Configuring FTP7 authentication on IIS7

After the release of Windows Server 2008 R2, Goxia began working on related tests and evaluations, and IIS is one of the key areas. What we share today is how to configure FTP7 in IIS7 to authenticate using IIS Manager credentials. Many people have heard of the MSFTP service, but few actually use it. In IDC environments in particular, most choose the Serv-U FTP server. Goxia has not used Serv-U since Windows Server 2008, for a simple reason: Serv-U is not free, and its default configuration carries security risks. Besides, FTP is opened mainly to make it easier to maintain one's own web site by uploading and downloading files, so why not use the software that comes with the system? It is also relatively easy to maintain. Those who have used MSFTP know that, starting with FTP7, Microsoft supports non-Windows authentication in MSFTP. That is, to give someone access to MSFTP you do not have to add a user account to the system; the credentials can be managed in IIS instead. Now we don't have to worry that using MSFTP will cause a problem with the security of system user accounts.
This is a step-by-step guide, so the underlying principles and background are not covered in much detail. We will implement FTP accounts backed by IIS Manager credentials through the IisManagerAuth authentication module provided by IIS7. The specific steps are as follows:
Before we start the configuration, we need to modify the security permissions on the relevant directory. This is necessary; otherwise there will be an error when you log in to FTP. The error indicates that the configuration file cannot be read because of insufficient permissions. The file that cannot be read is redirection.config, located under inetsrv\config. In Goxia's testing, granting the appropriate permissions on the file alone still resulted in a login failure; logon only worked normally once the config directory itself was configured to give Network Service (the default account of the FTP7 process) read permission.
To keep the demonstration of directory permissions simple, Goxia follows the related iis.net article and uses the command line. Running cacls on its own prints help for its parameters. The command line to execute is as follows:
cacls c:\windows\system32\inetsrv\config /G "Network Service":R /E
After you have configured the config directory permissions, make sure that Network Service has read access to the administration.config and redirection.config files in that directory; if it does not, run the following commands:
cacls c:\windows\system32\inetsrv\config\administration.config /G "Network Service":R /E
cacls c:\windows\system32\inetsrv\config\redirection.config /G "Network Service":R /E
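To confirm that the permissions described above are actually in place before testing an FTP logon, the ACLs can be read back. The following PowerShell script is an added example, not part of the original article or the iis.net guide; the function name Get-NetworkServiceReadStatus and the status strings are made up for illustration.

```powershell
# Added example (not from the original article): check the read permissions
# that the cacls commands above are meant to grant to Network Service.
# The account is matched by its well-known SID S-1-5-20, so the check does not
# depend on a localized account name. Only ACEs that name Network Service
# directly are counted; access obtained through group membership is ignored.
$sid  = 'S-1-5-20'
$read = [int][System.Security.AccessControl.FileSystemRights]::Read
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$configDir = Join-Path $env:SystemRoot 'System32\inetsrv\config'
$targets = @(
    $configDir
    Join-Path $configDir 'administration.config'
    Join-Path $configDir 'redirection.config'
)

# Hypothetical helper: returns 'OK', 'NoReadAccess', 'Denied' or 'Missing'.
function Get-NetworkServiceReadStatus {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return 'Missing' }

    # Ask for explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $allow = 0
    $deny  = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $sid) { continue }
        # Inherit-only ACEs apply to child objects, not to this object.
        if ([int]$rule.PropagationFlags -band $inheritOnly) { continue }
        if ($rule.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$rule.FileSystemRights
        } else {
            $deny = $deny -bor [int]$rule.FileSystemRights
        }
    }

    if ($deny -band $read) { return 'Denied' }           # a deny ACE blocks read
    if (($allow -band $read) -eq $read) { return 'OK' }  # all read bits granted
    return 'NoReadAccess'
}

foreach ($path in $targets) {
    New-Object PSObject -Property @{
        Path               = $path
        NetworkServiceRead = Get-NetworkServiceReadStatus -Path $path
    } | Select-Object Path, NetworkServiceRead
}
```

Run it from an elevated PowerShell prompt, since reading the ACL of the inetsrv\config directory normally requires administrative rights. Any row that is not OK points at the path whose cacls command still needs to be run.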
Then create a default directory for FTP, and note that you can add Network Service to it with Full Control permissions.
Next, we start configuring IIS7: create an FTP site, enable IisManagerAuth for it, and create an account with IIS Manager credentials that has the appropriate FTP access.
Before you begin, make sure that the IIS7 Management Service component is installed; if it is not, go to Server Manager, click Add Role Services, and select the IIS7 Management Service component for installation.
By default, you can use C:\inetpub\ftproot as your FTP home directory, or you can create or select a directory to suit your own needs, but be sure to give Network Service Full Control on it.
Next we configure IIS7 to accept IIS Manager credentials, so that IisManagerAuth can be used once it is enabled. To do this, open IIS Manager, double-click Management Service, select "Windows credentials or IIS Manager credentials", and then click Apply in the Actions list on the right.
Then use IIS Manager Users to create a user account that is managed by IIS. To do this, double-click IIS Manager Users, click Add User, and enter the user name and password in the dialog that pops up.
Once that is done, you can start creating the FTP site. First select Sites in the navigation pane on the left side of IIS Manager, right-click it, and click Add FTP Site....
In Site Information, enter the name of the FTP site, for example Default FTP Site, and select the content directory; in this case Goxia uses C:\inetpub\ftproot. Click Next.
In Binding and SSL Settings, enable the virtual host name if needed, noting that the FTP "virtual host name" may not be supported by some clients. Also, change the SSL setting from the default "Require" to "Allow"; otherwise client connections will fail unless you configure an SSL certificate and log on using FTP over SSL.
In Authentication and Authorization Information, you would normally select the authentication method and specify a user and permissions. If you only want IIS Manager users to access the FTP site, you can skip this configuration and click Finish directly. To make things easier to follow, this example gives the system user Administrator read and write access to FTP.
Now that the FTP site with Windows authentication has been created, we can log on to FTP as Administrator.
Testing confirms that the FTP site we created is functioning properly. Next we give the appropriate access rights to the IIS Manager user goxia, which was created before the FTP site was added.
First, select "Default FTP Site", double-click "FTP Authentication" in the content pane to open the FTP authentication settings, click "Custom Providers..." in the Actions pane on the right, and tick "IisManagerAuth" in the dialog that pops up.
Once IisManagerAuth is enabled, open FTP Authorization Rules, add the specified user goxia, and give it the appropriate access rights.
Finally, we log in to FTP as the IIS Manager user goxia to test.
If the first logon fails with a message that the user name and password cannot be authenticated, open the IIS Manager Permissions setting for the FTP site and add the goxia account. After that, the test login succeeds, and the account is then removed from it. The iis.net guide performs this configuration step by default, but Goxia believes this step configures whether the user has remote administration permissions for the FTP site, and once the IIS Remote Administration service is configured and enabled, the permissions the account holds may pose a security risk. At present, Goxia does not fully understand this.