Microsoft KB Archive/247099

= Access Denied When Connecting to a FTP Directory That Uses a UNC Path with "Connect As" Feature =

Article ID: 247099

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Server 1.0
 * Microsoft Internet Information Server 2.0
 * Microsoft Internet Information Server 3.0
 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 6.0

-



This article was previously published under Q247099



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
When accessing an FTP site whose Home Directory connects to a remote share using a UNC path with the Connect As feature, one of the following symptoms might occur:  The Access Control List (ACL) permissions of the user account logged onto the FTP session are not used to determine the access permissions for the Home Directory.

 The following error occurs:

Access Denied





CAUSE
This is by design. The Home Directory uses the credentials of the user account and password specified in the Connect As feature to connect to the UNC. All access permissions to the Home Directory are determined by the ACLs for that Connect As user account.

Therefore, the credentials (and associated permissions) for the user account that was used to log onto the FTP site are not used to determine access to the UNC Home Directory.



RESOLUTION
To avoid these problems, do one of the following, depending on your situation:
 * Do not use the UNC and Connect As feature for the Home Directory. Instead, specify a Home Directory on the local computer.


 * Specify a user account for the Connect As feature that has the appropriate ACL permissions needed by the FTP site users.



MORE INFORMATION
The settings for the UNC and Connect As option are specified in the Home Directory tab of the FTP site's property sheet in the MMC. The user account specified in the Connect As option must be a local user account on both the FTP site computer as well as the UNC file server computer, or must be a domain user account.

Additional References
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

247970 How to Enable Pass-Through Authentication for FTP UNC Virtual Directories

239120 Create a Secure FTP Directory that Uses Password Authentication

237987 FTP GET Does Not Work Correctly on UNC Virtual Directories

201771 How To Set Up an FTP Site So That Users Log Onto Their Folders

195259 FTP Site Mapped to a Remote Share May Have Access Problems

185377 Users Cannot Access FTP or Web Site

Additional query words: virtual directory vdir remote share granted storage device restricted ntfs username privileges access Universal Naming Convention iis5 iis 5.0 iis 6 iis 6.0

Keywords: kbprb kbpending KB247099

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.