Microsoft KB Archive/247970

= How to Enable Pass-Through Authentication for FTP UNC Virtual Directories =

Article ID: 247970

Article Last Modified on 11/21/2006


APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1




This article was previously published under Q247970



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
When you create a File Transfer Protocol (FTP) virtual directory that points to a Universal Naming Convention (UNC) share on a different server, the credentials that are supplied to create the virtual directory are used to grant access to the virtual directory. The credentials that are used to log on to the FTP server through an FTP client are ignored for this purpose. You can configure the Internet Information Services (IIS) FTP service to pass the credentials that are supplied at the FTP logon to the remote share by setting up the IIS FTP service to use pass-through authentication.

Note that whenever a user logs on to an FTP server, the domain name, user name, and password are sent over the network without data encryption.



Enable Pass-Through Authentication
1. Create a virtual directory that points to a UNC share and specify valid account credentials to map to the UNC path.
2. Verify that you can connect to the remote share and that you can locate the virtual directory without errors.
3. Open a command prompt and change the directory to the location of Adsutil.vbs.

   Note By default, in IIS 5.0 and IIS 5.1, the file is located in the C:\Inetpub\Adminscripts folder. By default, in IIS 4.0, the file is located in the %systemroot%\System32\Inetsrv\Adminsamples folder.
4. At the command prompt, type the following (where # is the number of the FTP site and vdir is the name of the virtual directory that you created in step 1). The quotation marks with nothing between them set that value to nothing:

   adsutil set msftpsvc/#/root/vdir/UNCUserName ""

5. At the command prompt, type the following (where # is the number of the FTP site and vdir is the name of the virtual directory that you created in step 1). The quotation marks with nothing between them set that value to nothing:

   adsutil set msftpsvc/#/root/vdir/UNCPassword ""

6. At the command prompt, type the following:

   net stop iisadmin /y

7. At the command prompt, type the following:

   net start msftpsvc

The Internet Service Manager (ISM) now shows this virtual directory with the red error stop sign. This is typical because the ISM looks for a username and password on a UNC virtual directory, but none exists.

When your users connect and authenticate, the name that the users type is used to connect over the UNC connection to the remote share or content. The system administrator can now set share-level or NTFS-level permissions, and the user account that the client uses is the account that is used to check against the access control list (ACL) of these objects.

Note Any change to this virtual directory in the ISM changes the metabase settings back. If you change this virtual directory, you must perform the steps in this article again.
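
Because an ISM edit changes the metabase settings back, it helps to check which UNC virtual directories are still in pass-through mode. The following VBScript is an added example, not part of the original article: it reads the metabase through the IIS ADSI provider on the local machine and reports, for every FTP virtual directory whose path is a UNC share, whether UNCUserName is empty (pass-through) or holds a stored account. The script file name CheckFtpUnc.vbs is hypothetical.

```vbscript
' Added example (not from the KB article): audit FTP virtual directories that
' map to UNC shares. Assumes the IIS ADSI provider is available locally.
' Run with: cscript //nologo CheckFtpUnc.vbs   (hypothetical file name)
Option Explicit

Dim svc, site
Set svc = GetObject("IIS://localhost/MSFTPSVC")

' Each FTP site appears as an IIsFtpServer child named by its site number.
For Each site In svc
    If site.Class = "IIsFtpServer" Then
        WalkDir "IIS://localhost/MSFTPSVC/" & site.Name & "/Root", site.Name & "/root"
    End If
Next

' Inspect one virtual directory node, then recurse into nested virtual directories.
Sub WalkDir(adsPath, label)
    Dim node, child, path, user
    On Error Resume Next
    Set node = GetObject(adsPath)
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If
    path = node.Path
    user = node.UNCUserName
    Err.Clear
    On Error GoTo 0

    ' Only directories that point at a UNC share are relevant here.
    If Left(path, 2) = "\\" Then
        If Len(user) = 0 Then
            WScript.Echo "PASS-THROUGH  msftpsvc/" & label & " -> " & path
        Else
            ' The stored password is deliberately never read or printed.
            WScript.Echo "STORED CREDS  msftpsvc/" & label & " -> " & path & _
                         " (UNCUserName=" & user & ")"
        End If
    End If

    For Each child In node
        If child.Class = "IIsFtpVirtualDir" Then
            WalkDir adsPath & "/" & child.Name, label & "/" & child.Name
        End If
    Next
End Sub
```

A directory reported as STORED CREDS after it was previously configured for pass-through indicates that the settings were changed back and steps 4 through 7 must be repeated.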

Keywords: kbhowto KB247970


© Microsoft Corporation. All rights reserved.