IIS Support Blog

FTP “530 User cannot log in” error and solution

Nedim
Microsoft
Mar 12, 2019

While trying to connect to your FTP server hosted by IIS, you may run into the “530 User cannot log in, home directory inaccessible” error. This error occurs whether you are using anonymous access or basic authentication.

A sample connection log from an FTP client:

 

530 User cannot log in, home directory inaccessible.
Critical error: Could not connect to server

This issue may also appear as a “Failed to retrieve directory listing” or “Home directory inaccessible” error.

Depending on the FTP client, you may not see the detailed error message right away. For instance, when I tried to connect to the same site with the same configuration by using WinSCP, I received an “Access Denied” error. If your FTP client doesn’t show the entire connection history, look for the log folder to get more information about the root cause.

Solution

 

There might be a few reasons for running into this error. Here are the most common root causes and their solutions:

  • IIS may not be configured to use passive mode FTP. There are two types of FTP connections: active mode and passive mode. In active mode, the client opens a port and the server connects to it to transfer data. In passive mode, the server opens a port and the client connects to it to transfer data. To use passive mode, enter a port range and IP address on the “IIS > Server name > FTP Firewall Support” page.

Note: You can configure your FTP client to use only active mode if you don’t want to turn on passive mode.
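To make the passive-mode handshake concrete, here is an added example (not part of the original post) that parses the server's `227` reply and compares the advertised data endpoint with the passive port range and with the address the client actually connected to. The function names are hypothetical, the replies are constructed, and 5000-6000 is only a sample range.

```python
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address octets, then port bytes.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value above 255 in 227 reply")
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The data port is sent as two bytes: high byte first, then low byte.
    return addr, nums[4] * 256 + nums[5]


def check_pasv(reply, control_peer, port_range):
    """List mismatches between the advertised data endpoint and expectations."""
    addr, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    low, high = port_range
    problems = []
    if not low <= port <= high:
        problems.append(f"data port {port} is outside the configured range {low}-{high}")
    if addr != peer:
        problems.append(f"server advertised {addr}, but the control connection is to {peer}")
    return problems


if __name__ == "__main__":
    # Constructed replies; 5000-6000 is a sample passive range, not a recommendation.
    rng = (5000, 6000)
    for reply, peer in [
        ("227 Entering Passive Mode (203,0,113,7,19,136).", "203.0.113.7"),
        ("227 Entering Passive Mode (203,0,113,7,19,136).", "10.0.0.5"),
        ("227 Entering Passive Mode (10,0,0,5,195,80).", "10.0.0.5"),
    ]:
        print(peer, parse_pasv(reply), check_pasv(reply, peer, rng) or "ok")
```

An address mismatch is only a problem when the client cannot reach the advertised address; a port outside the range usually means the firewall will not have that port open.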

 

Less common reasons for 530 error

 

The items below may cause “530 User cannot log in, home directory inaccessible” as well.

  • Authorization rules. Make sure to have an Authorization rule that allows the user or anonymous access. Check the “IIS > FTP site > FTP Authorization Rules” page to allow or deny access for certain or all users.
  • NTFS permissions. The FTP users (local or domain users) should have permissions on the physical folder. Right-click the folder and go to Properties. In the Security tab, make sure the user has the required permissions. You can ignore the Sharing tab; it is not used for FTP access.
  • Locked account. If your local or domain account is locked or expired, you may end up seeing the “User cannot log in” error. Check local user properties or Active Directory user settings to make sure the user account is active.
  • Other permission issues. The user account may not have “Log on locally” or “Allow only anonymous connections security” rights.

 

If you are still seeing the issue, check the IIS and FTP logs (c:\inetpub\logs\LogFiles\FTPSVC2), but don’t let them mislead you. IIS logs may sometimes show PASS; that doesn’t mean everything is well. It’s better to check the FTP logs that IIS records for FTP connections.
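One way to read those FTP logs, as an added example that is not part of the original post: the script below parses W3C-format FTP log lines, skips channel events that carry no status code, and lists each session's failed commands with the meaning of the Win32 status. The log lines are constructed, the `triage` name is hypothetical, and the `#Fields` layout is assumed to match the server's logging configuration.

```python
# Standard Win32 error codes, mapped to the causes listed in this article.
WIN32_HINTS = {
    3: "ERROR_PATH_NOT_FOUND: home directory path does not exist",
    5: "ERROR_ACCESS_DENIED: check NTFS permissions on the physical folder",
    1326: "ERROR_LOGON_FAILURE: wrong user name or password",
    1331: "ERROR_ACCOUNT_DISABLED: account is disabled",
    1385: "ERROR_LOGON_TYPE_NOT_GRANTED: missing logon right such as Log on locally",
    1793: "ERROR_ACCOUNT_EXPIRED: account has expired",
    1909: "ERROR_ACCOUNT_LOCKED_OUT: account is locked",
}

# Constructed sample log (documentation addresses, made-up session ids).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2019-03-12 10:00:00 192.0.2.10 - 198.51.100.5 21 ControlChannelOpened - - 0 0 s1 -
2019-03-12 10:00:01 192.0.2.10 - 198.51.100.5 21 USER alice 331 0 0 s1 -
2019-03-12 10:00:01 192.0.2.10 alice 198.51.100.5 21 PASS *** 230 0 0 s1 /
2019-03-12 10:00:02 192.0.2.10 alice 198.51.100.5 21 CWD / 550 5 0 s1 /
2019-03-12 10:05:00 192.0.2.11 - 198.51.100.5 21 USER bob 331 0 0 s2 -
2019-03-12 10:05:01 192.0.2.11 - 198.51.100.5 21 PASS *** 530 1909 0 s2 -
"""


def triage(log_text):
    """Return {session: {"pass_status": int|None, "failures": [...]}} for failing sessions."""
    fields, sessions = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log itself
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue
        row = dict(zip(fields, parts))
        if not row["sc-status"].isdigit():
            continue  # channel open/close events log "-" instead of a reply code
        status, win32 = int(row["sc-status"]), int(row["sc-win32-status"])
        sess = sessions.setdefault(row["x-session"], {"pass_status": None, "failures": []})
        if row["cs-method"] == "PASS":
            sess["pass_status"] = status
        if status >= 400:
            hint = WIN32_HINTS.get(win32, "unmapped Win32 status")
            sess["failures"].append((row["cs-method"], status, win32, hint))
    return {sid: s for sid, s in sessions.items() if s["failures"]}


if __name__ == "__main__":
    for sid, info in triage(SAMPLE_LOG).items():
        print(sid, "PASS reply:", info["pass_status"], info["failures"])
```

In the sample, session `s1` logs a successful PASS (230) and still fails on the next command with access denied, which is the misleading pattern described above.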

 

 

Note: In one case with a “Connection closed by the server” error for an FTP connection, we determined the root cause to be corruption of system files that occurred during an in-place server upgrade.

Updated Aug 19, 2020
Version 5.0
  • bphillus
    Copper Contributor

    For those that still get the 503 error after setting all the correct permissions (IIS FTP Authentication=basic, IIS FTP Authorization=allow access to user, Windows File permissions, and FTP isolation rules), you MUST restart the FTP site in order for the changes to the IIS FTP Authentication, Authorization, and Isolation rules to take effect.

  • All of this and removing the role, restarting the server and adding the role fixed my issue. (It was a new server before migration.)

  • AlexChongcc93
    Copper Contributor

    I faced another scenario: when wrongly binding 2 FTP sites to the same port 21, I was also getting the 530 error.

    Stopping 1 of the 2 FTP servers or changing to another port resolved this issue.

  • SteveBerkholz
    Brass Contributor

    Andrey_Dmitriev 

    I found this post for a different reason, but we are planning to set External Firewall address and reduced ports.

    We do have some users coming over an accelerated WAN (so technically internal).

    What would be the resolution in this case? Two sites with the same folders? Internet pointing to one and LAN/WAN pointing to the other in DNS?

  • Andrey_Dmitriev
    Copper Contributor

    There is one more situation giving the 530 error: if you are connecting to the FTP server from the LAN, but an external firewall address is specified in the server configuration.

    Yes, sounds strange.

  • beamer667
    Copper Contributor

    Peter_Herzog: Please allow the svc host process in the FTP server firewall. Allow TCP port 21 and the other passive ports which you have defined, like 5000-6000, in FTP server inbound, and port 20 and passive ports on FTP server Windows Firewall outbound.

    Allow the same in the network firewall or any other NSG, then it should work.

  • Peter_Herzog
    Copper Contributor

    This does not work for me. The server no longer accepts any changes to authorization, whether basic or anonymous, no matter which configuration is chosen. Neither virtual directories nor static directories can be used any more.

    I restarted the server service several times; uninstalling is unfortunately not possible.