IIS / FTP

Microsoft has created a new FTP service

Chris Crowe — Wed, 02 May 2007 13:25:32 GMT

Microsoft has created a new FTP service that has been completely rewritten for Windows Server Code Name "Longhorn". This new FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options. For additional information, please see our documentation.

This new FTP service is only for Windows Server Code Name "Longhorn" and Internet Information Services 7.0; it will not work on Windows Server 2003 and Internet Information Services 6.0.

Features

This new FTP service supports a wide range of features and improvements, and the following list contains several of the improvements in this version:

Integration with IIS 7.0:
IIS 7.0 has a brand-new administration interface and configuration store, and the new FTP service is tightly integrated with this new design. The old IIS 6 metabase is gone, and a new configuration store that is based on the .NET XML-based *.config format has taken its place. In addition, IIS 7.0 has a new administration tool, and the new FTP server plugs seamlessly into that paradigm.

Support for new Internet standards:
One of the most significant features in the new FTP server is support for FTP over SSL. The new FTP server also supports other Internet improvements such as UTF8 and IPv6.

Shared hosting improvements:
By fully integrating into IIS 7.0, the new FTP server makes it possible to host FTP and Web content from the same site by simply adding an FTP binding to an existing Web site. In addition, the FTP server now has virtual host name support, making it possible to host multiple FTP sites on the same IP address. The new FTP server also has improved user isolation, now making it possible to isolate users through per-user virtual directories.

Extensibility and custom authentication:
The new FTP server supports developer extensibility, making it possible for software vendors to write custom providers for FTP authentication. Microsoft is using this extensibility feature to implement two new methods for using non-Windows accounts for FTP authentication for IIS Managers and .NET Membership.

Improved logging support:
FTP logging has been enhanced to include all FTP-related traffic, unique tracking for FTP sessions, FTP sub-statuses, additional detail fields in FTP logs, and much more.

New supportability features:
IIS 7.0 has a new option to display detailed error messages for local users, and the FTP server supports this by providing detailed error responses when logging on locally to an FTP server. The FTP server also logs detailed information using Event Tracing for Windows (ETW), which provides additional detailed information for troubleshooting.

Benefits

This add-on is a substantial step forward for helping you to enable powerful publishing capabilities for your Web environment.

Requirements

The following prerequisites must be fulfilled in order to install the new FTP server:

• You must be using Windows Server Code Name "Longhorn" Beta 3 or later.
• Internet Information Services 7.0 must be installed, and the administration tool should be installed if you are going to manage the FTP server using the IIS 7.0 user interface.
• You must install the FTP server as an administrator. (See the Downloading and Installing section for more.)
• IIS 7.0 supports a new shared configuration environment, which must be disabled on each server in a web farm before installing the new FTP server for each node. Note: Shared configuration can be re-enabled after the FTP server had been installed.
• The FTP server that is shipped on the Windows Server Code Name "Longhorn" DVD must be uninstalled before installing the new FTP server.

See http://www.iis.net/downloads/default.aspx?tabid=34&i=1454&g=6 for more details and to download.

Changing the default FTP site to Isolate Users using Active Directory

Chris Crowe — Thu, 14 Sep 2006 11:15:00 GMT

If you have installed the FTP server for IIS 6 you will notice that it is not configured to isolate users either locally or by using Active Directory and that there is no UI to enable this!

There are two ways to change user isolation:

Create a new FTP site and configure it then.
Adjust the IIS Metabase properties using a script

Option #1 above is quite simply and does not really need any explaining. Just create a new FTP site and follow the promtps.

Option #2 is where this article is going to concentrate on.

We can either write a simple ADSI/WMI script or we can use the adsutil.VBS script - we are going to concentrate on the adsutil.VBS script.

First things is how does IIS determine the user isolation mode?

IIS uses a metabase property called UserIsolationMode to control user isolation in association with ADConnectionsUserName, ADConnectionsPassword and DefaultLogonDomain properties.

