IIS 7 and Above
Using FTP accounts
Oct 05, 2007 05:21 PM|starpg|LINK
Okay, so I've covered just about everything in the learning I've done here about IIS7, and I'm pleased with my success.
My next step, which is something I am completely illiterate about, is allowing people to "sign into" their site via an FTP client, now I know a little idea of what I can do, but what I have tried has failed miserably.
I've made my website, it's on the 'net, and php works great, https works great...now I am ready to do some ftp testing but I don't know how to allow someone to "log in" to their site via ftp?...I don't know how to delegate the permissions. I know they need a user account on the machine, my first tries were making regular user accounts, then adding them into the IIS_IUSRS group followed by adding the appropriate permissions on the folder their site lies in (for example...my test site is at D:\SPG\XMB\)...the site is running fine on the internet, but I've not been able to connect to it through a test User account like I described above.
I would much appreciate any help. :)
Oct 06, 2007 01:03 AM|qbernard|LINK
Which FTP component did you install? The IIS 6 FTP which comes by default with W2k8 or Vista, or the new separate download from iis.net? If this is the new component from iis.net, you can either use a local Windows account or IIS Manager user.
Oct 06, 2007 06:15 AM|starpg|LINK
I installed the FTP RC0 right off this site
Oct 07, 2007 08:56 AM|steve schofield|LINK
You need to enable the BASIC authentication, allow the particular user or 'All Users' permission then make sure the folder security is set up. There are some options in the FTP settings to set where the user gets dropped, their home directory, here is the link to the program manager's blog who is in charge of FTP 7.0, it has some good tips / tricks.
Windows Server MVP - IIS
Log archival solution
Install, Configure, Forget
Oct 07, 2007 12:12 PM|starpg|LINK
I'll step by step what I have done.
It doesn't work.
Open "Users" folder.
Created new user named "TCH-Beta"
Assigned "Home Folder, Local Path" to D:\SPG\XMB
Assigned the user TCH-Beta to the "Hosting Accounts" User Group.
Ensured "Basic Authentication" was chosen in FTP Authentication
Opened IIS7 Manager, added FTP Publishing to the "XMB-Test" site, and created an "Allow" Authorization Rule for "TCH-Beta"
Added the user "TCH-Beta" privileges to the Folder "D:\SPG\XMB"
This sounds like the proper method to accomplish FTP access for a given user, but when I attempt a logon I get the error:
530-user TCH-Beta cannot log in: Home directory inaccessible.
win32 error: Access Denied
Error Details: Authorization Rules Denied the access
Oct 08, 2007 12:22 AM|qbernard|LINK
Ok. It is saying authorization rules denied the access. Are you sure you set the correct authorization rules for the user?
I would try filemon to trace and see where IIS FTP is sending the user to and whether the user has permission to access it.
Oct 08, 2007 05:10 PM|starpg|LINK
okay, so how do I do this?
Oct 08, 2007 05:33 PM|starpg|LINK
I've given complete control for the user %SYSTEMNAME%/TCH-Beta on the folder D:\SPG\XMB
and well this image shows the FTP Authorization in IIS7 set:
Oct 08, 2007 11:46 PM|qbernard|LINK
1) Search filemon or procmon at microsoft website
2) Run it on the ftp server
3) From another machine or local server, try connect via
4) Upon getting the logon error, stop the filemon
5) Review the log, look for access denied error.
Oct 09, 2007 06:37 PM|starpg|LINK
yeah holy crap
that didn't work
WAAY too many processes to look through
nothing showed an access denied either
Oct 09, 2007 07:15 PM|starpg|LINK
I have no idea why it won't let me logon via cmd/ftp.exe, but it will let me logon via an FTP Client that I use.
is that normal? See I'm trying to logon using another user account (not Administrator)...and this is when it's not letting me....but see I try it out using my FTP client and it all works perfectly
.... I found a problem... It's not letting me logon when the ftp port is 21...my main website (the not-so- test) site is on port 21, but when I changed the test site's ftp port to 27 then it worked fine...? shouldn't ftp server be on port 21? as like default for all sites to logon?
Oct 09, 2007 10:32 PM|robmcm|LINK
That's curious behavior - do you have Windows Firewall enabled?
Oct 10, 2007 12:07 AM|qbernard|LINK
LOL... for filemon log you can try the filtering feature... the new ftp service is under svchost.exe I believe. or just do a search on the ftp user account?
Next, I would suggest you ftp locally at the machine first, and if you can't even ftp locally, check Windows Firewall and make sure the FTP inbound rules are enabled, or temporarily disable Windows Firewall to test it.
Oct 10, 2007 04:09 AM|starpg|LINK
tried this as well - logging in locally after altering the Firewall exceptions for port 21, on the machine via cmd:
Connected to TensioncoreS01.
220 Microsoft FTP Service
User (TensioncoreS01:(none)): tch-beta
got same error as shown above.
Oct 10, 2007 11:42 PM|qbernard|LINK
Ok. the next step I would do now is analyze the filemon log. can you zip it up and post it somewhere? I like to look at the trace.
Oct 11, 2007 01:53 PM|JaroDunajsky|LINK
Filemon will not be of much help. I only return the "Authorization Rules Denied the access" detailed error when the problem has to do only with the authorization settings of the FTP site.
If it was because of file system ACLs then the detailed error would report "File system denied the access".
What is the literal text for authorization in the applicationhost.config?
<add accessType="Allow" users="TCH-Beta" permissions="Read, Write" />
(assuming "XMB-Text" is the name of your site)
Regarding the secondary issue that was discussed regarding the firewall. A week ago I wrote a blog on how to configure new FTP RC0 server with Windows firewall:
Oct 12, 2007 12:26 AM|qbernard|LINK
Arggh! Got you. Coz in the past when something like this happens, like home directory inaccessible, etc., Filemon is able to tell at least where FTP is sending the user to, and why the user is unable to access the folder.
But in this case the error is at config level, so thanks for the clarification.
Oct 12, 2007 05:28 AM|starpg|LINK
Those lines aren't in my web.config??
but they are not in the web.config of my website either? and I can access it fine via ftp, and ftp clients
Oct 12, 2007 12:40 PM|robmcm|LINK
You are correct, those lines will not be in your web.config file. All FTP settings are kept in applicationHost.config and cannot be delegated to web.config. The logic behind this decision is that a corrupt web.config file can break the HTTP experience, (e.g. you get an error page over HTTP until you fix the problem), and we didn't want to have this problem with FTP. Essentially it comes down to this - since we want FTP publishing to always work, FTP settings cannot be delegated to web.config files.
Oct 12, 2007 08:52 PM|starpg|LINK
so is the applicationHost.config accessible and changeable, for the manner outlined in that previous post?
and if so where is the config located (I'd look for it right now but I'm struck for time)
Oct 13, 2007 11:25 PM|qbernard|LINK
Should be at the end of applicationHost.config, do a search on location path ...
<location path="XMB-Test"> or FTP
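Added example, not part of the thread and not Microsoft's code: a small offline check that reads an applicationHost.config fragment and reports which FTP authorization rule, if any, covers a user under a given `<location path>`. The sample fragment, the second site name and the function names are constructed for illustration; the section layout `system.ftpServer/security/authorization` is the FTP 7 schema, and names are compared as plain strings.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment, not the poster's real file.
SAMPLE_CONFIG = """<configuration>
  <location path="XMB-Test">
    <system.ftpServer><security><authorization>
      <add accessType="Allow" users="TCH-Beta" permissions="Read, Write" />
    </authorization></security></system.ftpServer>
  </location>
  <location path="Other-Site">
    <system.ftpServer><security><authorization>
      <add accessType="Deny" users="TCH-Beta" permissions="Read, Write" />
      <add accessType="Allow" users="*" permissions="Read" />
    </authorization></security></system.ftpServer>
  </location>
</configuration>"""
RULE_PATH = "system.ftpServer/security/authorization/add"

def _names(value):
    """Split a comma-separated attribute into a lower-cased set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def ftp_rules(config_xml, site):
    """Return (accessType, users, permissions) for FTP rules scoped to `site`."""
    rules = []
    for loc in ET.fromstring(config_xml).iter("location"):
        if (loc.get("path") or "").lower() != site.lower():
            continue  # rule belongs to another site's location block
        for add in loc.findall(RULE_PATH):
            rules.append(((add.get("accessType") or "").lower(),
                          _names(add.get("users")),
                          _names(add.get("permissions"))))
    return rules

def explain(config_xml, site, user, need="read"):
    """Name the config-level finding for `user` on `site`."""
    # String comparison only: per the thread the server compares SIDs, so a
    # name that resolves to a different account is not detected here.
    rules = ftp_rules(config_xml, site)
    if not rules:
        return "no FTP authorization rules under this location path"
    hits = [r for r in rules if need in r[2] and (user.lower() in r[1] or "*" in r[1])]
    if any(r[0] == "deny" for r in hits):
        return "a Deny rule matches this user"  # first thing to review
    if any(r[0] == "allow" for r in hits):
        return "an Allow rule matches this user"
    return "no Allow rule matches this user"
```

A mistyped site name (for instance "XMB-Text" instead of "XMB-Test") shows up as the first finding, because no rules are scoped to that location path.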
Oct 14, 2007 06:40 AM|starpg|LINK
I found the apphost config file, and Those lines were exactly present in the configuration for that site.
it's so weird
Oct 16, 2007 09:26 AM|JaroDunajsky|LINK
Is your machine in domain environment? Do you happen to have local account and domain account with matching name? I analyzed authorization code and couldn't find a gap. But for the basic authentication (with windows accounts) we translate names to SIDs for comparisons and I wonder if those SIDs resolve OK.
Oct 16, 2007 08:02 PM|starpg|LINK
I noticed that in the "Test settings" it is giving me a warning:
"Authorization: cannot verify access to folder ( D:\Folder name[I replaced name]\)
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again. "
does this happen to be the issue?
Oct 16, 2007 08:05 PM|starpg|LINK
oh and as my own reply to this
the user for log-in has full control in the Folder's Security settings
and it is also set as the "home directory" or whatever it's called via the lusrmgr
Oct 17, 2007 01:10 AM|qbernard|LINK
The test settings msgs mainly refer to Web or HTTP.
I did a quick test by loading the new ftp.msi to my RC0, was unable to reproduce your error :)
Can you recap that -
a) this is a windows user, right?
b) you are in standalone setup
c) d:\ path is local disk (this is same as webroot, right?), what do the NTFS permissions look like?
For Windows built-in users, nothing much to set. just enable the authentication + authorization rules + user's NTFS permission setting.
while - for IIS Manager user - you need wmsvc, network service account READ access to config/temp asp.net files/ftp path, then add the user to site's 'IIS Manager Permissions', then repeat the same setting for auth + authorization, etc.
Oct 17, 2007 05:28 PM|starpg|LINK
D:\ is not the same Drive as webroot (inetpub) - thats on the C drive.
and what do you mean by standalone set up??
I'm only using Windows Authentication...using Windows Users...Could you tell me how the NTFS permissions works?? No one has ever explained this.
The user has permissions on the folder that the site is on...
Oct 17, 2007 10:26 PM|qbernard|LINK
By standalone, I mean - is the machine alone :) ? or is it part of an active directory domain?
IIS FTP uses basic/anonymous/custom auth, windows auth not supported. So you are using Windows User and not IIS Manager user. And looks like you have got everything set up correctly. Using Windows user the setup works out of the box, you just need to configure the NTFS permission. Can you try
a) grant all users read access instead of just the user.
b) ensure in ftp authentication property you have enabled anonymous + basic. Have you tried anonymous access? Does it work?
c) remove the ftp site then recreate again.
Oct 21, 2007 05:58 PM|starpg|LINK
I'd like to let you guys know
I've got the FTP service running on Port 21 for all accounts, I'm still using Windows Accounts, as I don't know enough to use the ASP.NET accounts you were talking about.
Is it much easier per-se than using Windows Accounts?
Oct 21, 2007 10:25 PM|qbernard|LINK
Why don't you add a new ftp site and follow the guideline on this site.
I have followed the steps and was able to ftp without any issue.
Oct 22, 2007 03:24 AM|starpg|LINK
you mean the tutorial for web hosting on IIS - 100-1000 sites one?
Oct 22, 2007 04:48 AM|starpg|LINK
big problem sort of.
I am getting a huge error in the command-line input in the Shared hosting article.
I'm entering the command line code from "Step 4 and 5" :
Step 5: Creating Application Pools and Sites:
(This is the result of every one of the 100)
The command line errors I'm getting back are:
C:\Users\Administrator>REM Create Application Pool
C:\Users\Administrator>C:\Windows\system32\inetsrv\Appcmd add AppPool -name:Pool
_Site100 -processModel.username:\PoolId100 -processModel.password:PoolIDPwd100 -
ERROR ( message:Failed to add duplicate collection element "Pool_Site100". )
C:\Users\Administrator>REM Creating a site with the content, freb and log
C:\Users\Administrator>REM configuration entries set to the directories we creat
C:\Users\Administrator>REM secured before.
C:\Users\Administrator>C:\Windows\system32\inetsrv\AppCmd add site -name:Site100
-bindings:http/*:80:Site100 -physicalPath:C:\WWW\Site100\wwwroot ûlogfile.direc
ERROR ( message:The identifier is not supported in the current command usage. Y
ou specified "ûlogfile.directory:C:\WWW\Site100\logs\logfiles". )
C:\Users\Administrator>REM Now assign the root application of the newly created
C:\Users\Administrator>REM to its Application Pool
C:\Users\Administrator>C:\Windows\system32\inetsrv\Appcmd set app -app.name:"Sit
ERROR ( message:Cannot find APP object with identifier "Site100/". )
SOOO WT* happened?
I'm confused ( OH AND I'm aware of the duplicate entry stuff, I already executed the script, I just edited it and tried again, but same errors - the non duplicate errors)
Oct 22, 2007 04:54 AM|qbernard|LINK
Errr. shared hosting? We are talking about ftp right?
I'm referring to this article.
Oct 22, 2007 10:08 AM|starpg|LINK
see That article explains how to do things the exact way I don't want to, using Windows Accounts. I want an easier way of authentication.
oh and I'd still like some assistance with my problem up there. That would be nice
Nov 06, 2007 01:01 AM|qbernard|LINK
It has the section on how to deal with IIS Manager user, I followed the instructions and got no error.