As I wrote in the article Installing FTP 7 on IIS 7.0, Microsoft completely rewrote the FTP service code for Server 2008.
Included in this update were a number of ways to secure your FTP server against intrusion. One of the easiest ways to secure your FTP site is to have users authenticate instead of allowing anonymous access, and that’s what we’ll look at today.
For this article I will assume that you already have Server 2008, IIS 7, and FTP installed and ready to go. Now let’s secure your FTP servers.
In our first article on FTP, I showed you how to install and then configure an anonymous public site. This allowed anyone to get the files located in those directories.
While this is great for a certain type of site, if you require greater security you can set up authentication for your FTP site. We are going to look at two types of user authentication, one using Windows users and another using IIS Manager authentication.
Windows user authentication allows the FTP site to use the local server user accounts/groups for access to the FTP site.
This example assumes you have already created a user for this purpose and given the account access to the FTP directory; we are using the account FTPUser.
1. Start by opening IIS Manager
2. Right click on Sites, and then click on Add FTP Site …

3. Fill in the site name and path to the directory that will hold the files. We are using WindowsFTPuser.com and C:\inetpub\privateftp for our example. Click Next when done.

4. Choose an IP for this FTP site to use, and change the radio button to Allow SSL. Leave the rest of the settings alone for now.

5. In this window we will specify which users are allowed access and which Read/Write permissions are assigned to those users.
Check the box next to Basic, set the dropdown to Specified users, type the user name under it (in our case FTPUser), and check Read & Write. Click Next after you enter all the information.

6. That ends the FTP site wizard. If you want to add or remove users after the initial setup, click on the site you want to manage in IIS Manager and then click on FTP Authorization Rules.

7. In this pane you can select to Add Allow Rule …, Add Deny Rule …, and Remove. This allows you to manage access to your ftp site through basic Windows authorization.

With this configuration only those users assigned to the FTP site will be allowed access. Please note that you can also use Group permissions the same way.
For a long time, Windows FTP was sorely lacking compared to *nix implementations. One of the biggest hurdles was that if you had site managers who wanted to give access to certain users, a corresponding account had to be set up for each of them on the local server. Not the best situation from a security or administration standpoint.
With the release of FTP 7 and IIS 7 this has been corrected by the use of the IIS 7 Management Service. In this example, I’m going to set up the service and apply the users to the domain we set up earlier.
1. We have to grant special permissions to the Network Service account to be able to use this service, so open up a command prompt.
2. Type the following:
CACLS "%SystemDrive%\Windows\System32\inetsrv\config" /G "Network Service":R /E
CACLS "%SystemDrive%\Windows\System32\inetsrv\config\administration.config" /G "Network Service":R /E
CACLS "%SystemDrive%\Windows\System32\inetsrv\config\redirection.config" /G "Network Service":R /E
Now we have to give the Network Service account rights to the root FTP folder; in our instance this is C:\inetpub\privateftp. When you run this command, replace the directory with your own.
3. Open Command Prompt
4. Type the following:
CACLS "%SystemDrive%\inetpub\privateftp" /G "Network Service":C /T /E
Next we need to install the IIS 7.0 management service on the server.
5. Open Server Manager
6. Open the Roles, find the Web Server (IIS) role, and click on Add Role Services.

7. In the Select Role Services window, scroll down until you find Management Service. If it is unchecked, place a check mark next to it and click Next.
If there are any required features that also need to be installed you will be prompted to install those also.

8. Next you will have a summary screen of everything that is going to be installed, click Install to start the process.

9. The next window will show you the progress of the installation process.

10. Installation Results window will appear when the installation is finished, click on Close when done.

11. Open IIS Manager
Select the server in IIS Manager; in our case, TSTEST, and scroll down in the center pane to Management Service and click on it.

12. In the Management Service pane, look for the Identity Credentials box and select Windows credentials or IIS Manager credentials, then click Apply.

13. In the connections pane select the server you are working on, and double click on IIS Manager Users.

14. Click on Add User … in the Actions pane.

15. Now you will create a user account that can be used. In our case I am going to add Gomer and enter a password for that user.

16. You will now see that the user is created and you can do some limited administration in this panel for those users, including Disable User and Change Password.

17. Now, in the connections pane, click the site you want to configure to use IIS 7 Manager Authentication, and choose FTP Authentication in the center pane.

18. Click on Custom Providers in the action pane.

19. In the Custom Providers dialog window place a check next to IisManagerAuth, then click Ok.

20. Now let’s add the user we created earlier by selecting the FTP site in the connections pane and then select IIS Manager Permissions in the center panel.

21. Click on Allow User … in the Actions pane

22. The Allow User … dialog box now shows both types of users, Windows & IIS Manager. In our case we are going to click the Select … button.

23. In the Users dialog select the user, (Gomer in our case) and click OK.

24. Click Ok to continue and add the user to IIS Manager Permissions.

25. Now we have to add an authorization rule, so let’s choose the site again in the connection pane, then FTP Authorization Rules, in the central pane.

26. Select Add Allow Rule … in the actions pane.

27. The Add Allow Authorization Rule dialog box is next, so select Specified users and type the users’ names in, separated by commas. Place a check next to either or both Read/Write permissions, and click OK.

We have now set up this site to use both types of users: Windows users and IIS Manager users. You can use these in conjunction with each other or completely independently of each other, depending on the needs of your organization.
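The four permission grants from steps 2 and 4 of the IIS Manager procedure can also be applied with icacls, the replacement for the deprecated CACLS. The script below is an added example, not the article's own commands; it assumes the article's paths, uses the well-known SID S-1-5-20 for Network Service instead of the account name, and its (OI)(CI)M grant on the FTP root is an assumed stand-in for the article's `:C /T`.

```powershell
# Added example, run from an elevated PowerShell prompt.
# Assumption: the FTP root is the article's C:\inetpub\privateftp; change $FtpRoot for your site.
$Sid     = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE (same on every locale)
$Config  = Join-Path $env:SystemRoot 'System32\inetsrv\config'
$FtpRoot = "$env:SystemDrive\inetpub\privateftp"

# Read on the config folder and the two files; Modify on the FTP root.
# (OI)(CI) makes the grant inherit to new files and subfolders, which is this
# example's stand-in for the article's ":C /T" (an assumption, adjust as needed).
$Grants = @(
    @{ Path = $Config;                                     Right = 'R' },
    @{ Path = (Join-Path $Config 'administration.config'); Right = 'R' },
    @{ Path = (Join-Path $Config 'redirection.config');    Right = 'R' },
    @{ Path = $FtpRoot;                                    Right = '(OI)(CI)M' }
)

foreach ($g in $Grants) {
    if (-not (Test-Path $g.Path)) { throw "Path not found: $($g.Path)" }
    # icacls accepts a SID prefixed with '*' in place of an account name.
    & icacls.exe $g.Path /grant "*${Sid}:$($g.Right)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $($g.Path) (exit $LASTEXITCODE)" }
}

# Read each ACL back and list the Allow entries held by Network Service.
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($g in $Grants) {
    $rules = (Get-Acl -Path $g.Path).GetAccessRules($true, $true, $sidType)
    $hits  = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $Sid -and $_.AccessControlType -eq 'Allow' })
    if ($hits.Count -eq 0) { Write-Warning "No Network Service entry on $($g.Path)"; continue }
    $hits | Select-Object @{ n = 'Path'; e = { $g.Path } },
                          FileSystemRights, InheritanceFlags, IsInherited
}
```

Because the grant is made by SID and passed as a single PowerShell string, it does not depend on the localized account name or on how quotation marks survive a copy and paste.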
Copyright © Train Signal Inc. All Rights Reserved.
Trung Says:
October 6th, 2008 at 6:50 pm
I couldn’t use the code that you posted. It requires changing to ICACLS. But then there is no /G, and then another problem: it couldn’t understand “network service”
jeff Says:
November 2nd, 2008 at 2:47 am
I have the same issue as Trung sadly.
there is an error with your cacls cmd, and icacls has no /g… I tried /grant but still no luck.
would love an update as I really found the iis user auth. VERY helpful!
I have users created, etc… but they can’t connect as i’m lacking the permissions from the cacls cmds
thx
jeff
jeff Says:
November 2nd, 2008 at 2:54 am
ok, so i stopped being a monkey just blindly doing copy/paste and actually looked at what the cacls cmds were doing…
easy… just giving read access to a folder and 2 files… and then read/write/delete/whatever you want to the ftp root folder you are using.
I manually did that, restarted the ftp site (not sure if it was needed or not) and now i’m good to go!!
thanks Dave!!!
Trystan Says:
November 5th, 2008 at 3:39 pm
I’m implementing my first 2008 server and the disk image I’m installing comes with IIS7 for web, but FTP6, I find a x86 version of IIS7 FTP, but no 64 bit however I do see RC0 x64 some places…
Anyone please have a link
I have had a problem configuring a simple FTP site with the IIS6 version of the tool to give a isolated environment on a stand alone server.
Trystan Says:
November 5th, 2008 at 3:41 pm
OK I retract that
I missed the download links in your other article first scan through!!
Thank you
forte Says:
December 15th, 2008 at 1:55 am
everything worked, except when I try to access the ftp site, the directory cannot be listed and I get a timeout.
when I try testing the connection from IIS I get this
cannot verify access to path
“The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again. ”
Please any help would be greatly appreciated.
Go_zilla Says:
January 19th, 2009 at 2:41 pm
How can we type the following commands with ICACLS?
Because CACLS is not working anymore
CACLS “%SystemDrive%\Windows\System32\inetsrv\config” /G “Network Service”:R /E
CACLS “%SystemDrive%\Windows\System32\inetsrv\config\administration.config” /G “Network Service”:R /E
CACLS “%SystemDrive%\Windows\System32\inetsrv\config\redirection.config” /G “Network Service”:R /E
CACLS “%SystemDrive%\inetpub\privateftp” /G “Network Service”:C /T /E
any help will be highly appreciated
Phil Says:
February 24th, 2009 at 5:10 am
Hey guys!
It works for me this way:
ICACLS C:\Windows\System32\inetsrv\config /grant NETZWERKDIENST:R
ICACLS C:\Windows\System32\inetsrv\config\administration.config /grant NETZWERKDIENST:R
ICACLS C:\Windows\System32\inetsrv\config\redirection.config /grant NETZWERKDIENST:R
I suggest you replace NETZWERKDIENST with “Network Service” because I’m from Austria ;)
greetings
Phil Says:
February 24th, 2009 at 5:18 am
I forgot one…
ICACLS C:\inetpub\privateftp /grant NETZWERKDIENST:M /T
I suggest you replace NETZWERKDIENST with “Network Service”, again =)
Happy ftping!
David Stubblefield Says:
March 10th, 2009 at 1:55 pm
Great Article!
I’m testing this out on a Windows Server 2008 box and found I couldn’t run the CACLS command portion; I got the following. I ended up just using the GUI to apply special permissions but wanted to see if there was another way to use the command line with ICACLS.
C:\>CACLS “%SystemDrive%\Windows\System32\inetsrv\config\administration.config”
/G “Network Service”:R /E
Invalid arguments.
NOTE: Cacls is now deprecated, please use Icacls.
Thanks,
-Dave
Adam Says:
April 5th, 2009 at 11:40 pm
I too followed all the steps, but received a “550 No such host is known” when trying to connect. Any help would be appreciated. Thanks, Adam
Tino Mclaren Says:
April 26th, 2009 at 10:37 am
Hi
Great Article :-)
I run into the issue with CACLS and the fix (for me) was simply making sure you have spaces before any backslash options and I replaced %system drive% with c:
So I ended up with
CACLS c:\Windows\System32\inetsrv\config\redirection.config /G "Network Service":R /E
MAKING SURE THERE’S A SPACE BETWEEN THE ‘R’ and ‘/E’
Hope this might help someone out
Tino (an old DOS hand at heart)
Donny Says:
May 11th, 2009 at 5:50 am
Oh come on guys… shame on you :) in command prompt you should use quotes such as these " instead of the quotes used in the article: “ and ”
Replace those and everything will work just fine.
Donny Says:
May 11th, 2009 at 5:51 am
heh, this blog automatically messes up the quotes. When pasting CACLS commands into command prompt replace the quotes manually.
khautinh Says:
July 14th, 2009 at 2:29 pm
Can anyone help me how to set a domain\user1 account for anonymous authentication please?
I was able to do that for IIS6 but not IIS7. Whenever I entered the domain\user1 and pw, it said the pw is invalid….
Thanks a lot
Haraken Says:
August 15th, 2009 at 5:27 am
I used these commands instead of the CACLS posted above and they worked perfectly.
ICACLS "%SystemDrive%\Windows\System32\inetsrv\config" /grant "Network Service":R
ICACLS "%SystemDrive%\Windows\System32\inetsrv\config\administration.config" /grant "Network Service":R
ICACLS "%SystemDrive%\Windows\System32\inetsrv\config\redirection.config" /grant "Network Service":R
ICACLS "%SystemDrive%\inetpub\ftproot" /grant "Network Service":(M,W)
Jason Says:
October 26th, 2009 at 1:39 pm
I used the following, but it gives me an error on the last command:
C:\Users\Administrator>ICACLS “%SystemDrive%\Windows\System32\inetsrv\config” /grant “NETWORK SERVICE”:R
processed file: C:\Windows\System32\inetsrv\config
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator>ICACLS “%SystemDrive%\Windows\System32\inetsrv\config\administration.config” /grant “NETWORK SERVICE”:R
processed file: C:\Windows\System32\inetsrv\config\administration.config
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator>ICACLS “%SystemDrive%\Windows\System32\inetsrv\config\redirection.config” /grant “NETWORK SERVICE”:R
processed file: C:\Windows\System32\inetsrv\config\redirection.config
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator>ICACLS “F:\” /grant “NETWORK SERVICE”:(M,W)
Invalid parameter “SERVICE:(M,W)”
I think the space in the phrase NETWORK SERVICE is the problem, but I put quotes around it. Any takers?
Note: I’m on Windows Server 2008 and I have F:\ setup just for web and ftp site
Jason Says:
October 26th, 2009 at 1:47 pm
I ran:
ICACLS F:\ /grant "NETWORK SERVICE":M /T
and it seemed to recurse through all the files:
it outputted:
Successfully processed 5292 files; Failed processing 0 files
But still get a 530 error when I try to connect
Response: 220 Microsoft FTP Service
Command: USER jason
Response: 331 Password required for jason.
Command: PASS *****
Response: 530 User cannot log in.
Jack Saltiel Says:
November 5th, 2009 at 12:23 pm
Running WS 2008 x64.
I get up through step 16 and all is fine. I set up C:\FTP as my FTP directory, or the root of my ftp directories. I set up a user, did everything else.
In step 17, when I expand “Sites” all I see is a Default Web Site. There is no WindowsFTPuser.com listed.
What did I miss??
Helen Mooc Says:
December 1st, 2009 at 2:56 pm
I get this error after following thru these steps. Am able to bring up the ftp site and log in but this comes up:
550 The system can not find the file specified.
Anyone can have an insight on this?
Helen Mooc Says:
December 1st, 2009 at 3:15 pm
I forgot to mention that I setup the ftp folder on a d:\download and I ran this in the terminal:
C:\Userss\Administrator>ICACLS D:\download /grant “NETWORK SERVICE”:M /T
processed file: D:\download
Successfully processes 1 files; Failed processing 0 files
Wingson Thijsen Says:
December 24th, 2009 at 9:11 am
Hi,
Can anyone tell me if this is also possible with active directory accounts and NTFS security?
Thanks!
sacheson Says:
February 27th, 2010 at 10:56 pm
Best writeup yet. Gave me exactly what I needed. Thanks for taking the time to compile an accurate and thorough walk through.
7bpm Says:
March 3rd, 2010 at 5:53 pm
How do you go about creating different Usernames and Passwords on the same FTP server that each have access only to specific folders?
i.e. the FTP server is http://ftp.7bpm.com and User1 (with Pass1) when logging in can only see and access folder c:/intepub/ftproot/user1folder but User2 (with Pass2) can only see and access folder c:/intepub/ftproot/user2folder…