Article ID: 247099 - Last Review: July 7, 2008 - Revision: 4.0

Access Denied When Connecting to a FTP Directory That Uses a UNC Path with "Connect As" Feature

This article was previously published under Q247099
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1

SYMPTOMS

When accessing an FTP site whose Home Directory connects to a remote share using a UNC path with the Connect As feature, one of the following symptoms might occur:
  • The Access Control List (ACL) permissions of the user account logged on to the FTP session are not used to determine the access permissions for the Home Directory.

  • The following error occurs:
    Access Denied

CAUSE

This is by design. The Home Directory uses the credentials of the user account and password specified in the Connect As feature to connect to the UNC. All access permissions to the Home Directory are determined by the ACLs for that Connect As user account.

Therefore, the credentials (and associated permissions) for the user account that was used to log on to the FTP site are not used to determine access to the UNC Home Directory.

RESOLUTION

To avoid these problems, do one of the following, depending on your situation:
  • Do not use the UNC and Connect As feature for the Home Directory. Instead, specify a Home Directory on the local computer.

  • Specify a user account for the Connect As feature that has the appropriate ACL permissions needed by the FTP site users.
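
Because every FTP session reaches the share as the Connect As account, the ACL on the UNC target decides what all FTP users can do there. The following PowerShell script is an added example, not part of the original article: it lists the NTFS access entries on the share that apply to the Connect As account or to broad groups that normally include it, and marks entries that allow changes. The UNC path and account name are placeholders, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the KB article). Assumes PowerShell 3.0 or later.
# The UNC path and account name below are placeholders; replace them with your own.
param(
    [string]$UncPath   = '\\fileserver\ftproot',
    [string]$ConnectAs = 'CONTOSO\svc-ftp'
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# SIDs to report: the Connect As account plus broad groups that normally include it.
# Comparing SIDs avoids problems with localized or differently formatted names.
$watch = @{
    ([System.Security.Principal.NTAccount]$ConnectAs).Translate($sidType).Value = $ConnectAs
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a session change content or permissions. 0x50000000 covers the
# GENERIC_WRITE and GENERIC_ALL bits that can appear on inherit-only entries.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

# Read the ACL of the share root (the caller needs permission to read it).
$acl = Get-Acl -LiteralPath $UncPath

$acl.GetAccessRules($true, $true, $sidType) | ForEach-Object {
    $sid = $_.IdentityReference.Value
    if ($watch.ContainsKey($sid)) {
        [pscustomobject]@{
            Identity  = $watch[$sid]
            Type      = $_.AccessControlType        # Allow or Deny
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
            # True when an Allow entry carries any change-capable right.
            CanModify = ($_.AccessControlType -eq 'Allow') -and
                        (([int]$_.FileSystemRights -band $writeBits) -ne 0)
        }
    }
} | Format-Table -AutoSize
```

The script does not expand other groups the Connect As account may belong to, so an empty result does not prove the account has no access. Share-level permissions on the file server are evaluated in addition to the NTFS ACL shown here.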

MORE INFORMATION

The settings for the UNC and Connect As option are specified on the Home Directory tab of the FTP site's property sheet in the MMC. The user account specified in the Connect As option must be either a local user account that exists on both the FTP site computer and the UNC file server computer, or a domain user account.

Additional References

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
247970 (http://support.microsoft.com/kb/247970/EN-US/) How to Enable Pass-Through Authentication for FTP UNC Virtual Directories
239120 (http://support.microsoft.com/kb/239120/EN-US/) Create a Secure FTP Directory that Uses Password Authentication
201771 (http://support.microsoft.com/kb/201771/EN-US/) How To Set Up an FTP Site So That Users Log Onto Their Folders
195259 (http://support.microsoft.com/kb/195259/EN-US/) FTP Site Mapped to a Remote Share May Have Access Problems

APPLIES TO
  • Microsoft Internet Information Server 1.0
  • Microsoft Internet Information Server 2.0
  • Microsoft Internet Information Server 3.0
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 6.0