Enabling Active Directory Isolation mode for FTP to work for trusted domain users

Let's consider a scenario wherein we have an FTP site hosted on an IIS server and we are trying to set up the site to work in Active Directory (AD) isolation mode. Things should work just fine if the setup is done properly. I have talked about general setup and common issues with FTP sites here.

This should ideally work fine for domain users which are in the same domain as IIS (let's say Domain 1). Keep in mind that AD isolation mode is supported for domain users only, not local users. Now consider a scenario wherein you want FTP working for users from a different domain (let's say Domain 2). This is not as simple as just running the iisftp.vbs script on the IIS server to set the FTP root and FTP directory properties for Domain 2 users.

When you try to set this up you will see something like this:

C:\WINDOWS\system32>cscript iisftp.vbs /setadprop test1 ftproot "C:\inetpub"
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

User test1 was not found in Active Directory.

[Here we assume test1 is a Domain 2 account and we are running this script on the IIS server, which is in Domain 1.]

This is expected, since test1 is not a Domain 1 account and hence iisftp.vbs won't be able to find it in Active Directory. By default, iisftp.vbs only looks in the domain where it is running, and since we are running it in IIS's domain (i.e. Domain 1) it will fail. This is its limitation.

To be able to set the FTP root and FTP directory for users of a different domain (one to which IIS doesn't belong), first ensure that domain has a trust relationship with IIS's domain.

Also, to set the above properties we need to manually run iisftp.vbs on a machine which belongs to Domain 2. You may see this error when you run the script there:

Could not create an instance of the IIsScriptHelper object.
Please register the Microsoft.IIsScriptHelper component.

We need to ensure the two files IIsScHlp.wsc and IIsFtp.vbs are copied locally from a working machine (one where iisftp.vbs works, e.g. the IIS server). So if IIS is not installed on a machine in Domain 2, you can just copy these two files from the IIS server to the Domain 2 machine and register the IIsScHlp script component:

C:\FTP>regsvr32 iisschlp.wsc

You will get an alert like this:

[image: regsvr32 alert dialog]

Once done, you can run the iisftp script there.

Now once we have iisftp.vbs running fine on a Domain 2 machine, you can set the FTP root and FTP directory for the Domain 2 users using an account with admin privileges. iisftp.vbs makes the changes on the user account in AD and has nothing to do with IIS metabase settings.

So after this you can use /setadprop and /getadprop to set and get the FTP root and FTP directory settings for Domain 2 users.

Remember that in this case the FTP root should be a network share like \\server1\... etc.

The reason is that the FTP service running on the IIS server in Domain 1 must be able to access this location (or share). If we give a local path on a machine in Domain 2, the IIS FTP service has no way to access it, since it is running on the IIS server in Domain 1.
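As an added example (not from the original post, and not Microsoft's iisftp.vbs), the following PowerShell script does the same job as /getadprop and /setadprop but binds explicitly to the Domain 2 directory, so it can be run from the Domain 1 IIS server over the trust instead of needing a Domain 2 machine. It assumes the IIS 6 schema attributes msIIS-FTPRoot and msIIS-FTPDir (the attributes that iisftp.vbs writes; verify them in your schema), and $Domain / $User / $SetRoot / $SetDir are placeholders you supply. It also refuses to write an FTP root that is not a UNC share, which is the mistake described above.

```powershell
# Added example: read/set the IIS 6 FTP isolation attributes on a user in a trusted domain.
# Uses plain .NET DirectoryServices, so no RSAT module is needed.
param(
    [Parameter(Mandatory)] [string] $Domain,   # placeholder, e.g. "domain2.example.com"
    [Parameter(Mandatory)] [string] $User,     # sAMAccountName of the Domain 2 account (placeholder)
    [string] $SetRoot,                         # optional: new FTPRoot, must be \\server\share
    [string] $SetDir                           # optional: new FTPDir, relative to FTPRoot
)

# RFC 4515 escaping so an account name cannot alter the LDAP filter
function ConvertTo-LdapFilterLiteral([string] $s) {
    return (((($s -replace '\\', '\5c') -replace '\*', '\2a') -replace '\(', '\28') -replace '\)', '\29')
}

# The FTP service runs in Domain 1, so the root must be a reachable share, not a local path
function Test-FtpRootIsUnc([string] $Path) {
    return $Path -match '^\\\\[^\\]+\\[^\\]+'
}

# Bind to Domain 2 explicitly instead of the default (Domain 1) context that iisftp.vbs uses
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $User)))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$result = $searcher.FindOne()
if (-not $result) { throw "User $User was not found in $Domain" }

$entry   = $result.GetDirectoryEntry()
$ftpRoot = [string]$entry.Properties['msIIS-FTPRoot'].Value
$ftpDir  = [string]$entry.Properties['msIIS-FTPDir'].Value
Write-Host "DN:      $($entry.Properties['distinguishedName'].Value)"
Write-Host "FTPRoot: $ftpRoot"
Write-Host "FTPDir:  $ftpDir"

if ($SetRoot) {
    if (-not (Test-FtpRootIsUnc $SetRoot)) {
        throw "FTPRoot '$SetRoot' is not a UNC path (\\server\share); the Domain 1 FTP service could not reach it"
    }
    $entry.Properties['msIIS-FTPRoot'].Value = $SetRoot
    if ($SetDir) { $entry.Properties['msIIS-FTPDir'].Value = $SetDir }
    $entry.CommitChanges()   # needs write access to the user object in Domain 2 (admin over the trust)
    Write-Host "Updated FTPRoot/FTPDir for $User in $Domain"
}
elseif ($ftpRoot -and -not (Test-FtpRootIsUnc $ftpRoot)) {
    Write-Warning "FTPRoot '$ftpRoot' is a local path; the FTP service on the Domain 1 IIS server cannot access it"
}
```

Run it with just -Domain and -User to audit an existing account (it warns when the root is a local path), or add -SetRoot '\\server1\ftp' -SetDir 'test1' to write the values. The caller must have write rights on the user object in Domain 2, the same requirement iisftp.vbs has.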

Once done, if you access the FTP site from any machine, whether in Domain 1 or Domain 2, you should be able to log in with your own domain credentials (a Domain 1 or Domain 2 account), provided an FTP root and FTP directory have been set for your account in Domain 1 or Domain 2 as described above.

Happy FTP'ing ;-)
