FTP Client Certificate Authentication <clientCertAuthentication>
Overview
The <clientCertAuthentication>
element specifies the settings for Client Certificate authentication. This form of Secure Sockets Layer (SSL) authentication was introduced in FTP 7 and uses client certificates to authenticate FTP clients by mapping to client certificates Windows user accounts.
Client Certificate authentication has the following dependencies:
For the
<ssl>
element:- The
serverCertHash
attribute must be set to a valid certificate hash. - The
controlChannelPolicy
anddataChannelPolicy
attributes must be configured to allow SSL.
- The
For the
<sslClientCertificates>
element:- The
clientCertificatePolicy
attribute must be configured to allow SSL certificates. - The
useActiveDirectoryMapping
attribute must be set to true.
- The
Note
The FTP service requests Active Directory to validate client certificates, but the validation by Active Directory is performed independently of the FTP service.
Compatibility
Version | Notes |
---|---|
IIS 10.0 | The <clientCertAuthentication> element was not modified in IIS 10.0. |
IIS 8.5 | The <clientCertAuthentication> element was not modified in IIS 8.5. |
IIS 8.0 | The <clientCertAuthentication> element was not modified in IIS 8.0. |
IIS 7.5 | The <clientCertAuthentication> element of the <authentication> element ships as a feature of IIS 7.5. |
IIS 7.0 | The <clientCertAuthentication> element of the <authentication> element was introduced in FTP 7.0, which was a separate download for IIS 7.0. |
IIS 6.0 | The <ftpServer> element and its child elements replace the IIS 6.0 FTP settings that were located in the LM/MSFTPSVC metabase path. |
Note
The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:
With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.
Setup
To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.
Windows Server 2012 or Windows Server 2012 R2
On the taskbar, click Server Manager.
In Server Manager, click the Manage menu, and then click Add Roles and Features.
In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
On the Server Roles page, expand Web Server (IIS), and then select FTP Server.
Click Next, and then on the Select features page, click Next again.
On the Confirm installation selections page, click Install.
On the Results page, click Close.
Windows 8 or Windows 8.1
On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.
In Control Panel, click Programs and Features, and then click Turn Windows features on or off.
Expand Internet Information Services, and then select FTP Server.
Click OK.
Click Close.
Windows Server 2008 R2
On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
Select FTP Service.
Click Next.
On the Confirm Installation Selections page, click Install.
On the Results page, click Close.
Windows 7
On the taskbar, click Start, and then click Control Panel.
In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
Expand Internet Information Services, and then FTP Server.
Select FTP Service.
Click OK.
Windows Server 2008 or Windows Vista
Download the installation package from the following URL:
Follow the instructions in the following walkthrough to install the FTP service:
How To
At this time there is no user interface that enables you to configure the Client Certificate authentication settings for an FTP site. See the Configuration and Sample Code sections of this document for additional information about how to configure the Client Certificate authentication settings for an FTP site.
Configuration
The <clientCertAuthentication>
element is configured at the site level.
Attributes
Attribute | Description |
---|---|
enabled |
Optional Boolean attribute. true if Client Certificate authentication is enabled; otherwise, false. The default value is false . |
Child Elements
None.
Configuration Sample
The following sample displays an FTP server that requires SSL, and uses Client Certificate authentication to map users to Active Directory accounts.
<site name="ftp.example.com" id="5">
<application path="/">
<virtualDirectory path="/" physicalPath="c:\inetpub\www.example.com" />
</application>
<bindings>
<binding protocol="ftp" bindingInformation="*:21:" />
</bindings>
<ftpServer serverAutoStart="true">
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="false" />
<clientCertAuthentication enabled="true" />
</authentication>
<ssl serverCertHash="57686f6120447564652c2049495320526f636b73"
controlChannelPolicy="SslRequire"
dataChannelPolicy="SslRequire" />
<sslClientCertificates clientCertificatePolicy="CertRequire"
useActiveDirectoryMapping="true"
validationFlags="NoRevocationCheck" />
</security>
</ftpServer>
</site>
Sample Code
The following examples configure an FTP site so that it disables both Anonymous and Basic authentication and enables Client Certificate authentication.