UserIsolationMode

The UserIsolationMode can only be one of the following values.

0 = Not Isolated

1 = Isolated (Locally)

2 = Isolated using Active Directory

When UserIsolationMode = 0

There is no user isolation in this mode, this is the default setting.

When UserIsolationMode = 1

When a client authenticates using local or domain accounts and is then sent to a folder under the root that matches the user name. This setting is called "Isolated (Locally)," and it supports users who do not want to use Active Directory.

When UserIsolationMode = 2

User isolation is dependent on Active Directory. This setting is called "Isolated (Active Directory)," and it is primarily used by Internet service providers (ISPs) and other customers who want to set up large numbers of FTP accounts.

When using this mode the following properties must also be configured.

ADConnectionsUserName

ADConnectionsPassword

DefaultLogonDomain.

The ADConnectionsUserName specifies the user account ( without Domain ) that will be used to communicate with Active Directory to read the ms-IIS-FTP-Dir and ms-IIS-FTP-Root Active Directory attributes. The ADConnectionsPassword simply specifies the Password for the Username and the DefaultLogonDomain is the domain for the user account.

Note: The UserIsolationMode key is by default not set in the IIS metabase for the default FTP site and defaults to a value of 0 (Not Isolated)

Using ADSUTIL.VBS to change to Active Directory User Isolation Mode

Adsutil.vbs is installed into c:\inetpub\adminscripts by default.

We will make the following assumptions for setting up User Isolation

We have backed up the IIS Metabase using the UI - if you have not DO IT NOW!
( Open IIS Manager, Right click Server Name, All Properties, Backup/Restore configuration)

We are going to change the default FTP site user isolation mode.

We are going to Isolate users using Active Directory.

We are going to use an account of TestDomain\TestUserName to gain access to Active Directory with a password of $Password_

To determine the current user isolation mode we will run the following command from a CMD.EXE prompt.

cscript adsutil.vbs get MSFTPSVC/1/UserIsolationMode

Note: In the above code we see that the value is not set! this is the default for the Default FTP Site

To set the UserIsolationMode to 2 which is Active Directory Isolation we issue the following command.

cscript adsutil.vbs set MSFTPSVC/1/UserIsolationMode 2

Note: The result is that we have now configured the default FTP site to use Active Directory Isolation (2)

But: We have not configured any credentials to be used to allow the server to talk to Active Directory yet!

We now need to configure the user account that will be used to communicate with Active Directory

The following commands will do this

cscript adsutil.vbs set MSFTPSVC/1/ADConnectionsUserName TestUserName
cscript adsutil.vbs set MSFTPSVC/1/ADConnectionsPassword $Password_
cscript adsutil.vbs set MSFTPSVC/1/DefaultLogonDomain TestDomain

If you now right clicked on the default FTP site in the IIS Manager and selected properties you would see that it is different.

Active Directory Isolation Default - No User Isolation

To restore the UserIsolationMode to the default, which is 0 we simply issue the following command.

cscript adsutil.vbs set MSFTPSVC/1/UserIsolationMode 0

A free FTP User Account Editor for Active Directory

The following application is free and comes with full source code written in c#. You can use this application to easily configure the ms-IIS-FTP-Root and ms-IIS-FTP-Dir Active Directory attributes for 1 or more users using a very simple UI.

To read more or to download the application see this blog post - http://blog.crowe.co.nz/archive/2006/03/09/594.aspx

Some additional references::

UserIsolationMode
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/bf5915f4-1f7b-4245-acc0-642920b9ef7b.mspx
ADConnectionsUserName
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f55728ba-08a1-4485-b9d0-ac08cf5f8a49.mspx
ADConnectionsPassword
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8b9cab5d-1a85-495b-b68f-1a5def1fd62e.mspx
DefaultLogonDomain
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8323c713-9d0d-4ea9-9069-5e2962bc2f77.mspx
ms-IIS-FTP-Dir
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_msiis_ftpdir.asp?frame=true
ms-IIS-FTP-Root
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_msiis_ftproot.asp

IIS Insider - June 2006 - Written by me....

