October, 2007

October, 2007

  • Care, Share and Grow!

    Troubleshooting FTP related issues on IIS 6.0

    • 9 Comments

    Troubleshooting FTP related issues on IIS can be a real pain. If you have not encountered so far you are lucky:-)

    What I do generally is to create a new FTP site and make it to work rather than working on the already corrupted site. It depends on your personal choice depending upon how much you want to invest.

    Here I will be talking about some issues and relevant troubleshooting that you can do to resolve the issue.

    To start with, there are three modes in IIS 6.0 using which you can setup an FTP site. Now these modes are different isolation levels for FTP users such that they can access only restricted folders within their dedicated home directory and sub-directories.

    These are:

    1. Do not isolate users (This is same as the only mode available in IIS 5.0)

    2. Isolate users (This is applicable for local as well as domain users, and is not integrated with Active Directory (AD))

    3. Isolate users using Active Directory (Also called Active directory user isolation mode, applicable only for AD users, integrated with AD)

     

    Here is the Screen shot of the options available when you create a new FTP site.

    image

     

    1. Do not isolate users (Users can access the FTP home directory of other users)

    Now in the first mode (Do not isolate users) there is a security risk wherein unauthorized access is possible since FTP do not provide any mechanism to isolate users by itself. You will have to make sure the NTFS permissions (ACLs) are properly set to deny unauthorized users. The wizard clearly shows that users can access the FTP home directory of other users.

    ***In IIS 6.0 with an FTP site running in the above mode, users may not be able to logon directly to the root folder of the FTP site. Instead they may be automatically routed a folder created just for them under the FTP root. Now this is by design and it may happen when there is a sub-folder inside the FTP Root folder that matches the users' alias (logged-on username). In such a case they will automatically be placed into that folder upon logon.

    To work around this behavior, it is necessary to place another folder level between the users and the Root folder of the FTP site.

    2. Isolate users

    image

    This is one of the new FTP modes available in IIS 6.0 (not available in IIS 5.0) wherein users can be isolated from each other by FTP itself and they will be taken directly to their home directory instead of the FTP root directory. This mode can be set for local as well as domain user accounts. However you need to ensure that we have proper directory hierarchy maintained for each user from the FTP root onwards. I will shortly show you how. Any user who has logged on to his/her FTP home directory won't be able to access the home directory of other users provided you restrict them using NTFS permissions.

    If you want to have an FTP site for local user accounts and want isolation such that users should be taken directly to their home directory here is the hierarchy you need to follow:

    Let's assume the root directory for the FTP site is C:\FTPRoot (You may change it to whatever location you want). Now you need to have a folder named "LocalUser" just underneath the FTP root directory. And under this folder (LocalUser) you need to add sub-folders for different users. Remember to have the name of the sub-folder same as the local user account. And for domain users you need to create a folder with the same name as the <domain> and under it you need to create sub-folders for every domain user.

    Pictorially it should be like this:

    Here I have the domain name as Saurabh1.com.

    image

    So I have the following folders for my FTP site based on the users.

    ftpuser1 and ftpuser2 are local user accounts and saurabh1\domainuser1 and saurabh1\domainuser2 are domain user accounts.

    Also notice that if you allow anonymous access to the site you need to have a public folder inside the LocalUser folder as shown above.

    Also you can have as many virtual directories as you want under the FTP site for various users. Whenever the user logs on to the site with their credentials they will be taken to their own respective folders.

    image

    If you look into the screen capture below a user cannot go above his/her home directory. User will be confined to their own folder or sub-folders.

    image

    Also it is recommended to ensure we have proper NTFS permissions set in place. Do not allow access to any other account except administrator/System to the user's folder. Obviously user should have the necessary permissions dedicated to him/her on that folder. If you have Anonymous account enabled users will be taken directly to the public folder (to be more precise it depends upon the FTP client in use. FTP.exe will prompt you to enter the username/password whereas IE will directly take you to the public folder).

     

    3. Isolate users using Active Directory (AD) isolation mode

    Here are the steps for AD isolation mode. It is not meant for local users account and only for Active directory users. Please follow the steps carefully since AD isolation mode issues can be a bit tricky to resolve :-)

    image

    Here below add the domain admin account and make sure you click on Browse to select the user account and not just manually type it.. I have a reason for asking that.

    image

    Create Virtual directories for each of the domain accounts that will be used for accessing the FTP site. Be sure to name the virtual directory identical to the
    username of the user who will be logging in. For instance, the user account of User1 will need a virtual directory named User1. Please remember that it is not a must to have a separate virtual directory for all the users under the root FTP site. Based on the commands mentioned below, users will be automatically taken to their respective folders and they need not have a Virtual directory created under the FTP site.

    Then, Run the IISFTP.vbs script as below:

    In a command prompt, navigate to C:\windows\system32 and run the VBScript iisftp.vbs twice (with different arguments shown below) for each user that will need access to the FTP site. This will do the necessary changes to the user account in AD's LDAP database.

