IIS 7 and Above
FTP 7.5 550 Access error
Last post Mar 29, 2010 11:30 PM by hillb
Mar 29, 2010 07:35 PM|hillb|LINK
I'm not sure what i'm doing wrong here, or how to fix it, and was hoping for a pointer or two.
I have a new Windows Server 2008 R2 box with FTP 7.5 installed, fully patched. The server runs a single FTP service containing about a dozen folders, each with different access permissions controlling access rights for 136 users. The server is configured to require FTPES, if that matters. Access permissions are defined in IIS, with the app pool user account having full rights at the NTFS level. All users are accessing the server using AD login names that exist on the same domain as the server.
All 136 users have explicitly defined read-only rights to the root. For each folder below that, the FTP Authorization Rules are set up to allow read/write access to only those users who need to be in them. In case you're wondering, we set these programmatically via the Microsoft.Web.Administration API, so it's not quite the management headache that it sounds like. Generally, this works correctly. Users can log in, upload, download, or delete their own files.
The problem I'm having is that users are NOT being permitted to overwrite or delete files that were uploaded by OTHER users in the same folder, even when all users to that folder have read/write access and the access levels are identical. The FTP client simply returns "550 Access is Denied". This is a huge problem for us because these aren't personal folders, but are shared folders where multiple people in a particular office or on a particular project need to have shared and equal access to all files.
When I look at the NTFS permissions for the file, I do see that the domain account of the original uploader is defined as the "owner" of the file, and that their Active Directory account has been assigned full control rights in NTFS for that file. Is this normal? If so, why is the server blocking the other authorized users for that folder from modifying, deleting, or updating the file? Shouldn't those other users have the same access rights as the creator, when he/she uploaded the original file?
As an experiment, I added my own user account directly to one of the files with the same RWX permissions as the creator, and it did let me delete the file via FTP afterward. My user account had the same file rights as both the original file creator and the custom app pool user account. Do I have to define the user access rights for each folder's specific users both within IIS AND at the NTFS level?
Mar 29, 2010 09:24 PM|email@example.com|LINK
Read and Write do not allow a file to be deleted or modified. You will want the users to have MODIFY permission to be able to do what you ask.
Mar 29, 2010 10:21 PM|hillb|LINK
The FTP Authorization Rules in IIS do not have a "modify" setting, only read and write. The local user account used by the FTP instance's app pool does have full read/write/delete/modify permissions to the folder and all content.
I could set Modify permissions for a particular user account at the NTFS level, but the entire point here is that we aren't managing our user access via NTFS. We're managing access entirely through the IIS 7.5 FTP Authorization Rules.
If we have to set access permissions in BOTH places, the viability of the entire project becomes questionable.
Mar 29, 2010 11:30 PM|hillb|LINK
While I'd still like to know if there's a better way to do this, I found a workaround for the problem. I created a local Group account for FTP users and gave it Full NTFS permissions to the entire directory tree. Our AD has a user account for "All Users", so I added it to the new group.
Technically, the entire AD of 1500+ people now has access rights at the NTFS level, but the FTP Authorization Rules only allow the authorized users to get at the folders in the first place. It's inelegant, but it's a fix.
Again, if there's a better way, I'm all ears.
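Added example, not code from the thread or from anyone in it. It shows the two layers the thread ends up with, done per shared folder rather than for the whole AD: the FTP authorization rule written through Microsoft.Web.Administration (the API the first post mentions), plus an NTFS Modify grant for a dedicated folder group, inherited by new uploads, so members can overwrite and delete each other's files without getting Full Control. Every name below is an assumption: the site "FTP Site", the virtual folder "Projects/Alpha" under D:\ftproot, and the domain group CONTOSO\FTP-Alpha-Users.

```powershell
# Added example, not from the original thread. All names are assumptions:
#   FTP site "FTP Site", virtual folder "Projects/Alpha" at D:\ftproot\Projects\Alpha,
#   domain group CONTOSO\FTP-Alpha-Users (one group per shared folder).
# Run in an elevated PowerShell on the IIS 7.5 / FTP 7.5 server.

Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

$SiteName    = 'FTP Site'                    # assumption
$FolderPath  = 'Projects/Alpha'              # assumption: IIS path below the FTP site root
$PhysicalDir = 'D:\ftproot\Projects\Alpha'   # assumption
$FolderGroup = 'CONTOSO\FTP-Alpha-Users'     # assumption: domain group that owns this folder

# 1) IIS layer: an FTP authorization rule scoped to the folder, via Microsoft.Web.Administration.
#    This gates the FTP command only. With AD logins the file operation then runs under the
#    user's own token, so NTFS is checked as well (which is what produced the 550).
function Add-FtpFolderRule {
    param([string]$Site, [string]$Folder, [string]$Principal, [string]$Permissions = 'Read,Write')

    [void][Reflection.Assembly]::LoadFrom("$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll")
    $mgr     = New-Object Microsoft.Web.Administration.ServerManager
    $config  = $mgr.GetApplicationHostConfiguration()
    $section = $config.GetSection('system.ftpServer/security/authorization', "$Site/$Folder")
    $rules   = $section.GetCollection()

    # Idempotent: do not add a second rule for the same principal.
    foreach ($r in $rules) {
        if ("$($r['roles'])" -eq $Principal -or "$($r['users'])" -eq $Principal) { return $false }
    }
    $rule = $rules.CreateElement('add')
    $rule['accessType']  = 'Allow'
    $rule['roles']       = $Principal       # a group; use 'users' for individual accounts
    $rule['permissions'] = $Permissions     # FTP rules only know Read and Write
    [void]$rules.Add($rule)
    $mgr.CommitChanges()
    return $true
}

# 2) NTFS layer: grant the same group Modify (not Full Control) on the folder, inherited by
#    files and subfolders. Modify covers overwrite and delete of other members' uploads but
#    not changing permissions or taking ownership, so it is narrower than the thread's
#    "Full Control for every AD user" workaround and scoped to one folder's group.
function Grant-FolderModify {
    param([string]$Path, [string]$Principal)

    $rights      = [System.Security.AccessControl.FileSystemRights]::Modify
    $inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    $type        = [System.Security.AccessControl.AccessControlType]::Allow
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, $rights, $inherit, $propagation, $type)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

# 3) Check: what the group actually holds on the folder (and, if given a file path, on one
#    upload). The second call should show the Modify ACE with IsInherited = True.
function Get-PrincipalAces {
    param([string]$Path, [string]$Principal)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Add-FtpFolderRule -Site $SiteName -Folder $FolderPath -Principal $FolderGroup
Grant-FolderModify -Path $PhysicalDir -Principal $FolderGroup
Get-PrincipalAces -Path $PhysicalDir -Principal $FolderGroup
```

Setting an inheritable ACE on the folder also propagates it to files already in it, so uploads made before the change become deletable by the group too; the uploader's own CREATOR OWNER-derived Full Control entry on each file stays as it was. Membership of the folder group is then the single thing to manage for both layers, and the FTP rule can reference the group through `roles` instead of listing users.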