Chris Crowe — Fri, 23 Jun 2006 09:04:00 GMT

I have had my first set of questions & answers on the Microsoft FTP Server published in June IIS Insider section on www.microsoft.com

IIS Insider is a monthly column designed to answer your questions on how to troubleshoot and make the most of Microsoft Internet Information Services (IIS).

The questions I presented are:

Adding Virtual Directories to an FTP Server
Administering Physical Directories on an FTP Site
User Isolation Mode options

The article is up for the month of June (it only went up today June 22) at http://www.microsoft.com/technet/community/columns/insider/default.mspx

After June you can see the details on the IIS Insider column archives

FTP - Steve Schofield has written a couple of useful articles on Blind Drop & Blind Get FTP Server using IIS

Chris Crowe — Thu, 08 Jun 2006 19:50:00 GMT

Steve Schofield has written two artricles on how to setup an anonymous “blind drop” and “Blind Get“ FTP server using Microsoft Windows 2003

See these articles

You maybe wondering, what is a “blind drop” server? A “blind drop” FTP server provides individuals or companies a method to anonymously transfer files using FTP files without having permission to list files or retrieve files on the FTP site. In other words, you can “drop” files onto the server but not see what’s there or retrieve files if you did know what was there. There are benefits for both the end-user and FTP administrator. The end-user doesn’t have to remember a user id and password. The FTP administrator uses NTFS permissions so anonymous users can’t browse or retrieve files. The biggest benefit for the FTP administrator is that they don’t have to maintain user ids and passwords for everyone needing FTP access.

You maybe wondering, what is a “blind get” server? A “blind get” FTP server provides a method to anonymously transfer files using FTP without having permission to list files or add files on the FTP site. In other words, you can “get” files but not see what’s there or retrieve files unless the absolute path is known. There are benefits for both the end-user and FTP administrator. The end-user doesn’t have to remember a user id and password. The FTP administrator uses NTFS permissions so anonymous users can’t browse or add files.

FTP User Editor for Active Directory (Updated)

Chris Crowe — Thu, 09 Mar 2006 08:06:00 GMT

The FTP User Editor for Microsoft Active Directory has been updated a fix a couple of problems.

Bugs

There was a limit of 1000 objects being returned from the Active Directory - increased to 32768.

You can download and install from:

Binary Version
http://blog.crowe.co.nz/Attachments/FTPUserEditor/1.10/setup.msi
Full Source
http://blog.crowe.co.nz/Attachments/FTPUserEditor/1.10/FTPADUserEditorv110.rar

For more details on the FTP User Editor please see the original post at http://blog.crowe.co.nz/archive/2006/02/15/556.aspx

FTP User Editor for Microsoft Active Directory (Updated)

Chris Crowe — Fri, 03 Mar 2006 14:39:00 GMT

The FTP User Editor for Microsoft Active Directory has been updated a fix a couple of problems.

Bugs

The connect dialog did not hide the password as you typed it!
The Recent Users were lost after you shutdown due to a difference in implementation between the old and new controls.

New Features

You can now browse to find the path for the FTP Root directory.

You can download and install from:

Binary Version
http://blog.crowe.co.nz/Attachments/FTPUserEditor/1.09/setup.msi
Full Source
http://blog.crowe.co.nz/Attachments/FTPUserEditor/1.09/FTPADUserEditorv109.rar

For more details on the FTP User Editor please see the original post at http://blog.crowe.co.nz/archive/2006/02/15/556.aspx

C# application to show the WWW and FTP Sites and their log file directories....

Chris Crowe — Wed, 22 Feb 2006 14:44:00 GMT

I often look at the log files on my web server and with IIS 6 the folders are created with random numbers.

