Access Denied When Connecting to a FTP Directory That Uses a UNC Path with "Connect As" Feature (247099)


The information in this article applies to:

  • Microsoft Internet Information Server 1.0
  • Microsoft Internet Information Server 2.0
  • Microsoft Internet Information Server 3.0
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 6.0
This article was previously published under Q247099
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SYMPTOMS

When accessing an FTP site whose Home Directory connects to a remote share using a UNC path with the Connect As feature, one of the following symptoms might occur:
  • The Access Control List (ACL) permissions of the user account logged onto the FTP session are not used to determine the access permissions for the Home Directory.

  • The following error occurs:
    Access Denied

CAUSE

This is by design. The Home Directory uses the credentials of the user account and password specified in the Connect As feature to connect to the UNC. All access permissions to the Home Directory are determined by the ACLs for that Connect As user account.

Therefore, the credentials (and associated permissions) for the user account that was used to log onto the FTP site are not used to determine access to the UNC Home Directory.

RESOLUTION

To avoid these problems, do one of the following, depending on your situation:
  • Do not use the UNC and Connect As feature for the Home Directory. Instead, specify a Home Directory on the local computer.

  • Specify a user account for the Connect As feature that has the appropriate ACL permissions needed by the FTP site users.

MORE INFORMATION

The settings for the UNC and Connect As option are specified in the Home Directory tab of the FTP site's property sheet in the MMC. The user account specified in the Connect As option must be a local user account on both the FTP site computer as well as the UNC file server computer, or must be a domain user account.

Additional References

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

247970 How to Enable Pass-Through Authentication for FTP UNC Virtual Directories

239120 Create a Secure FTP Directory that Uses Password Authentication

237987 FTP GET Does Not Work Correctly on UNC Virtual Directories

201771 How To Set Up an FTP Site So That Users Log Onto Their Folders

195259 FTP Site Mapped to a Remote Share May Have Access Problems

185377 Users Cannot Access FTP or Web Site

Modification Type:MinorLast Reviewed:6/23/2005
Keywords:kbpending kbprb KB247099
©2004 Microsoft Corporation. All rights reserved.