Err Msg: 530 User <Username> Cannot Log In. Login Failed.

brickborderSecurity

Nov 3, 2013 (3 years and 9 months ago)

60 views

Err Msg: 530 User <Username> Cannot Log In. Login
Failed.

View products that this article applies to.

Article ID

:

200475

Last Review

:

June 22, 2005

Revision

:

5.1

This article was previously published under Q200475

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS)
version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web
infr
astructure security. For more information about IIS security
-
related topics, visit the following
Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

On This Page


SYMPTOMS


CAUSE


RESOLUTION




Resolution 1




Resolution 2






Windows NT 4.0 servers






Windows 2000 servers




Resolution 3




Resolution 4






IIS 6.0






IIS 5.0






IIS 4.0


APPLIES TO

SYMPTOMS

When you use the FTP utility to connect to an FTP site, you receive the following error message:

53
0 User <username> cannot log in.

Login failed.


Back to the top

CAUSE

This problem occurs when one of the following scenarios is true:



The
Allow only anonymous connections security

setting has b
een turned on in the Microsoft
Management Console (MMC).



The username does not have the
Log on locally

permission in User Manager.



The username does not have the
Access this computer from the network

permission in User
Manager.



The Domain Name was

not specified together with the username (in the form of
DOMAIN
\
username
).


Back to the top

RESOLUTION

Resolution 1

To clear the
Allow only anonymous connections security

check box, follow these
steps:

1.

Start the Internet Service Manager (ISM) ISM loads the Internet Information Server (IIS) snap
-
in
for the Microsoft Management Console (MMC).

2.

Right
-
click the default FTP site folder, and then click
Properties
.

3.

On the
Security Accounts

tab
, clear the
Allow only anonymous connections security

check
box.

4.

Click
OK
.


Back to the top

Resolution 2

To give the username the "Log On Locally" permission, follow these steps:

Windows NT
4.0 servers

1.

In the Administrative Tools group, click
User Manager for Domains
, click the
Policies

tab, and
then click
User Rights
.


Note

If the username is not a member of the default domain opened by User Manager, click the
User

menu, and then click
Do
main

to specify the correct domain. If the username is a member
of the local computer's user list, type
\
\
<computer_name>

in the
Domain

text box.

2.

On the
Policies

menu, click
User Rights
.

3.

In the
Rights

drop
-
down list, click
Log on Locally
.

4.

Clic
k
Add
, and add the appropriate username (or user group).

5.

Click
OK

two times.

Windows 2000 servers

To configure the
Log on locally

right on a stand
-
alone server, follow these steps:

1.

In the Microsoft Management Console (MMC), open the
Local Computer

Policy

snap
-
in. To do
this, follow these steps:

a.

Click
Start
, type
MMC
, and then click
OK
.

b.

Click
Console
, click
Add/Remove Snap
-
in
, and then click
Add
.

c.

Select
Group Policy
, and then click
Add
.

d.

Make sure that the Group Policy object says

Local Computer, and then click
Finish
.

e.

Click
Close
, and then click
OK
.


2.

Grant users or groups the
Log on locally

right. To do this, follow these steps:

a.

Expand the following path in the MMC:

Local Computer Policy
\
Computer Configuration
\
Wind
ows Settings
\
Security Settings
\
Local
Policies
\
User Rights Assignment

b.

Double
-
click
Log on Locally
.

c.

Add any users or groups that will use Basic/Clear Text authentication.


Note

Microsoft does not recommend that you install an IIS Web server on a

Windows 2000 domain
controller. The following steps describe how to configure
Log on locally

right by using Group Policy
if it is necessary that you install an IIS Web server on a Windows 2000 domain controller.


To configure the
Log on locally

right on
a domain controller, follow these steps:

1.

In MMC, open the Default Domain Controllers Policy snap
-
in. To do this, follow these steps:

a.

Click
Start
, type
MMC
, and then click
OK
.

b.

