Having troubles with FTP’s “Isolate Users with Active Directory” Isolation Mode in IIS 6.0
The most common problem I have seen that people come across when they use the Isolate Users with Active Directory isolation mode in FTP (in IIS 6.0) is the classic Home Directory Inaccessible error message.If you try browsing to the FTP site from command prompt, you get an error message
530 User <Domain>\<UserName> cannot log in, home directory inaccessible.
Login failed.
The most common reasons for why you see this message are :-
1. The msIIS-FTPDir or msIIS-FTPRoot properties for the User Account that is trying to access the FTP site are not configured in the Active Directory.
2. The account that is set in the IIS Metabase as the ADConnectionsUserName key for the FTP site is having some problems. It may be locked out or is not having the permissions to query the Active Directory
3. The password for account connecting to AD in ADConnectionsPassword is incorrect.
4. The IIS server is not able to contact the Active Directory.
To resolve this problem...
1. Make sure that msIIS-FTPDir and msIIS-FTPRoot properties for the user account are configured properly. To do this, open up a command prompt on the IIS server and browse to c:\winnt\system32 folder. Run the following command
C:\WINDOWS\system32>iisftp.vbs /GetADProp <username> FTPDir
C:\WINDOWS\system32>iisftp.vbs /GetADProp <username> FTPRoot
If you get a valid FTPDir and FTPRoot returned as a result of this command, which means these properties are set correctly. If the result of either of the commands is something like
The value of FTPDir for user <username> is:
null
This means that the FTPDir and FTPRoot are not set correctly. You can set them in this way.
C:\WINDOWS\system32>iisftp.vbs /SetADProp testusername FTPDir testdir
C:\WINDOWS\system32>iisftp.vbs /SetADProp testusername FTPRoot c:\FTPRoot
How the home directory is determined is by adding FTPRoot + “\” + FTPDir
In the above example the user with the name testusername will be taken to c:\FTPRoot\testdir
Note: You can even specify a UNC share in the FTPRoot properties. So suppose for a domain user testuser, you set FTPDir as testdir and FTPRoot as \\server\share so he will be taken to \\server\share\testdir when he will login to the FTP Site.
2. Other problem could be the account that you have used in the Metabase as your ADConnectionsUserName is having some problems. To figure out the settings in the Metabase for your FTP AD Isolation mode site, you can run the following script.
strComputer = "."
strFTPSiteName = "Default FTP Site" ‘ Specify Site Name here as it shows in the IIS Manager.
Set objWMIService = GetObject("winmgmts:{authenticationLevel=pktPrivacy}\\" & strComputer & "\root\microsoftiisv2")
Set colItems = objWMIService.ExecQuery("Select * from IIsFtpServerSetting") 'where ServerComment = " & strFTPSiteN
For Each objItem in colItems
if objItem.ServerComment = strFTPSiteName then
Wscript.Echo "AD Connections Password: " & objItem.ADConnectionsPassword
Wscript.Echo "AD Connections User Name: " & objItem.ADConnectionsUserName
end if
Next
This will give you the user name and password for the configured FTP site.
1. Make sure that the password is correct and that the account is not locked out.
2. Also ensure that the account that is configured here has enough permissions to query the Active Directory.
3. Another problem could be that the IIS server is not able to contact the Active Directory which might indicate a networking issue. You can try running a simultaneous netmon trace between the IIS machine and the domain controller to dig further as to what might be going wrong.
Leave a comment