Did you know: Configure Client Certificate Mapping in FTP 7.5 - Part 3

by Vivek 3/4/2010 9:06:00 AM

In this post, we will create an FTP site on IIS and configure it to use client certificates.

Create FTP Site:

  1. Open IIS Manager and right-click the Sites folder
  2. Click Add FTP Site…
  3. Enter the FTP site name and select the Physical path for the site, then click Next
  4. Select the Binding and SSL settings as shown. Under SSL Certificate, I have selected “newftpsite”, the Server Certificate we requested above. Click Next
  5. We won’t be selecting any Authentication methods here. Under Authentication, select All Users and select Read, Write permissions. Click Finish.


Create User home directory:

  1. Right click on the FTP Site (newftpsite), click Explore
  2. Create a folder with the domain name (in our case contoso)
  3. Create a folder with the user name (bmayer in our case)
  4. Right click on the folder (bmayer) and click Properties
  5. Click Security, click Advanced
  6. Click Change Permissions…
  7. Uncheck Include inheritable permissions from this object’s parent, click Add
  8. Select Users, CREATOR OWNER and TrustedInstaller and click Remove
  9. Click OK twice
  10. Click Edit…
  11. Click Add… and add the user name (bmayer)
  12. Give the account Modify permission
  13. Click OK twice

Let us now quickly verify FTP Settings:

FTP Authentication


FTP Authorization Rules


FTP SSL Settings


FTP User Isolation
We have selected User name directory (disable global virtual directories)


Let us now examine applicationHost.config and enable client certificates for the FTP site. There is no UI to enable client certificates, so we need to add the following text to the site's configuration:

<sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="true" />
<clientCertAuthentication enabled="true" />

<site name="newftpsite" id="2">
  <application path="/">
    <virtualDirectory path="/" physicalPath="C:\inetpub\ftproot" />
  </application>
  <bindings>
    <binding protocol="ftp" bindingInformation="*:21:" />
  </bindings>
  <ftpServer>
    <security>
      <ssl serverCertHash="1AB9D34BE5F01B3A213FFEAE1556E180B8BB7BAE" ssl128="true"
           controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
      <sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="true" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="false" />
        <clientCertAuthentication enabled="true" />
      </authentication>
    </security>
    <userIsolation mode="IsolateAllDirectories">
      <activeDirectory />
    </userIsolation>
  </ftpServer>
</site>
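Because these settings are edited by hand, a read-only check that they are all explicitly present is useful. The script below is an added example, not part of the original post or of IIS: it parses a constructed copy of the site's security block and reports each setting against the value this setup depends on. `Test-FtpClientCertConfig` is a hypothetical helper name, and `[pscustomobject]` assumes PowerShell 3.0 or later.

```powershell
# Constructed sample: the security-relevant part of the post's <site> element.
# On a server, load %windir%\System32\inetsrv\config\applicationHost.config instead.
[xml]$sample = @'
<site name="newftpsite" id="2">
  <ftpServer>
    <security>
      <ssl ssl128="true" controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
      <sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="true" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="false" />
        <clientCertAuthentication enabled="true" />
      </authentication>
    </security>
  </ftpServer>
</site>
'@

# Hypothetical helper (not an IIS cmdlet): emits one result row per setting.
function Test-FtpClientCertConfig {
    param([xml]$Config, [string]$SiteName)
    $security = $Config.SelectSingleNode("//site[@name='$SiteName']/ftpServer/security")
    if ($null -eq $security) { throw "No <ftpServer>/<security> element for site '$SiteName'" }
    # Element path under <security>, attribute name, value the setup depends on.
    $expected = @(
        @('ssl', 'controlChannelPolicy', 'SslRequire'),
        @('ssl', 'dataChannelPolicy', 'SslRequire'),
        @('sslClientCertificates', 'clientCertificatePolicy', 'CertRequire'),
        @('sslClientCertificates', 'useActiveDirectoryMapping', 'true'),
        @('authentication/anonymousAuthentication', 'enabled', 'false'),
        @('authentication/basicAuthentication', 'enabled', 'false'),
        @('authentication/clientCertAuthentication', 'enabled', 'true')
    )
    foreach ($rule in $expected) {
        $node = $security.SelectSingleNode($rule[0])
        # An absent attribute is reported as not set: its effective value then comes
        # from siteDefaults or the schema default, which this check does not resolve.
        $actual = '(not set)'
        if ($null -ne $node -and $node.HasAttribute($rule[1])) { $actual = $node.GetAttribute($rule[1]) }
        [pscustomobject]@{
            Setting  = "$($rule[0])/@$($rule[1])"
            Expected = $rule[2]
            Actual   = $actual
            Pass     = ($actual -ieq $rule[2])
        }
    }
}

Test-FtpClientCertConfig -Config $sample -SiteName 'newftpsite' | Format-Table -AutoSize
```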

OK, so we are good for today. Next, we will Install a User Certificate, map it to an account and then test FTPS using a client. Stay tuned…

Hope this helps,
Vivek Kumbhar

Quote of the day:
I shot an arrow into the air, and it stuck. - Graffito
