Re: FTP permissions problem with virtual directories
- From: Rick Merrill <RickMerrill@xxxxxxxxxxxx>
- Date: Fri, 31 Jul 2009 12:56:32 -0400
Library Sysadmin wrote:
Win2003 R2 servers. One is an internal web server with IIS 6 and FTP installed. The other is our NAS File Server. Both servers are members of our local domain.
On the file server, I’ve created a folder called FTPSites with a couple of subfolders underneath, Site1 and Site2. FTPSites is shared as FTPSites$ and the share permissions are set to full control for Admins, Domain Admins and TestUser (user is a domain account in AD). The FTPSites folder has NTFS permissions for full control for Admins, Domain Admins and System; full control for subfolders and files for Creator/Owner. Site2 folder has additional NTFS permissions for full control for TestUser.
On the web server, under the Default FTP site I’ve created two virtual FTP directories called Site1 and Site2, mapping these to the folders on the file server.
The Default FTP Site is configured with the C:\Inetpub\ftproot folder, does not allow anonymous connections, nor does it allow reads or writes to the directory – only log visits is checked there. All users are granted access by default.
Site1 is a virtual directory mapped to \\file server\ftpsites$\site1 connecting with the credentials of the domain admin. It is set to allow read/write/log visits. Directory Security denies access to all computers except specific IP ranges.
Site2 is a virtual directory mapped to \\file server\ftpsites$\site2 connecting with the TestUser’s credentials and is also set for read/write/log visits. Directory Security denies access to all computers except specific IP ranges. Some of the IP ranges are different than the Site1 list.
With these settings, in the IIS MMC Site2 displays with ‘Access is denied’ in the status column. Site1 displays with nothing in the Status column. I can right-click on both virtual directories and use Explore, Open or Permissions, but not Browse. Browse opens a login box but no matter how the credentials are typed in, the login box keeps prompting for name/password.
On my PC, if I open either IE or Windows Explorer and attempt to ftp to Site1, I am presented with a login box, but no matter how I type the name/password or which credentials I use, I am not granted access – the login box keeps prompting for name/password. My account is a domain admin and my PC has an IP address that is in the allowed list for both sites.
I have tried numerous iterations of permissions in both NTFS and IIS but cannot get access to these FTP directories. As to the credentials for the virtual directories, I have read numerous articles from many sites which state that checking the box for ‘Always use the Authenticated User’s login credentials…’ sends these in clear text and should be avoided. The recommendation is to connect to the virtual directory with supplied credentials, instead. I’ve also confirmed the default ‘Bypass traverse checking’ privileges on the NAS server folders, which would seem to indicate that no further rights need granted to the FTPSites folder to allow the TestUser to access the Site2 folder beneath it.
I’m stumped on this right now. If anyone can tell me what the correct security setting should be, I would appreciate it. Basically, I don’t want anyone reading or writing files to the FTP root directory; domain admins should have full control/access to both virtual directories and the TestUser should only have full access to Site2, with no access to Site1.
TIA Rick
Have you tried setting active ports?
- http://tinyurl.com/mvqq66
.
- References:
- FTP permissions problem with virtual directories
- From: Library Sysadmin
- FTP permissions problem with virtual directories
- Prev by Date: Re: FTP permissions problem with virtual directories
- Previous by thread: Re: FTP permissions problem with virtual directories
- Index(es):
Relevant Pages
|
Loading
