2015-01-26

Creating FTP or FTPS on IIS 8.5 (with Active Directory User isolation).

The goal of this article is to describe how to create an FTP(S) site on IIS 8.5 that authenticates users against Active Directory accounts, and how to configure AD user isolation so that each user lands in an individual home folder.
 
1. Install IIS Role and required features
 
In Server Manager click on Add roles and features
Click Next
Installation Type - choose Role-based or feature-based installation and click Next
Server Selection - choose your server and click Next
Server Roles - select Web Server (IIS) and confirm required features by clicking Add Features in the popup window, click Next
In the Features and Web Server Role (IIS) sections click Next
Role Services - deselect the role services you don't need. If this is going to be a dedicated FTP server, leave only FTP Server/FTP Service and Management Tools/IIS Management Console selected, then click Next
Confirmation - click Install
 
2. Create FTP users and Groups
In Active Directory create your FTP users, for example:
FTPuser1
FTPuser2
FTPuser3
 
And create FTP users security group:
FTP Users
 
Add all FTP users to the membership of the "FTP Users" group.
 
3. Create folders and assign permissions
Prepare the folder structure in your preferred location. In this example we will use a share on Fileserver as the FTP root, so users can also access the FTP folders directly via the file share while they are connected to the company network.
 
Share a folder on Fileserver (in this example the share is named FTProot).
Set sharing permissions for group "FTP Users" to Full Control.
Set NTFS permissions (security tab) for "FTP Users" group to List folder contents.
 
Next we will create a home folder for every group of users that needs to be isolated.
For example, users FTPuser1 and FTPuser2 will share the same home folder because they are colleagues working with the same data, while FTPuser3 is from another department, so he will have a separate home folder.
 
On the Home1 folder, add security (NTFS) permissions for users FTPuser1 and FTPuser2 and set them to Modify
 
On the Home2 folder, add security (NTFS) permissions for user FTPuser3 and set them to Modify
 
4. Configure IIS
Open IIS Manager in Control Panel->Administrative Tools->Internet Information Services (IIS) Manager
 
In IIS Manager expand your server, right click Sites and choose Add FTP Site...
Enter site name: myFTP
Physical path: \\Fileserver\FTProot
 
If you want to run FTPS select Require SSL and select your SSL Certificate, otherwise select No SSL.
 
 
Authentication:
Basic only
Authorization:
Select Specified roles or user groups from the drop-down menu.
Type FTP Users.
Select the Read and Write checkboxes.
Click Finish.
 
Next configure FTP User Isolation.
Under myFTP site open FTP User Isolation.
Select Isolate users. Restrict users to the following directory:
FTP home directory configured in Active Directory
and enter the credentials of an account that can read AD user properties (a dedicated, low-privilege account is enough; it does not need admin rights).
 
5. Configure user AD properties
Open Active Directory Users and Computers (ADUC) and modify the properties of your FTP users.
To be able to modify attributes, first in ADUC select View and turn on Advanced Features.
Now you should see Attribute Editor tab in user properties.
Configure AD properties as follows:
 
FTPuser1
msIIS-FTPDir: \Home1
msIIS-FTPRoot: \\Fileserver\FTProot\
 
FTPuser2
msIIS-FTPDir: \Home1
msIIS-FTPRoot: \\Fileserver\FTProot\
 
FTPuser3
msIIS-FTPDir: \Home2
msIIS-FTPRoot: \\Fileserver\FTProot\
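Steps 1 to 5 scripted in PowerShell, as an added example that is not part of the original article. It uses the ServerManager, ActiveDirectory and WebAdministration modules and reuses the article's names (FTPuser1-3, the "FTP Users" group, \\Fileserver\FTProot, Home1/Home2, myFTP); the OU, the EXAMPLE domain name, the share's local path on Fileserver, the svc-ftpad service account and the certificate subject are assumptions.

```powershell
# Added example (not from the original article): steps 1 to 5 scripted with the
# ServerManager, ActiveDirectory and WebAdministration modules. Article names are
# reused; the OU, the EXAMPLE domain, the share's local path, the svc-ftpad
# service account and the certificate subject are assumptions.
Import-Module ServerManager
Import-Module ActiveDirectory
Import-Module WebAdministration

$domain    = "EXAMPLE"                          # assumed NetBIOS domain name
$ou        = "OU=FTP,DC=example,DC=local"       # assumed OU for the FTP accounts
$groupName = "FTP Users"
$groupAcct = "$domain\$groupName"
$share     = "\\Fileserver\FTProot"             # UNC root used by the article
$siteName  = "myFTP"

# Step 1: IIS with only the FTP role services and the management console
Install-WindowsFeature Web-Server, Web-Ftp-Server, Web-Ftp-Service, Web-Mgmt-Console

# Step 2: FTP users and the "FTP Users" group
$initialPwd = Read-Host -AsSecureString "Initial password for the FTP users"
foreach ($u in "FTPuser1", "FTPuser2", "FTPuser3") {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        New-ADUser -Name $u -SamAccountName $u -Path $ou -AccountPassword $initialPwd -Enabled $true
    }
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -Path $ou
}
Add-ADGroupMember -Identity $groupName -Members FTPuser1, FTPuser2, FTPuser3

# Step 3: share, home folders and NTFS permissions, run remotely on Fileserver.
# The group only gets "List folder contents" at the root; Modify is granted per home folder.
Invoke-Command -ComputerName Fileserver -ScriptBlock {
    $dom = $using:domain; $grp = $using:groupAcct
    $local = "D:\FTProot"                        # assumed local path of the share
    New-Item -ItemType Directory -Force -Path $local, "$local\Home1", "$local\Home2" | Out-Null
    New-SmbShare -Name FTProot -Path $local -FullAccess $grp
    icacls $local         /grant "${grp}:(CI)(RX)"
    icacls "$local\Home1" /grant "$dom\FTPuser1:(OI)(CI)M" "$dom\FTPuser2:(OI)(CI)M"
    icacls "$local\Home2" /grant "$dom\FTPuser3:(OI)(CI)M"
}

# Step 4: FTP site with Basic authentication only, FTPS required, Read/Write for the group
New-WebFtpSite -Name $siteName -Port 21 -PhysicalPath $share -Force | Out-Null
$site = "IIS:\Sites\$siteName"
Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true

# FTPS: pick the server certificate by subject (assumed) and require TLS on both channels.
# For plain FTP ("No SSL" in the wizard) set both policies to SslAllow and skip the certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=ftp.example.local*" } | Select-Object -First 1
Set-ItemProperty $site -Name ftpServer.security.ssl.serverCertHash       -Value $cert.Thumbprint
Set-ItemProperty $site -Name ftpServer.security.ssl.serverCertStoreName  -Value "My"
Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value "SslRequire"
Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy    -Value "SslRequire"

Add-WebConfiguration "/system.ftpServer/security/authorization" -PSPath "IIS:\" -Location $siteName `
    -Value @{ accessType = "Allow"; roles = $groupName; permissions = "Read,Write" }

# FTP User Isolation: "FTP home directory configured in Active Directory".
# svc-ftpad only needs read access to user attributes, not admin rights.
$svcCred = Get-Credential -UserName "$domain\svc-ftpad" -Message "Account used to read AD properties"
Set-ItemProperty $site -Name ftpServer.userIsolation.mode -Value "ActiveDirectory"
Set-ItemProperty $site -Name ftpServer.userIsolation.activeDirectory.userName -Value $svcCred.UserName
Set-ItemProperty $site -Name ftpServer.userIsolation.activeDirectory.password -Value $svcCred.GetNetworkCredential().Password

# Step 5: msIIS-FTPRoot / msIIS-FTPDir per user, the same values as in the Attribute Editor
$homes = @{ FTPuser1 = "\Home1"; FTPuser2 = "\Home1"; FTPuser3 = "\Home2" }
foreach ($u in $homes.Keys) {
    Set-ADUser -Identity $u -Replace @{ "msIIS-FTPRoot" = "$share\"; "msIIS-FTPDir" = $homes[$u] }
}

# Verify what IIS will read for every group member at login time
Get-ADGroupMember -Identity $groupName |
    Get-ADUser -Properties 'msIIS-FTPRoot', 'msIIS-FTPDir' |
    Select-Object SamAccountName, 'msIIS-FTPRoot', 'msIIS-FTPDir'
```

The AD part needs the RSAT ActiveDirectory module and rights to create objects in the chosen OU; the Invoke-Command block needs PowerShell remoting enabled on Fileserver. The final listing is worth keeping as a routine check: a typo in msIIS-FTPRoot or msIIS-FTPDir is the usual reason a user is rejected with "home directory inaccessible" even though the password is correct.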
 
6. Login
For testing login we will use FileZilla FTP client.
Configure connection as follows.
Host: address of your FTP server
Protocol: FTP File Transfer Protocol
Port: 21
Encryption: if your FTP requires SSL select Require explicit FTP over TLS, otherwise select Only use plain FTP (insecure)
Logon type: Ask for password
User: FTPuser1
 
Click Connect, enter your password and click OK.
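A scripted version of the FileZilla login test, as an added example that is not from the original article. It uses .NET's FtpWebRequest from PowerShell to authenticate over explicit FTP over TLS and list the directory the server lands the user in; the host name ftp.example.local is an assumption, FTPuser1 is the article's test user.

```powershell
# Added example (not from the original article): log in over explicit FTP over TLS
# (AUTH TLS, PROT P) and return the listing of the landing directory.
# The host name is an assumption; FTPuser1 is the article's test user.
function Test-FtpLogin {
    param(
        [Parameter(Mandatory)] [string]       $HostName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [bool] $UseTls = $true,   # $true = "Require explicit FTP over TLS" in FileZilla
        [int]  $Port   = 21
    )
    $req = [System.Net.FtpWebRequest]::Create("ftp://${HostName}:${Port}/")
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $req.EnableSsl   = $UseTls                 # server certificate is validated by .NET
    $req.Credentials = $Credential.GetNetworkCredential()
    $req.UsePassive  = $true
    $req.Timeout     = 10000

    try {
        $resp    = $req.GetResponse()
        $banner  = $resp.WelcomeMessage.Trim()
        $reader  = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $listing = $reader.ReadToEnd()
        $reader.Close(); $resp.Close()
        [pscustomobject]@{ User = $Credential.UserName; LoggedIn = $true;  Detail = $banner; Listing = $listing }
    } catch [System.Net.WebException] {
        # The server's reply (e.g. "530 User cannot log in, home directory inaccessible.")
        # is carried in the exception message, so it is returned for troubleshooting.
        [pscustomobject]@{ User = $Credential.UserName; LoggedIn = $false; Detail = $_.Exception.Message; Listing = $null }
    }
}

$cred = Get-Credential -UserName "FTPuser1" -Message "FTP password"
Test-FtpLogin -HostName "ftp.example.local" -Credential $cred -UseTls $true
```

Because .NET validates the server certificate, a self-signed certificate fails before the login with a trust error; install that certificate in the client's Trusted Root store for the test rather than switching validation off. A 530 reply with "home directory inaccessible" typically means the password was accepted but the msIIS-FTPRoot/msIIS-FTPDir values or the NTFS rights on the home folder are wrong.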
 
 
7. Conclusion
If everything went to plan, users FTPuser1 and FTPuser2 should land in the \\Fileserver\FTProot\Home1 folder after login and user FTPuser3 should land in \\Fileserver\FTProot\Home2.
 
3 comments:

  1. Just want to say, out of a day's worth of searching you are the only one who was able to put this in a simple format and easy to follow. Thank you!

  2. Thank you, the same thing after days of searching you are the only one who shared this information clearly and easily

  3. 530-User cannot log in, home directory inaccessible.
    Response: Win32 error: The filename, directory name, or volume label syntax is incorrect.
    Response: Error details: File system returned an error.
    Response: 530 End
    :( :(
