Home
%3CLINGO-SUB%20id%3D%22lingo-sub-945873%22%20slang%3D%22en-US%22%3EFTP%20user%20isolation%20failing%20with%20access%20denied%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-945873%22%20slang%3D%22en-US%22%3E%3CP%3ERecently%26nbsp%3B%20I%20was%20working%20on%20a%20case%20where%20we%20wanted%20to%20setup%26nbsp%3B%20FTP%20User%20level%20isolation%20.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3BWe%20created%20test%20FTP%20site%20with%20basic%20authentication%20enabled%26nbsp%3B%20and%20created%20the%20folder%20structure%20required%20for%20User%20isolation%26nbsp%3B%20with%20%E2%80%9Cusername%20directory(disable%20global%20virtual%20directory)%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22368%22%3E%3CP%3EWindows%20domain%20accounts%20(requires%20basic%20authentication)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22261%22%3E%3CP%3E%25FtpRoot%25%25UserDomain%25%25UserName%25%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFrom%26nbsp%3B%20%3A%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fiis%252Fpublish%252Fusing-the-ftp-service%252Fconfiguring-ftp-user-isolation-in-iis-7%26amp%3Bdata%3D02%257C01%257Cabegum%2540microsoft.com%257Cf70dad949e5f48e5661108d75896b5ce%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637075276626130846%26amp%3Bsdata%3D5KK%252Bu9jMmJi83kItrFVHPtYcjAAaaGaE1QIZqygp3JU%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fpublish%2Fusing-the-ftp-service%2Fconfiguring-ftp-user-isolation-in-iis-7%3C%2FA%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EUser%20name%20directory%20(disable%20global%20virtual%20directories)%20%3A%20%3C%2FSTRONG%3E%26nbsp%3BThis%20option%20specifies%20that%20you%20want%20to%20isolate%20FTP%20user%20sessions%20to%20the%20physical%20or%20virtual%20directory%20with%20the%20same%20name%20of%20the%20FTP%20user%20account.%20The%20user%20sees%20only%20their%20FTP%20root%20location%20and%20is%2C%20therefore%2C%20restricted%20from%20navigating%20higher%20up%20the%20physical%20or%20virtual%20directory%20tree%3C%2FLI%3E%0A%3CLI%3ETo%20create%20home%20directories%20for%20each%20user%2C%20you%20first%20need%20to%20create%20a%20physical%20directory%20under%20your%20FTP%20server's%20root%20folder%20that%20is%20named%20after%20your%20domain%20or%20named%20LocalUser%20for%20local%20user%20accounts.%20Next%2C%20you%20need%20to%20create%20a%20physical%20directory%20for%20each%20user%20account%20that%20will%20access%20your%20FTP%20site.%20The%20following%20table%20lists%20the%20home%20directory%20syntax%20for%20the%20authentication%20providers%20that%20ship%20with%20the%20FTP%20service.