AppCmd.exe
appcmd.exe set config -section:system.applicationHost/sites /[name='ftp.example.com'].ftpServer.security.authentication.anonymousAuthentication.enabled:"False" /commit:apphost
appcmd.exe set config -section:system.applicationHost/sites /[name='ftp.example.com'].ftpServer.security.authentication.basicAuthentication.enabled:"False" /commit:apphost
appcmd.exe set config -section:system.applicationHost/sites /[name='ftp.example.com'].ftpServer.security.authentication.clientCertAuthentication.enabled:"True" /commit:apphost
Note
You must be sure to set the commit parameter to apphost
when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.
C#
using System;
using System.Text;
using Microsoft.Web.Administration;
internal static class Sample
{
private static void Main()
{
using (ServerManager serverManager = new ServerManager())
{
Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection sitesSection = config.GetSection("system.applicationHost/sites");
ConfigurationElementCollection sitesCollection = sitesSection.GetCollection();
ConfigurationElement siteElement = FindElement(sitesCollection, "site", "name", @"ftp.example.com");
if (siteElement == null) throw new InvalidOperationException("Element not found!");
ConfigurationElement ftpServerElement = siteElement.GetChildElement("ftpServer");
ConfigurationElement securityElement = ftpServerElement.GetChildElement("security");
ConfigurationElement authenticationElement = securityElement.GetChildElement("authentication");
ConfigurationElement anonymousAuthenticationElement = authenticationElement.GetChildElement("anonymousAuthentication");
anonymousAuthenticationElement["enabled"] = false;
ConfigurationElement basicAuthenticationElement = authenticationElement.GetChildElement("basicAuthentication");
basicAuthenticationElement["enabled"] = false;
ConfigurationElement clientCertAuthenticationElement = authenticationElement.GetChildElement("clientCertAuthentication");
clientCertAuthenticationElement["enabled"] = true;
serverManager.CommitChanges();
}
}
private static ConfigurationElement FindElement(ConfigurationElementCollection collection, string elementTagName, params string[] keyValues)
{
foreach (ConfigurationElement element in collection)
{
if (String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase))
{
bool matches = true;
for (int i = 0; i < keyValues.Length; i += 2)
{
object o = element.GetAttributeValue(keyValues[i]);
string value = null;
if (o != null)
{
value = o.ToString();
}
if (!String.Equals(value, keyValues[i + 1], StringComparison.OrdinalIgnoreCase))
{
matches = false;
break;
}
}
if (matches)
{
return element;
}
}
}
return null;
}
}
VB.NET
Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample
Sub Main()
Dim serverManager As ServerManager = New ServerManager
Dim config As Configuration = serverManager.GetApplicationHostConfiguration
Dim sitesSection As ConfigurationSection = config.GetSection("system.applicationHost/sites")
Dim sitesCollection As ConfigurationElementCollection = sitesSection.GetCollection
Dim siteElement As ConfigurationElement = FindElement(sitesCollection, "site", "name", "ftp.example.com")
If (siteElement Is Nothing) Then
Throw New InvalidOperationException("Element not found!")