Click
Console
, click
Add/Remove Snap
-
in
, and then click
Add
.

c.

S
elect
Group Policy
, and then click
Add
.

d.

Click
Browse
.

e.

Double
-
click the domain controller for the domain.

f.

Double
-
click
Default Domain Controllers Policy
, and then click
Finish
.

g.

Click
Close
, and then click
OK
.


2.

Grant users or groups
the
Log on locally

right. To do this, follow these steps:

a.

Expand the following path in the MMC:

Default Domain Controllers Policy
\
Computer Configuration
\
Windows Settings
\
Security
Settings
\
Local Policies
\
User Rights Assignment

b.

Double
-
click
Log o
n Locally
.

c.

Add any users or groups that will use Basic/Clear Text authentication.


3.

Open a command prompt, type
secedit /refreshpolicy machine_policy
, and then close the
command prompt to refresh the policy.


Back to the top

Resolution 3

To give the username the
Access this computer from the network

permission, follow the same
steps that are outlined in Resolution 2, but select the
Access this computer from the network

advanced user right.



Back to the top

Resolution 4

Try using the command line FTP utility and specify the FTP username in
DOMAIN
\
Username

format
when you log into the FTP Site. If this works, then you can either instr
uct all users to log on by
using
DOMAIN
\
Username

format, or you can specify the default authentication domain that the FTP
Service should use when authenticating accounts that do not exist locally and that were not entered
in the
DOMAIN
\
Username

format. To

do this you must make changes to the Metabase.


To specify a default logon domain so users do not have to type
DOMAIN
\
Username

when logging
on to the FTP Server, you can either use the Windows Script Host (if it was installed during the
Windows NT Option
Pack setup) or the NTOP utility Mdutil.exe.


Both methods are described below.


To use the Windows Script Host method, use one of the following methods depending on the version
of IIS that you are running:


Note

In IIS 6.0, you can resolve this issue by m
odifying the metabase only when the FTP isolation
type is "Isolated (Active Directory)" or if the
UserIsolationMode

property is set to 2.

IIS 6.0

1.

Change to the %Systemroot%
\
Inetpub
\
Adminscripts directory.

2.

Type the following:

Adsutil Set MSFTPSVC/D
efaultLogonDomain "Domain Name"

Make sure when you type in the Domain Name that it is enclosed in quotation marks.

3.

Stop and restart the FTP Service.

IIS 5.0

1.

Change to the %Systemroot%
\
Inetpub
\
Adminscripts directory.

2.

Type the following:

Adsuti
l Set MSFTPSVC/DefaultLogonDomain "Domain Name"

Make sure when you type the Domain Name that it is enclosed in quotation marks.

3.

Stop the FTP Service, and then restart the FTP Service.

IIS 4.0

1.

Change to the %systemroot%
\
system32
\
inetsrv
\
adminsamples

directory.

2.

Type the following:

cscript //h:cscript

This sets Cscript as the default WSH interpreter.

3.

Type the following:

Adsutil Set MSFTPSVC/DefaultLogonDomain "Domain Name"

Make sure when you type in the Domain Name that it is enclosed in quo
tation marks.

4.

Stop the FTP Service, and then restart the FTP Service.

If the Windows Script Host was not installed during the NTOP setup, use Mdutil.exe. as follows:

1.

Copy Mdutil.exe. from the Windows NT Option Pack compact disc to the %WINDIR%
\
Sys
tem32
\

directory.


Make sure to copy Mdutil.exe. from the appropriate platform directory on the compact disc.

2.

Open a command prompt, and change to the %WINDIR%
\
System32 directory.

3.

Execute the command below replacing <DomainName> with the name of th
e accounts domain
you want to authenticate your user against by default:

mdutil set msftpsvc/DefaultLogonDomain
-
utype UT_Server
-
dtype
String
-
value <DomainName>

Make sure that <DomainName> is typed without quotes.

4.

When the command completes success
fully, stop and restart the FTP Service.