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22386%22%3E%3CP%3E%3CSTRONG%3EUser%20Account%20Types%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22263%22%3E%3CP%3E%3CSTRONG%3EPhysical%20Home%20Directory%20Syntax%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22386%22%3E%3CP%3EAnonymous%20users%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22263%22%3E%3CP%3E%25FtpRoot%25%5CLocalUser%5CPublic%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22386%22%3E%3CP%3ELocal%20Windows%20user%20accounts%20(requires%20basic%20authentication)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22263%22%3E%3CP%3E%25FtpRoot%25%5CLocalUser%25UserName%25%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22386%22%3E%3CP%3EWindows%20domain%20accounts%20(requires%20basic%20authentication)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22263%22%3E%3CP%3E%25FtpRoot%25%25UserDomain%25%25UserName%25%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22386%22%3E%3CP%3EIIS%20Manager%20or%20ASP.NET%20custom%20authentication%20user%20accounts%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22263%22%3E%3CP%3E%25FtpRoot%25%5CLocalUser%25UserName%25%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20started%20seeing%20issues%20where%20user%20isolation%20was%20not%20working%20and%20failing%20with%20%E2%80%9Caccess%20denied%E2%80%9D%20error.%20We%20checked%20and%20found%26nbsp%3B%20NTFS%20and%20%26nbsp%3BFTP%20default%20permissions%20to%20be%20ok%20and%20good.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F147126i5ECD5B0C2AB3D4A6%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.jpeg%22%20title%3D%22clipboard_image_0.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20collected%20procmon%26nbsp%3B%26nbsp%3B%20and%20found%20that%20there%20was%20No%20access%20denied%20errors%20but%20failing%20with%26nbsp%3B%20%22PATH%20NOT%20FOUND%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E3%3A02%3A25.5810043%20PM%20svchost.exe%206128%20TCP%20Accept%20ITL-DC-SFTP-2.Contoso.lab.lan%3A2121%20-%26gt%3B%20172.21.12.104%3A50495%20SUCCESS%20Length%3A%200%2C%20mss%3A%201380%2C%20sackopt%3A%201%2C%20tsopt%3A%200%2C%20wsopt%3A%201%2C%20rcvwin%3A%20262200%2C%20rcvwinscale%3A%208%2C%20sndwinscale%3A%208%2C%20seqnum%3A%200%2C%20connid%3A%200%20NT%20AUTHORITY%5CSYSTEM%3CBR%20%2F%3E3%3A02%3A25.5934536%20PM%20svchost.exe%206128%20TCP%20Send%20ITL-DC-SFTP-2.Contoso.lab.lan%3A2121%20-%26gt%3B%20172.21.12.104%3A50495%20SUCCESS%20Length%3A%2027%2C%20startime%3A%209113403%2C%20endtime%3A%209113405%2C%20seqnum%3A%200%2C%20connid%3A%200%20NT%20AUTHORITY%5CSYSTEM%3CBR%20%2F%3E3%3A02%3A25.5934751%20PM%20svchost.exe%206128%20TCP%20Receive%20ITL-DC-SFTP-2.Contoso.lab.lan%3A2121%20-%26gt%3B%20172.21.12.104%3A50495%20SUCCESS%20Length%3A%2035%2C%20seqnum%3A%200%2C%20connid%3A%200%20NT%20AUTHORITY%5CSYSTEM%3CBR%20%2F%3E3%3A02%3A25.5987981%20PM%20svchost.exe%206128%20TCP%20Send%20ITL-DC-SFTP-2.Contoso.lab.lan%3A2121%20-%26gt%3B%20172.21.12.104%3A50495%20SUCCESS%20Length%3A%2023%2C%20