Users can upload and download files by using FTP (File Transfer Protocol) clients such as FileZilla or WinSCP. These clients connect to an FTP server hosted by IIS (Internet Information Server) or other web server technologies. In most cases, it is easy to set up and maintain an FTP server. However, you may run into issues like “530 User cannot log in, home directory inaccessible” error while trying to connect your FTP server. In this post, I will explain how to solve this issue in IIS.
No matter if you are using anonymous access or basic authentication, you may come across this error message. Here is the full connection log from FileZilla:
Connecting to 192.168.83.82:21…
Connection established, waiting for welcome message…
Insecure server, it does not support FTP over TLS.
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS *
530 User cannot log in, home directory inaccessible.
Critical error: Could not connect to server
This issue may appear as “Failed to retrieve directory listing” or “Home directory inaccessible” error as well.
Depending on the FTP client, you may not see the detailed error message right away. For instance, when I tried to connect to the same site with the same configuration by using WinSCP, I received “Access Denied” error. If your FTP client doesn’t show the entire connection history, look for the log folder to get more information about the root cause.
It is not always easy to choose an FTP client that fits your requirements. Check my related post for a comparison of FTP clients: Which FTP client is better: FileZilla, CuteFTP or TotalCommander?
Root causes and solutions for “530 User cannot log in, home directory inaccessible” error
There might be a few reasons for running into this error. Here are the most common root causes and their solutions:
- The user is not able to access to the home directory. This is by far the most common root casue of “home directory inaccessible” error. Go to “IIS > FTP site > FTP User Isolation”. Make sure to select the directory that your users can access to. If you are not sure about what to select, select “FTP root directory”. More information: User Isolation Settings.
- IIS is not supporting passive mode FTP. There are two types of FTP connections: Active mode and passive mode. In active mode, the client opens a port. The server connects to this port for transferring data. In passive mode, the server opens a port. The client connects to this port to transfer data (More information: Active and Passive FTP). In order to configure IIS for supporting passive mode, enter a port range and external IP address in “IIS > Server name > FTP Firewall Support” page (More information: Using a single port for IIS FTP in passive mode).
- NTFS permissions. The issue might be simply caused by a missing NTFS permission on the FTP folder in Windows. Make sure the account you are using to connect to FTP server has permission on the folder that has FTP files.
Note: If you don’t want to turn on passive mode in IIS, you can force your FTP client to use only the active mode. In order to do this, go to “Edit > Settings > FTP” and choose “Active” in FileZilla.
Less common reasons for 530 error and how to fix them
The items below may cause “530 User cannot log in, home directory inaccessible” as well.
- Authorization rules. Make sure to have an Authorization rule that allows the user or anonymous access. Check “IIS > FTP site > FTP Authorization Rules” page to allow or deny access for certain or all users.
- NTFS permissions. The FTP users (local or domain users) should have permissions on the physical folder. Right click the folder and go to Properties. In the Security tab, make sure the user has required permissions. You can ignore Shared tab. It is not used for FTP access. A related post: Combining AD permissions with FTP.
- Locked account. If you local or domain account is locked or expired, you may end up seeing “User cannot log in” error. Check local user properties or Active Directory user settings to make sure the user account is active. A related topic: Microsoft Support.
- Other permission issues. The user account may not have “Log on locally” or “Allow only anonymous connections security” rights. More information: Microsoft Support.
Still having the issue?
It’s time to dive deep. Check IIS logs but don’t let it mislead you. IIS logs sometimes may show PASS. It doesn’t mean everything is well. It’s better to check FTP logs that IIS records for FTP connections. It is located in c:\inetpub\logs\LogFiles\FTPSVC2
In FTP logs, you will see a status and sub-status code. Here is a list of the most common FTP status codes:
4xx- Transient Negative Completion Reply
The command was not successful, but the error is temporary. If the client retries the command, it may succeed.421 – Service not available, closing control connection. This may be a reply to any command if the service knows it must shut down.
425 – Cannot open data connection.
426 – Connection closed; transfer aborted.
431 – Need some unavailable resource to process security.
450 – Requested file action not taken. File unavailable (e.g., file busy).
451 – Requested action aborted. Local error in processing.
452 – Requested action not taken. Insufficient storage space in system.
5xx- Permanent Negative Completion Reply
The command was not successful, and the error is permanent. If the client retries the command, it receives the same error.500 – Syntax error, command unrecognized. This may include errors such as command line too long.
Source
501 – Syntax error in parameters or arguments.
502 – Command not implemented.
503 – Bad sequence of commands.
504 – Command not implemented for that parameter.
521 – Data connection cannot be opened with this PROT setting.
522 – Server does not support the requested network protocol.
530 – Not logged in.
532 – Need account for storing files.
533 – Command protection level denied for policy reasons.
534 – Request denied for policy reasons.
535 – Failed security check (hash, sequence, and so on).
536 – Requested PROT level not supported by mechanism.
537 – Command protection level not supported by security mechanism.
550 – Requested action not taken. File unavailable (for example, file not found, or no access).
551 – Requested action aborted: Page type unknown.
552 – Requested file action aborted. Exceeded storage allocation (for current directory or dataset).
553 – Requested action not taken. File name not allowed.
Note 1: In a case with “Connection closed by the server” error for FTP connection, we determined the root cause as the corruption of system files occurred during in-place server upgrade.
Note 2: If your FTP server is behind Azure Firewall, please check the known-issues page. For example, passive FTP may not work based on FTP configuration.
Are you trying to upload files to FTP server programmatically? Check this post out: How to upload a file via FTP in C#