End If
Dim ftpServerElement As ConfigurationElement = siteElement.GetChildElement("ftpServer")
Dim securityElement As ConfigurationElement = ftpServerElement.GetChildElement("security")
Dim authenticationElement As ConfigurationElement = securityElement.GetChildElement("authentication")
Dim anonymousAuthenticationElement As ConfigurationElement = authenticationElement.GetChildElement("anonymousAuthentication")
anonymousAuthenticationElement("enabled") = False
Dim basicAuthenticationElement As ConfigurationElement = authenticationElement.GetChildElement("basicAuthentication")
basicAuthenticationElement("enabled") = False
Dim clientCertAuthenticationElement As ConfigurationElement = authenticationElement.GetChildElement("clientCertAuthentication")
clientCertAuthenticationElement("enabled") = True
serverManager.CommitChanges()
End Sub
Private Function FindElement(ByVal collection As ConfigurationElementCollection, ByVal elementTagName As String, ByVal ParamArray keyValues() As String) As ConfigurationElement
For Each element As ConfigurationElement In collection
If String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase) Then
Dim matches As Boolean = True
Dim i As Integer
For i = 0 To keyValues.Length - 1 Step 2
Dim o As Object = element.GetAttributeValue(keyValues(i))
Dim value As String = Nothing
If (Not (o) Is Nothing) Then
value = o.ToString
End If
If Not String.Equals(value, keyValues((i + 1)), StringComparison.OrdinalIgnoreCase) Then
matches = False
Exit For
End If
Next
If matches Then
Return element
End If
End If
Next
Return Nothing
End Function
End Module
JavaScript
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST");
var sitesCollection = sitesSection.Collection;
var siteElementPos = FindElement(sitesCollection, "site", ["name", "ftp.example.com"]);
if (siteElementPos == -1) throw "Element not found!";
var siteElement = sitesCollection.Item(siteElementPos);
var ftpServerElement = siteElement.ChildElements.Item("ftpServer");
var securityElement = ftpServerElement.ChildElements.Item("security");
var authenticationElement = securityElement.ChildElements.Item("authentication");
var anonymousAuthenticationElement = authenticationElement.ChildElements.Item("anonymousAuthentication");
anonymousAuthenticationElement.Properties.Item("enabled").Value = false;
var basicAuthenticationElement = authenticationElement.ChildElements.Item("basicAuthentication");
basicAuthenticationElement.Properties.Item("enabled").Value = false;
var clientCertAuthenticationElement = authenticationElement.ChildElements.Item("clientCertAuthentication");
clientCertAuthenticationElement.Properties.Item("enabled").Value = true;
adminManager.CommitChanges();
function FindElement(collection, elementTagName, valuesToMatch) {
for (var i = 0; i < collection.Count; i++) {
var element = collection.Item(i);
if (element.Name == elementTagName) {
var matches = true;
for (var iVal = 0; iVal < valuesToMatch.length; iVal += 2) {
var property = element.GetPropertyByName(valuesToMatch[iVal]);
var value = property.Value;
if (value != null) {
value = value.toString();
}
if (value != valuesToMatch[iVal + 1]) {
matches = false;
break;
}
}
if (matches) {
return i;
}
}
}
return -1;
}
VBScript
Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST")
Set sitesCollection = sitesSection.Collection
siteElementPos = FindElement(sitesCollection, "site", Array("name", "ftp.example.com"))
If siteElementPos = -1 Then
WScript.Echo "Element not found!"
WScript.Quit
End If
Set siteElement = sitesCollection.Item(siteElementPos)
Set ftpServerElement = siteElement.ChildElements.Item("ftpServer")
Set securityElement = ftpServerElement.ChildElements.Item("security")
Set authenticationElement = securityElement.ChildElements.Item("authentication")
Set anonymousAuthenticationElement = authenticationElement.ChildElements.Item("anonymousAuthentication")
anonymousAuthenticationElement.Properties.Item("enabled").Value = False
Set basicAuthenticationElement = authenticationElement.ChildElements.Item("basicAuthentication")
basicAuthenticationElement.Properties.Item("enabled").Value = False
Set clientCertAuthenticationElement = authenticationElement.ChildElements.Item("clientCertAuthentication")
clientCertAuthenticationElement.Properties.Item("enabled").Value = True
adminManager.CommitChanges()
Function FindElement(collection, elementTagName, valuesToMatch)
For i = 0 To CInt(collection.Count) - 1
Set element = collection.Item(i)
If element.Name = elementTagName Then
matches = True
For iVal = 0 To UBound(valuesToMatch) Step 2
Set property = element.GetPropertyByName(valuesToMatch(iVal))
value = property.Value
If Not IsNull(value) Then
value = CStr(value)
End If
If Not value = CStr(valuesToMatch(iVal + 1)) Then
matches = False
Exit For
End If
Next
If matches Then
Exit For
End If
End If
Next
If matches Then
FindElement = i
Else
FindElement = -1
End If
End Function