Configure FTP with IIS Manager

Authentication in IIS 7
If you are using Windows Server 2008 you can download and install the FTP service from the
http://www.iis.net/ web site using one of the following links:
FTP 7.5 for IIS 7.0 (x64)

The "Network Service" account is used by the COM process that handles authentication
extensibility; therefore, you must grant the account specific permissions to certain folders to
enable this form of authentication. To grant the "Network Service" account "read" permissions to
the IIS "config" folder:
1. Open a command prompt.
2. Type the following command:
ICACLS "%SystemDrive%\Windows\System32\inetsrv\config" /Grant "Network
Service":R /T
ICACLS "%SystemDrive%\Windows\System32\inetsrv\config\administration.config"
/Grant "Network Service":R
ICACLS "%SystemDrive%\Windows\System32\inetsrv\config\redirection.config"
/Grant "Network Service":R

3. Close the command prompt.

Create a root folder for FTP publishing:

1. Create a folder at "%SystemDrive%\inetpub\ftproot" .
2. Set the permissions to allow access for the COM process that handles authentication
extensibility:
o Open a command prompt.
o Type the following command:
ICACLS "%SystemDrive%\inetpub\ftproot" /Grant "Network Service":M
/T
o

Close the command prompt.

Note: The settings listed in this walkthrough specify "%SystemDrive%\inetpub\ftproot" as the

path to your FTP site. You are not required to use this path; however, if you change the location
for your site you will have to change the site-related paths that are used throughout this
walkthrough.

Configuring the IIS 7 Management Service

IIS 7 offers an optional management service that allows remote administration using nonWindows accounts. The steps in this section lead you through the steps to install and configure
this service.
Note: The IIS 7 Management Service must be installed in order to use IIS 7 Manager
Authentication with FTP, but the service does not need to be started.
Step 1: Install the IIS Management Service
In this first step, you install the IIS 7 management service.
1. Click Server Manager in the Windows Start menu.

2. Click Roles in the tree view, locate the Web Server role and click Add Role Services.

3. If Management Service is not checked, check the box next to it and click Next. Otherwise, click
Cancel.

4. When prompted to confirm the service selections, click Install.

5. When the service installation is complete, click Close to exit the wizard and close Server
Manager.

Step 2: Configure the IIS Management Service and Add an IIS 7 Manager
In this second step, you configure the IIS 7 management service for IIS 7 Managers.

1. Go to the IIS 7 Manager. In the Connections pane, click the server-level node in the tree.
Double-click the Management Service icon.

2. Select the option for Windows credentials or IIS Manager credentials. Click Apply in the Actions
pane.

3. Go to the IIS 7 Manager. In the Connections pane, click the server-level node in the tree.
Double-click the IIS Manager Users icon.

4. In the IIS Manager Users feature, click Add User in the Actions pane.

5. When the Add User dialog appears, enter "ftpmanager" for User Name and "P@ssw0rd" for
Password. Click OK.

Summary

To recap the items that you completed in this section:

You installed the IIS 7 management Service.

You configured the IIS 7 management Service to use both Windows and IIS 7 Manager
Credentials.
You created an IIS 7 manager that you will use later.

Creating a New FTP Site and Configuring an IIS 7 Manager Account

This section of the document walks you through the steps required to create a new FTP site from
scratch and then configure the site to use the IIS 7 manager account that you created in the
previous section.
Step 1: Use the FTP Site Wizard to Create an FTP Site
In this first step, you create a new FTP site that can only be opened by the local administrator
account.
1. Go to the IIS 7 Manager. In the Connections pane, click the Sites node in the tree.

2. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions
pane.

3. When the Add FTP Site wizard appears:

o Enter "My New FTP Site" in the FTP site name box, then navigate to the
"%SystemDrive%\inetpub\ftproot" folder that you created in the Prerequisites section.
Note: If you choose to type in the path to your content folder, you can use environment
variables in your paths; for example: "%SystemDrive%\inetpub\ftproot"
o Click Next.