Correction from Tom regarding the “random numbers“:

In fact the log file names are generated from the site name so that in cases where a site is run on multiple servers the site id will be the same on each server. This helps with scripting and stuff. You can configure it in the registry to use the IIS5 type naming format if you want.

More details can be found below:

Microsoft IIS Insider - February 2005
http://www.microsoft.com/technet/community/columns/insider/iisi0205.mspx#ECE

Configure the Web Site Identification Number (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/fb7eb8d1-8862-497b-83d3-eee54a98a2de.mspx

This simple application will display the WWW and FTP sites along with the log file directory. Just compile
it up or download the executable and drop the executable into your c:\windows\system32\logfiles folder and
just dblclick on it when you need to view the sites to folders relationships.

using System;
using System.DirectoryServices;
using System.IO;
using System.Collections;
using System.Windows.Forms;
namespace IISHelpDir
{
    /// 
    /// Summary description for Class1.
    /// 
    class Class1
    {
        /// 
        /// The main entry point for the application.
        /// 
        [STAThread]
        static void Main(string[] args)
        {
            SortedList www = new SortedList();
            SortedList ftp = new SortedList();
            try
            {
                const string FtpServerSchema = "IIsFtpServer"; // Case Sensitive
                const string WebServerSchema = "IIsWebServer"; // Case Sensitive
                string ServerName = "LocalHost";
                DirectoryEntry W3SVC = new DirectoryEntry("IIS://" + ServerName + "/w3svc");
                foreach (DirectoryEntry Site in W3SVC.Children) 
                {
                    if (Site.SchemaClassName == WebServerSchema) 
                    {
                        string LogFilePath = System.IO.Path.Combine(
                            Site.Properties["LogFileDirectory"].Value.ToString(),
                            "W3CSVC"+Site.Name);
                        www.Add(Site.Properties["ServerComment"].Value.ToString(), LogFilePath);
                    }
                }
    
                DirectoryEntry MSFTPSVC = new DirectoryEntry("IIS://" + ServerName + "/msftpsvc");
                foreach (DirectoryEntry Site in MSFTPSVC.Children) 
                {
                    if (Site.SchemaClassName == FtpServerSchema) 
                    {
                        string LogFilePath = System.IO.Path.Combine(
                            Site.Properties["LogFileDirectory"].Value.ToString(), 
                            "MSFTPSVC"+Site.Name);
                        ftp.Add(Site.Properties["ServerComment"].Value.ToString(), LogFilePath);
                    }
                }
                int MaxWidth = 0;
                foreach(string Site in www.Keys)
                {
                    if (Site.Length > MaxWidth)
                        MaxWidth = Site.Length;
                }
                foreach(string Site in ftp.Keys)
                {
                    if (Site.Length > MaxWidth)
                        MaxWidth = Site.Length;
                }
                Console.WriteLine("Site Description".PadRight(MaxWidth)+"  Log File Directory");
                Console.WriteLine("".PadRight(79,'='));
                Console.WriteLine();
                Console.WriteLine("WWW Sites");
                Console.WriteLine("=========");
                foreach(string Site in www.Keys)
                {
                    Console.WriteLine(Site.PadRight(MaxWidth) + "  " + www[Site]);
                }                
                if (ftp.Keys.Count > 0)
                {
                    Console.WriteLine();
                    Console.WriteLine("FTP Sites");
                    Console.WriteLine("=========");
                    foreach(string Site in ftp.Keys)
                    {
                        Console.WriteLine(Site.PadRight(MaxWidth) + "  " + ftp[Site]);
                    }                
                }
            }
                // Catch any errors
            catch (Exception e) 
            {
                Console.WriteLine("Error: " + e.ToString());
            }
            finally
            {
                Console.WriteLine();
                Console.WriteLine("Press enter to close/exit....");
                Console.Read();
            }
        }
    }
}

To download a ZIP file containing the c# source and executable (.Net 1.1) please click here.

FTP User Account Editor for Active Directory

Chris Crowe — Wed, 15 Feb 2006 09:16:00 GMT

FTP User Editor for Microsoft Active Directory.....

