Setting up user isolation and folder structure for Microsoft IIS 7.5 FTP Server

I am trying to set up a new FTP server using IIS 7.5. In this environment, there will be about 10 users which will need to remain separate and so I am planning to use user-isolation mode. I also need to have one general/admin user that will have access to the LocalUser root and am not sure how to do this.

The proposed folder structure would look something like this:

\inetpub\LocalUser
  \user1
  \user2
  \user3
  \Public  (for anonymous users)

What steps do I need to do in order to provide the admin user with access to the LocalUser root with user isolation mode active?  Would setting up a hard link work (e.g. MKLINK /D /H /J adminuser \inetpub\LocalUser)?  

Note, this is not an active directory environment.

Also, on a related note, when I attempt to test what I have set up now, my FTP client connects, then the session is immediately dropped by the remote host. Is there any way to turn up the logging level so I can see why sessions are getting dropped?

Thanks for the help here!
AltaSens Asked:
Brad Howe, DevOps Manager, Commented:
Hi,

Here is just an example from previous posts I have answered.

First, in FTP Authentication, do you have Basic Authorization enabled?

Secondly, in FTP Authorization Rules, did you specify all the users as:

Mode:Allow Users:administrator  Permissions:Read,Write
Mode:Allow Users:clientA        Permissions:Read
Mode:Allow Users:clientB        Permissions:Read

Are these domain users or locally created users? See physical directory path below for this question :)

IIS user isolation requires that the physical root directories be set up like this, matching the user ID.

D:\FTP Sites\LocalUser\administrator
D:\FTP Sites\LocalUser\ClientA
D:\FTP Sites\LocalUser\ClientB
D:\FTP Sites\LocalUser\ClientC

The KEY folder here is "LocalUser".

Don't forget to restrict permissions so that only administrators or the Machine\Client(A|B|C) can read/write to the specified physical folders.

USER ISOLATION:
Select the option "User name directory (disable global virtual directories) " in the FTP user isolation feature.

Now for the administrator. Here is the trick - create a virtual directory in IIS Manager under D:\FTP Sites\LocalUser\administrator\<call it Root or --Toplevel--> and have it point to D:\FTP Sites\. Now your admin can log in and go through all folders with isolation set up.

User Account Types               Physical Home Directory Syntax
  Anonymous users                %FtpRoot%\LocalUser\Public
  Local Windows user accounts    %FtpRoot%\LocalUser\%UserName%
  Windows domain accounts        %FtpRoot%\%UserDomain%\%UserName%
  IIS Manager or ASP.NET custom  %FtpRoot%\LocalUser\%UserName%


Let me know if you have any issues,

Hades666
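
The steps in the answer above, scripted as an added example (not part of the original post or of any Microsoft tooling beyond the cmdlets and `appcmd` it calls). It assumes an FTP site named `FTPSite` (a hypothetical name) already exists with its root at `D:\FTP Sites`, and that the local accounts are already created.

```powershell
# Added example: not from the original answer.
Import-Module WebAdministration

$site    = 'FTPSite'        # assumption: name of an FTP site that already exists
$ftpRoot = 'D:\FTP Sites'   # physical root from the answer
$appcmd  = "$env:windir\System32\inetsrv\appcmd.exe"
# Authorization rules from the answer; the local accounts are assumed to exist
$rules   = @{ administrator = 'Read,Write'; ClientA = 'Read'; ClientB = 'Read' }

# Basic authentication, and "User name directory (disable global virtual directories)"
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.userIsolation.mode -Value 'IsolateAllDirectories'

foreach ($user in $rules.Keys) {
    $userDir = Join-Path $ftpRoot "LocalUser\$user"
    New-Item -ItemType Directory -Path $userDir -Force | Out-Null

    # NTFS: remove inherited ACEs, then grant only Administrators and the owning account
    icacls $userDir /inheritance:r /grant 'BUILTIN\Administrators:(OI)(CI)F' "$($env:COMPUTERNAME)\${user}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $userDir" }

    # FTP authorization rule for this account
    Add-WebConfiguration '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $site `
        -Value @{ accessType = 'Allow'; users = $user; permissions = $rules[$user] }
}

# Admin-only virtual directory "Root" under the administrator home, pointing at the FTP root
& $appcmd add vdir "/app.name:$site/" '/path:/LocalUser/administrator/Root' "/physicalPath:$ftpRoot"

# Check: print the resulting ACL of each home directory
Get-ChildItem (Join-Path $ftpRoot 'LocalUser') | ForEach-Object {
    $_.FullName
    (Get-Acl $_.FullName).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

With the ACLs set this way, the `Root` virtual directory is only browsable by the admin account if that account is a member of Administrators; the other users' folders grant nothing else.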
 
imanushin Commented:
If you want to use IIS 7.5 in Windows 7, you can only bind a directory to a Windows user/group and use Windows Authentication.
If you want to use IIS 7.5 in Windows Server 2008 R2, you can add custom users in IIS and don't use Windows Authentication.

If you want to use FTP and auth with non-Windows users, I advise you to use FileZilla FTP Server. It can do it and it is free.
0
 
AltaSens (Author) Commented:
This is Windows Server 2008 R2; the server is not a member of the domain.

I am not sure how to add custom users in IIS, is this straightforward?
 
AltaSens (Author) Commented:
Hades -  you da man, that worked great!  Would it also work to use a file-system hard link?  I thought I had seen this before.
 
Brad Howe, DevOps Manager, Commented:
Glad it works for you.

I don't understand what you mean by a file-system hard link?

Hades666
 
AltaSens (Author) Commented:
Windows 2000 and higher supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. For example, if the directory D:\SYMLINK specified C:\WINNT\SYSTEM32 as its target, then an application accessing D:\SYMLINK\DRIVERS would in reality be accessing C:\WINNT\SYSTEM32\DRIVERS. Directory symbolic links are known as NTFS junctions in Windows.

Well, it seemed like a good idea but it didn't work so I'm going with the virtual directory idea.
 
AltaSens (Author) Commented:
THANK YOU!
 
Brad Howe, DevOps Manager, Commented:
Hm... Like the mklink feature of Vista/Win7.

I'll have to give this a shot. If I get it working, I'll let you know.

Cheers,
Hades666
 
NicoNL Commented:
#Hades666 Did you get mklink to work?

I have a Server 2008 FTP server with user isolation and domain user accounts. Two different accounts must write to one and the same folder. I wonder if I could solve this using a hardlink / mklink. I don't have a test lab at the moment to test this, so I was wondering if you got this to work.
Question has a verified solution.
