunday, February 22, 2009 5:33 PM
  • User1073881637 posted

    Is there a firewall on your external router?  Cisco or Firebox device?   Here is the picture inside IIS manager I'm trying to mention.

    http://www.iislogs.com/images/ftpsslports.jpg

     

     

    Sunday, February 22, 2009 7:35 PM
  • User-1395118305 posted

    Hello Steve, 

    I think that I forgot to say this. I can access the site NON SSL and get directory listings; I just cannot do it with SSL. Also, I finally looked at the logs like I was supposed to do and the data ports are constantly changing: sometimes it is 49900-49925 and other times it is 65000 - 65003.

    See:

    2009-02-23 20:28:52 - DB108\Administrator 10.10.111.9 62654 DataChannelClosed - - 258 15 3fd82ff5-13d5-4888-ac09-

     2009-02-23 03:21:54 75.147.211.xx DB108\Administrator 10.10.111.9 49948 DataChannelClosed - - 64 0 4b08a95b-d480

    ***************************************************************************************************************

    Here is the FTP Client feedback: 

    Status: Resolving address of ftp.archive.
    Status: Connecting to 75.147.211.xx:990...
    Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
    Error: Could not connect to server
    Status: Waiting to retry...
    Status: Delaying connection due to previously failed connection attempt...
    Status: Resolving address of ftp.archive.
    Status: Connecting to 75.147.211.xx:990...
    Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
    Error: Could not connect to server
    Status: Waiting to retry...
    Error: Connection attempt interrupted by user
    Status: Resolving address of ftp.archive
    Status: Connecting to 75.147.211.xx:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 Microsoft FTP Service
    Command: AUTH TLS
    Response: 234 AUTH command ok. Expecting TLS Negotiation.
    Status: Initializing TLS...
    Status: Verifying certificate...
    Command: USER administrator
    Status: TLS/SSL connection established.
    Response: 331 Password required for administrator.
    Command: PASS **********
    Response: 230 User logged in.
    Command: SYST
    Response: 215 Windows_NT
    Command: FEAT
    Response: 211-Extended features supported:
    Response:  LANG EN*
    Response:  UTF8
    Response:  AUTH TLS;TLS-C;SSL;TLS-P;
    Response:  PBSZ
    Response:  PROT C;P;
    Response:  CCC
    Response:  HOST
    Response:  SIZE
    Response:  MDTM
    Response: 211 END
    Command: OPTS UTF8 ON
    Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
    Command: PBSZ 0
    Response: 200 PBSZ command successful.
    Command: PROT P
    Response: 200 PROT command successful.
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I.
    Command: PASV
    Response: 227 Entering Passive Mode (10,10,111,9,244,190).
    Status: Server sent passive reply with unroutable address. Using server address instead.
    Command: LIST
    Response: 150 Opening BINARY mode data connection.
    Error: Connection timed out
    Error: Failed to retrieve directory listing
    Status: Resolving address of ftp.archive.
    Status: Connecting to 75.147.211.xx:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 Microsoft FTP Service
    Command: AUTH TLS
    Response: 234 AUTH command ok. Expecting TLS Negotiation.
    Status: Initializing TLS...
    Status: Verifying certificate...
    Command: USER administrator
    Status: TLS/SSL connection established.
    Response: 331 Password required for administrator.
    Command: PASS **********
    Response: 230 User logged in.
    Command: OPTS UTF8 ON
    Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
    Command: PBSZ 0
    Response: 200 PBSZ command successful.
    Command: PROT P
    Response: 200 PROT command successful.
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I.
    Command: PASV
    Response: 227 Entering Passive Mode (75,147,211,xx,244,191).
    Command: LIST
    Response: 150 Opening BINARY mode data connection.
    Error: Connection timed out
    Error: Failed to retrieve directory listing
    Status: Resolving address of ftp.archive.
    Status: Connecting to 75.147.211.xx:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 Microsoft FTP Service
    Command: AUTH TLS
    Response: 234 AUTH command ok. Expecting TLS Negotiation.
    Status: Initializing TLS...
    Status: Verifying certificate...
    Command: USER administrator
    Status: TLS/SSL connection established.
    Response: 331 Password required for administrator.
    Command: PASS **********
    Response: 230 User logged in.
    Command: OPTS UTF8 ON
    Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
    Command: PBSZ 0
    Response: 200 PBSZ command successful.
    Command: PROT P
    Response: 200 PROT command successful.
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I.
    Command: PASV
    Response: 227 Entering Passive Mode (75,147,211,xx,244,193).
    Command: LIST
    Response: 150 Opening BINARY mode data connection.
    Error: Directory listing aborted by user
    Status: Disconnected from server
    Status: Resolving address of ftp.archive.
    Status: Connecting to 75.147.211.xx:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 Microsoft FTP Service
    Command: AUTH TLS
    Response: 234 AUTH command ok. Expecting TLS Negotiation.
    Status: Initializing TLS...
    Status: Verifying certificate...
    Command: USER administrator
    Status: TLS/SSL connection established.
    Response: 331 Password required for administrator.
    Command: PASS **********
    Response: 230 User logged in.
    Command: OPTS UTF8 ON
    Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
    Command: PBSZ 0
    Response: 200 PBSZ command successful.
    Command: PROT P
    Response: 200 PROT command successful.
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I.
    Command: PASV
    Response: 227 Entering Passive Mode (75,147,211,xx,244,194).
    Command: LIST
    Response: 150 Opening BINARY mode data connection.
    Error: Directory listing aborted by user
    Status: Disconnected from server
    Status: Connecting to 75.147.211.xx:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 Microsoft FTP Service
    Command: AUTH TLS
    Response: 234 AUTH command ok. Expecting TLS Negotiation.
    Status: Initializing TLS...
    Status: Verifying certificate...
    Command: USER administrator
    Status: TLS/SSL connection established.
    Response: 331 Password required for administrator.
    Command: PASS **********
    Response: 230 User logged in.
    Command: SYST
    Response: 215 Windows_NT
    Command: FEAT
    Response: 211-Extended features supported:
    Response:  LANG EN*
    Response:  UTF8
    Response:  AUTH TLS;TLS-C;SSL;TLS-P;
    Response:  PBSZ
    Response:  PROT C;P;
    Response:  CCC
    Response:  HOST
    Response:  SIZE
    Response:  MDTM
    Response: 211 END
    Command: OPTS UTF8 ON
    Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
    Command: PBSZ 0
    Response: 200 PBSZ command successful.
    Command: PROT P
    Response: 200 PROT command successful.
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I.
    Command: PASV
    Response: 227 Entering Passive Mode (75,147,211,xx,244,195).
    Command: LIST
    Response: 150 Opening BINARY mode data connection.
    Error: Connection timed out
    Error: Failed to retrieve directory listing
    Status: Resolving address of ftp.archive.
    Status: Connecting to 75.147.211.xx:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 Microsoft FTP Service
    Command: USER anonymous
    Response: 331 Anonymous access allowed, send identity (e-mail name) as password.
    Command: PASS **************
    Response: 230 User logged in.
    Command: SYST
    Response: 215 Windows_NT
    Command: FEAT
    Response: 211-Extended features supported:
    Response:  LANG EN*
    Response:  UTF8
    Response:  AUTH TLS;TLS-C;SSL;TLS-P;
    Response:  PBSZ
    Response:  PROT C;P;
    Response:  CCC
    Response:  HOST
    Response:  SIZE
    Response:  MDTM
    Response: 211 END
    Command: OPTS UTF8 ON
    Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I.
    Command: PASV
    Response: 227 Entering Passive Mode (75,147,211,xx,244,196).
    Command: LIST
    Response: 150 Opening BINARY mode data connection.
    Error: Connection timed out
    Error: Failed to retrieve directory listing

    Thanks for that aerial view :) helped tremendously. I did that and I still cannot get a listing.

    I have done this on another server 08 box with FileZilla to test if I was crazy and it works fine.

    Do you think that I need to delete this FTP site and start over?

    I can show pics also if you need to see them.

    Thanks

    Joseph

    Monday, February 23, 2009 3:10 PM
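
Added example, not part of any post in this thread: a Python sketch that decodes the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` replies from a client transcript like the one above (data port = p1*256 + p2, so `244,190` is port 62654, the port that appears in the server log line) and flags replies that advertise an RFC 1918 address or a port outside the passive range opened on the firewall. The transcript lines are constructed, `203.0.113.5` is a documentation address, and 4900-4910 is the range suggested earlier in the thread.

```python
import ipaddress
import re

# Constructed sample in the format of the FileZilla transcript above.
SAMPLE_TRANSCRIPT = """\
Command: PASV
Response: 227 Entering Passive Mode (10,10,111,9,244,190).
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: PASV
Response: 227 Entering Passive Mode (75,147,211,xx,244,191).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Command: PASV
Response: 227 Entering Passive Mode (203,0,113,5,19,41).
"""

PASV_RE = re.compile(r"227 [^(]*\(([^)]*)\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.search(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split(",")]
    if len(fields) != 6:
        return None
    try:
        p1, p2 = int(fields[4]), int(fields[5])
    except ValueError:
        return None
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        return None
    # Host octets are kept as text so a redacted octet ("xx") survives.
    return ".".join(fields[:4]), p1 * 256 + p2


def classify_host(host):
    """'rfc1918', 'routable', or 'masked' when an octet was redacted."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "masked"
    return "rfc1918" if any(ip in net for net in RFC1918) else "routable"


def audit(transcript, low, high):
    """List (host, port, issues) for every PASV reply in the transcript."""
    findings = []
    for line in transcript.splitlines():
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        issues = []
        if classify_host(host) == "rfc1918":
            issues.append("advertises internal address")
        if not low <= port <= high:
            issues.append("port outside %d-%d" % (low, high))
        findings.append((host, port, issues))
    return findings


if __name__ == "__main__":
    for host, port, issues in audit(SAMPLE_TRANSCRIPT, 4900, 4910):
        print(host, port, "; ".join(issues) or "ok")
```

Once `AUTH TLS` succeeds the control channel is encrypted, so a NAT or firewall in the path can no longer read the 227 reply to rewrite the address or open the data port on the fly; the fixed range and the external address have to be set on the server and the same range opened on the perimeter device.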
  • User1073881637 posted

    For my own clarification, do this.

    1) delete the existing settings

    2) Create a new site where it listens on only port 21.

    3) Assign a certificate

    4) Allow 'all users' to read and write in the FTP authorization section.  Verify the folder security is set up.

    5) Make sure BASIC authentication is enabled

    6) Have the PASV ports defined at server level, make sure these are set at computer level

    After setup and configuration, restart the FTP service (this isn't necessary, but can't hurt).

    If you want to take pictures and link to them

    1) Take a picture of the authorization section, authentication section, bindings, user isolation, firewall settings at computer level (the ones I mentioned in a previous post).  And if you are still getting an issue, look in the logs.  c:\inetpub\logs\logfiles\ftpsvc1 or something similar.  Hope that helps. 

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, February 23, 2009 10:47 PM
  • User-1395118305 posted

    Hello Steve,

     thanks for the tip I will try this out tomorrow.

    About number 4 in the list... For the folder security do you want me to drill down via the C drive and right click and set permissions?

    Number 6 in the list is via the image you showed me correct?

     

    I will post images for all steps to see what I might be doing wrong.

    Thank you

    Joseph

    Tuesday, February 24, 2009 11:19 PM
  • User1073881637 posted

    For #4.  Create a group (domain or local) called FTPUsers, create a couple test accounts, add the test accounts to the FTPUsers group, grant this group 'modify' permissions on c:\ftproot\user1 and user2.  That is what I did on my test FTP server.   So here is what I did

    I created a folder called FTPRoot under C:\domains folder.  I created a folder called User1, User2 under FTPRoot.   Then inside the FTP site I created a virtual directory called "LocalUser" that mapped to the C:\Domains\FTPRoot folder.  This 'automatically' created the user1, user2 virtual directory.  Set the user isolation like we previously discussed.  

    Once you have the concept working, you can lock down the folder security.  Hope that helps with #4.

    Wednesday, February 25, 2009 7:49 AM
  • User-1395118305 posted

    Just wanted to chime in here. I just started working on this again.

     

    I created the FTP site and it asked me for a root directory. What directory should I use?

    I made a dummy folder and pointed it to that. Also when it asks allow users should this be all users or should I just select Users or Certain Groups then select the FTPuser group that I created?

    I followed the #4 description and yes the virtual Directories were created automatically.

    Now in user Isolation which one do I choose?

    Thanks

    Joseph

    Sunday, March 1, 2009 9:01 PM
  • User1073881637 posted

    Username directory (disable global virtual directories)

    Monday, March 2, 2009 11:27 AM
  • User-1395118305 posted

    Hello Steve,

     

    Just wanted to catch up on this thread. I haven't revisited this issue again yet as I didn't have the time so I used FileZilla to get the job done. I will however get back to it soon as I do not like to pollute Windows with third party apps even if they are excellent apps.

     

    Thanks so much  for your time

    Joseph

    Saturday, June 6, 2009 9:17 AM