How to configure FTP folders and permissions for domain authentication in IIS

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security.


This article describes how to configure the IIS FTP server for FTP authentication and how to automatically use the domain user database rather than your local user accounts database, so that your users can access FTP folders by using their familiar login without having to explicitly specify their domain information.


NOTE: These procedures are designed to assist Web server administrators who host FTP sites that require users to use their domain user name and password to access their FTP folders. If you follow the procedures outlined in this article, you will affect public access to FTP sites. Therefore, you should not use these procedures if you are hosting public FTP sites.

Important Warning: FTP passwords are sent over networks in "clear text" and are therefore easily stolen, especially on the Internet. For this reason, many administrators set up FTP sites for anonymous read-only access, and use file sharing if local network write access is needed or use the FrontPage Server Extensions for Internet publishing.

Disable Anonymous FTP Access in IIS 5.0

When you disable Anonymous FTP access, users must always enter a valid user name and password when they access your FTP site. (This configuration is more secure when you allow users to upload files to your server.)
  1. Open the Internet Services Manager. To do this, follow the steps for your version of IIS:
    • For IIS 4.0:
      1. On the Start menu, point to Programs, and then click Windows NT 4.0 Option Pack.
      2. Click Microsoft Internet Information Server, and then click Internet Service Manager.
    • For IIS 5.0:
      1. On the Start menu, point to Programs, and then click Administrative Tools.
      2. Click Internet Services Manager.
  2. In the console tree, right-click the FTP site that you want to configure, and then click Properties.
  3. On the Security Accounts tab, click to uncheck the Allow Anonymous Connections check box.
  4. Click Yes if you are prompted to continue.
  5. Click OK.

Modify the DefaultLogonDomain in the IIS Metabase

Run the Adsutil tool at the command prompt by using the following syntax, depending on whether you want to set the DefaultLogonDomain domain for all FTP sites, for only the default FTP site, or for any other site:
  • To set the DefaultLogonDomain domain for all FTP sites, run the following command:
    adsutil set msftpsvc/DefaultLogonDomain "DomainName"
  • To set the DefaultLogonDomain domain for only the default FTP site, run the following command:
    adsutil set msftpsvc/1/DefaultLogonDomain "DomainName"
    Note: This command uses the Adsutil tool. If this command fails, you can use the following command instead:
    mdutil.exe set /msftpsvc/1/DefaultLogonDomain "DomainName"
    This command uses the Mdutil tool from the Windows NT Option Pack CD.
  • To set the DefaultLogonDomain domain for any other site, run the same command that you run for the default FTP site, but change the 1 parameter to the appropriate service number.
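
To confirm from a client that both changes took effect, the following Python check is an added example, not part of the original article or of any Microsoft tooling. It verifies that anonymous logins are refused and that an account name sent without a domain qualifier is accepted; the function names, host and account name are assumptions chosen for illustration.

```python
import ftplib

def _connect(host, port, timeout):
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)  # reads the 220 banner
    return ftp

def anonymous_rejected(host, port=21, timeout=10):
    """True if the site refuses an anonymous login (Allow Anonymous Connections off)."""
    ftp = _connect(host, port, timeout)
    try:
        ftp.login()  # ftplib defaults: USER anonymous / PASS anonymous@
    except ftplib.error_perm:  # 5xx reply such as "530 User anonymous cannot log in."
        return True
    finally:
        ftp.close()
    return False

def bare_name_login_ok(host, user, password, port=21, timeout=10):
    """True if `user`, sent without any domain qualifier, is accepted."""
    if "\\" in user or "@" in user:
        raise ValueError("pass the bare account name, without a domain")
    ftp = _connect(host, port, timeout)
    try:
        ftp.login(user, password)
        return True
    except ftplib.error_perm:  # login refused
        return False
    finally:
        ftp.close()

def audit(host, user, password, port=21):
    """Run both checks and report them by name."""
    return {
        "anonymous_rejected": anonymous_rejected(host, port),
        "bare_name_login_ok": bare_name_login_ok(host, user, password, port),
    }

if __name__ == "__main__":
    import getpass, sys
    host, user = sys.argv[1], sys.argv[2]  # e.g. ftp.example.test jsmith (constructed values)
    print(audit(host, user, getpass.getpass("Password for %s: " % user)))
```

A successful bare-name login is also what you would see if a local account with the same name and password exists on the server, so use an account that exists only in the domain. The check sends the password in clear text, as the warning above describes, so run it with a dedicated test account.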


For more information about using, configuring, and troubleshooting the FTP service in IIS, click the following article numbers to view the articles in the Microsoft Knowledge Base:

184319 FTP service's DefaultLogonDomain not available in MMC

200475 Error message in IIS: "530 User <Username> cannot log in. Login failed."

175638 FTP login using domain and trusted domain accounts


Article ID: 310723 - Last Review: Jun 19, 2014 - Revision: 1