FTP permissions problem with virtual directories
- From: Library Sysadmin <LibrarySysadmin@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 21 Jul 2009 16:22:01 -0700
Win2003 R2 servers. One is an internal web server with IIS 6 and FTP
installed. The other is our NAS File Server. Both servers are members of
our local domain.
On the file server, I’ve created a folder called FTPSites with a couple of
subfolders underneath, Site1 and Site2. FTPSites is shared as FTPSites$ and
the share permissions are set to full control for Admins, Domain Admins and
TestUser (user is a domain account in AD). The FTPSites folder has NTFS
permissions for full control for Admins, Domain Admins and System; full
control for subfolders and files for Creator/Owner. Site2 folder has
additional NTFS permissions for full control for TestUser.
On the web server, under the Default FTP site I’ve created two virtual FTP
directories called Site1 and Site2, mapping these to the folders on the file
server.
The Default FTP Site is configured with the C:\Inetpub\ftproot folder, does
not allow anonymous connections, nor does it allow reads or writes to the
directory – only log visits is checked there. All users are granted access
by default.
Site1 is a virtual directory mapped to \\file server\ftpsites$\site1
connecting with the credentials of the domain admin. It is set to allow
read/write/log visits. Directory Security denies access to all computers
except specific IP ranges.
Site2 is a virtual directory mapped to \\file server\ftpsites$\site2
connecting with the TestUser’s credentials and is also set for read/write/log
visits. Directory Security denies access to all computers except specific IP
ranges. Some of the IP ranges are different than the Site1 list.
With these settings, in the IIS MMC Site2 displays with ‘Access is denied’
in the status column. Site1 displays with nothing in the Status column. I
can right-click on both virtual directories and use Explore, Open or
Permissions, but not Browse. Browse opens a login box but no matter how the
credentials are typed in, the login box keeps prompting for name/password.
On my PC, if I open either IE or Windows Explorer and attempt to ftp to
Site1, I am presented with a login box, but no matter how I type the
name/password or which credentials I use, I am not granted access – the login
box keeps prompting for name/password. My account is a domain admin and my
PC has an IP address that is in the allowed list for both sites.
I have tried numerous iterations of permissions in both NTFS and IIS but
cannot get access to these FTP directories. As to the credentials for the
virtual directories, I have read numerous articles from many sites which
state that checking the box for ‘Always use the Authenticated User’s login
credentials…’ sends these in clear text and should be avoided. The
recommendation is to connect to the virtual directory with supplied
credentials, instead. I’ve also confirmed the default ‘Bypass traverse
checking’ privileges on the NAS server folders, which would seem to indicate
that no further rights need to be granted to the FTPSites folder to allow the
TestUser to access the Site2 folder beneath it.
I’m stumped on this right now. If anyone can tell me what the correct
security setting should be, I would appreciate it. Basically, I don’t want
anyone reading or writing files to the FTP root directory; domain admins
should have full control/access to both virtual directories and the TestUser
should only have full access to Site2, with no access to Site1.
TIA
Rick