IIS 7 and Above
How to create FTP User Accounts
Last post Sep 27, 2012 06:02 PM by cdsJerry
May 08, 2009 07:41 AM|DinuA|LINK
I am setting up a new Windows Server 2008 x64.
I downloaded and installed IIS 7.5.
I have created an FTP site
How can I assign User Accounts? The Features Pan does not contain an IIS Manager Users icon as expected.
When I click on Edit Permissions... I get the (E:) Properties box. Is this normal?
May 08, 2009 11:09 AM|lextm|LINK
Please don't double post.
You can add local users to this Windows system or add new domain users if this server is in domain. Then FTP can authenticate those new users.
May 08, 2009 02:04 PM|DinuA|LINK
Thanks Lex Li.
The solution with the Windows authentication is OK but it is not refined enough for the needs of our system.
Indeed each user has access to a different directory. Each such directory has four subdirectories say \a \b \c \d. The users have various permissions to these directories depending on the group they belong to.
So, how can I get to the User Account feature in IIS Manager?
May 09, 2009 05:03 AM|lextm|LINK
You may modify ACLs of the directories to prevent some users or groups from accessing them. That's a possible way I can think of at this moment.
May 09, 2009 07:25 AM|DinuA|LINK
But I am still interested in using the User Accounts described in the IIS7 literature.
May 18, 2009 08:17 AM|robmcm|LINK
Are you referring to using the IIS Manager user accounts for FTP authentication? If so, see the following walkthrough:
For additional security when hosting sites with multiple users you can combine IIS Manager user accounts with FTP User Isolation, which is described in the following walkthrough:
Nov 25, 2010 01:25 PM|atronseige|LINK
Thanks. I knew I was missing something, but I was looking everywhere except at the local users!
Nov 30, 2010 04:31 PM|Tines|LINK
When I started working with computers I was only 12 years old.
My first computer was a Spectrum 48. After that I worked with Amstrad, Atari, XT, AT,...
Today our company makes software with 100% Microsoft technologies (.NET, WPF, Silverlight).
When I see how many people ask the simple question "How to create a new FTP user with FTP 7.5", realy I am scared.
Is it realy so hard to make a user friendly IIS Manager, like thousands of simple applications on the world?
Did you ask yourself how it is possbile and what is wrong?
TINES - Paris - France
Dec 01, 2010 05:24 AM|kctt|LINK
If you know how to use computer, i don't think it's that difficult to create ftp site and ftp user account in IIS manager.
There's an option to Add FTP Site and several other options like FTP Authenticaion, FTP Authentication Rules.
Looking into details of those options will give an idea how to accomplish the mission setup ftp account.
Dec 02, 2010 02:03 PM|andreas205|LINK
Dec 02, 2010 02:05 PM|andreas205|LINK
Dec 02, 2010 06:54 PM|robmcm|LINK
@Petar and @Andreas,
Creating users for FTP is really very, very simple - and we have multiple ways to do that:
That being said, all of this is documented in multiple places, including the built-in FTP help file, so I will give you some things to look at. But please bear in mind - working with local or domain Windows accounts or IIS Manager users with FTP authorization
rules usually takes less than a minute or so to set up. If you have not done this before, then I suggest looking at the walkthroughs that I will list in this post. Once you've gone through the walkthroughs, it will only take you a few seconds in the future
to create accounts and set up authorization. If you're adept at scripting, you can automate all of the steps.
First, I discuss how to configure FTP with IIS 7 Manager Authentication in the following walkthrough. Most of this walkthrough discusses installing the IIS Management Service and creating an FTP site from scratch. If you have already done both of those,
you can skip all of that and just read the sections that are titled "Step 2: Configure the IIS Management Service and Add an IIS 7 Manager" and "Step 2: Configure the FTP Site to Use IIS 7 Manager Authentication" - those are the shortest parts
of the walkthrough.
You can also use .NET Membership authentication with the FTP service, although this is admittedly more difficult to set up originally. However, once you have it set up, it's pretty easy to manage.
Although some might consider writing your own authentication provider more of an advanced topic, I've written several walkthroughs that discuss creating custom authentication providers in detail. This takes a little more work to do it the first time, but
you will find that it's pretty easy to do. You can use the free
Visual Studio Express packages to create your own authentication providers that store usernames and passwords anywhere that you want to manage them; for example, SQL databases, XML files, etc.
(Notes: More often than not, I prefer to create my own custom authentication providers for FTP because it's very easy to do, and I don't like giving out Windows accounts if I don't have to. My favorite custom provider to use is the XML database provider,
and I use a different XML file for each FTP site. In addition, I wrote a blog post titled that discusses using the free Visual Studio Express packages titled "FTP
7.5 Extensibility and Visual Studio Express Editions.")
Lastly, I discuss the advantages and disadvantages of each different account type in the following blog that I wrote some time ago. I would suggest reading that blog if you ever have any question as to which type of accounts you should use.
I would suggest trying out some of the walkthroughs that I have listed, and you will quickly discover that it's really very easy to create user accounts for FTP.
Sep 23, 2011 06:55 PM|cdsJerry|LINK
I've been running computers for 35 years now and have set up countless desktop systems and about half a dozen Windows servers. It STILL isn't easy to set up FTP on a Windows machine. IIS 7.5 doesn't handle it the way earlier versions do. I've spent
over 15 hours now trying to get this FTP server set up and it still doesn't work. There's a permissions problem somewhere as I can log in but I can't get a directory listing.
But even getting to this point has required reading dozens of pages and watching many help videos all of which stop short of telling all the steps and several of which required copying and pasting command prompts over to try to configure the Windows firewall.