startime%3A%209113405%2C%20endtime%3A%209113405%2C%20seqnum%3A%200%2C%20connid%3A%200%20NT%20AUTHORITY%5CSYSTEM%3CBR%20%2F%3E3%3A02%3A25.5988119%20PM%20svchost.exe%206128%20TCP%20Receive%20ITL-DC-SFTP-2.Contoso.lab.lan%3A2121%20-%26gt%3B%20172.21.12.104%3A50495%20SUCCESS%20Length%3A%2021%2C%20seqnum%3A%200%2C%20connid%3A%200%20NT%20AUTHORITY%5CSYSTEM%3CBR%20%2F%3E3%3A02%3A25.5992702%20PM%20svchost.exe%206128%20CreateFile%20C%3A%5CFTPROOT%5CContoso%5Cabc.com%5C%20%3CFONT%20color%3D%22%230000FF%22%3EPATH%20NOT%20FOUND%20%3C%2FFONT%3EDesired%20Access%3A%20Generic%20Read%2C%20Disposition%3A%20Open%2C%20Options%3A%20Synchronous%20IO%20Non-Alert%2C%20Attributes%3A%20n%2Fa%2C%20ShareMode%3A%20Read%2C%20Write%2C%20AllocationSize%3A%20n%2Fa%2C%20Impersonating%3A%20S-1-5-21-3402317017-4039385704-2910592383-7730%20NT%20AUTHORITY%5CSYSTEM%3CBR%20%2F%3E3%3A02%3A25.6051110%20PM%20svchost.exe%206128%20TCP%20Send%20ITL-DC-SFTP-2.Contoso.lab.lan%3A2121%20-%26gt%3B%20172.21.12.104%3A50495%20SUCCESS%20Length%3A%2054%2C%20startime%3A%209113405%2C%20endtime%3A%209113406%2C%20seqnum%3A%200%2C%20connid%3A%200%20NT%20AUTHORITY%5CSYSTEM%3CBR%20%2F%3E3%3A02%3A25.6051238%20PM%20svchost.exe%206128%20TCP%20Receive%20ITL-DC-SFTP-2.Contoso.lab.lan%3A2121%20-%26gt%3B%20172.21.12.104%3A50495%20SUCCESS%20Length%3A%200%2C%20seqnum%3A%200%2C%20connid%3A%200%20NT%20AUTHORITY%5CSYSTEM%3CBR%20%2F%3E3%3A02%3A25.6103687%20PM%20svchost.exe%206128%20TCP%20Disconnect%20ITL-DC-SFTP-2.Contoso.lab.lan%3A2121%20-%26gt%3B%20172.21.12.104%3A50495%20SUCCESS%20Length%3A%200%2C%20seqnum%3A%200%2C%20connid%3A%200%20NT%20AUTHORITY%5CSYSTEM%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3EWe%20went%20back%20and%20checked%20our%20configuration%20and%20found%20that%26nbsp%3B%20we%20were%20giving%20user%20account%20details%20as%26nbsp%3B%20%22%3CSTRONG%3EContoso.xxxx.xxxxx.com%5Cuse%3C%2FSTRONG%3Er%22%26nbsp%3B%20and%20path%20as%20%E2%80%9C%22%20C%3A%5CFTPROOT%5C%20Contoso.xxxx.xxxxx.com%5C%20abc%5C%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3BSVCHOST.exe%20%26nbsp%3Bis%20creating%20file%20and%20looking%20for%20%3CSTRONG%3EContoso%3C%2FSTRONG%3E%20path%20C%3A%5CFTPROOT%5CContoso%5Cabc%5C%20%26nbsp%3B%26nbsp%3Band%20we%20were%20getting%20access%20denied%20as%20soon%20as%20the%20user%20isolation%20is%20enabled.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ERESOLUTION%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWe%20renamed%20the%20path%20to%20%22%20C%3A%5CFTPROOT%5CContoso%5Cabc%5C%26nbsp%3B%22%20and%20logged%20in%20with%20%22Contoso%5Cusername%20(Contoso%20%5Cabc)%22%20and%20we%20were%20able%20to%20achieve%20user%20isolation%20and%20connection%20successfully.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Recently  I was working on a case where we wanted to setup  FTP User level isolation .

