Ftp server Authentication

Question

Ftp server Authentication

Bjarne Petersen 20

Dear community,

Can somebody please direct me to good theoretic documentation about how IIS Ftp Server should work?
I did everything by the book, but can not authenticate.

I think I tried, trial on error, every possible combination but to no avail.
I think this is a very common issue but were unable to find solutions in Q&A.

All methods of authentication will suffice, but I prefer domain authentication.

Yours sincerely,

Bjarne Petersen

MotoX80 37,696 Reputation points

2026-05-10T13:10:58.2233333+00:00

What error message does the client get?

What entries do you see in the FTP log?

Do you see logon failure events in the Security eventlog? What account and error codes are listed in those events?

What client program are you using? Ftp.exe? Try using Filezilla.

Is there a network firewall between the client and the server?
Bjarne Petersen 20 Reputation points

2026-05-11T22:50:35.76+00:00
-530 User cannot log in, home directory inaccessible.

I do not want home directories yet, at first connect plus transfer would suffice, I want all users to connect to the same path.

-these are entries in the FTP log

2026-05-09 16:41:17 192.168.0.11 - 192.168.0.7 21 ControlChannelClosed - - 0 0 453ef921-03ae-48b9-b276-06adee127be5 -

2026-05-09 16:41:18 192.168.0.11 - 192.168.0.7 21 ControlChannelOpened - - 0 0 5d576424-bb86-41b0-9d2d-54e45b508d78 -

2026-05-09 16:41:18 192.168.0.11 - 192.168.0.7 21 FEAT - 211 0 0 5d576424-bb86-41b0-9d2d-54e45b508d78 -

2026-05-09 16:41:18 192.168.0.11 - 192.168.0.7 21 OPTS UTF8+ON 200 0 0 5d576424-bb86-41b0-9d2d-54e45b508d78 -

-the security event logon is totally clean of the requested data

-I am using ftp.exe and on your advise I momentarily am using filezilla which both give the same output, except filezilla closes the connection and ftp.exe does not.

-there is a firewall between client and server but as said, connection establishes but authentication can not fulfill.

I decided to start simple; followed the wizard, chose for basic authentication without SSL without certification.
then the interface for authentication makes way for groups, users and roles, but I have got a hunch that these are all not Active Directory integrated and I am asking myself and am pretty sure that the FTP server is having its own groups, users, and roles database but as of how and what and why I do not grasp.
Fact of the matter is that I stumble upon authentication.
MotoX80 37,696 Reputation points

2026-05-12T00:15:15.4433333+00:00

Start with a local user to test with. Something simple, like a user named testuser.

Verify that basic authentication is set. (I don't have an AD environment to play with.)

Set the home directory and verify that the Users group has at least read access in the permissions.

Set a welcome message to verify that you are connecting to your server.

FTP does not work well with a firewall. https://www.bing.com/search?q=explain%20ftp%20passive%20mode

The client FTP.exe does not support passive mode, so you will need to use FileZilla and configure it to use PASV.

You may also need to set the external IP of your firewall. (Assuming that you have set up port forwarding.)

Depending on your user and security requirements, I would suggest that you consider installing the OpenSSH feature of Windows and use SFTP instead of FTP or FTPS. FTP data is not encrypted (over the internet) and it's data channel port can be problematic. With SFTP you only need to deal with port 22.
Bjarne Petersen 20 Reputation points

2026-05-16T15:04:39.6833333+00:00

Basically, it works now.

There has been updates from Microsoft. I am not saying that was it. But I do it as I should and now it does work.
I appreciate very much your help and Filezilla is welcomed.

Answer accepted by question author

AI answer

For IIS FTP, authentication is controlled by the <authentication> element at the site level and must be aligned with matching authorization rules and (for domain logons) valid Windows/domain accounts.

Key concepts and options:

Supported FTP authentication types

Anonymous authentication
- Users connect without a local/domain account.
- Typically log on as ftp or anonymous; password is often an email address but not required.
- Common for public download-only FTP sites.
Basic authentication
- Requires a valid local or domain Windows account.
- User name and password are sent in clear text over FTP; therefore, it is recommended to combine Basic with SSL (FTPS) so credentials are encrypted.
Client Certificate authentication
- Uses client certificates to authenticate FTP clients.
Custom authentication
- Uses custom providers (e.g., ASP.NET Membership or IIS Manager authentication) so that accounts do not need to exist as Windows/domain accounts.

