Monday 16 June 2008

A Case of an Unexplained IIS FTP Problem

Scenario: IIS FTP is configured in "Isolate User (without Active Directory)" mode, as documented in the following Microsoft Support article:

http://support.microsoft.com/kb/555018

Problem: After reinstalling and reconfiguring all IIS-related services many times, IIS FTP still did not work in isolated mode. Every time a user tried to log in via FTP, the login failed with the following error:

Event Type: Warning

Event Source: MSFTPSVC

Event Category: None

Event ID: 13

Date: 01/06/2008

Time: 10:20:38

User: N/A

Computer: IWISHICOULDCHAN

Description:

User administrator failed to log on, could not access the home directory /.

I decided to dig into the problem and concluded that neither IIS nor IIS FTP itself was the source. Inetinfo.exe was working as expected but could not find the home directory for specific users. I verified many times that a directory named after the user existed and carried the necessary permissions for the inetinfo.exe process.

I launched Process Monitor with a filter on inetinfo.exe to see what was going on, and got the following activity:

Sequence: 12145

Date Time: 08:59:25.0538032

Process Name: inetinfo.exe

PID: 1172

Operation: CreateFile

Path: C:\Inetpub\ftproot\LocalUser\IWISHICOULDCHAN\Administrator\

Result: PATH NOT FOUND

Detail: Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, Impersonating: IWISHICOULDCHAN\Administrator

I was stumped that inetinfo.exe was trying to open the user's home directory at the location above. According to Microsoft's support article, the user's home directory must be created under the "LocalUser" folder, but that was evidently not where the service was looking. I created the user directory at the path inetinfo.exe wanted, and everything started to work.

Investigation:

The Microsoft Support article describes the FTP root layout and user folders as follows:

If users of the local computer log in with their individual account user names, create the subdirectory LocalUser under the FTP site root directory you specified when you created the FTP site.

For example:

FTP root directory -> D:\MyFTP\

LocalUser located at D:\MyFTP\LocalUser

For an individual user, create a folder in the format LocalUser\username:

User Susan located at D:\MyFTP\LocalUser\Susan

If users of different domains log on with their explicit domain\username credentials, create a subdirectory for each domain (named after the domain) under the FTP site root directory you specified when you created the FTP site.

For example:

Domain name: Account

FTP root directory -> D:\MyFTP\

Domain folder located at D:\MyFTP\Account

For an individual domain user, create a folder in the format Domain\username:

Domain user Nancy located at D:\MyFTP\Account\Nancy[1]

The FTP problem I had matched the folder-layout pattern for a domain environment; the slight problem was that my server was running in a workgroup.

Inetinfo.exe was trying to open "FTPRootDirectory\ServerName\%username%". A closer look revealed that ServerName was not the actual computer name but the server's NetBIOS name. My full computer name was "IWISHICOULDCHANGE" (changed here for clarity), which is longer than 15 characters, so the NetBIOS name was truncated to "IWISHICOULDCHAN".

Technical Details:

When you log in via FTP, the inetinfo.exe process first reads the computer name. See the following Process Monitor event:

Sequence: 11436

Date Time: 09:34:38.3419286

Process Name: inetinfo.exe

PID: 1172

Operation: RegQueryValue

Path: HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName

Result: SUCCESS

Data: IWISHICOULDCHAN

As we can see, inetinfo.exe reads the computer name from the registry, and that value (ActiveComputerName) holds only the NetBIOS name of the server.

I believe the root cause is how authentication works and how the logon is handed off. IIS FTP uses Windows authentication by default and relies on NTLM. When you log in, IIS FTP impersonates the logging-on user to access the file or directory. Process Monitor shows the following event:

Sequence: 7265

Date Time: 09:58:57.8573348

Process Name: inetinfo.exe

PID: 1172

Operation: CreateFile

Path: C:\Inetpub\ftproot\LocalUser\IWISHICOULDCHAN\Administrator

Result: SUCCESS

Detail: Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, Impersonating: IWISHICOULDCHAN\Administrator, OpenResult: Opened

And you will notice the following event in the Security event log:

Event Type: Success Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 552

Date: 01/06/2008

Time: 11:22:50

User: NT AUTHORITY\SYSTEM

Computer: IWISHICOULDCHAN

Description:

Logon attempt using explicit credentials:

Logged on user:

User Name: IWISHICOULDCHAN$

Domain: WORKGROUP

Logon ID: (0x0,0x3E7)

Logon GUID: -

User whose credentials were used:

Target User Name: Administrator

Target Domain: IWISHICOULDCHAN

Target Logon GUID: -

Target Server Name: localhost

Target Server Info: localhost

Caller Process ID: 1172

Source Network Address: -

Source Port: -

It seems that when the server name is longer than 15 characters, inetinfo.exe concludes during NTLM authentication that the isolated FTP site is running in a domain environment and therefore tries to access the user's home directory at "FTPRootDirectory\ServerName\%username%". Note that the audit event above records the Target Domain as the NetBIOS name IWISHICOULDCHAN, not the full computer name IWISHICOULDCHANGE; a mismatch between those two strings would explain why the account is treated as a domain user rather than a local one.

Conclusion:

If your computer name is longer than 15 characters and you are creating an isolated FTP site, you need to create the user's home directory under "FTPRootDirectory\<NetBIOS name of server>\" rather than under "FTPRootDirectory\LocalUser\" as documented in the support article. I have not found any support article mentioning this, or any article stating that a server hosting IIS should not have a name longer than 15 characters.
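The folder layout from the support article (Investigation section) and the workaround from this conclusion, as an added PowerShell example that is not part of the original post. It creates the documented LocalUser\<user> directories and, when the full host name exceeds 15 characters, the additional <NetBIOS name>\<user> directories that inetinfo.exe actually opened in the trace above. The FTP root, the user list and the use of icacls.exe (Windows Server 2003 SP2 or later) are assumptions for the example; the NetBIOS name is read from the same registry value the Process Monitor event showed.

```powershell
# Added example, not code from the original post.
# Creates IIS 6 FTP user-isolation home directories for local users on a
# workgroup server:
#   <root>\LocalUser\<user>        documented layout (KB 555018)
#   <root>\<NetBIOS name>\<user>   layout observed when the host name > 15 chars
# Assumptions (hypothetical): FTP root C:\Inetpub\ftproot, the user list below,
# icacls.exe available (Windows Server 2003 SP2 or later).
param(
    [string]   $FtpRoot = 'C:\Inetpub\ftproot',
    [string[]] $Users   = @('Administrator', 'Susan')
)

# $env:COMPUTERNAME is already the NetBIOS (15-char) name, so take the full
# host name from DNS and the NetBIOS name from the registry value inetinfo.exe
# was seen reading in the trace.
$hostName    = [System.Net.Dns]::GetHostName()
$netbiosName = (Get-ItemProperty `
    'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName').ComputerName

$containers = @('LocalUser')                 # documented layout
if ($hostName.Length -gt 15) {
    Write-Warning "Host name '$hostName' is $($hostName.Length) characters; NetBIOS name is '$netbiosName'. Creating home directories under both LocalUser and $netbiosName."
    $containers += $netbiosName              # layout observed in the trace
}

foreach ($user in $Users) {
    foreach ($container in $containers) {
        $homeDir = Join-Path (Join-Path $FtpRoot $container) $user
        if (-not (Test-Path -LiteralPath $homeDir)) {
            New-Item -ItemType Directory -Path $homeDir | Out-Null
        }
        # The service impersonates the logging-on user (Impersonating: <host>\<user>
        # in the trace), so that user needs Modify on its own home directory;
        # nothing wider is granted here.
        & icacls.exe $homeDir /grant "${user}:(OI)(CI)M" | Out-Null
        Write-Host "Ready: $homeDir"
    }
}
```

After running it, log in over FTP as one of the listed users; if Event ID 13 from MSFTPSVC still appears, rerun Process Monitor with the inetinfo.exe filter and compare the CreateFile path it reports against the directories the script printed.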

Side Problem:

When you set a computer name longer than 15 characters, Windows shows an information dialog box warning that the NetBIOS name will be truncated, but that warning says nothing about the problems you may run into later.

This saga continues with one more problem you will hit while creating a website.

My server has the following IP configuration: two addresses, 10.2.105.107 and 10.2.105.108.

When the computer name is longer than 15 characters, IIS Manager offers only the primary IP address as an available address for configuring a website.

Technically, I should see both "10.2.105.107" and "10.2.105.108" as available IP addresses. To verify whether the problem is with the IIS Manager GUI or with IIS itself, I modified the server bindings of the Default Web Site in Metabase.xml as follows:

<IIsWebServer Location="/LM/W3SVC/1"
    AppPoolId="DefaultAppPool"
    DefaultDoc="Default.htm,Default.asp,index.htm,iisstart.htm"
    LogPluginClsid="{FF160663-DE82-11CF-BC0A-00AA006111E0}"
    ServerBindings="10.2.105.107:80:
10.2.105.108:80:"
    ServerComment="Default Web Site"
    ServerSize="1"
>

IIS Manager now listed the additional IP on the Default Web Site (at least because we forced it into the metabase!). I went ahead and started creating a new website and was stumped again!

The IIS Manager wizard did not offer the additional IP; it showed only the server's primary IP address. I verified that the problem lies in the GUI and not in IIS itself: when you create a new website manually from the command line and bind it only to the secondary IP address, IIS serves it normally. I believe this happens because of how the drop-down list gets populated.
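The command-line route described above, as an added PowerShell example that is not part of the original post: it sets both bindings on the Default Web Site with adsutil.vbs instead of hand-editing Metabase.xml, creates a second site bound only to the secondary address with iisweb.vbs, and then checks that both addresses accept connections on port 80. The two addresses come from the post; the default IIS 6 script locations, the site path and the site name are assumptions for the example.

```powershell
# Added example, not code from the original post.
# Assumptions: IIS 6 on Windows Server 2003 with the stock admin scripts at
# %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs and %windir%\system32\iisweb.vbs;
# C:\Inetpub\secondsite and "Second Site" are hypothetical.
$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'
$iisweb  = Join-Path $env:windir      'system32\iisweb.vbs'

# ServerBindings is a multi-valued metabase property; each "IP:port:hostheader"
# argument becomes one entry, the same two entries the Metabase.xml edit above used.
cscript.exe //nologo $adsutil SET W3SVC/1/ServerBindings '10.2.105.107:80:' '10.2.105.108:80:'

# Read it back; both bindings should be listed.
cscript.exe //nologo $adsutil GET W3SVC/1/ServerBindings

# New site bound only to the secondary address, which the GUI never offers.
cscript.exe //nologo $iisweb /create C:\Inetpub\secondsite 'Second Site' /b 80 /i 10.2.105.108

# List every site with its IP and port as IIS itself sees them.
cscript.exe //nologo $iisweb /query

# Independent check: does each address actually accept TCP connections on 80?
foreach ($ip in '10.2.105.107', '10.2.105.108') {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ip, 80)
        Write-Host "${ip}:80 is accepting connections"
    }
    catch {
        Write-Warning "${ip}:80 not reachable: $($_.Exception.Message)"
    }
    finally {
        $client.Close()
    }
}
```

If the second site is listed by iisweb /query on 10.2.105.108 and the connection check succeeds, the service side is fine and the missing entry in the drop-down is purely an IIS Manager display issue, as the post concludes.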



[1] http://support.microsoft.com/kb/555018