Did you know: Configure Client Certificate Mapping in FTP 7.5 - Part 3

In this post, we will create an FTP site in IIS and configure it to use client certificates.

Create FTP Site:

  1. Open IIS Manager and right click on Sites Folder
  2. Click Add FTP Site…

  3. Enter the FTP site name and select the Physical path for the site, then click Next

  4. Select the Binding and SSL settings as shown. Under SSL Certificate, I have selected “newftpsite”, the server certificate we requested above. Click Next

  5. We won’t be selecting any authentication methods here. Under Authentication, select All Users and select the Read and Write permissions. Click Finish.

Create User home directory:

  1. Right click on the FTP Site (newftpsite), click Explore
  2. Create a folder with the domain name (in our case contoso)
  3. Create a folder with the user name (bmayer in our case)
  4. Right click on the folder (bmayer) and click Properties
  5. Click Security, click Advanced
  6. Click Change Permissions…
  7. Uncheck Include inheritable permissions from this object’s parent, click Add
  8. Select Users, CREATOR OWNER and TrustedInstaller and click Remove
  9. Click OK twice
  10. Click Edit…
  11. Click Add… and add user name (bmayer)
  12. Give Modify permission for the account
  13. Click OK twice

Let us now quickly verify FTP Settings:

FTP Authentication

FTP Authorization Rules

FTP SSL Settings

FTP User Isolation
We have selected User name directory (disable global virtual directories)

Let us now examine applicationHost.config and enable Client Certificate for the FTP site. There is no UI to enable Client Certificate, so we need to add the following elements by hand:

<sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="true" />

and

<clientCertAuthentication enabled="true" />

The first element goes directly under <security>, and the second goes inside <authentication>. With both added, the site entry looks like this:

<site name="newftpsite" id="2">
  <application path="/">
    <virtualDirectory path="/" physicalPath="C:\inetpub\ftproot" />
  </application>
  <bindings>
    <binding protocol="ftp" bindingInformation="*:21:" />
  </bindings>
  <ftpServer>
    <security>
      <ssl serverCertHash="1AB9D34BE5F01B3A213FFEAE1556E180B8BB7BAE" ssl128="true" controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
      <sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="true" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="false" />
        <clientCertAuthentication enabled="true" />
      </authentication>
    </security>
    <userIsolation mode="IsolateAllDirectories">
      <activeDirectory />
    </userIsolation>
  </ftpServer>
</site>
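
An added example, not part of the original post: since these settings have no UI, one way to confirm what actually landed in applicationHost.config is to parse it and compare every FTP site against the values configured above. The sample XML and the site name legacyftp are constructed; the check reads only attributes written explicitly on the site and does not resolve siteDefaults, so an unset attribute is reported as a finding.

```python
import xml.etree.ElementTree as ET

# Constructed sample: this post's site plus a hypothetical weaker one ("legacyftp").
SAMPLE = """<sites>
  <site name="newftpsite" id="2">
    <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
    <ftpServer><security>
      <ssl controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
      <sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="true" />
      <authentication>
        <anonymousAuthentication enabled="false" /><basicAuthentication enabled="false" />
        <clientCertAuthentication enabled="true" />
      </authentication>
    </security></ftpServer></site>
  <site name="legacyftp" id="3">
    <bindings><binding protocol="ftp" bindingInformation="*:2121:" /></bindings>
    <ftpServer><security>
      <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslRequire" />
      <authentication><basicAuthentication enabled="true" /></authentication>
    </security></ftpServer></site>
</sites>"""

# (path under ftpServer/security, attribute, value this post configures)
EXPECTED = [
    ("ssl", "controlChannelPolicy", "SslRequire"),
    ("ssl", "dataChannelPolicy", "SslRequire"),
    ("sslClientCertificates", "clientCertificatePolicy", "CertRequire"),
    ("sslClientCertificates", "useActiveDirectoryMapping", "true"),
    ("authentication/anonymousAuthentication", "enabled", "false"),
    ("authentication/basicAuthentication", "enabled", "false"),
    ("authentication/clientCertAuthentication", "enabled", "true"),
]


def audit_ftp_sites(xml_text):
    """Return {site name: [findings]} for each site with an FTP binding.
    Attributes that are absent count as findings (defaults are not resolved)."""
    results = {}
    for site in ET.fromstring(xml_text).iter("site"):
        if site.find("bindings/binding[@protocol='ftp']") is None:
            continue  # not an FTP site
        sec = site.find("ftpServer/security")
        findings = []
        for path, attr, want in EXPECTED:
            node = sec.find(path) if sec is not None else None
            got = node.get(attr) if node is not None else None
            if (got or "").lower() != want.lower():
                findings.append(f"{path}/@{attr}: expected {want}, found {got or 'unset'}")
        results[site.get("name")] = findings
    return results
```

To audit a real server, pass the contents of applicationHost.config to audit_ftp_sites instead of SAMPLE; the function finds site elements at any depth.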

OK, so we are good for today. Next, we will install a user certificate, map it to an account, and then test FTPS using a client. Stay tuned…

Hope this helps,
Vivek Kumbhar


Quote of the day:
I shot an arrow into the air, and it stuck. - Graffito