
Confused about FTP for IIS7 authorization


Colin Baker

Jul 29, 2008, 12:16:02 PM

Hi,

I'm confused how authorization works in FTP for IIS7, hopefully someone can
help me understand - the documentation is almost non-existent.

I have set up a number of Windows users who should be able to login to my
FTP site. These users are only members of the Users group and the folder
permissions on my FTP home directory only allow read permission for the Users
group.

In the IIS7 FTP Authorization Rules screen I choose the Specified Users
option and list the Windows users I created, giving them read AND write
access.

My question is: when I login via FTP as one of these users I'm allowed to
read and write files despite the fact that Windows folder permissions should
not allow me to do this. Why? Does the FTP service actually use a different
user account to access the file system?

This is very different to IIS6 where I could easily use folder permissions
to control access.

Thanks in advance,

Colin

WenJun Zhang[msft]

Jul 30, 2008, 5:58:20 AM

Hi Colin,

Basically I think it's true that a specified Windows user account (i.e.
Network Service) is used to access physical files in FTP7. This is because
we now support non-Windows accounts (IIS manager users) for FTP site
authorization.

I will go ahead to confirm this for you and update you if it's possible to
still use NTFS permission for FTP authorization.

Please wait for my further response.

Have a nice day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Colin Baker

Jul 30, 2008, 6:43:00 AM

Thanks WenJun, I'll look forward to your confirmation.

On a related issue with Authorization...

If I create 3 Windows users (for example), Bob, Pete and Fred. I then
create a Windows group called WebPublishers and make Bob, Pete and Fred
members of this group. In IIS FTP Authorization Rules I select the Specified
Roles and User Groups option and then enter WebPublishers in the textbox.
After doing this I cannot log in as any of the 3 users I created, the
username and password is accepted but then I get the following response from
the FTP server:

530 User cannot log in, home directory inaccessible.
Login failed.

What am I doing wrong here? In IIS6 I used this technique of assigning
users to different groups in order to control which FTP sites (we have many
on one server) users can access and it worked very nicely.

Regards,

Colin

WenJun Zhang[msft]

Aug 1, 2008, 7:10:42 AM

Hi Colin,

Based on my test results, NTFS permission is still required for Windows
user account authorization. I suspect that some user group in the FTP dir's
ACL list includes your test account and that's why you can login without
explicitly granting the NTFS permission. The ACL list in my test is:

CREATOR OWNER FC
SYSTEM FC
Administrators FC

In this setup, Administrator can log in but any other test account cannot.
Both of them have allow rules in FTP authorization. Furthermore, the error
returned for the test account is just the same one as you met: Home directory
inaccessible.

However, for IIS manager users, this has no effect at all. I've confirmed
with our IIS group that Local System is used for FTP service to access the
physical file when using IIS manager user authorization.

So please ensure NTFS permission is correctly set for your Windows groups
or accounts for FTP authorization and see if the error still persists.

For your reference:

Configure FTP with IIS 7.0 Manager Authentication
http://learn.iis.net/page.aspx/321/configure-iis-manager-authentication/

Have a nice weekend.

WenJun Zhang[msft]

Aug 5, 2008, 5:17:37 AM

Hi Colin,

Just wondering if you have any further questions on this issue?

Thanks.

Jason Simotas

Sep 9, 2008, 4:56:01 PM

Yes, I had the same issue inside FTP Authorization Rules.
I couldn't add Groups and was getting

530 User cannot log in, home directory inaccessible.

The solution was to restart the whole IIS service. I'm guessing because it
was a new Group added to Active Dir.

Bernard Cheah [MVP]

Sep 11, 2008, 2:54:17 AM

This could be related to IIS caching the credential token - UserTokenTTL
default is 900 seconds.

--
Regards,
Bernard Cheah
http://www.iis.net/
http://msmvps.com/blogs/bernard/


Colin Baker

Sep 22, 2008, 10:20:01 AM

Hi WenJun,

Sorry for the delay, I only just noticed your post - I didn't get an email
notification for some reason.

This is still a problem for me, I'll explain my setup below:

First I created the user Bob who belongs only to the group Users.

Then I created the folder that will be the home directory of the FTP site.
This has the following permissions:

Creator Owner - Special
System - Full Control
Administrators - Full Control
Users - Read & Execute, List Folder Contents, Read, Special

Lastly I created the FTP site whose home directory is the folder specified
above. Authentication is set to Basic only and Authorization is set to the
specific user Bob (Read and Write).

When I connect as Bob using my FTP client I am able to upload files, surely
I shouldn't be able to do this since the only group Bob belongs to is Users
and this group does not have Write permission.

If I've missed something really obvious please let me know and put me out of
my misery!

Thanks,

Colin

WenJun Zhang[msft]

Sep 23, 2008, 6:48:09 AM

Hi Colin,

Somehow the result is expected at my side. I login with a FTPtest windows
group's account which only has Read/List NTFS permission. The login
succeeded but uploading with a PUT command failed with a 550 - Access is
denied error (expected). Then I login with my administrator account and the
same PUT command works fine.

So please check the Special permission in the folder's ACL of your Users
group by opening its advanced property. Probably it leaks Write right to
this group.

If the NTFS ACL appears to be correct and the problem still persists, would
you please email me at: wjz...@online.microsoft.com ? I will work with you
offline directly for further troubleshooting.

Have a nice day.

Sincerely,

WenJun Zhang


Colin Baker

Sep 23, 2008, 12:54:01 PM

Hi WenJun,

You're absolutely right, the Special permission on the Users group was
responsible. This is one of the reasons I really dislike this permission -
it's not at all obvious what's going on.

I think I have another issue with FTP but I'll double-check and if necessary
create a new post.

Thanks for your help.

Colin
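
Added example (not part of the original thread): PowerShell that expands the ACL entries Explorer summarises as "Special" into the individual write-capable rights and the scope they apply to, which is the check that resolved this thread. `$FtpRoot` and `$Expected` are placeholder values assumed for illustration.

```powershell
# Added example, not from the thread. $FtpRoot and $Expected are assumptions:
# set them to the FTP site's home directory and the principals meant to have write access.
param(
    [string]$FtpRoot = 'C:\inetpub\ftproot',
    [string[]]$Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
)

# Specific rights that allow creating, changing or deleting content, or rewriting the ACL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Generic write / generic all bits can appear in inheritable ACEs and have no enum name.
$genericWriteOrAll = 0x40000000 -bor 0x10000000

$acl = Get-Acl -Path $FtpRoot
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $raw     = [int]$_.FileSystemRights
        $bits    = $raw -band $writeMask
        $generic = ($raw -band $genericWriteOrAll) -ne 0
        if ($bits -eq 0 -and -not $generic) { return }   # read-only entry, nothing to report

        # Where the entry takes effect: "Special" can hide a children-only write grant.
        $scope = if ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) {
            'children only'
        } elseif ($_.InheritanceFlags -eq [System.Security.AccessControl.InheritanceFlags]::None) {
            'this folder only'
        } else {
            'this folder and children'
        }

        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            WriteRights = if ($generic) { 'generic write/all' } else { [System.Security.AccessControl.FileSystemRights]$bits }
            AppliesTo   = $scope
            Inherited   = $_.IsInherited
            Unexpected  = $Expected -notcontains $_.IdentityReference.Value
        }
    } |
    Sort-Object Unexpected -Descending |
    Format-Table -AutoSize
```

Rows with `Unexpected` set to `True` for a broad group such as `BUILTIN\Users` are the entries to review against the FTP authorization rules.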

WenJun Zhang[msft]

Sep 23, 2008, 11:31:41 PM

Colin,

Glad to hear the issue has been figured out. Please don't hesitate to post
here whenever you meet any problem on IIS. You are always welcome.
