THE INFORMATION IN THIS ARTICLE APPLIES TO:
SYMPTOM
When configuring the server to host a site that uses NTLM or AD authentication on the same machine, or against a domain controller, you are unable to log in any user. You can connect and issue a USER and PASS command, but each time you do so you get a response "530 Not Logged In" from the server.
RESOLUTION
The NT AuthManager, which is the module that provides both NTLM and AD authentication of users, requires that the account under which the EFT service is running has certain permissions. For setting these permissions:
- The account must be able to log in as a service. This is generally done for you by the operating system (OS) when you specify this account as the one under which the service runs: if the OS prompts you to add "Act as part of the operating system" or similar, let the OS make this change for you.
- The server's NT Auth Manager actually impersonates the user who is logging in over the FTP or FTPS, or SFTP, HTTP, and HTTPS channel. This means that the application emulates that user sitting at the terminal is typing in his or her username and password. This requires that the accounts that are to be used as clients (the "user list") be granted "log in interactively" rights.
Once the service account and the user accounts have these privileges set, users will be able to log in from any standard FTP, FTPS, SFTP, HTTP, or HTTPS client.
To resolve this problem
- Grant the privilege "Log in as service" on the server machine for the account under which the service runs.
- Grant the "Allow logon interactively" privilege on the server machine for each user that connects to the EFT Server.
MORE INFORMATION
For authenticating users, the application uses the LogonUser function, with the dwLogonType parameter set to LOGON32_LOGON_INTERACTIVE.
The service checks itself at startup time, to make sure it has the proper "Log on as service" right by using the LsaAddAccountRights function, passing "SeTcbPrivilege" as the UserRights parameter.