IIS7 FTP Setup - An error occured during the authentication process. 530 End Login failed

6

I'm having a problem very similar to IIS 7.5 FTP IIS Manager Users Login Fail (530) on Windows Server 2008 R2 Standard.

I have created an FTP site and IIS Manager user but am having trouble logging in. I could really do with getting this working with the IIS Manager user rather than by creating a new system user since I'm fairly restricted with those accounts.

Here is the output when connecting locally through command prompt:

C:\Windows\system32>ftp localhost
Connected to MYSERVER.
220 Microsoft FTP Service
User (MYSERVER:(none)): MyFtpLogin
331 Password required for MyFtpLogin.
Password: ***
530-User cannot log in.
 Win32 error:   Logon failure: unknown user name or bad password.
 Error details: An error occured during the authentication process.
530 End
Login failed.

I have followed the guide to configure ftp with iis manager authentication in iis 7 and Adding FTP Publishing to a Web Site in IIS 7

Things I have done and checked:

  • The FTP Service is installed (along with FTP Extensibility).
  • Local Service and Network Service have been given access to the site folder
  • Permission has been given to the config files
  • Granted read/write permissions to the FTP Root folder
  • The Management Service is installed and running
  • Enable remote connections is ticked with 'Windows credentials or IIS manager credentials' selected
  • The IIS Manager User has been added to the server (root connection in the IIS connections branch)
  • The new FTP site has been added
  • IIS Manager Authentication has been added to the FTP authentication providers
  • The IIS Manager user has been added to the IIS Manager Permissions list for the site
  • Added Read/Write permissions for the user in the FTP Authorization Rules

Here's a section of the applicationHost config file associated with the FTP site

<site name="MySite" id="8">
    <application path="/" applicationPool="MyAppPool">
        <virtualDirectory path="/" physicalPath="D:\Websites\MySite" />
    </application>
    <bindings>
        <binding protocol="http" bindingInformation="*:80:www.mydomain.co.uk" />
        <binding protocol="ftp" bindingInformation="*:21:www.mydomain.co.uk" />
    </bindings>
    <ftpServer>
        <security>
            <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
            <authentication>
                <basicAuthentication enabled="true" />
                <customAuthentication>
                    <providers>
                        <add name="IisManagerAuth" enabled="true" />
                    </providers>
                </customAuthentication>
            </authentication>
        </security>
    </ftpServer>
</site>

...

<location path="MySite">
    <system.ftpServer>
        <security>
            <authorization>
                <add accessType="Allow" users="MyFtpLogin" permissions="Read, Write" />
            </authorization>
        </security>
    </system.ftpServer>
</location>

If I connect to the Site (not FTP) from my local IIS Manager using the same IIS Manager account details then it connects fine, I can browse files and change settings as I would locally (though I don't seem to have an option to upload files). Trying to connect via FTP though either through the browser or FileZilla etc... gives me:

Status: Resolving address of www.mydomain.co.uk
Status: Connecting to 123.456.12.123:21...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    USER MyFtpLogin
Response:   331 Password required for MyFtpLogin.
Command:    PASS *********
Response:   530 User cannot log in.
Error:  Critical error
Error:  Could not connect to server

I have tried collecting etw traces for ftp sessions, in the logs I get a FailBasicLogon followed by a FailCustomLogon, but no other info:

FailBasicLogon  SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55} | ErrorCode=0x8007052E
StartCustomLogon    SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55} | LogonProvider=IisManagerAuth
StartCallProvider   SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55} | provider=IisManagerAuth
EndCallProvider SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55}
EndCustomLogon  SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55}
FailCustomLogon SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55} | ErrorCode=0x8007052E
FailFtpCommand  SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55} | ReturnValue=0x8007052E | SubStatus=ERROR_DURING_AUTHENTICATION

In the normal FTP logs I just get:

2012-10-23 16:13:11 123.456.12.123 - 123.456.12.123 21 ControlChannelOpened - - 0 0 e2d4e935-fb31-4f2c-af79-78d75d47c18e -
2012-10-23 16:13:11 123.456.12.123 - 123.456.12.123 21 USER MyFtpLogin 331 0 0 e2d4e935-fb31-4f2c-af79-78d75d47c18e -
2012-10-23 16:13:11 123.456.12.123 - 123.456.12.123 21 PASS *** 530 1326 41 e2d4e935-fb31-4f2c-af79-78d75d47c18e -
2012-10-23 16:13:11 123.456.12.123 - 123.456.12.123 21 ControlChannelClosed - - 0 0 e2d4e935-fb31-4f2c-af79-78d75d47c18e -

If anyone has any ideas than I would be very grateful to hear them. Many thanks.

iis-7
ftp
asked on Server Fault Oct 23, 2012 by robmzd • edited Apr 13, 2017 by Community

5 Answers

4

So after many lost hours, I came back to this with fresh eyes and new fire in my soul. It seemed I was a little too focused on what settings the new FTP site had and paid little attention to other influences.

It turned out that there was a global 'Default FTP Site' which was catching all FTP requests on port 21, since the user wasn't added to the list of authorised accounts for this site, it was returning an unauthorised response.

Adding the user to the default FTP site enabled me to log in, but I was then getting put into the root FTP directory for the default site (similar to http://forums.iis.net/t/1156913.aspx). Changing the Log on to <hostheader>|<username> didn't work either and returned a 530 Valid hostname is expected response.

After banging my head on the desk a few times I went back and checked and re-checked each and every setting. Typically in the end it turned out to be a typo in the host header name set in the site bindings. Logging on using <hostheader>|<username> subsequently worked once the typo had been fixed.

In Summary

  1. I needed to log in using the <hostheader>|<username> format in order for IIS to pick up which site I intended to log in to
  2. I had a typo in the hostheader value in the site bindings
answered on Server Fault Oct 30, 2012 by robmzd
3

Same issue here. What fixed it for me was setting a default domain.

  1. In IIS Manager, click on the FTP site
  2. Go to FTP Authentication
  3. Click on Basic Authentication
  4. In the right column click on Edit
  5. Enter the FQDN of your Active Directory domain against which the users authenticate
answered on Server Fault Aug 8, 2014 by Koen Zomers
2

I just wanted to add to this answer here, because it came up early in my search.

I found this question while looking for a solution to my scenario, which was:
A ftp user was able to login 90% of the time, but would almost always fail to login the first time.

This was quite an annoying problem. I was bleeding my eyes out trying to fix it.
The solution ended up being very simple: Reset the user's password. Problem solved. I hope this helps someone not waste some much time.

answered on Server Fault Feb 11, 2013 by Brian
0

Also got this error on Windows 2012 IIS 8

My setup is a new simple ftp site, auth basic, auth rules allow domain users, ftp user isolation set to ftp root directory (no messing with AD)

Worked for old users, worked for admins - wouldn't work for new users!

Altered the defaultapppool identity to be localsystem, then it worked.

answered on Server Fault May 29, 2014 by KinetekRob • edited May 29, 2014 by Ladadadada
0

In my case, under the FTP site >> FTP Authentication >> Basic Authentication (Select 'Edit' under Actions on the right). When the prompt for 'Edit Basic Authentication Settings' pops up, leave the 'Default domain' as empty. This worked for us for Server 2008 R2.

answered on Server Fault Nov 13, 2019 by KKevin

User contributions licensed under CC BY-SA 3.0