FTP Login Using Domain and Trusted Domain Accounts

Article ID: 175638 - Last Review: October 31, 2006 - Revision: 1.1

This article was previously published under Q175638

SUMMARY
The FTP server on a member server computer running Windows NT 4.0
(non-domain controller) can validate users using a domain accounts database or
the local machine accounts database. The FTP server on a Windows NT 4.0
Domain Controller can validate users using the local domain accounts
database or a trusted domain accounts database. However, the guest account
setting on the FTP server's local machine accounts database and its domain
accounts database must be disabled.
MORE INFORMATION
Local accounts database validation is the default validation method for FTP
servers. The FTP client is validated against the FTP server's local machine
accounts database.

Local domain accounts database validation occurs if the FTP server is a domain controller; in that case the local domain users do not supply their domain name in conjunction with their user name. This is because the local domain accounts database is also the local machine accounts database for a domain controller.

Local domain accounts database validation can be enabled on an FTP server that is a Windows NT Member Server by adding the registry entry:

   DefaultLogonDomain: REG_SZ: "MyDomainName"

as described in the following Microsoft Knowledge Base article:

   ARTICLE-ID: 139341 (http://support.microsoft.com/kb/139341/EN-US/)
   TITLE     : FTP Server Interaction with Guest Account

However, this setting limits accessibility to local domain users only.

Trusted domain and local domain accounts databases can be used for validation when users log on to an FTP server. Users log on to the FTP server using their local domain account or trusted domain account. This is accomplished by having them log on with their user name in the format <domain-name>\<username> and then providing their password. The FTP server will either check the local domain accounts database or will use pass-through validation to the trusted domain.

If the FTP server is a domain controller, then local domain users do not supply their domain name, only their user name. If the FTP server is a member server, then the domain name must be used to validate against a local domain accounts database, as well as a trusted domain accounts database.

For a proper logon attempt using a user account in all of the above scenarios, the guest account settings in the FTP server's local machine accounts database and its own domain accounts database must be disabled. The disabled setting is needed to require users to use their logon account and password.

WARNING: FTP passwords are sent over the network in "clear text" and are easily stolen, especially on the Internet. For this reason, many people set up FTP for "anonymous only" access, and use file sharing if write access is needed.
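
The following Python check is an added example, not part of the original article: it audits client commands from an FTP control channel and reports which logins used the <domain-name>\<username> format, and so sent a domain account password in clear text as the warning describes. The log line layout (client address followed by the FTP command), the function names, and every sample value are constructed assumptions.

```python
import re

# Constructed sample of client-side FTP control-channel lines (not real traffic).
SAMPLE = [
    "10.0.0.5 USER anonymous",
    "10.0.0.5 PASS guest@example.com",
    "10.0.0.7 USER CORP\\alice",
    "10.0.0.7 PASS hunter2",
    "10.0.0.9 USER bob",
    "10.0.0.9 PASS s3cret",
    "10.0.0.7 QUIT",
    "10.0.0.8 USER TRUSTED\\carol",
]

CMD = re.compile(r"^(\S+)\s+(USER|PASS)\s+(.*)$", re.IGNORECASE)

# Split a login name written in the article's <domain-name>\<username> format.
def classify(user):
    if user.lower() == "anonymous":
        return ("anonymous", None, user)
    domain, sep, name = user.partition("\\")
    if sep and domain and name:
        return ("domain", domain, name)
    return ("unqualified", None, user)

def audit(lines):
    """Return one finding per completed USER/PASS pair; passwords are never stored."""
    pending, findings = {}, []
    for line in lines:
        m = CMD.match(line.strip())
        if not m:
            continue
        client, verb, arg = m.group(1), m.group(2).upper(), m.group(3)
        if verb == "USER":
            pending[client] = classify(arg.strip())
        elif client in pending:
            kind, domain, name = pending.pop(client)
            findings.append({
                "client": client, "kind": kind, "domain": domain, "user": name,
                # Any named account's password crossed the wire in clear text.
                "credential_exposed": kind != "anonymous",
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Findings with kind "domain" are the ones to prioritize, because the exposed password belongs to a local or trusted domain account rather than to the FTP server alone.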