Telling Windows to set up and FTP is simple. Making it actually work is not. Microsoft has failed when it comes to FTP. Even the IIS.net official instructions point out that Microsoft has failed to come up with a way to set up and configure FTP without
extensive command line modifications.
Now... I need to get back to trying to get this to work.
Sep 23, 2011 07:20 PM|robmcm|LINK
As you mentioned in your post, if you can log in but you can't get a directory listing, then more than likely you have an issue with a firewall - even if you're on the same machine. Yes - there are additional steps beyond installing the FTP that are required
to enable FTP to work through a firewall, and those security settings are there by design; the alternative is leaving your server open to attack, which is even less desirable.
You mentioned using command-line instructions in articles such as the following:
The reason why I chose to use the command-line in articles such as that is because of its simplified ease-of-use for end users; you could configure all of the same firewall settings through the Windows Firewall user interface, but in this particular scenario
it was much, much easier to condense what might be thirty or forty user interface steps into a single command-line.
There is also one additional item to consider - which FTP client are you using? If you are using the built-in Windows command-line FTP client, then you are likely to have issues when a firewall is involved, and here's why - the built-in Windows FTP client
only uses Active FTP, which is very firewall-unfriendly. Most third-party FTP clients use Passive FTP, which works well with firewalls. So chances are, if you're using the FTP client that ships with Windows, you may already have your server correctly configured,
and it's the client that's having issues.
That being said, I wrote a blog series on FTP clients where I reviewed several clients and listed what worked well and what didn't, and here are the clients that I would currently recommend using instead of Windows' built-in command-line FTP client:
Sep 23, 2011 08:54 PM|cdsJerry|LINK
Thank you for the reply. I FINALLY got it working.. mostly. It was not the firewall after all, it was Windows permissions on the folder where the FTP files were located. I had to manually add permissions for my Windows FTP user. I would have thought
Windows would have done that when it set the FTP Authorization Rules in IIS 7.5 but it did not. Manually adding the user now allows the folders and files to display properly.
I think it just reinforces the point that Windows isn't as easy as it probably should be.
I still have one task to try to complete but I should probably start another thread. It's related to this topic however because Windows doesn't easily allow me to let a user SEE the contents of the folder but NOT be able to copy them. This is very valuable
in an FTP environment where you want them to be able to verify the file copied, but not allow someone else to download that file.
Customer uploads private data to us for our use. They don't want others to use it, just us. Need to be able to upload and verify. Trouble is, in Windows IIS 7.5, if you can see it, you can download it. Poor decision by Microsoft.
Sep 26, 2012 10:06 PM|atardio|LINK
Sep 27, 2012 01:18 PM|cdsJerry|LINK
After doing a LOT of research and spending a couple of days trying different things I finally concluded that it could no longer be done. It worked great in earlier verisons of Windows Server but I was unable to get it to work with Windows Server 2008.
I then installed Filezilla Server because in researching above so many people seemed happy with it. It installed quickly, easily, and it's worked perfectly. In addition it's much easier to set up FTP users in Filezilla than it was in any Windows version
I have ever done. It has worked so well in fact that I felt a bit stupid for having wasted so much time and effort trying to get Windows Server 2008 to do this.
I should also mention that setting up a user in Filezilla is independent of setting up a Windows user so you have less risk because permissions of everything else is not touched. All those FTP customers don't have Windows user names at all.
It's also so simple to set up folder permissions that it's a piece of cake to create a folder for common customers and give them read/write access to only their folder but not someone else's. This program works better than FTP ever has on any version of
Being an IIS forum this comment may get deleted. I don't know. I do know that I tried my best to solve this solution with Windows and after investing much time and effort I learned there was a better way. I've been using it since and am very happy with
it. Each time I use it I think about my efforts to get IIS to do the same thing and remember the frustration.
I have NOTHING to gain from suggesting FileZilla. I do not own it, have no involvement with it other than mentioned above. I'm just a very happy user.
Windows 2008 R2
Sep 27, 2012 05:28 PM|robmcm|LINK
Thanks, cdsJerry - rest assured, your comments won't be deleted; hearing problems from customers is part of the reason for why these forums exist. I would like to point out, however, that everything that you mentioned in your last post that you are doing
with FileZilla is 100% possible with the FTP server in Windows Server 2008; I have set up that same configuration literally hundreds of times on dozens of web servers.
FWIW - I appear to be much like you in that I prefer not to hand out Windows accounts, which is why I often use either the IIS Managers authentication provider that we added in Windows Server 2008, or I use an authentication provider that I've written myself.
In any case, that is why I posted the instructions for setting up authentication for IIS Managers earlier in this thread - I prefer not to hand out Windows user accounts if I don't need to.
You are correct, however, that the FTP service does not set physical ACLs when you add users to the authorization settings; IIS has never set physical ACLs on the file system when you make changes to authorization settings, and there is a long list of reasons
why this is the case. The closest feature that IIS has had to that is in the Windows Server 2000 version of IIS, which we had a Permissions Wizard that allowed customers to opt-in to setting ACLs through IIS; customers hated that feature, so we dropped it
in Windows Server 2003.
Thanks again for the feedback.
Sep 27, 2012 06:02 PM|cdsJerry|LINK
I struggled for so long to create the folders with restricted permissions like that. I'd done it before with no problem but nothing I tried would make it work in Windows2008. I read and posted threads about there here as well as other boards and was never
able to make it work.
I'm glad you could as it's something of a no-brainer in terms of need. It was just so easy and I'd worked so hard and been unable to in iis.
Thanks for all you do here btw. I only own a couple of servers. I really appreciate the help I've been able to get here. It's an excellent source of good information.