Ftp server Authentication

Bjarne Petersen 0 Reputation points
2026-05-10T10:42:03.6433333+00:00

Dear community,

Can somebody please direct me to good theoretical documentation about how IIS FTP Server should work?
I did everything by the book, but cannot authenticate.

I think I tried, by trial and error, every possible combination, but to no avail.
I think this is a very common issue, but I was unable to find solutions in Q&A.

All methods of authentication will suffice, but I prefer domain authentication.

Yours sincerely,

Bjarne Petersen

Windows for business | Windows Server | Networking | Network connectivity and file sharing

2 answers

  1. Tan Vu 2,655 Reputation points Independent Advisor
    2026-05-10T11:49:44.67+00:00

    Hi Petersen,

    To help you solve the problem effectively, here is a step-by-step guide on the necessary architectural adjustments.

    First: Preparing the Environment and Active Directory

    Before configuring the server software, the server and domain environment must be properly prepared to communicate with each other. The IIS server must be successfully connected to your Active Directory domain. In Active Directory, it is highly recommended to create a dedicated security group for your FTP users instead of managing each account individually later. After the group is created and users are added, you must ensure that the Microsoft FTP Service, usually running as a Local System or Network Service account, has the necessary network access to query the domain and authenticate these users.

    Second: Configuring the File System

    The physical file system is the most common point of failure, because if the directory is not explicitly accessible to domain users, IIS will automatically refuse the connection. You first need to create the root directory on the server's local drive. Next, you must modify the folder's security properties to assign NTFS permissions to your domain group, ensuring you select your Active Directory domain from the location menu instead of the local server database. It's also crucial to verify that the Network Service account has at least read permissions to this folder so that the IIS service can view the folder structure.

    Third: Configuring the IIS Server

    After setting up the platform, you can configure the FTP site in IIS Manager by pointing a new site to the physical folder you just secured. Since you're dealing with domain credentials, which FTP transmits as plain text by default, you must configure the site binding to require an SSL certificate to encrypt the session. For authentication settings, you must enable Basic Authentication and disable Anonymous Authentication, relying on the SSL tunnel to protect the transmission. Finally, you need to navigate to the FTP Authorization Rules, delete any default rules, and add a rule that specifically allows the domain group you created, granting them appropriate read or write permissions.

    Fourth: Client Connection

    When a user attempts to log in using an external FTP client, the login information syntax and connection protocol are crucial for a successful handshake. The username cannot be entered as a simple bare name; it must explicitly reference the domain name, using the standard domain-hash-username format or the username-primary format containing the @ symbol. Additionally, the FTP client must be configured to connect via explicit FTP over TLS or SSL. If a user attempts to connect using regular FTP, a properly configured IIS server will proactively disconnect to protect the domain password from being stolen.

    Finally: Troubleshooting Strategy

    If you've completed the previous configuration steps and authentication is still failing, there are a few specific areas to investigate. First, verify that FTP User Isolation is disabled in IIS, as enabling it requires a very specific subdirectory structure tailored to each domain user, which will cause logins to fail immediately if those directories are missing. Next, confirm that both port 21 and your specified passive port range are allowed through the Windows Firewall. If network traffic is still active but authentication fails, the Windows Event Viewer Security logs will be the best diagnostic tool, as the error events checked will reveal specifically whether the problem stems from an incorrect password, a locked Active Directory account, or a lack of local login permissions on the server itself.

    Was this answer helpful?
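
The Security-log check described in the troubleshooting step above, as an added example that is not part of the original answer: it reads recent failed-logon events (event ID 4625) on the FTP server and maps the recorded status codes to the causes the answer lists. The one-hour window and the 200-event limit are assumptions; run it in an elevated session.

```powershell
# Added example: summarise failed logons (Security event 4625) on the FTP server.
# The look-back window and event limit are assumptions; adjust as needed.
$since = (Get-Date).AddHours(-1)

# NTSTATUS codes that appear in the Status / SubStatus fields of event 4625.
$reason = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Incorrect password'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000071' = 'Password expired'
    '0xc000015b' = 'Requested logon type not granted on this server'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -MaxEvents 200 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # EventData is a list of <Data Name="...">value</Data> pairs in the event XML.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }

    # The specific cause is usually in SubStatus; fall back to Status.
    $code = @($data['SubStatus'], $data['Status']) |
        ForEach-Object { "$_".ToLower() } |
        Where-Object { $reason.ContainsKey($_) } |
        Select-Object -First 1

    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
        Status    = $data['Status']
        SubStatus = $data['SubStatus']
        Cause     = if ($code) { $reason[$code] } else { 'Unmapped, look up the codes' }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

An empty result while the client still reports a login failure means no failed logon reached Windows in that window, so the rejection happened earlier.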


  2. AI answer

    2026-05-10T10:42:22.66+00:00

    For IIS FTP, authentication is controlled by the <authentication> element at the site level and must be aligned with matching authorization rules and (for domain logons) valid Windows/domain accounts.

    Key concepts and options:

    1. Supported FTP authentication types
    • Anonymous authentication
      • Users connect without a local/domain account.
      • Typically log on as ftp or anonymous; password is often an email address but not required.
      • Common for public download-only FTP sites.
    • Basic authentication
      • Requires a valid local or domain Windows account.
      • User name and password are sent in clear text over FTP; therefore, it is recommended to combine Basic with SSL (FTPS) so credentials are encrypted.
    • Client Certificate authentication
      • Uses client certificates to authenticate FTP clients.
    • Custom authentication
      • Uses custom providers (e.g., ASP.NET Membership or IIS Manager authentication) so that accounts do not need to exist as Windows/domain accounts.
    2. Enabling Basic (domain) authentication in IIS FTP
       To use domain authentication, configure Basic authentication and ensure the domain account has NTFS and FTP authorization permissions:
       1. Open IIS Manager.
       2. In the Connections pane, expand the server, expand Sites, and select the FTP site.
       3. In the site’s Home pane, double‑click FTP Authentication.
       4. Select Basic Authentication and click Enable in the Actions pane.
       5. Ensure Anonymous authentication is disabled if only domain logons should be allowed.

    To create a new FTP site with Basic authentication and read/write access using the wizard:

    1. In IIS Manager, start the Add FTP Site wizard.
    2. Configure binding (IP, port 21 or 990 for implicit FTPS, and SSL options as needed).
    3. On the Authentication and Authorization page:
      • Set Authentication to Basic.
      • Under Authorization, choose Specified users and enter the domain or local account(s) that should have access.
      • Select Read and Write permissions.
    4. Finish the wizard.
    3. SSL considerations for Basic/domain authentication
       Because FTP transmits credentials in clear text, when using Basic authentication (including domain accounts), configure FTP over SSL:
    • In the FTP binding settings, choose one of:
      • Allow SSL – clients may use FTPS but are not forced.
      • Require SSL – clients must use FTPS; this is preferred for securing credentials.
    • Select a valid server certificate in the SSL Certificate drop‑down.
    4. Common causes of “cannot authenticate” with domain accounts
       While the context does not list specific error messages, typical issues in IIS FTP domain authentication scenarios include:
    • Basic authentication not enabled (or still disabled) for the FTP site.
    • Anonymous authentication enabled when only domain access is expected, leading to confusion about which identity is used.
    • FTP authorization rules not granting access to the domain user (e.g., using “Anonymous users” instead of “Specified users” or the correct domain group).
    • NTFS permissions on the FTP root or virtual directory not granting the domain account read/write access.
    5. Additional security configuration
       For more advanced scenarios:
    • Configure FTP authorization rules to control which users/groups can access which paths and with what permissions.
    • Consider FTP User Isolation if multiple users share a single FTP site but must be restricted to their own folders.
    • For environments where Windows/domain accounts should not be created for every FTP user, consider custom authentication providers such as ASP.NET Membership or IIS Manager authentication.

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?
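
The configuration both answers above describe (NTFS permissions, Basic authentication with Anonymous disabled, required SSL, user isolation off, one authorization rule for the domain group), as an added example using the WebAdministration module; it is not code from either answer. The site name, folder, group name and certificate thumbprint are placeholders.

```powershell
# Added example: IIS FTP site with Basic authentication over required TLS.
# Site name, path, group and thumbprint are placeholders (assumptions).
Import-Module WebAdministration

$site   = 'DomainFtp'
$root   = 'D:\FtpRoot'
$group  = 'CONTOSO\FTP-Users'
$thumb  = '<thumbprint of a certificate in Cert:\LocalMachine\My>'
$sitePs = "IIS:\Sites\$site"

# File system: create the root, grant the domain group Modify (inherited),
# and give Network Service read access as the first answer recommends.
New-Item -ItemType Directory -Path $root -Force | Out-Null
icacls $root /grant "${group}:(OI)(CI)M" | Out-Null
icacls $root /grant 'NETWORK SERVICE:(OI)(CI)RX' | Out-Null

if (-not (Test-Path $sitePs)) {
    New-WebFtpSite -Name $site -Port 21 -PhysicalPath $root | Out-Null
}

# Authentication: Basic on, Anonymous off.
$auth = 'ftpServer.security.authentication'
Set-ItemProperty $sitePs -Name "$auth.basicAuthentication.enabled" -Value $true
Set-ItemProperty $sitePs -Name "$auth.anonymousAuthentication.enabled" -Value $false

# TLS: bind the certificate and require it on control and data channels.
$ssl = 'ftpServer.security.ssl'
Set-ItemProperty $sitePs -Name "$ssl.serverCertHash" -Value $thumb
Set-ItemProperty $sitePs -Name "$ssl.controlChannelPolicy" -Value 'SslRequire'
Set-ItemProperty $sitePs -Name "$ssl.dataChannelPolicy" -Value 'SslRequire'

# User isolation off, so no per-user directory layout is needed.
Set-ItemProperty $sitePs -Name 'ftpServer.userIsolation.mode' -Value 'None'

# Authorization: drop existing rules for this site, then allow only the group.
$authz = '/system.ftpServer/security/authorization'
Clear-WebConfiguration -Filter $authz -PSPath 'IIS:\' -Location $site
Add-WebConfiguration -Filter $authz -PSPath 'IIS:\' -Location $site `
    -Value @{ accessType = 'Allow'; roles = $group; permissions = 'Read,Write' }

# Read the resulting rules back to confirm what is in effect.
Get-WebConfiguration -Filter "$authz/add" -PSPath 'IIS:\' -Location $site |
    Select-Object accessType, roles, users, permissions
```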
