How to Enable Pass-Through Authentication for FTP UNC Virtual Directories


We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: For more information about IIS 7.0, visit the following Microsoft Web site:

Summary


When you create a File Transfer Protocol (FTP) virtual directory that points to a Universal Naming Convention (UNC) share on a different server, the credentials that are supplied to create the virtual directory are used to grant access to the virtual directory. The credentials that are used to log on to the FTP server through an FTP client are ignored for this purpose. You can configure the Internet Information Services (IIS) FTP service to pass the credentials that are supplied at the FTP logon to the remote share by setting up the IIS FTP service to use pass-through authentication.

Note that whenever a user logs on to an FTP server, the domain name, user name, and password are sent over the network without data encryption.

More Information


Enable Pass-Through Authentication

  1. Create a virtual directory that points to a UNC share and specify valid account credentials to map to the UNC path. Verify that you can connect to the remote share and that you can locate the virtual directory without errors.
  2. Open a command prompt and change the directory to the location of Adsutil.vbs.

    Note: By default, in IIS 5.0 and IIS 5.1, the file is located in the C:\Inetpub\Adminscripts folder. By default, in IIS 4.0, the file is located in the %systemroot%\System32\Inetsrv\Adminsamples folder.
  3. At the command prompt, type the following (where # is the number of the FTP site and vdir is the name of the virtual directory that you created in step 1). The quotation marks with nothing between them set that value to nothing:
    adsutil set msftpsvc/#/root/vdir/UNCUserName ""
  4. At the command prompt, type the following (where # is the number of the FTP site and vdir is the name of the virtual directory that you created in step 1). The quotation marks with nothing between them set that value to nothing:
    adsutil set msftpsvc/#/root/vdir/UNCPassword ""
  5. At the command prompt, type the following:
    net stop iisadmin /y
  6. At the command prompt, type the following:
    net start msftpsvc
The Internet Service Manager (ISM) now shows this virtual directory with the red error stop sign. This is typical because the ISM looks for a username and password on a UNC virtual directory, but none exists.

When your users connect and authenticate, the name that the users type is used to connect over the UNC connection to the remote share or content. The system administrator can now set share-level or NTFS-level permissions, and the user account that the client uses is the account that is used to check against the access control list (ACL) of these objects.


Note: Any change to this virtual directory in the ISM changes the metabase settings back. If you change this virtual directory, you must perform the steps in this article again.
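
Because any ISM change reverts these settings, steps 2 through 6 can be kept as a batch file and rerun when needed. The following is an added example, not part of the original article; the script name and its two arguments are hypothetical, and it assumes Windows 2000 or later with Adsutil.vbs in the IIS 5.0/5.1 default folder named in step 2.

```bat
@echo off
rem Added example (not from the original article).
rem Usage: ftp-passthru.cmd <ftp-site-number> <vdir-name>   (hypothetical script name)
setlocal

if "%~2"=="" (
    echo Usage: %~nx0 ftp-site-number vdir-name
    exit /b 1
)

rem Assumption: IIS 5.0/5.1 default location. For IIS 4.0, point this at the
rem Adminsamples folder named in step 2 instead.
set "ADSUTIL=C:\Inetpub\Adminscripts\adsutil.vbs"
if not exist "%ADSUTIL%" (
    echo Adsutil.vbs not found: %ADSUTIL%
    exit /b 1
)

rem Metabase path of the virtual directory, built from the two arguments.
set "KEY=msftpsvc/%~1/root/%~2"

rem Steps 3 and 4: blank the stored UNC credentials. Calling cscript
rem explicitly avoids the script-host prompt that Adsutil.vbs shows under wscript.
cscript //nologo "%ADSUTIL%" set %KEY%/UNCUserName ""
cscript //nologo "%ADSUTIL%" set %KEY%/UNCPassword ""

rem Print the stored user name so the operator can confirm it is now empty.
cscript //nologo "%ADSUTIL%" get %KEY%/UNCUserName

rem Step 5: stopping IISADMIN with /y also stops every dependent service
rem (for example W3SVC, if it is installed and running).
net stop iisadmin /y

rem Step 6: starting MSFTPSVC brings IISADMIN back up with it. Other services
rem stopped by step 5 are NOT restarted here; start them separately if needed.
net start msftpsvc
if errorlevel 1 (
    echo FTP service did not start. Check the event log before retrying.
    exit /b 1
)

echo Pass-through authentication settings applied to %KEY%
exit /b 0
```

Run it from an administrative command prompt, then confirm with a test logon that access to the share is evaluated against the connecting user's account rather than a stored one.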