What is this?

When you run the FTP server with Microsoft IIS 6.0 on the Windows 2003 Server Family of products you can have the FTP server isolate users to their own folders. This means that the user can not browse into another users folder.

There are three isolation modes:

Do not isolate users
Isolate Users
Isolate Users with Active Directory

This application is designed for option 3 and allows you to edit two attributes for a users account:

msIIS-FTPRoot
msIIS-FTPDir

For more details on these attributes see the following page.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_msiis_ftproot.asp

There is no Windows UI to perform this step but there is a way to edit these attributes using the IISFTP.vbs script that is installed when you install IIS with the FTP Service in IIS 6.

The IISFTP.vbs script works fine but sometimes it is nicer and simpler to have a UI to help perform these steps. You also can see potential problems easier with a Windows UI.

The Application

This application has been written to in c# and requires the .NET Framework 2.0 (the new framework) to function. Windows 2003 Server Family by default installs the .NET Framework 1.1.

The .NET Framework 2.0 redistributable can be downloaded from this page and is approx 22MB

http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en

You can then download and install this application from the URL below.

http://blog.crowe.co.nz/Attachments/FTPUserEditor/setup.msi

After you install the program a new item will be added to your Start - Programs folder called IIS Tools.

When you run the application it will prompt you for a Windows Active Directory domain to log onto. You can log on with the currently logged on user account or you can specify another account to log on with.

Once you log on you are then shown a tree of Folders and Organizational Units (OUs). Click on a node will display all user accounts in that folder or OU.

You can select one or more users and right click and select Edit which will bring up the User Editor dialog.

This dialog allows you to set or clear the attributes that are required for users to log on to the FTP server.

If you have any comments on this application ( or bug reports ) please let me know at iismvp2005@iisfaq.homeip.net

Cheers

Chris Crowe [ IIS MVP 1997 -> 2006 ]
http://www.microsoft.com/windows2000/community/mvp/bios/crowe.mspx

Additional references

Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b63de8ef-e3c5-456d-a8ca-7af4198819d4.mspx

FTP Error Status Codes

Chris Crowe — Wed, 19 Oct 2005 17:55:00 GMT

Code	Description
100 Codes	The requested action is being taken. Expect a reply before proceeding with a new command.
110	Restart marker reply.
120	Service ready in (n) minutes.
125	Data connection already open, transfer starting.
150	File status okay, about to open data connection.
200 Codes	The requested action has been successfully completed.
200	Command okay.
202	Command not implemented
211	System status, or system help reply.
212	Directory status.
213	File status.
214	Help message.
215	NAME system type. (NAME is an official system name from the list in the Assigned Numbers document.)
220	Service ready for new user.
221	Service closing control connection. (Logged out if appropriate.)
225	Data connection open, no transfer in progress.
226	Closing data connection. Requested file action successful (file transfer, abort, etc.).
227	Entering Passive Mode
230	User logged in, proceed.
250	Requested file action okay, completed.
257	"PATHNAME" created.
300 Codes	The command has been accepted, but the requested action is being held pending receipt of further information.
331	User name okay, need password.
332	Need account for login.
350	Requested file action pending further information.
400 Codes	The command was not accepted and the requested action did not take place. Tthe error condition is temporary, however, and the action may be requested again.
421	Service not available, closing control connection. (May be a reply to any command if the service knows it must shut down.)`
425	Can't open data connection.
426	Connection closed, transfer aborted.
450	Requested file action not taken. File unavailable (e.g., file busy).
451	Requested action aborted, local error in processing.
452	Requested action not taken. Insufficient storage space in system.
500 Codes	The command was not accepted and the requested action did not take place.
500	Syntax error, command unrecognized. This may include errors such as command line too long.
501	Syntax error in parameters or arguments.
502	Command not implemented.
503	Bad sequence of commands.
504	Command not implemented for that parameter.
530	User not logged in.
532	Need account for storing files.
550	Requested action not taken. File unavailable (e.g., file not found, no access).
552	Requested file action aborted, storage allocation exceeded
553	Requested action not taken. Illegal file name.

