FTP Site Over SSL In IIS

In this article, we will create an FTP Site with Basic Authentication over SSL in IIS.

Refresher:

Authentication: Is the process of proving that you are who you say you are.

Authorization: Is the act of granting an authenticated party permission to do something. It specifies what data you’re allowed to access and what you can do with that data.

Explicit FTPS: FTP sites and clients use port 21 for the control channel, and the server and client will negotiate secondary ports for data channel connections. In a typical FTP request, an FTP client will connect to an FTP site over the control channel, and then the client can negotiate SSL/TLS with the server for either the control channel or the data channel.

Implicit FTPS: FTP sites and clients use port 21 for the control channel, and the server and client will negotiate secondary ports for data channel connections. In a typical FTP request, an FTP client will connect to an FTP site over the control channel, and then the client can negotiate SSL/TLS with the server for either the control channel or the data channel.

Our first goal is to create an FTP Site with Anonymous Authentication.

First you will need to install FTP Server, and the Extensibility if you do require it.

Go to your IIS Manager

Right click in “Sites” and “Add FTP Site…”

Give it a name and set the Physical path:

Add the IP and select “No SSL” for now.

This is what I have at that path:

It is not a good idea to use hostname in FTP protocol. If not used correctly, it can cause a lot of issues.

As for Authentication let us use “Anonymous” and for Authorization “Anonymous users”.

We will change this later on, but we need to make sure that the ftp site is working.

Open Command Prompt and enter as:

User: anonymous

Password: anonymous

Our basic FTP Site is working fine.

Now let us remove Anonymous Authentication and enable Basic authentication.

Before doing this, I will create “FTP_Users” group and add my account to that group. This is optional.

Go to FTP Authentication module and disabled Anonymous while enabling Basic.

Go to FTP Authorization Rules, remove the rule that allows anonymous users.

Add a new rule to allow “FTP_Users”

Test

It is now working with Basic Authentication.

Our next task is to enable FTPS functionality

Go to FTP SSL Settings

Select your certificate and the Policy. I will allow both SSL and non SSL connections. If you only want to allow SSL connections select the second option and if you want to customize it go with third option.

For testing purposes for SSL we need some software like WinSCP or FileZilla.

I will test both of them.

WinSCP

However this will give us an error:

This is because FTPS has two “modes”. We have explicit FTPS (ftpes://) and implicit FTPS (ftps://).

When we actually configured FTP Site and SSL settings, as we just did with no additional configuration, we are good to go with “ftpes://” but not with “ftps://”

Testing for Explicit FTPS (ftpes://)

Testing for Implicit FTPS (ftps://)

Create an ftp binding on port 990

FileZilla

“ftpes://10.0.0.5” => Explicit FTPS

And with this, we configured our FTP Site with Basic Authentication over SSL. Our site is working with implicit and explicit SSL.

Conclusions:

  • Authentication is the process of proving that you are who you say you are.
  • Authorization is the act of granting an authenticated party permission to do something.
  • FTPS has two forms: explicit FTPS (ftpes://) and implicit FTPS (ftps://).
  • Implicit FTPS requires TCP Port 990.

Resources

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store