Providing a Default Domain for Microsoft FTP User Authentication
Jason Boche, MCSE NT4/2000/2003, MCSA 2000/2003, MCP, VCPx2, CCA, A+
As usual, I have a story behind most of my experiences. If you’re not interested in reading about it, skip to the section “How to do it”.
I’ve been using FTP servers since I learned how to write and publish web pages in HTML – about the early to mid 1990s. I found using an FTP client to connect to an FTP server was pretty straightforward. The three required elements to provide are a host name, a user name, and a password. Sure, there are additional parameters that can be provided such as configuring a connection through a firewall, changing ports, or providing local and remote working directories, but let’s keep it simple, because that’s what this article is about – keeping it simple for end users who are not as technical, and would like to keep it that way.
Fast forward a few years. Now I’ve got fast ADSL broadband internet connectivity, as many static IP addresses as I want through my local ISP (static IPs still weren’t a hot commodity to be cherished back then), and servers in my spare bedroom running Microsoft IIS and FTP, as well as domain controllers. I decided that I’ve got more than enough bandwidth to host some websites for friends and small businesses in the area. These customers are not technically savvy. They’ve put together a website using some do-it-yourself WYSIWYG tool (usually consisting of a single home page containing some pictures, their favorite bands, animated GIFs up the wazoo, and the obligatory guestbook for everyone to sign, and that’s it).
So I’ve got the servers, the customers have the content. Now it’s time to teach each of them how to get their content to my servers using an FTP tool. To their credit, they “got” the file transferring concepts down relatively quickly, but I did have one consistent issue with most of them… troubleshooting the login process. With all that is involved in publishing web content, how could the logon process be the most troublesome? I could have mitigated the login process issues easily by maintaining an isolated security account database locally on the FTP server (usrmgr.exe or musrmgr.exe), but I was all about centralized user accounts with my NT master account and resource domains. I did not want to maintain separate SAM databases distributed across multiple servers. Microsoft FTP defaults to using the local SAM on the FTP server. If you want FTP users to utilize a centralized domain to authenticate with FTP, they need to prefix their login name with the domain name so their FTP login name would look like this: domain_name\user_name. The customers I was working with were having trouble grasping the domain_name\ prefix. With their previous ISP, they never had to enter the prefix and that slash thing. Of course not. At the time probably 98% or better of the servers on the internet were some flavor of Unix. Also factor in the probability that even if they remember the general syntax, they would use the wrong slash (domain_name/). This alone will add a 50% failure rate.
Wanting to have the best of all possible scenarios: 1) my central domain-based SAM, 2) no local SAM on the FTP server, and 3) 100% customer satisfaction, I needed to figure out how to automatically add the domain prefix to the customer’s login name during the authentication process. An added benefit would be to make this transparent to the end user so as not to propagate any confusion. Fortunately, there is a solution, although the solution has changed across the subsequent releases of Microsoft FTP. In addition, I personally haven’t seen the solution for Windows Server 2003 FTP widely published. At latest count, the solution applicable to Microsoft IIS6 and FTP which ships with Windows Server 2003 is only found in one hit if you turn to Google, and even with that, you need to use the right combination of key words to dig it up.
At last, the moment you’ve been waiting for.
How to do it.
I’m going to provide the solution for the current version of Windows Server, which is Windows Server 2003. By now, I hope that most would be on Windows Server 2003. I personally and professionally encourage the use of current operating systems. That is to say, I am against propagating the extended use of legacy versions of Windows (2000, NT, etc.), so I am not going to provide the solution for the older versions. The cost for supporting legacy versions of Windows is expensive. Case in point, ask anyone who had to obtain the Windows 2000 Daylight Savings Time hotfix how much they paid Microsoft for it; it was not freely available from the Microsoft website. By recommending Windows Server 2003, I’m trying to save people time and money in the long run. The increased costs for supporting legacy operating systems are one of Microsoft’s methods to encourage customers to migrate to current versions. The increased costs in turn provide the funds necessary for a vendor to maintain a support model for legacy software. If you do need the solution for legacy versions of Windows, they are much more frequent on the internet and I trust you will be able to find them easily with a Microsoft Technet or Google search. Trust me when I say that the solution I am going to provide for Windows Server 2003 does not work for Windows NT.
The first step is to identify the problem. What to look for:
1.
2.
Example:
3. Event ID 100 with Source MSFTPSVC is registered in the System event log on the FTP server.
Example:
4. Event ID 529 with Source Security is registered in the Security event log on the FTP server. By the way, every sleuthing administrator needs to have a copy of this web page handy: http://www.windowsecurity.com/articles/Logon-Types.html, which identifies each of the 11 different Windows logon types.
Example:
5.
Example:
To specify a default logon domain so users do not have to use the domain_name\ prefix when logging on to the FTP server, use the Windows Script Host along with a script that was installed during the installation of Microsoft FTP Server (adsutil.vbs).
1. If you read my previous article on how to install and use cmdhere, that will quickly open a command prompt and take you to the correct directory with just a few mouse clicks.
2. Run the following command (the script file is adsutil.vbs, and the domain name is enclosed in straight double quotes):
cscript.exe adsutil.vbs set MSFTPSVC/DefaultLogonDomain "Domain Name"
3.
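As an added example (not code from the article, from Microsoft, or from adsutil.vbs itself), the following Windows Script Host script makes the same metabase change programmatically through the IIS ADSI provider and verifies it: it reads the current MSFTPSVC/DefaultLogonDomain value, writes the domain name given on the command line, and re-reads it from a fresh binding. It assumes it is run on the FTP server itself (binding path IIS://localhost/MSFTPSVC), and CORP in the usage line is a placeholder for your domain's NetBIOS name.

```vbscript
' Added example (not from the article or from Microsoft): read, set and
' re-read the MSFTPSVC/DefaultLogonDomain metabase property through the
' IIS ADSI provider, the same property adsutil.vbs writes. Run on the
' FTP server as:  cscript.exe SetFtpLogonDomain.vbs CORP
' (IIS://localhost/MSFTPSVC is assumed; CORP is a placeholder domain name).
Option Explicit

Const PROP = "DefaultLogonDomain"
Dim args, wanted, svc, before, after

Set args = WScript.Arguments
If args.Count <> 1 Then
    WScript.Echo "Usage: cscript.exe SetFtpLogonDomain.vbs <DOMAIN_NAME>"
    WScript.Quit 1
End If
wanted = args(0)

' Bind to the FTP service node of the metabase (MSFTPSVC in adsutil syntax).
Set svc = GetObject("IIS://localhost/MSFTPSVC")

' Record the current value first so the change is auditable. An unset
' property raises an error; unset means FTP falls back to the local SAM.
On Error Resume Next
before = svc.Get(PROP)
If Err.Number <> 0 Then before = "" : Err.Clear
On Error GoTo 0
WScript.Echo "Current " & PROP & ": " & Describe(before)

If StrComp(before, wanted, vbTextCompare) = 0 Then
    WScript.Echo "Already set; nothing to do."
    WScript.Quit 0
End If

' Write the new value and commit it to the metabase.
svc.Put PROP, wanted
svc.SetInfo

' Re-read from a fresh binding to prove the commit took effect.
Set svc = GetObject("IIS://localhost/MSFTPSVC")
after = svc.Get(PROP)
If StrComp(after, wanted, vbTextCompare) <> 0 Then
    WScript.Echo "ERROR: value after SetInfo is " & Describe(after)
    WScript.Quit 2
End If
WScript.Echo "Set " & PROP & " to " & Describe(after) & _
             "; users may now log on as user_name without the " & after & "\ prefix."

' Render an empty value readably instead of as a blank string.
Function Describe(s)
    If Len(s) = 0 Then Describe = "(not set - local SAM)" Else Describe = """" & s & """"
End Function
```

The before/after echo lines give a change record you can paste into a ticket; exit codes 1 and 2 let a wrapper batch file detect a usage error or a commit that did not stick.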
This solution, as well as many other solutions to common FTP logon problems, can be found in Microsoft Knowledge Base article 200475 (http://support.microsoft.com/kb/200475).