| Author |
Error 426 when connecting to virtual directory
|
|
| Mike R. 2004-10-10, 5:53 pm |
| I am running SBS 2003 without ISA. I have a Linksys router to direct incoming
traffic to my server. (Note: I have two NICs on this server: Local NIC and
External NIC).
On my Firewall I have forwarded ports 20 and 21 to my server's External NIC.
I also enabled FTP from SBS firewall.
I also created a ftp users group and added this group to "Domain Controller
Security Policy" under "Allow Log on Locally" and made my FTP user to be part
of this group.
Now when I use a FTP client I am getting this error:
426 Connection closed; transfer aborted.
Am I missing something here?
Can someone please guide me as far as how to configure my ftp users with IIS
6 on SBS 2003 server and an external firewall?
Thanks a lot,
Mike
| |
| Bernard 2004-10-11, 2:47 am |
| Sounds like a passive mode issue again.
If you try the command prompt ftp.exe from a remote host,
can you log in and do a dir listing?
For passive mode to work, you need to open a certain port range.
Read -
Information About the IIS File Transmission Protocol (FTP) Service
http://support.microsoft.com/?id=283679
How To Configure PassivePortRange In IIS
http://support.microsoft.com/?id=555022
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:464DDBA6-D555-4074-9A60-8A88D0A7B2C7@microsoft.com...
> I am running SBS 2003 without ISA. I have a Linksys router to direct incoming
> traffic to my server. (Note: I have two NICs on this server: Local NIC and
> External NIC).
>
> On my Firewall I have forwarded ports 20 and 21 to my server's External NIC.
> I also enabled FTP from SBS firewall.
>
> I also created a ftp users group and added this group to "Domain Controller
> Security Policy" under "Allow Log on Locally" and made my FTP user to be part
> of this group.
>
> Now when I use a FTP client I am getting this error:
> 426 Connection closed; transfer aborted.
>
> Am I missing something here?
>
> Can someone please guide me as far as how to configure my ftp users with IIS
> 6 on SBS 2003 server and an external firewall?
>
> Thanks a lot,
>
> Mike
| |
| Mike R. 2004-10-15, 9:26 pm |
| Bernard,
Thanks for your reply.
Now I can't even connect to my server!!!
Here is the new error message:
C:\ftp domain.com
Connected to domain.com.
Connection closed by remote host.
I have no clue what's going on.
Port 20 and 21 are open.
Thanks,
Mike
"Bernard" wrote:
> Sounds like passive mode issue again.
> if you try command prompt ftp.exe from remote host,
> can you login ? and do dir listing ?
>
> For passive mode to work, you need to open certain port range.
> read -
> Information About the IIS File Transmission Protocol (FTP) Service
> http://support.microsoft.com/?id=283679
> How To Configure PassivePortRange In IIS
> http://support.microsoft.com/?id=555022
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
| |
| Bernard 2004-10-15, 9:26 pm |
| What did you change?
First - always test internally and locally first.
Try ftp at the server, make sure everything is running, then test the remote
connection.
You only need inbound 21 and outbound 20 (active mode);
for passive mode, 21 + outbound passive port range.
Also try ftp using the IP address to skip the host name resolution.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:2E6CCD96-82C1-418F-9493-6C513B0F4003@microsoft.com...
> Bernard,
>
> Thanks for your reply.
> Now I can't even connect to my server!!!
> Here is the new error message:
>
> C:\ftp domain.com
> Connected to domain.com.
> Connection closed by remote host.
>
> I have no clue what's going on.
> Port 20 and 21 are open.
>
> Thanks,
>
> Mike
| |
| Mike R. 2004-10-15, 9:26 pm |
| Internally it is working.
I think I just need active mode.
FTP IP gives me the same issue.
"Bernard" wrote:
> what did you changed ?
> first - always test internally and locally first.
> try ftp at the server, make sure everything is running, then test remote
> connection.
>
> You only need inbound 21 and outbound 20 (active mode)
> for passive mode, 21 + outbound passive port range.
>
> also try ftp using IP address to skip the host name resolution.
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
| |
| Bernard 2004-10-15, 9:26 pm |
| OK, so from the remote machine you try:
ftp.exe yourserverip
Where do you experience the 426 error?
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:BA9E1C5C-18CC-4AE0-B190-1AB037E3A82F@microsoft.com...
> Internally it is working.
>
> I think I just need active mode.
>
> FTP IP gives me the same issue.
| |
| Mike R. 2004-10-15, 9:26 pm |
| from outside (ftp public ip)
"Bernard" wrote:
> Ok, so from remote machine you try:
> ftp.exe yourserverip
>
> where do you experienced 426 error ?
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
| |
| Bernard 2004-10-15, 9:26 pm |
| Can you post the log?
Connecting to ...
220 Microsoft FTP Service
.....
Also the IIS FTP log as well.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:3DBD9368-A888-4437-9D9A-DB303FF446E6@microsoft.com...
> from outside (ftp public ip)
| |
| Mike R. 2004-10-15, 9:26 pm |
| C:\Documents and Settings\mike>ftp publicip
Connected to publicip.
Connection closed by remote host.
log:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-10-11 02:00:16
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
02:00:16 192.168.16.2 [2]USER administrator 331 0
02:00:20 192.168.16.2 [2]PASS - 230 0
02:02:55 192.168.16.2 [2]closed - 421 121
02:24:55 192.168.16.11 [4]closed - 421 121
"Bernard" wrote:
> Can you post the log ?
> Connecting to ...
> 220 Microsoft FTP Service
> .....
>
> also IIS FTP log as well.
>
>
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
| |
| Alun Jones [MSFT] 2004-10-15, 9:26 pm |
| "Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:A84A370A-478D-4C70-B6DB-D361ECFD248F@microsoft.com...
> 02:00:16 192.168.16.2 [2]USER administrator 331 0
> 02:00:20 192.168.16.2 [2]PASS - 230 0
> 02:02:55 192.168.16.2 [2]closed - 421 121
421 is a different error from 426. 421 is used to indicate a closure of the
control connection, whereas 426 is used for closing the data connection.
The win32-status field gives you some further information, which can be
gleaned from "net helpmsg 121" - that tells you:
"The semaphore timeout period has expired."
Ignore, for now, the technical term "semaphore", and concentrate, instead,
on the word "timeout". Now go back and look at the log, and you'll see that
two and a half minutes, and no commands, came between the logon (USER and
PASS commands) and the time when you were disconnected for no activity.
This seems like everything's working as it should on the server's side.
426, on the other hand, is a very common error now that the world uses
firewalls and NATs - which one are we debugging right now?
Alun.
~~~~
| |
| Mike R. 2004-10-15, 9:26 pm |
| Thank you Alun for your reply,
First when I started configuring my ftp server it gave me error 426 and
after couple days the error changed to 421.
How can I give you more information so we can troubleshoot this problem? Any
logs that you need to look at? Please let me know.
Thanks,
Mike
"Alun Jones [MSFT]" wrote:
> "Mike R." <MikeR@discussions.microsoft.com> wrote in message
> news:A84A370A-478D-4C70-B6DB-D361ECFD248F@microsoft.com...
>
> 421 is a different error from 426. 421 is used to indicate a closure of the
> control connection, whereas 426 is used for closing the data connection.
> The win32-status field gives you some further information, which can be
> gleaned from "net helpmsg 121" - that tells you:
>
> "The semaphore timeout period has expired."
>
> Ignore, for now, the technical term "semaphore", and concentrate, instead,
> on the word "timeout". Now go back and look at the log, and you'll see that
> two and a half minutes, and no commands, came between the logon (USER and
> PASS commands) and the time when you were disconnected for no activity.
> This seems like everything's working as it should on the server's side.
>
> 426, on the other hand, is a very common error now that the world uses
> firewalls and NATs - which one are we debugging right now?
>
> Alun.
> ~~~~
>
>
>
| |
| Alun Jones [MSFT] 2004-10-15, 9:26 pm |
| "Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:915B6B0D-B322-4BA4-9FAB-BF2772FDE5F2@microsoft.com...
> Thank you Alun for your reply,
>
> First when I started configuring my ftp server it gave me error 426 and
> after couple days the error changed to 421.
>
> How can I give you more information so we can troubleshoot this problem? Any
> logs that you need to look at? Please let me know.
When you use ftp.exe, and get the 421 error logged, what commands are you
typing at the "ftp>" prompt? At the moment, it looks like all you're doing
is entering your username and password, then not sending any more commands.
Alun.
~~~~
| |
| Mike R. 2004-10-15, 9:26 pm |
| ftp> open publicip
Connected to publicip
Connection closed by remote host.
"Alun Jones [MSFT]" wrote:
> "Mike R." <MikeR@discussions.microsoft.com> wrote in message
> news:915B6B0D-B322-4BA4-9FAB-BF2772FDE5F2@microsoft.com...
>
> When you use ftp.exe, and get the 421 error logged, what commands are you
> typing at the "ftp>" prompt? At the moment, it looks like all you're doing
> is entering your username and password, then not sending any more commands.
>
> Alun.
> ~~~~
>
>
>
| |
| Alun Jones [MSFT] 2004-10-15, 9:26 pm |
| That doesn't fit with the log entry that shows you sent a user name
("administrator") and a password.
Alun.
~~~~
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:3E44B943-5491-44F8-8447-86CCE4B01479@microsoft.com...
> ftp> open publicip
> Connected to publicip
> Connection closed by remote host.
| |
| Mike R. 2004-10-15, 9:26 pm |
| Huh!!
I think the log wasn't updated at that time:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-10-12 16:39:15
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
16:39:15 192.168.1.10 [6]closed - 421 121
"Alun Jones [MSFT]" wrote:
> That doesn't fit with the log entry that shows you sent a user name
> ("administrator") and a password.
>
> Alun.
> ~~~~
| |
| Alun Jones [MSFT] 2004-10-15, 9:26 pm |
| Under the properties for that FTP site, select the "Directory Security"
tab - what are the settings on that page? Is it possible that you've denied
access from outside here?
Alun.
~~~~
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:FEC28ACA-B4E8-4662-8EAF-B3A303BEB0CE@microsoft.com...
> Huh!!
> I think the log wasn't updated at that time:
>
> #Software: Microsoft Internet Information Services 6.0
> #Version: 1.0
> #Date: 2004-10-12 16:39:15
> #Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
> 16:39:15 192.168.1.10 [6]closed - 421 121
| |
| Mike R. 2004-10-15, 9:26 pm |
| > Under the properties for that FTP site, select the "Directory Security"
> tab - what are the settings on that page?
Granted Access
> Is it possible that you've denied
> access from outside here?
Are you talking about my firewall?
I don't think so since I see port 20 and 21 are fully opened!
| |
| Mike R. 2004-10-15, 9:26 pm |
| I disabled the VPN tunnel on my firewall and I was able to get a little bit deeper
this time. Here is my current log:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-10-12 21:20:43
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
21:20:43 ip [1]USER mike 331 0
21:20:44 ip [1]PASS - 530 5
21:21:33 ip [1]QUIT - 530 0
21:21:45 ip [2]USER mike 331 0
21:21:46 ip [2]PASS - 530 5
Here is the ftp command:
C:\Documents and Settings\mike>ftp ip
Connected to ip.
220-Microsoft FTP Service
220 domain
User (ip:(none)): mike
331 Password required for mike.
Password:
530 User mike cannot log in, home directory inaccessible.
Login failed.
ftp>
| |
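Added example, not part of the original thread: a small Python triage of the IIS FTP log lines posted above. It applies Alun's reading of 421 with win32 status 121 (the idle gap before the control connection closes) and flags the 530 at PASS with win32 status 5 from the later log. The function names are illustrative, and the text for win32 status 5 is the standard Windows message rather than something quoted in the thread.

```python
import re
from datetime import datetime

# win32 121 text is quoted in the thread; 5 is the standard Windows message (assumption).
WIN32 = {0: "ok", 5: "Access is denied.",
         121: "The semaphore timeout period has expired."}

# Log lines copied from the posts in this thread.
LOG_IDLE = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
02:00:16 192.168.16.2 [2]USER administrator 331 0
02:00:20 192.168.16.2 [2]PASS - 230 0
02:02:55 192.168.16.2 [2]closed - 421 121
02:24:55 192.168.16.11 [4]closed - 421 121
"""
LOG_DENIED = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
21:20:43 ip [1]USER mike 331 0
21:20:44 ip [1]PASS - 530 5
21:21:33 ip [1]QUIT - 530 0
"""

def parse_sessions(text):
    """Group records by the [n] session id that prefixes cs-method."""
    fields, sessions = [], {}
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            sid, verb = re.fullmatch(r"\[(\d+)\](\S+)", rec["cs-method"]).groups()
            rec.update(verb=verb, t=datetime.strptime(rec["time"], "%H:%M:%S"),
                       status=int(rec["sc-status"]), win32=int(rec["sc-win32-status"]))
            sessions.setdefault(int(sid), []).append(rec)
    return sessions

def triage(text):
    """Return {session id: [finding, ...]} for the patterns discussed in the thread."""
    out = {}
    for sid, recs in parse_sessions(text).items():
        notes = []
        # Pair each record with the one before it in the same session.
        for prev, rec in zip([None] + recs, recs):
            if rec["verb"] == "closed" and (rec["status"], rec["win32"]) == (421, 121):
                if prev is None:
                    notes.append("421/121: closed before any command was logged")
                else:
                    idle = int((rec["t"] - prev["t"]).total_seconds())
                    notes.append(f"421/121: idle timeout {idle}s after {prev['verb']}")
            elif rec["verb"] == "PASS" and rec["status"] == 530:
                notes.append(f"530 at PASS, win32 {rec['win32']}: "
                             f"{WIN32.get(rec['win32'], 'unknown')}")
        out[sid] = notes
    return out
```

Session 2 in the first log closes 155 seconds after PASS, matching the "two and a half minutes" idle period read off by hand; the logs posted in the thread contain no 426 entries.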
| Mike R. 2004-10-15, 9:26 pm |
| I am logged in now 
I added read access to the Default FTP and that fixed it so I think that VPN
settings on my firewall caused this!
I mentioned at the beginning of this forum that each ftp user is part of the
"Log on Locally" of this domain server. Is this ok?
Thanks a lot for all your help,
Mike
"Alun Jones [MSFT]" wrote:
> Under the properties for that FTP site, select the "Directory Security"
> tab - what are the settings on that page? Is it possible that you've denied
> access from outside here?
>
> Alun.
> ~~~~
| |
| Mike R. 2004-10-15, 9:26 pm |
| Now I can't upload anything (Access Denied):
ftp> send c:\t.txt
200 PORT command successful.
550 t.txt: Access is denied.
"Alun Jones [MSFT]" wrote:
> That doesn't fit with the log entry that shows you sent a user name
> ("administrator") and a password.
>
> Alun.
> ~~~~
| |
| Bernard 2004-10-15, 9:26 pm |
| You ftp from internal to the public IP?
It looks like blocking...
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:FEC28ACA-B4E8-4662-8EAF-B3A303BEB0CE@microsoft.com...
> Huh!!
> I think the log wasn't updated at that time:
>
> #Software: Microsoft Internet Information Services 6.0
> #Version: 1.0
> #Date: 2004-10-12 16:39:15
> #Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
> 16:39:15 192.168.1.10 [6]closed - 421 121
| |
| Bernard 2004-10-15, 9:26 pm |
| Make sure the user has write NTFS permission
and the write property of the ftp site is checked.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:7014263A-976E-4731-921D-C90B291CF64C@microsoft.com...
> Now I can't upload anything (Access Denied):
> ftp> send c:\t.txt
> 200 PORT command successful.
> 550 t.txt: Access is denied.
| |
| Bernard 2004-10-15, 9:26 pm |
| If you are using IIS 6.0, this privilege is no longer needed,
as it has changed to network_cleartext rather than local logon.
For IIS 5.1 and below, this is required.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:145F4B9E-458B-4B68-BE3A-6886BFE39011@microsoft.com...
> I am logged in now 
> I added read access to the Default FTP and that fixed it so I think that VPN
> settings on my firewall caused this!
>
> I mentioned at the beginning of this forum that each ftp user is part of the
> "Log on Locally" of this domain server. Is this ok?
>
> Thanks a lot for all your helps,
>
> Mike
| |
| Mike R. 2004-10-15, 9:26 pm |
| Bernard,
The problem was the NTFS as you said. Thank you so much for your time.
By any chance do you know what are the default permissions for a web folder?
Thanks,
Mike
"Bernard" wrote:
> Make sure the user has write NTFS permission.
>
> and the write property of the ftp site is checked.
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
>
| |
| Bernard 2004-10-15, 9:26 pm |
| Try -
Default permissions and user rights for IIS 6.0
http://support.microsoft.com/?id=812614
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Mike R." <MikeR@discussions.microsoft.com> wrote in message
news:DE1E36A9-09D2-4D43-A081-8AB01294BFDF@microsoft.com...
> Bernard,
>
> The problem was the NTFS as you said. Thank you so much for your time.
>
> By any chance do you know what are the default permissions for a web folder?
>
> Thanks,
>
> Mike
| |