Some Useful and Obscure FTP Configuration Settings
I get a lot of question about various configuration settings for the IIS FTP service, and most of the settings that I discuss with people can be configured through the FTP features in the IIS Manager. That being said, there are some useful configuration settings for the FTP service which I periodical send to people that have no user interface for setting them. With that in mind, I thought I would write a quick blog to point out a few of these obscure settings that I personally use the most-often or I send to other people.
Using Domain Name Syntax as an FTP Virtual Hostname
I use this setting on all of my FTP servers because it seems a little more natural to me. Here's the scenario: the IIS FTP service supports two kinds of hostnames:
- "Real" FTP hostnames - these are real FTP hostnames that are specified by using the FTP HOST command (as defined in RFC 7151)
- "Virtual" ftp hostnames - these are FTP hostnames that are specified as part of the FTP USER command
Real FTP hostnames are pretty straight-forward: an FTP client specifies the hostname with a HOST command when a user is connecting to the server. Once the IIS FTP service receives that command, the FTP service routes the FTP session to the correct FTP site.
That being said, the FTP HOST command is still rather new, so only a handful of FTP clients currently support it. Because of that, you can use FTP "virtual" hostnames with the IIS FTP service. By default that syntax uses the "vertical line" or "pipe" character to differentiate between the hostname and user name. For example:
- "
ftp.contoso.com|username" - "
ftp.fabrikam.com|username"
When you are specifying your FTP credentials in your FTP client, you would enter your username like the preceding examples. While this syntax is valid for both the IIS FTP service and the underlying FTP protocol, it seems a little odd to most users (including me). With that in mind, we added a configuration setting for the FTP service that will allow you to use the more-familiar domain\username syntax like the following examples:
- "
ftp.contoso.com\username" - "
ftp.fabrikam.com\username"
To enable this feature, use the following steps:
- Open a command prompt as an administrator.
- Type the following commands:
cd /d "%SystemRoot%\System32\Inetsrv"
appcmd.exe set config -section:system.ftpServer/serverRuntime /hostNameSupport.useDomainNameAsHostName:"True" /commit:apphost
net.exe stop FTPSVC
net.exe start FTPSVC - Close the command prompt.
More information about this feature is available in the IIS configuration reference at the following URL:
- FTP Host Name Support <hostNameSupport>
http://www.iis.net/ConfigReference/system.ftpServer/serverRuntime/hostNameSupport
FTP Credential Caching
The FTP service caches user credentials for successfully-authenticated user sessions in order to help improve login performance, and I wrote the following detailed blog about this a couple of years ago:
Credential Caching in FTP 7.0 and FTP 7.5
I don't want to re-post an old blog, but I have sent several people to that blog over the years, so I thought that it was worth mentioning here since it seems to be referenced quite often. The problem that people seem to run into the most is that their old password is still valid for FTP after they have changed it, and this is caused by the FTP service caching their user credentials.
This is especially annoying for me personally when I am working on a development computer where I am creating an authentication provider. Unless I disable credential caching on my development computer, I can never seem to get any work done. To resolve this issue, I disable credential caching for the FTP service by using the following steps:
- Open a command prompt as an administrator.
- Type the following commands:
cd /d "%SystemRoot%\System32\Inetsrv"
appcmd.exe set config -section:system.ftpServer/caching /credentialsCache.enabled:"False" /commit:apphost
net.exe stop FTPSVC
net.exe start FTPSVC - Close the command prompt.
The blog which I mentioned earlier goes into more detail about setting a custom timeout interval for credential caching instead of disabling the feature entirely, and all of the settings for FTP credential caching are in the IIS configuration reference at the following URLs:
- FTP Caching <caching>
http://www.iis.net/ConfigReference/system.ftpServer/caching - FTP Credentials Cache <credentialsCache>
http://www.iis.net/ConfigReference/system.ftpServer/caching/credentialsCache
FTP Client Certificate Authentication
FTP Client Certificate Authentication is an often-overlooked feature of the IIS FTP service, and I think that this is due to two reasons:
- There is no user interface to configure the required settings
- Configuring the required settings is very difficult
My second reason cannot be understated; I usually have to set up FTP Client Certificate Authentication once or twice a year in order to test various scenarios, and each time I do so I am reminded of just how difficult it can be to get everything right, and equally how easy it is to get something wrong.
Fortunately I took the time a couple of years ago to write a blog which documents everything that it takes to configure the FTP service, and I have used my notes in that blog several times. In complement to my blog on the subject, Vivek Kumbhar wrote an excellent blog series with additional steps to configure your Active Directory for certificate authentication. With that in mind, here are all of the requisite blog posts that you would need to set up this feature:
- Configuring FTP Client Certificate Authentication in FTP 7
Describes how to configure your FTP server for FTP Client Certificate Authentication. - Configure Client Certificate Mapping in FTP 7.5 - Part 1
Describes how to set up your Active Directory server, IIS server, and FTP client systems. - Configure Client Certificate Mapping in FTP 7.5 - Part 2
Walks you through obtaining and installing a server certificate, which you will use later for your FTP site. - Configure Client Certificate Mapping in FTP 7.5 - Part 3
Walks you through setting up an FTP site with SSL. - Configure Client Certificate Mapping in FTP 7.5 - Part 4
Describes how to configure Active Directory mapping for a user account.
As I have mentioned before, configuring this feature is not for the faint-of-heart, but it can be very beneficial from a security standpoint.
For more information about the settings that are required for FTP Client Certificate Authentication, see the following articles in the IIS configuration reference:
- FTP Client Certificate Authentication <clientCertAuthentication>
http://www.iis.net/ConfigReference/system.applicationHost/sites/site/ftpServer/security/authentication/clientCertAuthentication - FTP over SSL <ssl>
http://www.iis.net/ConfigReference/system.applicationHost/sites/site/ftpServer/security/ssl - FTP SSL Client Certificates <sslClientCertificates>
http://www.iis.net/ConfigReference/system.applicationHost/sites/site/ftpServer/security/sslClientCertificates
That wraps it up for today's post. ;-]
(Cross-posted from http://blogs.msdn.com/robert_mcmurray/)