Previous Next

• 06-16-2008, 1:55 PM

  pmcgraw Joined on 06-16-2008, 5:49 PM Posts 3 pmcgraw

  AD 2008 FTP & UPN Reply Contact  Hi, We have a IIS 6.0  web server that users were FTPing to with their UPN. Recently we updated to 2008 AD. Suddenly, users can't connect with their UPN anymore. Their samaccountname works fine. The UPN and the samaccountname are different. The error I'm getting in the logs is "The server was unable to logon the Windows NT account username@domain.com. The stub received bad data." The users are able to authenticate to the domain with their UPN when logging into a workstation. Any ideas?   Thanks   -Patrick

• 06-17-2008, 1:36 AM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 2,214 steve schofield	Re: AD 2008 FTP & UPN Reply Contact Interesting.  Did you set the DefaultDomain metabase property?  Or was it ever set before?  What mode is your AD set? Steve Schofield Windows Server MVP - IIS MCTS - Windows Hosting http://weblogs.asp.net/steveschofield http://www.iislogs.com http://www.orcsweb.com/ Managed Hosting Solutions #1 in Service and Support

• 06-17-2008, 8:29 AM

  In reply to

  pmcgraw Joined on 06-16-2008, 5:49 PM Posts 3 pmcgraw	Re: AD 2008 FTP & UPN Reply Contact  It was never set. We are in native Mode.

• 06-18-2008, 11:56 PM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 2,214 steve schofield

  Re: AD 2008 FTP & UPN Reply Contact I setup an environment and I was able to reproduce the issue.  Couple things I did to fix it.  I set the DefaultLogonDomain metabase property on IIS 6. Here is the link with the syntax http://support.microsoft.com/kb/184319 Secondly, I didn't use a UPN (steve@ss.local) logon format.  I simply used steve and I was able to logon.  I set the DefaultLogonDomain metabase property to 'ss' (which is the netbios name of my w2k8 native domain).  I could logon as steve or ss\steve, it failed on steve@ss.local format.  Hope this helped. btw - I didn't set any attribute values on the user object in AD.   Steve Schofield Windows Server MVP - IIS MCTS - Windows Hosting http://weblogs.asp.net/steveschofield http://www.iislogs.com http://www.orcsweb.com/ Managed Hosting Solutions #1 in Service and Support

• 06-19-2008, 8:44 AM

  In reply to

  pmcgraw Joined on 06-16-2008, 5:49 PM Posts 3 pmcgraw

  Re: AD 2008 FTP & UPN Reply Contact That is what I was seeing as well. The format of domain\user or user is able to authenticate fine. It's just the UPN format that is not working. I confirmed that this is the case on all my FTP servers running iis 6.0 and not isolated to one. UPN was working fine before we migrated to AD 2008. Unfortunately, I have to have the UPN format working. Thanks for the help

• 06-19-2008, 9:55 AM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 2,214 steve schofield

  Re: AD 2008 FTP & UPN Reply Contact I've also tried granting SPN (service principal name) on the user account and server running FTP, no luck.  I enabled account logging on the FTP server and got a LOGON TYPE 8 failure, which can't send the password across the network as clear text.  It looks like w2k8 locks down this setting.  I don't know right off which one in the local or domain security policy, but that appears to be a legitmate lead.  Hope this helps. Here is the error i got on the ftp server. Logon Failure:   Reason:  An error occurred during logon   User Name: steve@ss.local   Domain:     Logon Type: 8   Logon Process: IIS       Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0   Workstation Name: W2K3-1   Status code: 0xC003000C   Substatus code: 0x0   Caller User Name: W2K3-1$   Caller Domain: SS   Caller Logon ID: (0x0,0x3E7)   Caller Process ID: 1220   Transited Services: -   Source Network Address: -   Source Port: - For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.   Steve Schofield Windows Server MVP - IIS MCTS - Windows Hosting http://weblogs.asp.net/steveschofield http://www.iislogs.com http://www.orcsweb.com/ Managed Hosting Solutions #1 in Service and Support

• 06-19-2008, 10:04 AM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 2,214 steve schofield

  Re: AD 2008 FTP & UPN Reply Contact here is the link that I used to explain the logon types. http://www.windowsecurity.com/articles/Logon-Types.html I ran into something similar with this while writing the IIS 7 resource guide logging chapter, there was a couple of security policy items that were blocking access.  I don't recall them right off, one was Network Security: LAN Manager authentication level.  By default it's NTLMv2 response only.  I'm not sure what level of security the FTP service supports.  Hope this helps. Steve Schofield Windows Server MVP - IIS MCTS - Windows Hosting http://weblogs.asp.net/steveschofield http://www.iislogs.com http://www.orcsweb.com/ Managed Hosting Solutions #1 in Service and Support

• 06-20-2008, 12:57 AM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 2,214 steve schofield	Re: AD 2008 FTP & UPN Reply Contact I posted a question on the www.activedir.org list.  This appears to be more AD related than FTP 6.0.  If I hear anything, I'll post back. Steve Schofield Windows Server MVP - IIS MCTS - Windows Hosting http://weblogs.asp.net/steveschofield http://www.iislogs.com http://www.orcsweb.com/ Managed Hosting Solutions #1 in Service and Support