    [Words underlined are your variables]

    For user1:

    C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser1 ftproot C:\ftproot\adroot

    Microsoft (R) Windows Script Host Version 5.6

    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    The value of ftproot for user domainuser1 has been set to C:\ftproot\adroot

    C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser1 ftpdir  folder1

    Microsoft (R) Windows Script Host Version 5.6

    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    The value of ftpdir for user domainuser1 has been set to folder1

    [Remember in the above command for ftpdir you need to set the folder name for the user account and not the complete path i.e. although the user's directory is set to C:\ftproot\adroot\folder1, you should mention "folder1" in the command as mentioned above and not the complete path].

    ftproot specifies the complete path for the parent folder (root) and ftpdir specifies the name of the user's folder. Here if you had a remote UNC share for the FTP contents you can change the command to, Cscript iisftp.vbs /setadprop domainuser1 ftproot \\ftpserver\ftproot\adroot

     

    Similarly for user2:

    C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser2 ftproot C:\ftproot\adroot    <--- [It can be a different location other than the ftproot for user1]

    Microsoft (R) Windows Script Host Version 5.6

    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    The value of ftproot for user domainuser2 has been set to C:\ftproot\adroot

    C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser2 ftpdir folder2

    Microsoft (R) Windows Script Host Version 5.6

    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    The value of ftpdir for user domainuser2 has been set to folder2

    Now before you try accessing the site using account domain\username ensure that you have the necessary folder hierarchy in place as set up in the above commands, i.e. if you do not have an existing path C:\ftproot\adroot\folder1 you will get the following error message:

    User Saurabh1\domainuser1 cannot log in, home directory inaccessible.

    Login failed.

     

    Also in an AD isolation mode you won't see the option to allow anonymous connections. Check the difference between an AD isolated site and a non-AD isolated site. Notice the number of tabs in each.

    image          image

     

    If you already have an FTP site and you don't know the isolation mode for it you can open the metabase.xml file from C:\windows\system32\inetsrv and search for the tag UserIsolationMode and check its value.

    FTP site having mode as:

    • Do not isolate users (this is same as the only mode available in IIS 5.0) ---------> will have UserIsolationMode set to 0
    • Isolate users (this is applicable for local as well as domain users)   -----------> will have UserIsolationMode set to 1
    • Isolate users using Active Directory (also called Active directory user isolation mode, applicable only for Active directory users)  -----> will have UserIsolationMode set to 2.

     

    Checklist:

    When you try to visit an AD isolated FTP site from a command prompt, you may receive the following error message:

    530 User <Domain>\<UserName> cannot log in, home directory inaccessible.
    Login failed.

    This problem can occur because of any one of the following reasons:

    • The msIIS-FTPDir or msIIS-FTPRoot properties for the User Account that is trying to access the FTP site are not configured in the Active Directory.
      Make sure that msIIS-FTPDir and msIIS-FTPRoot properties for the user account are configured properly. To do this, open up a command prompt on the IIS server and browse to C:\Windows\system32 folder. Run the following commands:

    C:\WINDOWS\system32>cscript iisftp.vbs /GetADProp <username> FTPRoot
    C:\WINDOWS\system32>cscript iisftp.vbs /GetADProp <username> FTPDir

    If you get a valid FTPDir and FTPRoot returned as a result of this command, which means these properties are set correctly. The actual path of the user's folder will be <FTPRoot>\<FTPDir>. If the result of either of the commands is something like

    The value of FTPDir for user <username> is:
    null

    This means that the FTPDir and FTPRoot are not set correctly. You can set them as mentioned some way above.

    • The account that is set in the IIS Metabase as the ADConnectionsUserName key for the FTP site is having some issues.

    It may have been locked out or is not having enough permissions to query the Active Directory. The password for account connecting to AD in ADConnectionsPassword may be incorrect.

    Make sure that the password is correct and that the account is not locked out. Also ensure that the account that is configured here has enough permissions to query the Active Directory.

    To check the username and password set in the metabase, run the following commands:

    C:\Inetpub\AdminScripts> Cscript adsutil.vbs get msftpsvc/<FTP site identifier>/ADConnectionsUserName

    C:\Inetpub\AdminScripts> Cscript adsutil.vbs get msftpsvc/<FTP site identifier>/ADConnectionsPassword

    [You may find the password in encrypted format like ************. In such a case you need to modify the adsutil.vbs file to get the exact password. Open Adsutil.vbs in notepad from the above location and search for the function "IsSecureProperty(ObjectParameter,MachineName)".

    In this function IsSecureProperty(ObjectParameter,MachineName), you will find the following code:

    Function IsSecureProperty(ObjectParameter,MachineName)

    On Error Resume Next
    Dim PropObj,Attribute
    Set PropObj = GetObject("IIS://" & MachineName & "/schema/" & ObjectParameter)
    If (Err.Number <> 0) Then
    ReportError ()
    WScript.Echo "Error trying to get the property: " & err.number
    WScript.Quit (Err.Number)
    End If
    Attribute = PropObj.Secure
    If (Attribute = True) Then
    IsSecureProperty = True              <--------
    Else
    IsSecureProperty = False
    End If
    End Function

    In the highlighted line above, change the value to False, save and now rerun the adsutil.vbs command and you should see the actual password]

     

    • IIS server is not able to contact the Active Directory.

    =================================================XXXXX=====================================================

    We have seen a lot of confusion among people related to Active and Passive modes in an FTP site. I was intending to write a post on it but luckily though I found a very good article on the net. You can check this if you have some confusion on Active versus Passive FTP modes.

    Ftp.exe in Windows is an active mode FTP client and IE by default is a Passive mode FTP client. You can change the settings for IE as per this KB323446

Page 1 of 1 (1 items)