How to configure FTP7 on IIS7 and use IIS to manage credentials for authentication?

  

After the release of Windows Server 2008 R2, gOxiA began related tests and evaluations, and IIS is one of the key items. Today's post shows how to configure FTP7 on IIS7 so that IIS manages the credentials used for authentication. Many people know the MSFTP service, but few actually use it; most IDC environments in particular choose Serv-U FTP Server. gOxiA has stopped using Serv-U since Windows Server 2008 for a simple reason: Serv-U is not free, and it has security risks by default. FTP is opened mainly to make website maintenance, downloads and uploads easier, so the software built into the system is the better choice, and it is also relatively easy to maintain. Those who have used MSFTP know that, starting with FTP7, Microsoft supports non-Windows authentication for MSFTP. This means that to give someone access to MSFTP we no longer have to add user accounts to the system; we can use IIS to manage separate credentials in a unified manner. We no longer have to worry that using MSFTP creates a security problem with system user accounts.

This is a step-by-step guide, so the principles and background involved are not covered in depth. We will implement FTP accounts backed by IIS Manager credentials through the IisManagerAuth authentication module provided by IIS7. The specific steps are as follows:

Before starting the configuration, we need to modify the security permissions of the relevant directory. This step is necessary; otherwise, an error will occur when logging in to FTP. As shown in the following figure, the error message says that the configuration file could not be read due to insufficient permissions. The file that cannot be read is redirection.config, located under inetsrv\config. In gOxiA's tests, the login still failed even after the corresponding permission was added to the file itself. Login only succeeded after the permissions on the config directory were configured to give Network Service (the default account of the FTP7 process) read permission.


To demonstrate setting the directory permissions simply, gOxiA uses the command line from the related IIS.net articles; cacls can be run on its own to display help for its parameters. The command line to execute is as follows:
cacls c:\windows\system32\inetsrv\config /G "Network Service":R /E

After configuring the config directory permissions, make sure that "Network Service" has read permission on the administration.config and redirection.config files in this directory. Otherwise, execute the following command lines:
cacls c:\windows\system32\inetsrv\config\administration.config /G "Network Service":R /E
cacls c:\windows\system32\inetsrv\config\redirection.config /G "Network Service":R /E


Then create a default directory for FTP and give "Network Service" full control permissions on it.

Next, we configure IIS7: create an FTP site, enable IisManagerAuth for it, and create an account with IIS Manager credentials to give it FTP access.

Before starting, please confirm that the IIS7 Management Service component is installed. If it is not, open Server Manager, click "Add Role Services", select the IIS7 Management Service component, and install it.



By default, C:\Inetpub\Ftproot can be used as the FTP home directory. Of course, you can create or select a directory according to your needs, but remember to give "Network Service" full control over it.

Now configure IIS7 to enable IIS Manager credentials; IisManagerAuth can be enabled once this is done. To do this, open IIS Manager, double-click "Management Service", select "Windows Credentials or IIS Manager Credentials", and finally click "Apply" in the list of operations on the right.



Then use "IIS Manager User" to create a user account managed by IIS. To do this, double-click "IIS Manager User", click "Add User", and enter the user name and password in the pop-up form.




Once the above operation is complete, you can start creating an FTP site. First select "website" in the navigation form on the left side of IIS Manager, then right-click it and left-click "Add FTP Site…".

In "Site Information", enter the FTP site name, such as: Default FTP Site. Then select the default content directory (in this case gOxiA uses C:\inetpub\ftproot) and click "Next".


In the "Binding and SSL Settings" step, enable the virtual hostname as needed. Note: the FTP "virtual hostname" may not be supported by some clients. In addition, please change the default SSL setting from "required" to "allow"; otherwise the client connection will fail if the SSL certificate is not configured and the SSL FTP login method is used.


In the "Authentication and Authorization Information" step, you need to choose the authentication method and specify a user and permissions. If you only want IIS Manager users to access the FTP site, this step can be left unconfigured; just click "Complete". To make the walkthrough easier to follow, this example allows the system user Administrator to read and write to the FTP site.


Now that the FTP site with Windows authentication is created, we can use Administrator to log in to FTP.


After testing, the created FTP site is running normally. Next we will give the previously created IIS Manager user, goxia, the appropriate access rights to this FTP site.

First, select "Default FTP Site" and double-click "FTP Authentication" in the content form. On the "FTP Authentication" page, click "Customize Provider…" in the operations list on the right, and check "IisManagerAuth" in the pop-up form.




After IisManagerAuth is enabled, open "FTP authorization rule", add the specified user, goxia, and give it the corresponding access rights.
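
The choices made in the steps above (the SSL policy, the IisManagerAuth provider and the authorization rules) are stored in applicationHost.config, where they can be reviewed after the fact. The following is an added example, not part of the original article: a Python check over a constructed configuration fragment. The function name audit_ftp_sites and the sample XML are illustrative, and the element and attribute names are assumed to follow the FTP 7 configuration schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the walkthrough's settings as they would appear in
# applicationHost.config (site name and users taken from the article).
SAMPLE = """<configuration><system.applicationHost><sites>
 <site name="Default FTP Site" id="2"><ftpServer><security>
  <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
  <authentication>
   <basicAuthentication enabled="true" />
   <customAuthentication><providers>
    <add name="IisManagerAuth" enabled="true" />
   </providers></customAuthentication>
  </authentication>
 </security></ftpServer></site>
</sites></system.applicationHost>
<location path="Default FTP Site"><system.ftpServer><security><authorization>
 <add accessType="Allow" users="Administrator" permissions="Read, Write" />
 <add accessType="Allow" users="goxia" permissions="Read, Write" />
</authorization></security></system.ftpServer></location>
</configuration>"""

def audit_ftp_sites(config_xml):
    """Summarise custom providers, SSL policy and allow rules per FTP site."""
    root = ET.fromstring(config_xml)
    report = {}
    for site in root.iter("site"):
        sec = site.find("ftpServer/security")
        if sec is None:  # not an FTP site
            continue
        name = site.get("name")
        ssl = sec.find("ssl")
        control = ssl.get("controlChannelPolicy") if ssl is not None else None
        providers = [p.get("name")
                     for p in sec.iterfind("authentication/customAuthentication/providers/add")
                     if p.get("enabled", "").lower() == "true"]
        rules = [(r.get("accessType"), r.get("users"), r.get("permissions"))
                 for loc in root.iter("location") if loc.get("path") == name
                 for r in loc.iterfind(".//authorization/add")]
        report[name] = {
            "custom_providers": providers,
            # Explicit SslAllow: a client may skip TLS and log in in cleartext.
            "cleartext_login_allowed": control == "SslAllow",
            "allow_rules": [r for r in rules if r[0] == "Allow"],
        }
    return report

if __name__ == "__main__":
    print(audit_ftp_sites(SAMPLE))
```

Run against a copy of the server's own applicationHost.config, the same function lists every FTP site where the SSL policy was relaxed to "allow" together with the accounts that were granted access.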




Finally, let's log in to FTP as goxia, the IIS Manager user, to test.


If the first login fails and the user name and password cannot be verified, you will need to open the FTP server's "IIS Manager Permissions" setting and add the goxia account. After a test login succeeds, the account can be deleted from it. The relevant guidance document on IIS.net performs this step by default, but gOxiA thinks that this step configures whether the user has remote management rights for the FTP site. Once the IIS remote management service is configured and enabled, this account's permissions may pose a security risk. gOxiA does not fully understand this yet and hopes that some readers can offer a pointer or two!