Enabling Basic (domain) authentication in IIS FTP To use domain authentication, configure Basic authentication and ensure the domain account has NTFS and FTP authorization permissions:
Open IIS Manager.
In the Connections pane, expand the server, expand Sites, and select the FTP site.
In the site’s Home pane, double‑click FTP Authentication.
Select Basic Authentication and click Enable in the Actions pane.
Ensure Anonymous authentication is disabled if only domain logons should be allowed.

To create a new FTP site with Basic authentication and read/write access using the wizard:

In IIS Manager, start the Add FTP Site wizard.
Configure binding (IP, port 21 or 990 for implicit FTPS, and SSL options as needed).
On the Authentication and Authorization page:
- Set Authentication to Basic.
- Under Authorization, choose Specified users and enter the domain or local account(s) that should have access.
- Select Read and Write permissions.
Finish the wizard.
SSL considerations for Basic/domain authentication Because FTP transmits credentials in clear text, when using Basic authentication (including domain accounts), configure FTP over SSL:

In the FTP binding settings, choose one of:
- Allow SSL – clients may use FTPS but are not forced.
- Require SSL – clients must use FTPS; this is preferred for securing credentials.
Select a valid server certificate in the SSL Certificate drop‑down.

Common causes of “cannot authenticate” with domain accounts While the context does not list specific error messages, typical issues in IIS FTP domain authentication scenarios include:

Basic authentication not enabled (or still disabled) for the FTP site.
Anonymous authentication enabled when only domain access is expected, leading to confusion about which identity is used.
FTP authorization rules not granting access to the domain user (e.g., using “Anonymous users” instead of “Specified users” or the correct domain group).
NTFS permissions on the FTP root or virtual directory not granting the domain account read/write access.

Additional security configuration For more advanced scenarios:

Configure FTP authorization rules to control which users/groups can access which paths and with what permissions.
Consider FTP User Isolation if multiple users share a single FTP site but must be restricted to their own folders.
For environments where Windows/domain accounts should not be created for every FTP user, consider custom authentication providers such as ASP.NET Membership or IIS Manager authentication.

References:

AI-generated content may be incorrect. Read our transparency notes for more information.

1 additional answer

Your answer

MotoX80 37,696 Reputation points

2026-05-10T13:10:58.2233333+00:00

What error message does the client get?

What entries do you see in the FTP log?

Do you see logon failure events in the Security eventlog? What account and error codes are listed in those events?

What client program are you using? Ftp.exe? Try using Filezilla.

Is there a network firewall between the client and the server?
Bjarne Petersen 20 Reputation points

2026-05-11T22:50:35.76+00:00

-530 User cannot log in, home directory inaccessible.

I do not want home directories yet, at first connect plus transfer would suffice, I want all users to connect to the same path.

-these are entries in the FTP log

2026-05-09 16:41:17 192.168.0.11 - 192.168.0.7 21 ControlChannelClosed - - 0 0 453ef921-03ae-48b9-b276-06adee127be5 -

2026-05-09 16:41:18 192.168.0.11 - 192.168.0.7 21 ControlChannelOpened - - 0 0 5d576424-bb86-41b0-9d2d-54e45b508d78 -

2026-05-09 16:41:18 192.168.0.11 - 192.168.0.7 21 FEAT - 211 0 0 5d576424-bb86-41b0-9d2d-54e45b508d78 -

2026-05-09 16:41:18 192.168.0.11 - 192.168.0.7 21 OPTS UTF8+ON 200 0 0 5d576424-bb86-41b0-9d2d-54e45b508d78 -

-the security event logon is totally clean of the requested data

-I am using ftp.exe and on your advise I momentarily am using filezilla which both give the same output, except filezilla closes the connection and ftp.exe does not.

-there is a firewall between client and server but as said, connection establishes but authentication can not fulfill.

