At the company where I work, we run a client portal web app that gives our clients access to their files through a password-protected website that dynamically generates content for each client. We wanted to give clients a secondary way to reach their files should anything happen to the portal, so we opted for an FTP site in IIS with the option Isolate users using Active Directory, since our Windows Server 2003 servers support it out of the box. Our idea was to have the client portal web app add the user accounts and home directory properties to Active Directory automatically so that we would not have to configure them by hand or with separate scripts. To date, our solution has been working very reliably.
Setting up per-user FTP access should be a straightforward Windows administration task, but you might find that the Isolate users using Active Directory option does not work as you would expect. While IIS lets you select this user isolation mode when you create a new FTP site, it hides some of the configuration that is essential to making everything work properly. This article focuses on those hidden essentials.
Home Directory Properties
Although the IIS wizard mentions nothing about it, when you set up an FTP site with the Isolate users using Active Directory option you must also assign each user account in Active Directory a specific home directory; a user whose account lacks this information cannot log on. To do so, you set two Active Directory attributes on the user object: msIIS-FTPRoot (the root directory of the FTP site, as a local or UNC path) and msIIS-FTPDir (the user's home directory, relative to that root). Both can be set from the command line with the iisftp.vbs script that ships with IIS 6:
    iisftp /SetADProp "Username" FTPRoot "RootPath"
    iisftp /SetADProp "Username" FTPDir "DirectoryName"
For example, to assign the user “johndoe” to a home directory located under “c:\inetpub\userftp\johndoe\files” you would execute the following two commands:
    iisftp /SetADProp "johndoe" FTPRoot "c:\inetpub\userftp"
    iisftp /SetADProp "johndoe" FTPDir "\johndoe\files"
Automating the Home Directory
For .NET programmers, you can set these two attributes with the System.DirectoryServices namespace. There is one small catch: the attributes do not yet exist on the Active Directory user object, so they must be added rather than simply modified. An easy way to handle this is a condition that either adds the attribute (if it does not exist) or modifies it (if it already exists). We can wrap all of this logic in a SetProperty routine. For example:
    Sub SetProperty(ByVal pEntry As DirectoryServices.DirectoryEntry, ByVal pPropertyName As String, ByVal pPropertyValue As String)
        'check whether the DirectoryEntry object already contains this property
        If pEntry.Properties.Contains(pPropertyName) = True Then
            'the property exists, so we simply change its value
            pEntry.Properties(pPropertyName).Value = pPropertyValue
        Else
            'the property does not exist yet, so we add it with the desired value
            pEntry.Properties(pPropertyName).Add(pPropertyValue)
        End If
    End Sub
Then you call SetProperty with the DirectoryEntry object you wish to modify, the attribute name, and the desired value. Note that DirectoryEntry buffers changes locally; nothing is written to Active Directory until you call CommitChanges, so the call must not be forgotten:
    SetProperty(objDirectoryEntry, "msIIS-FTPRoot", "c:\inetpub\userftp")
    SetProperty(objDirectoryEntry, "msIIS-FTPDir", "\johndoe\files")
    'write both attributes to Active Directory in one operation
    objDirectoryEntry.CommitChanges()
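The same provisioning step, written as an added PowerShell example that is not part of the original article, covering both the manual iisftp commands above and the automated .NET version: it looks up the user, writes msIIS-FTPRoot and msIIS-FTPDir, creates the home directory, and restricts its NTFS permissions to that user plus administrators. It also refuses an FTPDir that is absolute, a UNC path, or contains "..", because a value the portal builds from client input could otherwise point a client's "home" outside the FTP root. The user name "johndoe", the root "c:\inetpub\userftp" and the directory "\johndoe\files" are the article's example values; the function names are my own.

```powershell
# Added example (not from the original article). Assumes a domain-joined IIS 6 FTP
# server and a caller who may write to the user object and to the FTP root folder.
param(
    [string]$SamAccountName = "johndoe",            # example user from the article
    [string]$FtpRoot        = "c:\inetpub\userftp", # example root from the article
    [string]$FtpDir         = "\johndoe\files"      # example home dir from the article
)

function Test-FtpDirIsSafe {
    # msIIS-FTPDir must stay a relative path inside msIIS-FTPRoot.
    param([string]$Dir)
    if ($Dir -match '^[A-Za-z]:') { return $false }   # drive-letter absolute path
    if ($Dir.StartsWith('\\'))    { return $false }   # UNC path
    foreach ($part in ($Dir -split '[\\/]')) {
        if ($part -eq '..') { return $false }         # parent-directory traversal
    }
    return $true
}

function Get-DomainUserEntry {
    # Find the user object by sAMAccountName, escaping LDAP filter metacharacters
    # so that a name taken from a web form cannot change the query.
    param([string]$Sam)
    $escaped = $Sam -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "User '$Sam' not found in Active Directory" }
    return $result.GetDirectoryEntry()
}

function Set-FtpHome {
    param([string]$Sam, [string]$Root, [string]$Dir)
    if (-not (Test-FtpDirIsSafe $Dir)) {
        throw "Refusing FTPDir '$Dir': it must be a relative path inside FTPRoot"
    }
    $entry = Get-DomainUserEntry $Sam

    # Assigning .Value adds the attribute if it is absent and replaces it otherwise;
    # CommitChanges writes both to the directory.
    $entry.Properties["msIIS-FTPRoot"].Value = $Root
    $entry.Properties["msIIS-FTPDir"].Value  = $Dir
    $entry.CommitChanges()

    # Create the home directory. AD isolation keeps the user inside this folder at
    # the FTP layer, but NTFS still decides who may read it, so lock it down too.
    $homePath = Join-Path $Root $Dir
    if (-not (Test-Path $homePath)) { New-Item -ItemType Directory -Path $homePath | Out-Null }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Properties["objectSid"].Value, 0)
    $acl = Get-Acl $homePath
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting the parent's ACEs
    foreach ($id in @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM")) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")))
    Set-Acl -Path $homePath -AclObject $acl

    # Read the attributes back from AD so the caller sees what was actually stored.
    $entry.RefreshCache()
    return New-Object PSObject -Property @{
        User    = $Sam
        FTPRoot = [string]$entry.Properties["msIIS-FTPRoot"].Value
        FTPDir  = [string]$entry.Properties["msIIS-FTPDir"].Value
        Home    = $homePath
    }
}

Set-FtpHome -Sam $SamAccountName -Root $FtpRoot -Dir $FtpDir
```

Run it as an account that can modify the user object; the returned object shows the values re-read from Active Directory, which is the quickest way to confirm the write happened before testing an FTP logon.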
Default Domain Name
You may find that users cannot log on to their FTP home directory unless they supply a username in the format "DOMAIN/Username". This happens because, by default, the FTP service resolves a bare username against the local computer's account database rather than against the domain accounts stored in Active Directory, where the msIIS-FTPRoot and msIIS-FTPDir attributes live.
According to this Microsoft article (http://support.microsoft.com/kb/310723), you can resolve the issue by using the adsutil.vbs script in the AdminScripts folder to set the DefaultLogonDomain property. However, these instructions seem to be inaccurate. I tried running the command to set the default logon domain for all FTP sites, but it had no effect on the way users were required to log on. For example:
    cd /d c:\inetpub\adminscripts
    adsutil set msftpsvc/defaultlogondomain "DOMAIN"
The command executes successfully, but any user attempting to access their FTP home directory with "Username" instead of "DOMAIN/Username" is still greeted with a 530 (not logged in) response.
The solution was to run iisftp /query to find the numeric site identifier of my FTP site (the site ID shown in the metabase path, not a process ID), and then set the property on that site rather than on the service. For example:
    cd /d c:\inetpub\adminscripts
    iisftp /query
    adsutil set msftpsvc/1087122196/defaultlogondomain "DOMAIN"
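To avoid copying the site ID out of iisftp /query by hand, the same change can be made against the IIS ADSI provider. The following is an added PowerShell example, not code from the original article: it locates the FTP site by its description, sets DefaultLogonDomain on that site object (the site-level setting that worked for the author), and reads the value back together with the numeric site ID. The site description "Client Portal FTP" and the domain name "DOMAIN" are assumptions.

```powershell
# Added example (not from the original article). Assumes IIS 6 with the FTP service
# installed and a caller with administrative rights on the metabase.
param(
    [string]$SiteDescription = "Client Portal FTP",  # assumed site description
    [string]$Domain          = "DOMAIN",             # assumed domain name
    [string]$Server          = "localhost"
)

function Get-FtpSiteEntry {
    # Walk the FTP service's children and return the site whose ServerComment
    # (the description shown in IIS Manager) matches.
    param([string]$Description, [string]$Computer)
    $service = [ADSI]"IIS://$Computer/MSFTPSVC"
    foreach ($child in $service.Children) {
        if ($child.SchemaClassName -eq "IIsFtpServer" -and
            [string]$child.ServerComment -eq $Description) {
            return $child
        }
    }
    throw "No FTP site with description '$Description' on $Computer"
}

function Set-FtpSiteDefaultLogonDomain {
    param([string]$Description, [string]$LogonDomain, [string]$Computer)
    $site = Get-FtpSiteEntry $Description $Computer

    # Set the property on the site itself, not on MSFTPSVC: the service-level
    # value did not change logon behaviour in the author's testing.
    $site.Put("DefaultLogonDomain", $LogonDomain)
    $site.SetInfo()

    # Re-read from the metabase so the returned value is what IIS will use.
    $site.RefreshCache()
    return New-Object PSObject -Property @{
        SiteId             = [string]$site.Name        # same number iisftp /query prints
        MetabasePath       = $site.Path
        ServerComment      = [string]$site.ServerComment
        DefaultLogonDomain = [string]$site.DefaultLogonDomain
    }
}

Set-FtpSiteDefaultLogonDomain -Description $SiteDescription -LogonDomain $Domain -Computer $Server
```

After running it, test with a bare username from an FTP client: a successful logon that lands in the user's msIIS-FTPDir folder confirms both this setting and the home directory attributes from the previous section are in place.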