4. On the next page of the wizard:

o Choose an IP address for your FTP site from the IP Address drop-down, or choose to
accept the default selection of "All Unassigned." Because you will be using an IIS 7
manager account later in this walk-through, make sure that you restrict access to the
server -- enter the local loopback IP address for your computer by typing "127.0.0.1" in
the IP Address box.
o You would normally enter the TCP/IP port for the FTP site in the Port box. For this walkthrough, choose to accept the default port of 21.
o For this walk- through, you will not use a host name, so make sure that the Virtual Host
box is blank.
o Make sure that the SSL Certificate drop-down is set to "Not Selected" and that the
Require SSL option is not selected.
o Click Next.

5. On the next page of the wizard:

o In Authentication settings, select Basic.
o In Authorization settings, choose "Specified users" from the Allow access to drop-down.
Type "administrator" in the box, and select both Read and Write in Permissions options.
o Click Finish.

Step 2: Configure the FTP Site to Use IIS 7 Manager Authentication

This section walks you through the steps required to enable IIS 7 Manager Authentication for the
FTP site that you just created. Use the following steps:

1. Go to the IIS 7 Manager. Click the node for the FTP site that you created earlier. Double-click the
FTP Authentication icon to open the FTP authentication feature page.

2. When the FTP Authentication page displays, click Custom Providers in the Actions pane.

3. When the Custom Providers dialog displays, click the check box for IIS Manager Authentication.
Click OK.

4. Your FTP Authentication page should now show both Basic Authentication and IIS Manager
Authentication enabled. If desired, disable Basic Authentication by highlighting it and clicking

Disable in the Actions pane.

5. You now must enable access for the IIS 7 manager account. Click the node for the FTP site in the
tree view. Double-click the IIS Manager Permissions icon to open that feature.

6. On the IIS Manager Permissions page, click Allow User in the Actions pane.

7. When the Allow User dialog displays, choose the IIS Manager option. Click Select.

8. When the Users dialog box displays, select the "ftpmanager" user. Click OK.

9. Click OK to close the Allow User dialog box.

10. You must add an authorization rule so that the IIS 7 manager account can log in. Click the node
for the FTP site in the tree view. Double-click the FTP Authorization Rules icon to open the FTP

authorization rules feature page.

11. When the FTP Authorization Rules page displays, click Add Allow Rule in the Actions pane.

12. When the Add Allow Authorization Rule dialog box opens:
o Select Specified users, then type "ftpmanager" in the text box.
o For Permissions, select both Read and Write.
o Click OK.

Summary

To recap the items that you completed in this section:

1. You created a new FTP site named "My New FTP Site":
o You specified the site's content root at "%SystemDrive%\inetpub\ftproot".
o You bound the FTP site to the local loopback address for your computer on port 21,
choosing not to use Secure Sockets Layer (SSL) for the FTP site.
o You configured Basic Authentication to the FTP site, and created an authorization rule
that allows the administrator account both "Read" and "Write" permissions for the FTP
site.
2. You configured the FTP site to use an IIS 7 Manager account:
o You enabled IIS 7 Manager Authentication.
o You granted access to the site for an IIS 7 manager account.
o You created an authorization rule that allows the IIS 7 manager account both "Read"
and "Write" permissions for the FTP site.

Additional Information
After completing all of the steps in the Configuring the IIS 7 Management Service and
Creating a New FTP Site and Configuring an IIS Manager account sections of this
walkthrough, you are now able to log in using the "ftpmanager" account that you created. To use
the command-line FTP.EXE client on your IIS server:
1. Open a command prompt.

2. Type the following command:

FTP localhost
3. When prompted for your USER name, enter your user name and password. For example:
USER ftpmanager
PASS ********

4. The FTP service should log you into the FTP site using the IIS 7 Manager account.