Err Msg: 530 User <Username> Cannot Log In. Login
Failed.
View products that this article applies to.
Article ID
: 200475
Last Review : June 22, 2005
Revision
: 5.1
This article was previously published under Q200475
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS)
version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web
infrastructure security. For more information about IIS security-related topics, visit the following
Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
On This Page
SYMPTOMS
CAUSE
RESOLUTION
Resolution 1
Resolution 2
Windows NT 4.0 servers
Windows 2000 servers
Resolution 3
Resolution 4
IIS 6.0
IIS 5.0
IIS 4.0
APPLIES TO
SYMPTOMS
When you use the FTP utility to connect to an FTP site, you receive the following error message:
530 User <username> cannot log in.
Login failed.
Back to the top
CAUSE
This problem occurs when one of the following scenarios is true:
• The Allow only anonymous connections security setting has been turned on in the Microsoft
Management Console (MMC).
• The username does not have the Log on locally permission in User Manager.
• The username does not have the Access this computer from the network permission in User
Manager.
• The Domain Name was not specified together with the username (in the form of
DOMAIN\username).
Back to the top
RESOLUTION
Resolution 1
To clear the Allow only anonymous connections security check box, follow these steps:
1. Start the Internet Service Manager (ISM) ISM loads the Internet Information Server (IIS) snap-in
for the Microsoft Management Console (MMC).
2. Right-click the default FTP site folder, and then click Properties.
3. On the Security Accounts tab, clear the Allow only anonymous connections security check
box.
4. Click OK.
Back to the top
Resolution 2
To give the username the "Log On Locally" permission, follow these steps:
Windows NT 4.0 servers
1. In the Administrative Tools group, click User Manager for Domains, click the Policies tab, and
then click User Rights.
Note If the username is not a member of the default domain opened by User Manager, click the
User menu, and then click Domain to specify the correct domain. If the username is a member
of the local computer's user list, type \\<computer_name> in the Domain text box.
2. On the Policies menu, click User Rights.
3. In the Rights drop-down list, click Log on Locally.
4. Click Add, and add the appropriate username (or user group).
5. Click OK two times.
Windows 2000 servers
To configure the Log on locally right on a stand-alone server, follow these steps:
1. In the Microsoft Management Console (MMC), open the Local Computer Policy snap-in. To do
this, follow these steps:
a. Click Start, type MMC, and then click OK.
b. Click Console, click Add/Remove Snap-in, and then click Add.
c. Select Group Policy, and then click Add.
d. Make sure that the Group Policy object says Local Computer, and then click Finish.
e. Click Close, and then click OK.
2. Grant users or groups the Log on locally right. To do this, follow these steps:
a. Expand the following path in the MMC:
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment
b. Double-click Log on Locally.
c. Add any users or groups that will use Basic/Clear Text authentication.
Note Microsoft does not recommend that you install an IIS Web server on a Windows 2000 domain
controller. The following steps describe how to configure Log on locally right by using Group Policy
if it is necessary that you install an IIS Web server on a Windows 2000 domain controller.
To configure the Log on locally right on a domain controller, follow these steps:
1. In MMC, open the Default Domain Controllers Policy snap-in. To do this, follow these steps:
a. Click Start, type MMC, and then click OK.
b. Click Console, click Add/Remove Snap-in, and then click Add.
c. Select Group Policy, and then click Add.
d. Click Browse.
e. Double-click the domain controller for the domain.
f. Double-click Default Domain Controllers Policy, and then click Finish.
g. Click Close, and then click OK.
2. Grant users or groups the Log on locally right. To do this, follow these steps:
a. Expand the following path in the MMC:
Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment
b. Double-click Log on Locally.
c. Add any users or groups that will use Basic/Clear Text authentication.
3. Open a command prompt, type secedit /refreshpolicy machine_policy, and then close the
command prompt to refresh the policy.
Back to the top
Resolution 3
To give the username the Access this computer from the network permission, follow the same
steps that are outlined in Resolution 2, but select the Access this computer from the network
advanced user right.
Back to the top
Resolution 4
Try using the command line FTP utility and specify the FTP username in DOMAIN\Username format
when you log into the FTP Site. If this works, then you can either instruct all users to log on by
using DOMAIN\Username format, or you can specify the default authentication domain that the FTP
Service should use when authenticating accounts that do not exist locally and that were not entered
in the DOMAIN\Username format. To do this you must make changes to the Metabase.
To specify a default logon domain so users do not have to type DOMAIN\Username when logging
on to the FTP Server, you can either use the Windows Script Host (if it was installed during the
Windows NT Option Pack setup) or the NTOP utility Mdutil.exe.
Both methods are described below.
To use the Windows Script Host method, use one of the following methods depending on the version
of IIS that you are running:
Note In IIS 6.0, you can resolve this issue by modifying the metabase only when the FTP isolation
type is "Isolated (Active Directory)" or if the UserIsolationMode property is set to 2.
IIS 6.0
1. Change to the %Systemroot%\Inetpub\Adminscripts directory.
2. Type the following:
Adsutil Set MSFTPSVC/DefaultLogonDomain "Domain Name"
Make sure when you type in the Domain Name that it is enclosed in quotation marks.
3. Stop and restart the FTP Service.
IIS 5.0
1. Change to the %Systemroot%\Inetpub\Adminscripts directory.
2. Type the following:
Adsutil Set MSFTPSVC/DefaultLogonDomain "Domain Name"
Make sure when you type the Domain Name that it is enclosed in quotation marks.
3. Stop the FTP Service, and then restart the FTP Service.
IIS 4.0
1. Change to the %systemroot%\system32\inetsrv\adminsamples directory.
2. Type the following:
cscript //h:cscript
This sets Cscript as the default WSH interpreter.
3. Type the following:
Adsutil Set MSFTPSVC/DefaultLogonDomain "Domain Name"
Make sure when you type in the Domain Name that it is enclosed in quotation marks.
4. Stop the FTP Service, and then restart the FTP Service.
If the Windows Script Host was not installed during the NTOP setup, use Mdutil.exe. as follows:
1. Copy Mdutil.exe. from the Windows NT Option Pack compact disc to the %WINDIR%\System32\
directory.
Make sure to copy Mdutil.exe. from the appropriate platform directory on the compact disc.
2. Open a command prompt, and change to the %WINDIR%\System32 directory.
3. Execute the command below replacing <DomainName> with the name of the accounts domain
you want to authenticate your user against by default:
mdutil set msftpsvc/DefaultLogonDomain -utype UT_Server -dtype
String -value <DomainName>
Make sure that <DomainName> is typed without quotes.
4. When the command completes successfully, stop and restart the FTP Service.