Troubleshooting FTP 530 Error: Fixing “User Cannot Log In, Home Directory Inaccessible” on IIS 7

When configuring FTP on Windows Server 2008 with IIS 7, many administrators encounter the frustrating 530 error during client authentication. The error sequence typically looks like this:

Response: 220 Microsoft FTP Service
Command: USER testuser
Response: 331 Password required for testuser.
Command: PASS ********
Response: 530 User cannot log in, home directory inaccessible.

This error fundamentally indicates a permission issue at either the NTFS or IIS authorization level. Here's what to verify:

# PowerShell snippet to check folder permissions (PowerShell comments use '#', not '//')
$acl = Get-Acl "C:\FTPRoot\Users\testuser"
$acl.Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited -AutoSize

The user account must have at least these permissions on their home directory:

  • Read & Execute
  • List folder contents
  • Read
  • Special permission: Traverse folder/execute file

For user isolation scenarios, add these permissions via PowerShell:

$user = "DOMAIN\testuser"
$folder = "C:\FTPRoot\Users\testuser"
# Pass inheritance flags so the rule also applies to files and subfolders created under the home directory;
# the three-argument constructor applies the rule to the folder object only.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "ReadAndExecute", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl = Get-Acl $folder
$acl.SetAccessRule($rule)   # SetAccessRule replaces any existing Allow rule for this identity
Set-Acl -Path $folder -AclObject $acl

In IIS Manager, verify these settings under FTP Authorization Rules:

  1. Ensure "Allow" rule exists for specific user/user group
  2. Permissions should include at least "Read"
  3. Check inheritance isn't blocked

When using virtual directories, ensure the physical path exists and has proper permissions:

:: Batch script to create virtual directory structure (batch comments use '::' or 'REM', not '//')
@echo off
mkdir C:\FTPRoot\Users\testuser\data
mkdir C:\FTPRoot\Users\testuser\log
:: (OI)(CI) make the grant inherit to files and subfolders; RX = Read and Execute
icacls "C:\FTPRoot\Users\testuser" /grant "IUSR:(OI)(CI)(RX)"
icacls "C:\FTPRoot\Users\testuser" /grant "IIS_IUSRS:(OI)(CI)(RX)"

Enable FTP logging in IIS for detailed error tracking:

  1. Open IIS Manager
  2. Select server node → FTP Logging
  3. Enable logging with "W3C Extended Log File Format"
  4. Review logs in %SystemDrive%\inetpub\logs\LogFiles
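Once W3C logging is on, the quickest way to see whether the 530 is specific to one account or hits every login is to pull the failed PASS commands out of the log. The script below is an added example, not part of the original article: it reads the `#Fields:` header so the column order does not have to be hard-coded, and the log lines it parses are constructed sample data (the IP addresses, session IDs and the Win32 status 5, which is ERROR_ACCESS_DENIED in the Win32 error table, are all made up for the example). The `FTPSVC1` folder name assumes the FTP site has ID 1.

```powershell
# Added example (not from the original article): summarise 530 login failures from an IIS FTP W3C log.
# $sampleLog is constructed sample data; replace it with Get-Content on a real file, e.g.
# "$env:SystemDrive\inetpub\logs\LogFiles\FTPSVC1\u_exYYMMDD.log" (site ID 1 assumed).
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-01-15 10:00:01 192.0.2.10 - 198.51.100.5 21 ControlChannelOpened - - 0 0 0 0a1b2c3d /
2024-01-15 10:00:01 192.0.2.10 - 198.51.100.5 21 USER testuser 331 0 0 0a1b2c3d /
2024-01-15 10:00:02 192.0.2.10 testuser 198.51.100.5 21 PASS *** 530 5 0 0a1b2c3d /
2024-01-15 10:00:09 192.0.2.11 - 198.51.100.5 21 USER userFTP 331 0 0 0e5f6a7b /
2024-01-15 10:00:10 192.0.2.11 userFTP 198.51.100.5 21 PASS *** 530 5 0 0e5f6a7b /
2024-01-15 10:00:30 192.0.2.12 - 198.51.100.5 21 USER okuser 331 0 0 1a2b3c4d /
2024-01-15 10:00:31 192.0.2.12 okuser 198.51.100.5 21 PASS *** 230 0 0 1a2b3c4d /
'@

function Get-FtpLoginFailure {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive names the columns; everything else starting with '#' is a header.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or $line.Trim() -eq '') { continue }
        $values = $line -split '\s+'
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        # A 530 on the PASS command is the "User cannot log in" response seen in the client trace.
        if ($entry['cs-method'] -eq 'PASS' -and $entry['sc-status'] -eq '530') {
            New-Object PSObject -Property @{
                Time        = "$($entry['date']) $($entry['time'])"
                ClientIP    = $entry['c-ip']
                User        = $entry['cs-username']
                Win32Status = $entry['sc-win32-status']   # 5 = ERROR_ACCESS_DENIED
                Session     = $entry['x-session']
            }
        }
    }
}

$failures = Get-FtpLoginFailure -Lines ($sampleLog -split '\r?\n')
$failures | Format-Table Time, ClientIP, User, Win32Status, Session -AutoSize

# Failures spread across every account point at a site-wide cause (authorization rules, IIS_IUSRS
# rights on the FTP root); failures confined to one account point at that user's home directory ACL.
$failures | Group-Object User | Select-Object Name, Count
```

`New-Object PSObject -Property` is used instead of `[pscustomobject]` so the script also runs under the PowerShell 2.0 that ships with Windows Server 2008.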

A fuller client trace of the same failure, including the connection status lines, typically looks like this:

Status: Connecting to xxx.xx.xx.xx:21...
Status: Connection established, waiting for welcome message...
Response: 220 Microsoft FTP Service
Command: USER userFTP
Response: 331 Password required for userFTP.
Command: PASS ********
Response: 530 User cannot log in, home directory inaccessible.

The root cause usually stems from permission issues, but it's more nuanced than simple read/write access. Here's what actually happens behind the scenes:

  • The FTP service needs both NTFS and IIS authorization to access the home directory
  • The system account (IUSR) requires explicit permissions
  • Inherited permissions often don't propagate correctly

Follow these steps precisely to resolve the 530 error:

# PowerShell commands to verify permissions (PowerShell comments use '#'; '::' is batch syntax)
$acl = Get-Acl "C:\FTP\user_directory"
$acl.Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited -AutoSize

Essential permission requirements:

  1. FTP user account: Read/Write
  2. IIS_IUSRS: Read/Execute
  3. SYSTEM: Full Control
  4. Administrators: Full Control
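Rather than reading the Get-Acl output by eye, the permission requirements from the list above (and the earlier Read & Execute list for the user's home directory) can be turned into an automated check. The script below is an added example, not part of the original article: it compares the Allow entries on a folder against a table of required rights per identity and reports what is missing or explicitly denied. The folder path and the account name `testuser` are assumptions; the identity names use the standard Windows forms (`BUILTIN\IIS_IUSRS`, `NT AUTHORITY\SYSTEM`, `BUILTIN\Administrators`).

```powershell
# Added example (not from the original article): audit an FTP home directory against the minimum
# NTFS rights listed in the text. Path and account name are assumptions; adjust to your layout.
$folder = "C:\FTPRoot\Users\testuser"
$rights = [System.Security.AccessControl.FileSystemRights]

# Required Allow rights per identity, as given in the text (FTP user: Read/Write).
$required = @{
    "BUILTIN\IIS_IUSRS"          = $rights::ReadAndExecute
    "NT AUTHORITY\SYSTEM"        = $rights::FullControl
    "BUILTIN\Administrators"     = $rights::FullControl
    "$env:COMPUTERNAME\testuser" = [System.Security.AccessControl.FileSystemRights]"Read, Write"
}

function Test-FtpHomeAcl {
    param([string]$Path, [hashtable]$Required)
    $acl = Get-Acl -Path $Path
    foreach ($identity in $Required.Keys) {
        $needed  = [int]$Required[$identity]
        $granted = 0
        $denied  = 0
        # Fold every ACE for this identity (explicit and inherited) into one Allow mask and one Deny mask.
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ine $identity) { continue }
            if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor [int]$ace.FileSystemRights }
            else                                    { $denied  = $denied  -bor [int]$ace.FileSystemRights }
        }
        $missing    = $needed -band (-bnot $granted)
        $deniedBits = $needed -band $denied   # Deny ACEs win over Allow ACEs, so these also break access
        New-Object PSObject -Property @{
            Identity   = $identity
            OK         = (($missing -eq 0) -and ($deniedBits -eq 0))
            Missing    = $(if ($missing -eq 0) { 'none' } else { [System.Security.AccessControl.FileSystemRights]$missing })
            DeniedBits = $(if ($deniedBits -eq 0) { 'none' } else { [System.Security.AccessControl.FileSystemRights]$deniedBits })
        }
    }
}

Test-FtpHomeAcl -Path $folder -Required $required | Format-Table Identity, OK, Missing, DeniedBits -AutoSize
```

The check only looks at ACEs granted directly to each identity. Rights the FTP user receives through group membership (for example via `Users`) show up as missing here, so treat a "missing" result as a prompt to look at the folder's Effective Access rather than as proof the user cannot read the directory.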

For more complex setups using isolation or virtual directories, add these IIS configuration settings:

<location path="Default Web Site">
  <system.ftpServer>
    <security>
      <authorization>
        <add accessType="Allow" users="*" permissions="Read, Write" />
      </authorization>
    </security>
  </system.ftpServer>
</location>
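The authorization fragment above lives in applicationHost.config, so the FTP Authorization Rules checks listed earlier (an Allow rule that covers the user, at least Read permission) can be verified from the file itself without opening IIS Manager. The script below is an added example, not part of the original article: it collects the `<authorization>` rules for a site from both the site's `<location>` and the server-wide scope, then evaluates whether a given user is matched by an Allow rule and not by a Deny rule. The site name, user name and the assumed group membership are placeholders; the config path is the standard IIS 7 location, and the file can only be read from an elevated session.

```powershell
# Added example (not from the original article): check FTP authorization rules in applicationHost.config.
# Site name, user and group membership below are assumptions; the config path is IIS's default.
$configPath = Join-Path $env:windir "System32\inetsrv\config\applicationHost.config"
$siteName   = "Default Web Site"
$userName   = "testuser"
$userGroups = @("Users")   # groups the account belongs to; confirm with: net user testuser

function Get-FtpAuthorizationRule {
    param([string]$ConfigPath, [string]$SiteName)
    [xml]$config = Get-Content -Path $ConfigPath
    # Site rules sit in <location path="SiteName">; server-wide defaults in <location path=""> or
    # directly under <configuration>. All of them apply to the site, so collect each scope.
    $scopes = @()
    foreach ($loc in @($config.configuration.location)) {
        if ($loc -eq $null) { continue }
        if ($loc.path -eq $SiteName -or $loc.path -eq '') {
            $scopes += @{ Name = "location '$($loc.path)'"; Node = $loc.'system.ftpServer' }
        }
    }
    $scopes += @{ Name = 'server root'; Node = $config.configuration.'system.ftpServer' }
    foreach ($scope in $scopes) {
        $auth = $scope.Node.security.authorization
        if (-not $auth) { continue }
        foreach ($rule in @($auth.add)) {
            if ($rule -eq $null) { continue }
            New-Object PSObject -Property @{
                Scope       = $scope.Name
                AccessType  = $rule.accessType
                Users       = $rule.users
                Roles       = $rule.roles
                Permissions = $rule.permissions
            }
        }
    }
}

function Test-FtpUserAuthorized {
    param($Rules, [string]$User, [string[]]$Groups)
    $allowPerms = @()
    $denyRules  = @()
    foreach ($r in @($Rules)) {
        if ($r -eq $null) { continue }
        $users = @(("$($r.Users)" -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $roles = @(("$($r.Roles)" -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        # users="*" matches all users, "?" anonymous only; roles match any group the account is in.
        $applies = ($users -contains '*') -or ($users -icontains $User) -or
                   (@($roles | Where-Object { $Groups -icontains $_ }).Count -gt 0)
        if (-not $applies) { continue }
        if ("$($r.AccessType)" -ieq 'Deny') { $denyRules += $r } else { $allowPerms += "$($r.Permissions)" }
    }
    # A matching Deny rule overrides any Allow rule; with no matching Allow the user is not authorized.
    New-Object PSObject -Property @{
        User               = $User
        Authorized         = (($allowPerms.Count -gt 0) -and ($denyRules.Count -eq 0))
        AllowedPermissions = ($allowPerms -join '; ')
        MatchingDenyRules  = $denyRules.Count
    }
}

$rules = Get-FtpAuthorizationRule -ConfigPath $configPath -SiteName $siteName
$rules | Format-Table Scope, AccessType, Users, Roles, Permissions -AutoSize
Test-FtpUserAuthorized -Rules $rules -User $userName -Groups $userGroups
```

If `Authorized` is `False` while the NTFS ACL audit passes, the 530 comes from the IIS authorization layer; if it is `True` and `AllowedPermissions` lacks `Read`, the login may succeed but listing the home directory will still fail.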

When standard fixes fail, use Sysinternals Process Monitor to identify the exact permission check failure:

Filter setup:
- Process Name: inetinfo.exe OR ftpsvc.exe
- Operation: CreateFile
- Result: ACCESS DENIED

This will show you precisely which file or folder is causing the authentication failure.

For domain accounts, additional considerations apply:

  • Ensure the computer account has permission to read user objects
  • Verify the "Log on locally" right in Group Policy
  • Check for SID filtering between domains

For multiple user directories, use this script to apply consistent permissions:

$ftpRoot = "C:\FTPRoot"
# Assumes each subfolder of the FTP root is named after the account that owns it (user isolation layout)
$users = Get-ChildItem $ftpRoot | Where-Object { $_.PSIsContainer }   # -Directory requires PowerShell 3.0

# Inheritance flags so the rules propagate to files and subfolders, not just the top-level directory
$inherit   = "ContainerInherit, ObjectInherit"
$propagate = "None"

foreach ($userDir in $users) {
    $path = $userDir.FullName
    $acl = Get-Acl $path

    # Add IIS_IUSRS (Read & Execute)
    $iisRule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS_IUSRS", "ReadAndExecute", $inherit, $propagate, "Allow")
    $acl.AddAccessRule($iisRule)

    # Add the specific user (Modify on their own home directory); folder name must match the account name
    $userRule = New-Object System.Security.AccessControl.FileSystemAccessRule($userDir.Name, "Modify", $inherit, $propagate, "Allow")
    $acl.AddAccessRule($userRule)

    Set-Acl -Path $path -AclObject $acl
}