How to Enable Pass-Through Authentication for FTP UNC Virtual Directories (247970)


The information in this article applies to:

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 5.1
This article was previously published under Q247970
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SUMMARY

When you create a File Transfer Protocol (FTP) virtual directory that points to a Universal Naming Convention (UNC) share on a different server, the credentials that are supplied to create the virtual directory are used to grant access to the virtual directory. The credentials that are used to log on to the FTP server through an FTP client are ignored for this purpose. You can configure the Internet Information Services (IIS) FTP service to pass the credentials that are supplied at the FTP logon to the remote share by setting up the IIS FTP service to use pass-through authentication.

Note that whenever a user logs on to an FTP server, the domain name, user name, and password are sent over the network without data encryption.

MORE INFORMATION

Enable Pass-Through Authentication

  1. Create a virtual directory that points to a UNC share and specify valid account credentials to map to the UNC path. Verify that you can connect to the remote share and that you can locate the virtual directory without errors.
  2. Open a command prompt and change the directory to the location of Adsutil.vbs.

    Note By default, in IIS 5.0 and IIS 5.1, the file is located in the C:\Inetpub\Adminscripts folder. By default, in IIS 4.0, the file is located in the %systemroot%\System32\Inetsrv\Adminsamples folder.
  3. At the command prompt, type the following (where # is the number of the FTP site and vdir is the name of the virtual directory that you created in step 1). The quotation marks with nothing between them set that value to nothing:

    adsutil set msftpsvc/#/root/vdir/UNCUserName ""

  4. At the command prompt, type the following (where # is the number of the FTP site and vdir is the name of the virtual directory that you created in step 1). The quotation marks with nothing between them set that value to nothing:

    adsutil set msftpsvc/#/root/vdir/UNCPassword ""

  5. At the command prompt, type the following:

    net stop iisadmin /y

  6. At the command prompt, type the following:

    net start msftpsvc

The Internet Service Manager (ISM) now shows this virtual directory with the red error stop sign. This is typical because the ISM looks for a username and password on a UNC virtual directory, but none exists.

When your users connect and authenticate, the name that the users type is used to connect over the UNC connection to the remote share or content. The system administrator can now set share-level or NTFS-level permissions, and the user account that the client uses is the account that is used to check against the access control list (ACL) of these objects.

Note Any change to this virtual directory in the ISM changes the metabase settings back. If you change this virtual directory, you must perform the steps in this article again.
Modification Type:MinorLast Reviewed:6/23/2005
Keywords:kbhowto KB247970
©2004 Microsoft Corporation. All rights reserved.