 

 We created test FTP site with basic authentication enabled  and created the folder structure required for User isolation  with “username directory(disable global virtual directory)

Windows domain accounts (requires basic authentication)

%FtpRoot%%UserDomain%%UserName%

 

 

 

From  : https://docs.microsoft.com/en-us/iis/publish/using-the-ftp-service/configuring-ftp-user-isolation-in...

  • User name directory (disable global virtual directories) :  This option specifies that you want to isolate FTP user sessions to the physical or virtual directory with the same name of the FTP user account. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the physical or virtual directory tree
  • To create home directories for each user, you first need to create a physical directory under your FTP server's root folder that is named after your domain or named LocalUser for local user accounts. Next, you need to create a physical directory for each user account that will access your FTP site. The following table lists the home directory syntax for the authentication providers that ship with the FTP service.

User Account Types

Physical Home Directory Syntax

Anonymous users

%FtpRoot%\LocalUser\Public

Local Windows user accounts (requires basic authentication)

%FtpRoot%\LocalUser%UserName%

Windows domain accounts (requires basic authentication)

%FtpRoot%%UserDomain%%UserName%

IIS Manager or ASP.NET custom authentication user accounts

%FtpRoot%\LocalUser%UserName%

 

 

 

We started seeing issues where user isolation was not working and failing with “access denied” error. We checked and found  NTFS and  FTP default permissions to be ok and good.

 

clipboard_image_0.jpeg

 

 

We collected procmon   and found that there was No access denied errors but failing with  "PATH NOT FOUND"

 

 

3:02:25.5810043 PM svchost.exe 6128 TCP Accept ITL-DC-SFTP-2.Contoso.lab.lan:2121 -> 172.21.12.104:50495 SUCCESS Length: 0, mss: 1380, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 262200, rcvwinscale: 8, sndwinscale: 8, seqnum: 0, connid: 0 NT AUTHORITY\SYSTEM
3:02:25.5934536 PM svchost.exe 6128 TCP Send ITL-DC-SFTP-2.Contoso.lab.lan:2121 -> 172.21.12.104:50495 SUCCESS Length: 27, startime: 9113403, endtime: 9113405, seqnum: 0, connid: 0 NT AUTHORITY\SYSTEM
3:02:25.5934751 PM svchost.exe 6128 TCP Receive ITL-DC-SFTP-2.Contoso.lab.lan:2121 -> 172.21.12.104:50495 SUCCESS Length: 35, seqnum: 0, connid: 0 NT AUTHORITY\SYSTEM
3:02:25.5987981 PM svchost.exe 6128 TCP Send ITL-DC-SFTP-2.Contoso.lab.lan:2121 -> 172.21.12.104:50495 SUCCESS Length: 23, startime: 9113405, endtime: 9113405, seqnum: 0, connid: 0 NT AUTHORITY\SYSTEM
3:02:25.5988119 PM svchost.exe 6128 TCP Receive ITL-DC-SFTP-2.Contoso.lab.lan:2121 -> 172.21.12.104:50495 SUCCESS Length: 21, seqnum: 0, connid: 0 NT AUTHORITY\SYSTEM
3:02:25.5992702 PM svchost.exe 6128 CreateFile C:\FTPROOT\Contoso\abc.com\ PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, Impersonating: S-1-5-21-3402317017-4039385704-2910592383-7730 NT AUTHORITY\SYSTEM
3:02:25.6051110 PM svchost.exe 6128 TCP Send ITL-DC-SFTP-2.Contoso.lab.lan:2121 -> 172.21.12.104:50495 SUCCESS Length: 54, startime: 9113405, endtime: 9113406, seqnum: 0, connid: 0 NT AUTHORITY\SYSTEM
3:02:25.6051238 PM svchost.exe 6128 TCP Receive ITL-DC-SFTP-2.Contoso.lab.lan:2121 -> 172.21.12.104:50495 SUCCESS Length: 0, seqnum: 0, connid: 0 NT AUTHORITY\SYSTEM
3:02:25.6103687 PM svchost.exe 6128 TCP Disconnect ITL-DC-SFTP-2.Contoso.lab.lan:2121 -> 172.21.12.104:50495 SUCCESS Length: 0, seqnum: 0, connid: 0 NT AUTHORITY\SYSTEM

We went back and checked our configuration and found that  we were giving user account details as  "Contoso.xxxx.xxxxx.com\user"  and path as “" C:\FTPROOT\ Contoso.xxxx.xxxxx.com\ abc\"

 SVCHOST.exe  is creating file and looking for Contoso path C:\FTPROOT\Contoso\abc\   and we were getting access denied as soon as the user isolation is enabled.

 

RESOLUTION:

We renamed the path to " C:\FTPROOT\Contoso\abc\ " and logged in with "Contoso\username (Contoso \abc)" and we were able to achieve user isolation and connection successfully.