I had set up this FTP mode a while back and had to do it again recently. I didn’t take good notes the first time, so I thought I would help out anyone trying to get this set up.
1. Set up a new user called ftpuser
This account will be used only to read AD on behalf of the FTP service when it looks up the other FTP accounts, so give it no other rights. You DO NOT want to use Administrator as your AD lookup account. Then, in Active Directory Users and Computers, click View -> Advanced Features; this makes the Security tab visible in the user properties. Open the properties for ftpuser, click the Security tab and make sure Read is allowed for Authenticated Users. (If that Read permission is missing, FTP logons fail with “home directory not accessible” and event ID 13 errors.)
2. Delete the Default FTP Site in IIS Manager, as you will be creating one from scratch.
Now in IIS Manager, expand FTP Sites and create a new FTP site. You can call it whatever you like. In the user isolation step, choose the Active Directory isolation mode. Check both Read and Write at the site level, because the true permission will be defined by the NTFS ACL on each user's folder. When prompted for the account that authenticates to AD, enter the user from step 1 in the form domain\ftpuser. It is very important that you put the domain in front of the user name.
3. Now you need to define the FTPRoot and FTPDir properties for each user
In this example, we will use the username john.
First, create a folder to hold the user folders, or just use the default c:\inetpub\ftproot. This path becomes the user's FTPRoot.
Then create a folder called john under it; the full path would be c:\inetpub\ftproot\john. The folder name, john, becomes the user's FTPDir, and IIS builds the home directory as FTPRoot plus FTPDir.
Then you can take the easy road and use this tool to set the root and directory:
http://blog.crowe.co.nz/archive/2006/02/15/556.aspx
Or, you can do it manually using iisftp from a command prompt. Open a cmd window and use the syntax iisftp /SetADProp UserName {FTPRoot | FTPDir} PropertyValue, which for john (with the paths above) is:
iisftp /setadprop john FTPRoot c:\inetpub\ftproot
iisftp /setadprop john FTPDir john
Make sure the NTFS permissions on c:\inetpub\ftproot\john are correct for john. The site grants Read and Write to every isolated user, so the folder ACL is the only thing keeping users out of each other's directories: give john Modify on his own folder and nothing on the others.
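The three steps above for one user, as an added PowerShell example (not from the original post or from the tool linked above). It creates the user's folder, replaces the inherited ACL with SYSTEM, Administrators and the user only, and then writes the two AD attributes that IIS 6 AD isolation reads, msIIS-FTPRoot and msIIS-FTPDir, via ADSI instead of iisftp. The domain CONTOSO, the user's distinguished name and the ftproot path are hypothetical placeholders; run it as an account that can modify the user object.

```powershell
# Added example, not part of the original post. Provisions an isolated IIS 6 FTP home for one AD user.
# Assumptions (hypothetical, adjust to your environment): domain CONTOSO, the DN below, FTP root c:\inetpub\ftproot.
param(
    [string]$Domain  = "CONTOSO",
    [string]$User    = "john",
    [string]$UserDN  = "CN=john,OU=FTP Users,DC=contoso,DC=com",
    [string]$FtpRoot = "c:\inetpub\ftproot"
)

# 1. The user's folder: FTPRoot + FTPDir, matching the two attributes written below.
$homeDir = Join-Path $FtpRoot $User
if (-not (Test-Path $homeDir)) { New-Item -ItemType Directory -Path $homeDir | Out-Null }

# 2. NTFS is the real permission boundary (the site grants Read+Write to every isolated user).
#    Stop inheritance so the user does not pick up whatever c:\inetpub\ftproot allows, then add
#    only SYSTEM, local Administrators and the user. Modify (not FullControl) keeps the user from
#    re-ACLing the folder and sharing it with others.
$acl = Get-Acl -Path $homeDir
$acl.SetAccessRuleProtection($true, $false)   # protect DACL, discard inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$entries = @(
    @{ Id = "NT AUTHORITY\SYSTEM";    Rights = "FullControl" },
    @{ Id = "BUILTIN\Administrators"; Rights = "FullControl" },
    @{ Id = "$Domain\$User";          Rights = "Modify" }
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $e.Id, $e.Rights, $inherit, $prop, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $homeDir -AclObject $acl

# 3. The attributes the FTP service looks up with the ftpuser account. This is what
#    "iisftp /setadprop" sets; ADSI is used here so no IIS tooling is needed on the admin box.
$adUser = [ADSI]"LDAP://$UserDN"
$adUser.Put("msIIS-FTPRoot", $FtpRoot)
$adUser.Put("msIIS-FTPDir",  $User)
$adUser.SetInfo()

# Read back what the service will see; an empty value here is the usual cause of
# "home directory not accessible" at logon.
$adUser.RefreshCache()
"{0}: FTPRoot={1} FTPDir={2}" -f $User, $adUser.Get("msIIS-FTPRoot"), $adUser.Get("msIIS-FTPDir")
```

To check the result from the FTP server itself, log on as john with an FTP client and confirm that a directory listing shows only his folder and that a "cd .." stays inside it; if the logon is refused, compare the two attributes printed by the script with the folder that actually exists on disk, since a mismatch between them is what the event ID 13 error reports.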
That’s all. If you have any questions, please ask.
Tags: ad isolation, ftp, iisftp, Windows 2003