IIS FTP - Shared Folders with FTP Isolated Users

Chris Crowe [IIS MVP] — Fri, 02 Sep 2005 23:30:00 GMT

I came across this question on the "microsoft.public.inetserver.ftp" newsgroup today

I am setting up a FTP site in User Isolation Mode.
I have FTPRoot as C:\Inetpub\ftproot.
Under this I have the following phsical directory structure:
LocalUser
    |- User1
    |- Public

Both User1 and anonymous can log in fine and are limited to their
directories (so far so good)

I have a directory c:\ftp\shared that I want User1 and anon to see under
their home directories, but I can't seem to setup the virtual directory
structure correctly.

I have tried the following in IIS:
WebSite
    |-LocalUser (VDIR to c:\Inetpub\ftproot\LocalUser)
        |-User1 (VDIR to c:\Inetpub\ftproot\LocalUser\User1)
            |-shared (VDIR to C:\ftp\shared)

and
WebSite
    |- User1 (VDIR to c:\Inetpub\ftproot\LocalUser)
        |- shared (VDIR to c:\ftp\shared)

neither has worked. I have also tried to setup the LocalUser as a virtual
directory pointing to some other location (moving the physical directories
too), but then no user was able to login.

What is the proper way to do this?

The following is one method to get this to work - I do not know of a better method but this does work

Lets start with a new FTP Site with nothing in it.

I start by creating a folder at the following location (you can use any path you want)

C:\Inetpub\FTPSites\LocalIsolatedShared

Now you create your FTP site and configure it to use FTP Isolated Users

So continue with the FTP Site Creation Wizard.

Now in the home directory folder you must create the following directory "LocalUser" so our path will be:

C:\Inetpub\FTPSites\LocalIsolatedShared\LocalUser

Note:

In my sample I am doing this on Small Business Server 2003 which is a Domain Controller - this means that instead of using LocalUser I must use the name of my domain which is called IISFAQ

Now you must create your directories for each user who will access the FTP site.

In this example I have created a user called XYZ

so I now create a folder called XYZ inside of the LocalUser or DOMAINNAME folder.

C:\Inetpub\FTPSites\LocalIsolatedShared\IISFAQ\XYZ

Create a file in the XYZ folder called XYZ.TXT just so we know we are in the correct place.

If you test this now with an FTP client you should be able to log on as user XYZ and see the file XYZ.TXT

We now need to create a folder for the shared documents or files.

We go back to out FTP home directory and create a folder called Shared

C:\Inetpub\FTPSites\LocalIsolatedShared\Shared

If this is all we do our Shared folder is not accessible so it does not have any use to us.

Create a file in the Shared file called Shared.TXT

We now need to add a virtual directory to the FTP Site.

Right click the FTP Site in IIS Manager and select New-Virtual Directory
Enter Shared as the Alias and click Next
Enter C:\Inetpub\FTPSites\LocalIsolatedShared\Shared as the path and click next
Click Next and then click Finish.

Now although the user will not be able to see this Shared folder they can actually change directory to it. So it is sort of like a hidden directory as can be shown below.

So we now have a problem because the Shared virtual directory is there but the user can not see it!

So how do we get the user to see this virtual directory?

The only way that I know of is to create a physical folder called "Shared" in the users area.

So we end up with this path:

C:\Inetpub\FTPSites\LocalIsolatedShared\IISFAQ\Shared

Now when the user issues a DIR command they will see a folder called Shared and if they change into the Shared folder they will see the contents not of the physical folder but of the virtual directory folder as can be shown below.

Note:

This means that we have to create a folder called Shared for every FTP user on your site which is not ideal and sort of defeats the purpose of virtual directories but I do not know of another way to perform this action.


Active Directory Isolation		Default - No User Isolation