How to configure FTP folders and permissions for domain authentication in IIS
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
For more information about IIS 7.0, visit the following Microsoft Web site:
This article describes how to configure the IIS FTP server for FTP authentication and how to automatically use the domain user database rather than your local user accounts database, so that your users can access FTP folders by using their familiar login without having to explicitly specify their domain information.
MORE INFORMATION
NOTE: These procedures are designed to assist Web server administrators that host FTP sites that require users to use their domain user name and password to access their FTP folders. If you follow the procedures outlined in this article, you will affect public access to FTP sites. Therefore, you should not use these procedures if you are hosting public FTP sites.
Important Warning: FTP passwords are sent over networks in "clear text" and are therefore easily stolen, especially on the Internet. For this reason, many administrators set up FTP sites for anonymous read-only access, and use file sharing if local network write access is needed or use the FrontPage Server Extensions for Internet publishing.
Disable Anonymous FTP Access in IIS 5.0
When you disable Anonymous FTP access, users must always enter a valid user name and password when they access your FTP site. (This configuration is more secure when you allow users to upload files to your server.)
- Open the Internet Services Manager. To do this, follow the steps for your version of IIS:
  - For IIS 4.0:
    - On the Start menu, point to Programs, and then click Windows NT 4.0 Option Pack.
    - Click Microsoft Internet Information Server, and then click Internet Service Manager.
  - For IIS 5.0:
    - On the Start menu, point to Programs, and then click Administrative Tools.
    - Click Internet Services Manager.
- In the console tree, right-click the FTP site that you want to configure, and then click Properties.
- On the Security Accounts tab, click to uncheck the Allow Anonymous Connections check box.
- Click Yes if you are prompted to continue.
- Click OK.
Modify the DefaultLogonDomain in the IIS Metabase
Run the Adsutil tool at the command prompt by using the following syntax, depending on whether you want to set the DefaultLogonDomain domain for all FTP sites, for only the default FTP site, or for any other site:
- To set the DefaultLogonDomain domain for all FTP sites, run the following command:
adsutil set msftpsvc/DefaultLogonDomain "DomainName"
- To set the DefaultLogonDomain domain for only the default FTP site, run the following command:
adsutil set msftpsvc/1/DefaultLogonDomain "DomainName"
Note: This command uses the Adsutil tool. If this command fails, you can use the following command instead:
mdutil.exe set /msftpsvc/1/DefaultLogonDomain "DomainName"
This command uses the Mdutil tool from the Windows NT Option Pack CD.
- To set the DefaultLogonDomain domain for any other site, run the same command that you run for the default FTP site, but change the 1 parameter to the appropriate service number.
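The two procedures above can be applied to one FTP site and then read back from the metabase to confirm that they took effect. The following batch file is an added example, not part of the original article. It assumes that adsutil.vbs is in the IIS 5.0 AdminScripts folder, that the Allow Anonymous Connections check box corresponds to the AllowAnonymous metabase property, and that SITE and DOMAIN are placeholders that you replace with your own values.

```bat
@echo off
rem Added example, not from the original article.
rem Assumptions: adsutil.vbs path below (IIS 5.0 default location),
rem SITE is the FTP site number, DOMAIN is your logon domain (placeholders).
setlocal
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set SITE=1
set DOMAIN=DomainName

if not exist "%ADSUTIL%" (
    echo adsutil.vbs was not found at "%ADSUTIL%".
    exit /b 1
)

rem Metabase equivalent of clearing "Allow Anonymous Connections"
rem on the Security Accounts tab of the site.
cscript //nologo "%ADSUTIL%" set msftpsvc/%SITE%/AllowAnonymous FALSE

rem Domain used for logons that supply a user name without a domain.
cscript //nologo "%ADSUTIL%" set msftpsvc/%SITE%/DefaultLogonDomain "%DOMAIN%"

rem Read both values back. Do not trust the set commands alone: a typo in
rem the site number would leave the intended site unchanged.
cscript //nologo "%ADSUTIL%" get msftpsvc/%SITE%/AllowAnonymous | findstr /i /c:"False" >nul
if errorlevel 1 (
    echo Site %SITE%: anonymous FTP access is still enabled.
    exit /b 1
)

cscript //nologo "%ADSUTIL%" get msftpsvc/%SITE%/DefaultLogonDomain | findstr /i /c:"%DOMAIN%" >nul
if errorlevel 1 (
    echo Site %SITE%: DefaultLogonDomain is not set to %DOMAIN%.
    exit /b 1
)

echo Site %SITE%: anonymous access disabled, DefaultLogonDomain is %DOMAIN%.
endlocal
```

Because FTP sends the domain password in clear text, as the warning earlier in this article states, run this only for sites that are reachable from networks you trust.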
For more information about using, configuring, and troubleshooting the FTP service in IIS, click the following article numbers to view the articles in the Microsoft Knowledge Base:
FTP service's DefaultLogonDomain not available in MMC
Error message in IIS: "530 User <Username> cannot log in. Login failed."
175638
FTP login using domain and trusted domain accounts
Article ID: 310723 - Last Review: 06/19/2014 13:57:00 - Revision: 7.0