I am running an IIS 6 FTP Server on a Windows Server 2003 computer (lets call it FTPPC), connected to a domain (lets call it DOMAIN).
Allow anonymous connections is off, so a user requires a domain account to connect to the ftp. The user connects to the ftp using DOMAIN\USERNAME
The root of the ftp is pointing at E:\FTP-ROOT\, and inside are 2 folders: \PATH1\ \PATH2\
There is a Virtual Directory called PATH1 pointing to a UNC share on another pc on the domain (called DOMAINPC), set to "always use the authenticated users credentials". When connected to the ftp, a user can browse to this and will see the contents successfully.
There is also a Virtual Directory called PATH2 pointing to a UNC share on a pc that is NOT CONNECTED to the domain (called NODOMAINPC).
I have created a user on NODOMAINPC called USER1, and creating the exact same username on FTPPC with an identical password on both accounts.
In the "connect as" section for the PATH2 virtual directory, I have tried multiple things with different results:
Set the username to FTPPC\USER1 - when trying to browse the virtual directory over ftp, the error is "Access is denied" Set the username to NODOMAINPC\USER1 - when trying to browse the virtual directory over ftp, the error is "Logon failure: unknown user or bad password" Set the username to USER1 - when trying to browse the virtual directory over ftp, the error is "Access is denied"
Can this be done? And if so, where am I going wrong? I can connect to the UNC path via windows, just not via ftp.
Thanks
This is indeed an odd one. I setup the config you describe with IIS running on a DC not a member server and the virtual directory configured to use the logged on user. This worked. Then I tried it with IIS running on a non-domain server, and it worked as well. Sadly IIS running on a domain member server is the one config I can't test.
I then configured the virtual directory to connect as nondomainpc\administrator. On the DC this did not work, but on non-domain server it did.
I fired up Network Monitor to have a look, and when the virtual directory on the DC is configured to use the non-DC PC's administrator account the DC attempted to make an anonymous connection. It made no attempt to use the nondomainpc\administrator username that I had configured for the virtual directory. This looks like a bug to me.
Note that the virtual directory did work on the DC when using the logged in user, while in your case it didn't. However I've noticed that DCs tend to be oblivious to the "host" bit of the username "host\user", presumably because there is no SAM on a DC, so I wouldn't attach too much significance to this. The member server is presumably passing the logged on username as "domain\user" and you're non-DC server is rejecting it.
In terms of fixing your problem, all I can suggest is to move the FTP server onto a DC or a non-domain server, but I guess neither of these options would be too attractive :-(
JR
If you think about it your PC is passing a credential token to the FTP server as you are already domain authenticated. However the FTP server can't pass this token to the NODOMAINPC as it won't recognise the token (it doesn't recognise the domain controller as such).
I think the only option you have is that all users connect to the UNC share as the FTP Service account credentials. Obviously then though all users effectively have the same NTFS ACL permissions.
Since you'd be having to replicate all usernames/passwords with your original approach anyway, why not just dump IIS and use FileZilla server or similar and set all of the permissions per user within the FTP server? I find FTP permissions in IIS more of a hindrance than a help mostly.