Standalone FTP with client certificate with iisClientCertificateMappingAuthentication issue

Osvaldo 1 Reputation point
2022-01-17T20:16:33.603+00:00

Hello,

I am trying to implement certificate-based authentication on an IIS FTP site.
But after configuring one-to-one certificate mapping for user ftp1, it is able to connect with the mapped certificate but also using certificates that are not mapped to it.

That makes me think that one-to-one certificate mapping is not applied to the FTP site.
I used the documentation available at https://learn.microsoft.com/en-us/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings as indicated on this site https://devblog.ztp.pt/implement-client-certificate-authentication-for-ftp-on-iis-8-2/
That is an explanation made for a web site, but I did not find one dedicated to an FTP site.

Any ideas?

Are there any documents made for an IIS-based FTP service?

Sincerely

Osvaldo Alvarez Pozo


3 answers

  1. Osvaldo 1 Reputation point
    2022-01-18T10:07:18.523+00:00

    Hello @Bruce Zhang-MSFT,

    Thanks for your answer.

    In applicationHost.config I have this:

    <!-- FTP site: TLS required on the control and data channels,
         a client certificate required, Active Directory mapping off -->
    <site name="FTPS" id="2">
      <application path="/">
        <virtualDirectory path="/" physicalPath="C:\inetpub\ftproot\myftp" />
      </application>
      <bindings>
        <binding protocol="ftp" bindingInformation="192.168.1.10:21:" />
      </bindings>
      <ftpServer>
        <security>
          <ssl serverCertHash="C657EE78425790D20E4B5E1548C636A374A0CE00" serverCertStoreName="My" ssl128="false" controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
          <authentication>
            <basicAuthentication enabled="true" />
            <anonymousAuthentication enabled="false" />
          </authentication>
          <sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="false" />
        </security>
      </ftpServer>
    </site>

    <!-- Location-scoped settings for the FTPS site: FTP authorization under
         system.ftpServer, and the one-to-one certificate mapping placed under
         system.webServer -->
    <location path="FTPS">
      <system.ftpServer>
        <security>
          <authorization>
            <add accessType="Allow" roles="ftpgroup" permissions="Read, Write" />
          </authorization>
        </security>
      </system.ftpServer>
      <system.webServer>
        <security>
          <authentication>
            <iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
              <oneToOneMappings>
                <!-- password is stored encrypted by the IISCngProvider; the certificate
                     attribute holds the base64 certificate body without the
                     BEGIN/END CERTIFICATE lines -->
                <add userName="ftp01" password="[enc:IISCngProvider:gDmQuTLUM/AqQ3lk1DwBSzN3zwTTHdTSJ32fNAFtxEMZiedXFWCuA+aH/TOsyaT/+FXt+Jv/s5unKE4qbFlKiHILh+ulAc29/uZ/jQfG+TQ=:enc]" certificate="cert here in PEM format without --BEGIN-- ---END---" />
              </oneToOneMappings>
            </iisClientCertificateMappingAuthentication>
          </authentication>
        </security>
      </system.webServer>
    </location>

    I checked the logs when the user got connected, and there is no line concerning one-to-one certificate mapping:

    Software: Microsoft Internet Information Services 10.0
    Version: 1.0
    Date: 2022-01-18 09:42:40
    Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath

    2022-01-18 09:42:40 192.168.25.129 - 192.168.25.10 21 ControlChannelOpened - - 0 0 69b04f17-6407-4dfb-afdc-6e3a73e093c0 -
    2022-01-18 09:42:40 192.168.25.129 - 192.168.25.10 21 AUTH TLS 234 0 0 69b04f17-6407-4dfb-afdc-6e3a73e093c0 -
    2022-01-18 09:43:01 192.168.25.129 - 192.168.25.10 21 ControlChannelClosed - - 0 0 69b04f17-6407-4dfb-afdc-6e3a73e093c0 -
    2022-01-18 09:43:13 192.168.25.129 - 192.168.25.10 21 ControlChannelOpened - - 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:13 192.168.25.129 - 192.168.25.10 21 AUTH TLS 234 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 - 192.168.25.10 21 USER ftp01 331 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 PASS *** 230 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 /
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 SYST - 215 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 FEAT - 211 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 OPTS UTF8+ON 200 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 PBSZ 0 200 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 PROT P 200 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 PWD - 257 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 CWD /bin 250 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 /bin
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 PWD - 257 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 TYPE A 200 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 PASV - 227 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 49807 DataChannelOpened - - 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 49807 DataChannelClosed - - 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 LIST -a 226 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 /bin
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 PWD - 257 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 CWD /bin/FileZilla_3.57.0_win64_sponsored-setup.exe 550 123 3 c52c44d2-a956-4a4f-b26c-051ab3c7c092 /bin/FileZilla_3.57.0_win64_sponsored-setup.exe
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 TYPE I 200 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 SIZE /bin/FileZilla_3.57.0_win64_sponsored-setup.exe 213 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 /bin/FileZilla_3.57.0_win64_sponsored-setup.exe
    2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 MDTM /bin/FileZilla_3.57.0_win64_sponsored-setup.exe 213 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 /bin/FileZilla_3.57.0_win64_sponsored-setup.exe

    Sincerely

    Osvaldo
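To make the authentication path in the log quoted above easy to read off, here is an added example (my code, not from the original post, not from IIS, and not from Microsoft's documentation) that parses the W3C extended log format IIS FTP writes and reports, per x-session, whether TLS was negotiated and which command completed the login. The sample log embedded in it is a subset of the lines posted above, with the '#' that IIS puts in front of directive lines restored (the forum stripped it). Run over those lines it shows that the second session was let in by the 230 reply to PASS, that is by basic authentication, and that no entry records a certificate-to-user mapping, which matches what the post observes.

```python
"""Per-session authentication summary for an IIS FTP W3C log (added example)."""
from collections import OrderedDict

# Sample input: a subset of the log lines posted above, '#' restored on the
# directive lines as IIS writes them.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-01-18 09:42:40
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2022-01-18 09:42:40 192.168.25.129 - 192.168.25.10 21 ControlChannelOpened - - 0 0 69b04f17-6407-4dfb-afdc-6e3a73e093c0 -
2022-01-18 09:42:40 192.168.25.129 - 192.168.25.10 21 AUTH TLS 234 0 0 69b04f17-6407-4dfb-afdc-6e3a73e093c0 -
2022-01-18 09:43:01 192.168.25.129 - 192.168.25.10 21 ControlChannelClosed - - 0 0 69b04f17-6407-4dfb-afdc-6e3a73e093c0 -
2022-01-18 09:43:13 192.168.25.129 - 192.168.25.10 21 ControlChannelOpened - - 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
2022-01-18 09:43:13 192.168.25.129 - 192.168.25.10 21 AUTH TLS 234 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
2022-01-18 09:43:14 192.168.25.129 - 192.168.25.10 21 USER ftp01 331 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 PASS *** 230 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 /
2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 PBSZ 0 200 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
2022-01-18 09:43:14 192.168.25.129 DESKTOP-I6K65KR\ftp01 192.168.25.10 21 PROT P 200 0 0 c52c44d2-a956-4a4f-b26c-051ab3c7c092 -
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version and #Date carry no entries
        if fields is None:
            raise ValueError("log entry seen before a #Fields directive")
        values = line.split()  # IIS encodes spaces inside a field as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def summarise_sessions(text):
    """Group entries by x-session and record how each control channel was secured and authenticated."""
    sessions = OrderedDict()
    for e in parse_w3c(text):
        s = sessions.setdefault(e["x-session"], {
            "client": e["c-ip"],
            "tls": False,      # AUTH TLS answered with 234
            "prot_p": False,   # PROT P answered with 200: data channel protected
            "user": None,
            "auth": "none",    # which command completed the login
        })
        method, arg, status = e["cs-method"], e["cs-uri-stem"], e["sc-status"]
        if method == "AUTH" and arg.upper() == "TLS" and status == "234":
            s["tls"] = True
        elif method == "USER":
            s["user"] = arg
        elif method == "PASS" and status == "230":
            # 230 in reply to PASS means the password satisfied basic
            # authentication; cs-username now carries the account IIS logged on.
            s["auth"] = "password"
            s["user"] = e["cs-username"]
        elif method == "PROT" and arg.upper() == "P" and status == "200":
            s["prot_p"] = True
    return sessions


def password_logins(sessions):
    """Return (session id, account) for every session that was let in by USER/PASS."""
    return [(sid, s["user"]) for sid, s in sessions.items() if s["auth"] == "password"]


if __name__ == "__main__":
    for sid, s in summarise_sessions(SAMPLE_LOG).items():
        print(f"{sid} client={s['client']} tls={s['tls']} prot_p={s['prot_p']} "
              f"auth={s['auth']} user={s['user']}")
```

Point the script at a full log file from %SystemDrive%\inetpub\logs\LogFiles\FTPSVC<site id> (read the file and pass its contents to summarise_sessions) to see, for every session, whether a password or nothing at all did the authenticating; a session that reaches 230 without a PASS entry is the one that would indicate a different authentication method was in play.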


  2. Osvaldo 1 Reputation point
    2022-01-19T20:34:45.213+00:00

    Hello,
    Yes, I have rebooted the VM several times, but that did not help.
    Thanks
    Sincerely

    Osvaldo


  3. Osvaldo 1 Reputation point
    2022-02-09T07:30:41.693+00:00

    Hello,

    Sorry for answering late, I have been on vacation.

    I use FTP clients with FTPS support, not browsers.

    If I remove basic authentication I am not able to connect to the FTP service.

    Sincerely

    Osvaldo

