IIS: Configure permissions for FTP site

cjm51213 106 Reputation points
2022-12-18T18:23:51.32+00:00

I am trying to configure a simple FTP site as a local "cloud" for a CCTV to upload recordings. I am having problems with authentication.

I have a user "nobody" in my domain and I have verified that:

  • I know the password: "runas /user:nobody notepad.exe" asks for the password and then runs notepad.
  • "nobody" has R/W access to "C:\inetpub\ftproots\Cobra" through membership in the group "FTP Users" (image 3 below).
  • The Microsoft FTP service is running as "Local System", and I believe that "Local System" has R/W access to "C:\inetpub\ftproots\Cobra", as "SYSTEM".

I have configured IIS (8.5) with a site called "Cobra" and an Application Pool also called "Cobra". If I "Test Connection" with the pool, I see a permissions problem with the filesystem path (image 2 below), but if I use a specific credential there is no problem (image 3 below). However, in neither case can I actually authenticate with the FTP client (image 4 below). Discussion continues after images.

Here are some screenshots of values set in these:

271834-image.png

271806-image.png

271901-image.png

271873-image.png

271902-image.png

It looks like three problems:

  • What are the "pass-through" credentials and why is the filesystem path protected against them?
  • Why can I not authenticate with the FTP client, even under the most relaxed condition of "anonymous"?
  • The third image includes the text, "verify that <domain>\<computer_name>$ has Read access to the physical path". Is "<domain>\<computer_name>$" anything different from "SYSTEM"? If it is different, then how do I perform this test?

Thanks for the help,

Chris.

Windows development | Internet Information Services

1 answer

  1. Yurong Dai-MSFT 2,846 Reputation points Microsoft External Staff
    2022-12-19T09:29:27.237+00:00

    The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again.

    You are seeing this error message, which is actually a warning message, because you have chosen to use pass-through authentication. In this case, the application pool runs under a low-privilege built-in account, usually Network Service or ApplicationPoolIdentity. IIS cannot verify that built-in accounts have the correct settings; this can only be done at runtime. Also, the Test Setup process has no idea which user you authenticated as. So basically, you need to verify that the application pool identity has read permissions to the files and configuration files. You also need to make sure that the application identity has appropriate security settings. In most cases, you can ignore this warning message because in default settings all permissions are set correctly.

    I think your main problem should be that you cannot use the FTP client for authentication. For the FTP 530 error you encounter, you can refer to this document, which I hope helps you: https://techcommunity.microsoft.com/t5/iis-support-blog/ftp-530-user-cannot-log-in-error-and-solution/ba-p/364570



    Best regards,
    Yurong Dai
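
One way to perform the check the warning asks for, as an added example that is not part of the original thread: the PowerShell below lists, for each identity named above, whether the folder's ACL carries an Allow or Deny entry covering Read. The path and pool name are taken from the question; the function name `Test-ReadAce` is hypothetical, and building the computer account from `$env:USERDOMAIN` assumes you are logged on with a domain account on the domain-joined server.

```powershell
# Added example. Reports ACEs that name each identity directly on the FTP root.
# It does NOT resolve group membership, so access granted through a group
# (for example "FTP Users") will show as AllowRead = False for the member.
$Path = 'C:\inetpub\ftproots\Cobra'              # physical path from the question
$Identities = @(
    'IIS AppPool\Cobra',                         # pool identity for the "Cobra" pool
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\NETWORK SERVICE',
    "$env:USERDOMAIN\$env:COMPUTERNAME`$"        # <domain>\<computer_name>$ (assumption, see lead-in)
)

function Test-ReadAce {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Identity
    )
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $rules = (Get-Acl -LiteralPath $Path).Access   # explicit and inherited ACEs

    foreach ($id in $Identity) {
        # ACEs whose trustee is exactly this identity (case-insensitive match)
        $mine = @($rules | Where-Object { $_.IdentityReference.Value -ieq $id })

        # Allow ACEs that include every bit of Read
        $allow = @($mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $read) -eq $read)
        })
        # Deny ACEs that remove any bit of Read (Deny wins over Allow)
        $deny = @($mine | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (($_.FileSystemRights -band $read) -ne 0)
        })

        [pscustomobject]@{
            Identity  = $id
            AllowRead = ($allow.Count -gt 0)
            DenyRead  = ($deny.Count -gt 0)
            AceCount  = $mine.Count
        }
    }
}

Test-ReadAce -Path $Path -Identity $Identities | Format-Table -AutoSize
```

A row with `AllowRead = False` and `AceCount = 0` only means no entry names that identity directly; compare against the full `(Get-Acl $Path).Access` output to see which groups hold the grant.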
