How to Configure FTP User Isolation for Active Directory

At the company where I work, we run a client portal web app that gives our clients access to their files through a password-protected website that dynamically generates content individually for each client. We wanted to provide a secondary method for our clients to access their files should anything happen, so we opted for creating an FTP site in IIS with the option Isolate users using Active Directory, since our Win2K3 servers support it out of the box. Our idea was to have the client portal web app add the user accounts and home directory properties to Active Directory automatically, so we wouldn’t have to configure these things manually using scripts. To date, our solution has been working very reliably.

Setting up a user-isolated FTP site should be a straightforward Windows administration task, but you might find that the Isolate users using Active Directory option doesn’t work as you would expect. While IIS allows you to select this user isolation mode during the creation of a new FTP site, it obscures some of the configuration that is essential to making everything work properly. This article focuses on those hidden essentials.

Home Directory Properties

Although IIS mentions nothing about it, when you set up an FTP site with the Isolate users using Active Directory option, you must also assign each user account in Active Directory a specific home directory. To do so, you must add two Active Directory properties to the user account: msIIS-FTPRoot and msIIS-FTPDir. These properties can be added from the command line with the iisftp tool:

iisftp /SetADProp "Username" FTPRoot "RootPath"
iisftp /SetADProp "Username" FTPDir "DirectoryName"

For example, to assign the user “johndoe” a home directory located at “c:\inetpub\userftp\johndoe\files” (the FTPRoot and FTPDir values are joined to form the full path), you would execute the following two commands:

iisftp /SetADProp "johndoe" FTPRoot "c:\inetpub\userftp"
iisftp /SetADProp "johndoe" FTPDir "\johndoe\files"

Automating the Home Directory

For .NET programmers, you can set these two properties using the System.DirectoryServices namespace. However, there’s one small catch: these properties do not exist on the Active Directory user account yet, so they must be added. An easy way to handle this is to use a condition that either adds the property (if it does not exist) or modifies the property (if it already exists). We can wrap up all of this logic in a SetProperty function. For example:

Imports System.DirectoryServices

Sub SetProperty(ByVal pEntry As DirectoryEntry, ByVal pPropertyName As String, ByVal pPropertyValue As String)
    'check if the DirectoryEntry object contains this property already
    If pEntry.Properties.Contains(pPropertyName) Then
        'the DirectoryEntry object contains this property so we simply change the Value
        pEntry.Properties(pPropertyName).Value = pPropertyValue
    Else
        'the DirectoryEntry object does not contain this property, so we add it and provide our desired value
        pEntry.Properties(pPropertyName).Add(pPropertyValue)
    End If
    'note: the change is only staged here; the caller must call CommitChanges() on the entry to write it to Active Directory
End Sub

Then you would just call the SetProperty function by passing in the DirectoryEntry object you wish to modify, the property name, and the desired value, and commit the changes to Active Directory afterwards:

SetProperty(objDirectoryEntry, "msIIS-FTPRoot", "c:\inetpub\userftp")
SetProperty(objDirectoryEntry, "msIIS-FTPDir", "\johndoe\files")
'write both staged property changes back to the directory
objDirectoryEntry.CommitChanges()
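When a web application writes msIIS-FTPRoot and msIIS-FTPDir automatically, the values it stores decide which directory each client is confined to, so it is worth validating them before they reach Active Directory. The following Python script is an added example and is not code from the original article or from its client portal: it composes the effective home directory from the two properties the way the iisftp example above does (FTPRoot joined with FTPDir), rejects any FTPDir that would resolve outside the FTPRoot, flags two users whose home directories nest inside one another (which would defeat the isolation), and produces the two iisftp commands for a valid user. The usernames and paths in SAMPLE_USERS are constructed for the demonstration; ntpath is used so the path arithmetic runs on any platform, not only on a Windows server.

```python
import ntpath

# Constructed sample data (hypothetical users, not from the article): each entry is
# (msIIS-FTPRoot, msIIS-FTPDir) as a portal application might write it.
SAMPLE_USERS = {
    "johndoe": (r"c:\inetpub\userftp", r"\johndoe\files"),
    "janedoe": (r"c:\inetpub\userftp", r"\janedoe\files"),
    "mallory": (r"c:\inetpub\userftp", r"\..\..\windows"),   # FTPDir climbs out of the root
    "overlap": (r"c:\inetpub\userftp", r"\johndoe"),         # contains johndoe's home
}


def effective_home(ftp_root: str, ftp_dir: str) -> str:
    """Return the absolute, normalised directory IIS would use as the user's home:
    FTPRoot followed by FTPDir (FTPDir must start with a backslash)."""
    if not ftp_dir.startswith("\\"):
        raise ValueError("msIIS-FTPDir must start with a backslash, e.g. \\johndoe\\files")
    return ntpath.normcase(ntpath.normpath(ftp_root.rstrip("\\") + ftp_dir))


def is_inside(parent: str, path: str) -> bool:
    """True when 'path' is 'parent' itself or lies somewhere below it."""
    parent = ntpath.normcase(ntpath.normpath(parent))
    return path == parent or path.startswith(parent.rstrip("\\") + "\\")


def check_isolation(users):
    """Return a list of (username, problem) for every entry whose home directory
    escapes its FTPRoot or nests inside another user's home directory."""
    homes = {}
    problems = []
    for user, (root, ftp_dir) in users.items():
        try:
            home = effective_home(root, ftp_dir)
        except ValueError as err:
            problems.append((user, str(err)))
            continue
        if not is_inside(root, home):
            problems.append((user, f"home {home} escapes FTPRoot {root}"))
            continue
        homes[user] = home
    # Pairwise check: two isolated users must never share part of a directory tree.
    names = sorted(homes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if is_inside(homes[a], homes[b]) or is_inside(homes[b], homes[a]):
                problems.append((a, f"home {homes[a]} overlaps with {b}'s home {homes[b]}"))
    return problems


def iisftp_commands(user: str, ftp_root: str, ftp_dir: str):
    """Build the two iisftp /SetADProp commands for a user whose values passed validation."""
    effective_home(ftp_root, ftp_dir)  # raises on a malformed FTPDir
    return [
        f'iisftp /SetADProp "{user}" FTPRoot "{ftp_root}"',
        f'iisftp /SetADProp "{user}" FTPDir "{ftp_dir}"',
    ]


if __name__ == "__main__":
    for user, problem in check_isolation(SAMPLE_USERS):
        print(f"REJECT {user}: {problem}")
    for line in iisftp_commands("johndoe", *SAMPLE_USERS["johndoe"]):
        print(line)
```

Run as-is, the script rejects "mallory" (the home resolves to c:\windows) and reports that "johndoe" and "overlap" share a directory tree, while printing the two commands from the article for johndoe. The same checks apply equally well in the VB.NET code above before calling SetProperty; the point is that the composed path, not the individual property values, is what needs checking.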

Default Domain Name

You may find that users cannot log on to their FTP home directory unless they specify a username in the format “DOMAIN/Username”. This happens because, by default, IIS authenticates against the local system’s user accounts rather than the domain’s user accounts stored in Active Directory.

According to this Microsoft article (http://support.microsoft.com/kb/310723), you can resolve the issue by using the adsutil.vbs script in the AdminScripts folder to set the DefaultDomainName property. However, these instructions seem to be inaccurate. I tried running the command to set the default domain name for all FTP sites, but it had no effect on the way users were required to log on. For example:

cd /d c:\inetpub\adminscripts
adsutil set msftpsvc/defaultlogondomain "DOMAIN"

The command executes successfully, but any user attempting to access their FTP home directory using “Username” instead of “DOMAIN/Username” is still greeted with error 530 (login failed).

The solution was to query iisftp for the numeric identifier of my FTP site, and then specify that identifier in the adsutil set command so the property is set on the site itself rather than on the service. For example:

cd /d c:\inetpub\adminscripts
iisftp /query
adsutil set msftpsvc/1087122196/defaultlogondomain "DOMAIN"


2 Comments

  1. How do I do this via Active Directory? Should the Home Directory be on the webserver?

  2. Rick, as far as I know you cannot do this via the Active Directory Snap-in (at least for Win2K3), which is why I wrote the tutorial. The tutorial explains that you should use the iisftp command from a command prompt in order to add the IIS-specific properties to the desired Active Directory users/objects. Unfortunately, advanced procedures and configurations such as this one are sometimes not built into the GUI utilities and must be run from a command line.

    I’m pretty sure the Home Directory can be any system path at the very least, so mapped network drive paths should be OK. I’m not sure if UNC paths work, but that shouldn’t be too difficult to test.
