IIS Insider - June 2006

By Chris Crowe, Database Administrator, Trimble Navigation New Zealand Ltd.

IIS Insider is a monthly column designed to answer your questions on how to troubleshoot and make the most of Microsoft Internet Information Services (IIS).

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real companies, organizations, products, domain names, e-mail addresses, logos, persons, places, or events are intended or should be inferred.

Adding Virtual Directories to an FTP Site

Q. When I add a virtual directory to my FTP site, why do users say that they cannot see it when they browse my FTP site?

A. The Microsoft FTP server has a "feature" where a virtual directory does not appear in a directory listing. This confuses a lot of people because it is the opposite of the way that the IIS Web server handles virtual directories.

The side effect is that you end up with a hidden directory. It is hidden from listings only: if you use the FTP CWD command you will still be able to change into the new virtual directory.

To make the directory visible as users browse the FTP site, you must create a physical directory with the same name at the same level in the FTP site. Once this is done, users will see the directory as they browse your site, but when they CWD into that directory the virtual directory settings take precedence and they are taken to the virtual directory's folder instead of the physical directory.

Note: I believe that this limitation will be resolved with the FTP server included in IIS 7.

Administering Physical Directories on an FTP Site

Q. When I create a physical directory in my FTP site, I cannot administer it within the FTP interface as it does not show up. Why does this happen, and what can I do about it?

A. The Microsoft FTP server has a "feature" where physical directories cannot be administered within its FTP management interface. This is the opposite of how it works for a Web site. The limitation causes problems if you want to configure settings for the directory, such as Read/Write access or the security accounts related to the directory.

The way to work around this issue is to create a virtual directory with the same name as the physical directory. Once this Virtual Directory is created you will then be able to adjust settings related to it in the FTP management tool.

As long as the Physical Directory and the Virtual Directory point to the same location then the users will be able to navigate your site without ever knowing that this "feature" is in place.

Note: I believe that this limitation will also be resolved with the FTP server included in IIS 7.

Understanding User Isolation Mode

Q. I am trying to understand the user isolation mode in the Microsoft FTP Server that is included with IIS 6. I do not understand what folders I need to configure as all I get is "User Home Directory Inaccessible" when I try to log onto my FTP site. Can you help?

A. User isolation was added to Microsoft FTP Server with version 6.0 of IIS. This means that user isolation is available on the Windows Server 2003 family only. Future versions will also support this feature.

There are 3 different options for User Isolation when creating an FTP site. These settings can only be set when you are creating a new FTP site and if you want to change the mode you will need to delete the existing FTP site and create a new site, unless you write a script to edit the IIS configuration database.

The three user isolation modes available with IIS 6 are:

  • Do not isolate users (default option): Users can access the FTP home directory of other users.

  • Isolate Users: Users must be assigned an FTP home directory within the root of the FTP site.

  • Isolate Users using Active Directory: Users must be assigned an FTP home directory that is configured using their Active Directory user account.

Do not isolate users

The default option, "Do not isolate users", means that any user who logs on to the FTP site can access any folder on the site, as long as their user account has the correct NTFS permissions to access the folder. It also means that if the Home Directory of the FTP site contains a folder with the same name as the user account, the user is automatically placed into that folder at logon. The user can still use the FTP command "CWD /" to move to the root of the FTP site. This automatic placement into a folder at logon cannot be disabled.

Isolate Users

When you use the Isolate Users option, the user is placed into a folder and this folder becomes the root of the FTP site for their session. They cannot back up to the real FTP site Home Directory; they are, in effect, isolated.

The folder names differ depending on the type of account and the configuration of the server, as shown below:

| FTP Server Name | User Account | Isolation Folder | User Folder |
|---|---|---|---|
| FTP-SRV-01 | Anonymous | LocalUser | Public |
| FTP-SRV-01 | FTP-SRV-01\User | LocalUser | User |
| FTP-SRV-01 | Domain\User | Domain | User |

The main points to take from the above are:

  • If the user logs in anonymously and Isolate Users is enabled, then the Isolation folder is called "LocalUser" and the user's folder is called "Public".

  • If the User Account that the user is logging in with is an account on the local FTP Server computer then "LocalUser" is the name of the Isolation folder as long as the FTP server is not running on a Domain Controller.

  • If the User Account that the user is logging in with is a Domain Account then the "Domain" is the name of the Isolation folder.

Here is an example of the location of the folders:

| Directory | Description |
|---|---|
| c:\inetpub\ftproot | The FTP site's home directory |
| c:\inetpub\ftproot\LocalUser | The Isolation folder |
| c:\inetpub\ftproot\LocalUser\Public | The user's folder if logging in anonymously |
| c:\inetpub\ftproot\LocalUser\XYZ | The user's folder if logging in as the Local Account "XYZ" |
| c:\inetpub\ftproot\Domain\XYZ | The user's folder if logging in as the "Domain" Account "XYZ" |

Note: Where Domain is referenced above, change it to the name of your Windows Domain.

Note: When you create an FTP site with Isolated users you need to create the LocalUser or the Domain folder as well as all user account folders.
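The folder rules above can be turned into a check for the missing folders behind the "User Home Directory Inaccessible" error. This is an added example, not code from the column or from IIS; the function names, the treatment of a bare user name as a local account, and the sample logins and folders are assumptions made for illustration.

```python
import ntpath
import os


def isolation_home(ftp_root, login, server_name):
    """Folder that 'Isolate Users' mode expects for this login.

    Follows the table above for a server that is not a domain controller.
    """
    if login.lower() == "anonymous":
        return ntpath.join(ftp_root, "LocalUser", "Public")
    domain, sep, user = login.rpartition("\\")
    # Assumption: a bare user name (no "DOMAIN\") is a local account.
    if not sep or domain.lower() == server_name.lower():
        return ntpath.join(ftp_root, "LocalUser", user)
    return ntpath.join(ftp_root, domain, user)


def missing_homes(ftp_root, logins, server_name, is_dir=os.path.isdir):
    """Map each login whose expected home folder is absent to that folder."""
    missing = {}
    for login in logins:
        home = isolation_home(ftp_root, login, server_name)
        if not is_dir(home):
            missing[login] = home
    return missing


# Constructed sample data: folders that exist under the FTP root, and logins.
FTP_ROOT = r"c:\inetpub\ftproot"
EXISTING = {
    r"c:\inetpub\ftproot\localuser\public",
    r"c:\inetpub\ftproot\localuser\xyz",
}
LOGINS = ["anonymous", r"FTP-SRV-01\XYZ", r"Domain\XYZ"]


def sample_is_dir(path):
    """Case-insensitive lookup in the constructed folder set."""
    return ntpath.normcase(path) in EXISTING


if __name__ == "__main__":
    # On the FTP server itself, omit is_dir to test the real file system.
    report = missing_homes(FTP_ROOT, LOGINS, "FTP-SRV-01", sample_is_dir)
    for login, home in report.items():
        print(f"{login}: create {home}")
```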

Isolate Users using Active Directory

When you use the Isolate Users using Active Directory option the user will be placed into a folder that is defined by two attributes in Active Directory and this folder becomes the root of the FTP site for their session. They can not back up to the real FTP site Home Directory.

This mode requires an Active Directory server running on an operating system in the Windows Server 2003 family. A Windows 2000 Active Directory can also be used but requires manual extension of the User Object schema which on a Windows 2000 Active Directory can not be reversed.

The two Active Directory attributes are:

  • msIIS-FTPRoot

  • msIIS-FTPDir

Active Directory-based user isolation is the recommended choice for hosting providers and companies that have to maintain a large number of FTP user folders. The user's home folder is determined upon authentication by querying the msIIS-FTPRoot and msIIS-FTPDir attributes of the user object in Active Directory. The concatenation of the msIIS-FTPRoot and msIIS-FTPDir values gives the path to the user's home folder.

An example may look like this:

  • msIIS-FTPRoot = D:\FTP Users

  • msIIS-FTPDir = \JohnSmith

This will result in "D:\FTP Users\JohnSmith" as the home folder for the user.

Note: The drive letter refers to a drive on the FTP Server computer.

Note: It is also possible to specify a UNC path as the msIIS-FTPRoot value to connect to another server, e.g. a file server on the server's LAN.

This flexibility allows you to change the user's root folder at any time without having to touch the FTP server's configuration, just by changing the msIIS-FTPRoot attribute in Active Directory for the user in question. Since Active Directory manipulation is pretty simple using various technologies (VBScript, .NET Framework) it's possible to change the settings for various users in a fast way. As a result, it's relatively simple to move the FTP folders of the users to another location, just by updating their msIIS-FTPRoot attribute in Active Directory.

An application, FTP User Editor, with C# source code can be downloaded from Chris Crowe's blog. It lets you control the msIIS-FTPRoot and msIIS-FTPDir attributes through a very simple GUI front end. See the Related Links section for the download link.

Note: The information that is retrieved from Active Directory is cached by the FTP service for 10 minutes by default.

Note: Where Domain is referenced above, change it to the name of your Windows Domain.

Note: Make sure that the user has the right to log on to the server hosting the FTP service if the server is also a Domain Controller, such as Microsoft Small Business Server.
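Because each user's session root is the concatenation of two attributes, a review of those values can catch users with no home folder and users whose root contains another user's folder. The following is an added example, not code from the column, from IIS or from the FTP User Editor; the function names, finding labels and user records are constructed for illustration, and the records would in practice come from a directory export.

```python
import ntpath


def ad_home(attrs):
    """Home folder = msIIS-FTPRoot + msIIS-FTPDir, or None if either is unset."""
    root, ftp_dir = attrs.get("msIIS-FTPRoot"), attrs.get("msIIS-FTPDir")
    if not root or not ftp_dir:
        return None
    # Plain concatenation, as the article describes. ntpath.join() would be
    # wrong here: a msIIS-FTPDir that starts with "\" would discard the root.
    return ntpath.normpath(root + ftp_dir)


def _inside(child, parent):
    """True if child is the same folder as parent or lies beneath it."""
    child, parent = ntpath.normcase(child), ntpath.normcase(parent)
    return child == parent or child.startswith(parent.rstrip("\\") + "\\")


def audit(users):
    """Return (problem, user, detail) findings for a {name: attrs} mapping."""
    findings, homes = [], {}
    for name, attrs in sorted(users.items()):
        home = ad_home(attrs)
        if home is None:
            findings.append(("no-home", name, "attribute not set"))
        else:
            homes[name] = home
    for a, home_a in homes.items():
        for b, home_b in homes.items():
            if a != b and _inside(home_b, home_a):
                # a's session root contains b's folder, so only NTFS
                # permissions separate a from b's files.
                findings.append(("overlap", a, f"{home_a} contains home of {b}"))
    return findings


# Constructed sample records (not real directory data).
SAMPLE_USERS = {
    "JohnSmith": {"msIIS-FTPRoot": r"D:\FTP Users", "msIIS-FTPDir": r"\JohnSmith"},
    "JaneDoe": {"msIIS-FTPRoot": r"D:\FTP Users", "msIIS-FTPDir": r"\JaneDoe"},
    "Operator": {"msIIS-FTPRoot": r"D:\FTP Users", "msIIS-FTPDir": "\\"},
    "NewHire": {"msIIS-FTPRoot": r"D:\FTP Users"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS):
        print(finding)
```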

For More Information

Submit your questions to IIS Insider. A response is not guaranteed; however, selected questions along with the answers will be posted in a future IIS Insider column.

Visit IIS Insider column archives for a list of previous months' questions and answers.

Related Links

IIS Webcasts

IIS Diagnostic Tools

Chris Crowe's FTP User Editor

Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0)

Setting Active Directory User Isolation Using Iisftp.vbs (IIS 6.0)

Active Directory Attribute ms-IIS-FTP-Dir

Active Directory Attribute ms-IIS-FTP-Root