I decided to start simple; followed the wizard, chose for basic authentication without SSL without certification.
then the interface for authentication makes way for groups, users and roles, but I have got a hunch that these are all not Active Directory integrated and I am asking myself and am pretty sure that the FTP server is having its own groups, users, and roles database but as of how and what and why I do not grasp.
Fact of the matter is that I stumble upon authentication.
MotoX80 37,696 Reputation points

2026-05-12T00:15:15.4433333+00:00

Start with a local user to test with. Something simple, like a user named testuser.

Verify that basic authentication is set. (I don't have an AD environment to play with.)

Set the home directory and verify that the Users group has at least read access in the permissions.

Set a welcome message to verify that you are connecting to your server.

FTP does not work well with a firewall. https://www.bing.com/search?q=explain%20ftp%20passive%20mode

The client FTP.exe does not support passive mode, so you will need to use FileZilla and configure it to use PASV.

You may also need to set the external IP of your firewall. (Assuming that you have set up port forwarding.)

Depending on your user and security requirements, I would suggest that you consider installing the OpenSSH feature of Windows and use SFTP instead of FTP or FTPS. FTP data is not encrypted (over the internet) and it's data channel port can be problematic. With SFTP you only need to deal with port 22.
Bjarne Petersen 20 Reputation points

2026-05-16T15:04:39.6833333+00:00

Basically, it works now.

There has been updates from Microsoft. I am not saying that was it. But I do it as I should and now it does work.
I appreciate very much your help and Filezilla is welcomed.

Answer 1

Hi Petersen,

To help you solve the problem effectively, here is a step-by-step guide on the necessary architectural adjustments.

First, Preparing the Environment and Active Directory

Before configuring the server software, the server and domain environment must be properly prepared to communicate with each other. The IIS server must be successfully connected to your Active Directory domain. In Active Directory, it is highly recommended to create a dedicated security group for your FTP users instead of managing each account individually later. After the group is created and users are added, you must ensure that the Microsoft FTP Service, usually running as a Local System or Network Service account, has the necessary network access to query the domain and authenticate these users.

Second, Configuring the File System

The physical file system is the most common point of failure, because if the directory is not explicitly accessible to domain users, IIS will automatically refuse the connection. You first need to create the root directory on the server's local drive. Next, you must modify the folder's security properties to assign NTFS permissions to your domain group, ensuring you select your Active Directory domain from the location menu instead of the local server database. It's also crucial to verify that the Network Service account has at least read permissions to this folder so that the IIS service can view the folder structure.

Third: Configuring the IIS Server

After setting up the platform, you can configure the FTP site in IIS Manager by pointing a new site to the physical folder you just secured. Since you're dealing with domain credentials, which FTP transmits as plain text by default, you must configure the site binding to require an SSL certificate to encrypt the session. For authentication settings, you must enable Basic Authentication and disable Anonymous Authentication, relying on the SSL tunnel to protect the transmission. Finally, you need to navigate to the FTP Authorization Rules, delete any default rules, and add a rule that specifically allows the domain group you created, granting them appropriate read or write permissions.

Fourth: Client Connection

When a user attempts to log in using an external FTP client, the login information syntax and connection protocol are crucial for a successful handshake. The username cannot be entered as a simple bare name; it must explicitly reference the domain name, using the standard domain-hash-username format or the username-primary format containing the @ symbol. Additionally, the FTP client must be configured to connect via explicit FTP over TLS or SSL. If a user attempts to connect using regular FTP, a properly configured IIS server will proactively disconnect to protect the domain password from being stolen.

Finally: Troubleshooting Strategy

If you've completed the previous configuration steps and authentication is still failing, there are a few specific areas to investigate. First, verify that FTP User Isolation is disabled in IIS, as enabling it requires a very specific subdirectory structure tailored to each domain user, which will cause logins to fail immediately if those directories are missing. Next, confirm that both port 21 and your specified passive port range are allowed through the Windows Firewall. If network traffic is still active but authentication fails, the Windows Event Viewer Security logs will be the best diagnostic tool, as the error events checked will reveal specifically whether the problem stems from an incorrect password, a locked Active Directory account, or a lack of local login permissions on the server itself.

Share via

Ftp server Authentication

1 additional answer

Your answer