FTP Anonymous Authentication <anonymousAuthentication>

Overview

The <anonymousAuthentication> element specifies the settings for anonymous access. This form of authentication allows access to an FTP site without a user account on your server or domain, and is most often used for public FTP sites.

Anonymous users will typically log in by using a user name of ftp or anonymous, and most users will use their e-mail address as a password, although this is not required.

Compatibility

Version Notes
IIS 10.0 The <anonymousAuthentication> element was not modified in IIS 10.0.
IIS 8.5 The <anonymousAuthentication> element was not modified in IIS 8.5.
IIS 8.0 The <anonymousAuthentication> element was not modified in IIS 8.0.
IIS 7.5 The <anonymousAuthentication> element of the <authentication> element ships as a feature of IIS 7.5.
IIS 7.0 The <anonymousAuthentication> element of the <authentication> element was introduced in FTP 7.0, which was a separate download for IIS 7.0.
IIS 6.0 The <ftpServer> element and its child elements replace the IIS 6.0 FTP settings that were located in the LM/MSFTPSVC metabase path.

Note

The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:

https://www.iis.net/expand/FTP

With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.

Setup

To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.

Windows Server 2012 or Windows Server 2012 R2

  1. On the taskbar, click Server Manager.

  2. In Server Manager, click the Manage menu, and then click Add Roles and Features.

  3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.

  4. On the Server Roles page, expand Web Server (IIS), and then select FTP Server.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will need to select FTP Extensibility, in addition to FTP Service.
    Screenshot that shows F T P Extensibility selected for Windows Server 2012. .

  5. Click Next, and then on the Select features page, click Next again.

  6. On the Confirm installation selections page, click Install.

  7. On the Results page, click Close.

Windows 8 or Windows 8.1

  1. On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.

  2. In Control Panel, click Programs and Features, and then click Turn Windows features on or off.

  3. Expand Internet Information Services, and then select FTP Server.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
    Screenshot that shows F T P Extensibility selected for Windows 8.

  4. Click OK.

  5. Click Close.

Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.

  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).

  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.

  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.

  5. Select FTP Service.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
    Screenshot that shows F T P Service selected for Windows Server 2008.

  6. Click Next.

  7. On the Confirm Installation Selections page, click Install.

  8. On the Results page, click Close.

Windows 7

  1. On the taskbar, click Start, and then click Control Panel.

  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.

  3. Expand Internet Information Services, and then FTP Server.

  4. Select FTP Service.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
    Screenshot that shows F T P Extensibility selected for Windows 7

  5. Click OK.

Windows Server 2008 or Windows Vista

  1. Download the installation package from the following URL:

  2. Follow the instructions in the following walkthrough to install the FTP service:

How To

How to enable or disable Anonymous authentication for an FTP site

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:

      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:

      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, expand the server name, expand the Sites node, and then click the name of the site.

  3. In the site's Home pane, double-click the FTP Authentication feature.

  4. On the FTP Authentication page, select Anonymous Authentication.

  5. In the Actions pane, click Enable to enable Anonymous authentication or click Disable to disable Anonymous authentication.
    Screenshot that shows the F T P Authentication pane. Anonymous and Basic Authentication is listed under Mode.


How to use the FTP Site Wizard to Create an FTP Site with Anonymous Read Access

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:

      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:

      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, click the Sites node in the tree.

  3. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.

  4. When the Add FTP Site wizard appears:

    • Enter "My New FTP Site" in the FTP site name box.

    • For the Physical path box, you can use one of the following options to specify your content directory:

      • Click the ellipsis (...) button, and then navigate to the folder that contains the content for your FTP site.
      • Type in the path to your content folder in the box. Note that if you choose to type the path, you can use environment variables in your paths. For example, you can use "%SystemDrive%\inetpub\ftproot" for your content directory.
    • When you have completed these items, click Next.
      Screenshot that shows the Site Information page for the Add F T P Site dialog box.

  5. On the second page of the Add FTP Site wizard:

    • Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of "All Unassigned."

    • Enter the TCP/IP port for the FTP site in the Port box. By default, FTP sites and clients use port 21. (Note: To specify Implicit FTPS, you need to use port 990.)

    • To use an FTP virtual host name, select the box for Enable Virtual Host Names, then enter the virtual host name in the Virtual Host box.

    • For the SSL options, choose one of the following options:

      • Select No SSL to disable the SSL options.
      • Select Allow SSL to allow FTP clients to optionally use FTP over SSL when they connect with the FTP server.
      • Select Require SSL to allow FTP clients to always use FTP over SSL when they connect with the FTP server.
      • If you choose Allow SSL or Require SSL, choose a certificate from the SSL Certificate drop-down menu.
    • When you have completed these items, click Next.
      Screenshot that shows the Bindings and S S L Settings page for the Add F T P Site dialog box.

  6. On the next page of the wizard:

    • Select Anonymous for the Authentication settings.
    • For the Authorization settings, choose "Anonymous users" from the Allow access to drop-down.
    • Select Read for the Permissions option.
    • When you have completed these items, click Finish.
      Screenshot that shows the Authentication and Authorization page for the Add F T P Site dialog box.

Configuration

The <anonymousAuthentication> element is configured at the site level.

Attributes

Attribute Description
defaultLogonDomain Optional string attribute.

Specifies the default domain for anonymous user account lookups.

The default value is NT AUTHORITY.
enabled Optional Boolean attribute.

Specifies whether Anonymous authentication is enabled.

The default value is false.
logonMethod Optional enum attribute.

Specifies the logon type for the anonymous user as interpreted by LogonUser Win32 API.
Value Description
Interactive Specifies the interactive logon type.

The numeric value is 0.
Batch Specifies the batch logon type.

The numeric value is 1.
Network Specifies the network logon type.

The numeric value is 2.
ClearText Specifies the clear text logon type.

The numeric value is 3.
The default value is ClearText.
password Optional string attribute.

Specifies the password for the anonymous user account.

There is no default value.
userName Optional string attribute.

Specifies the user name for the anonymous user account.

The default value is IUSR.

Child Elements

None.

Configuration Sample

The following sample illustrates several configuration settings in the <ftpServer> element for an FTP site. More specifically, the <site> settings in this example demonstrate how to:

  • Create an FTP site and add the binding for the FTP protocol on port 21.
  • Configure the FTP SSL options to allow secure access on both the control and data channel using a certificate.
  • Disable Anonymous authentication and enable Basic authentication for FTP.
  • Deny access for FTP SYST command.
  • Specify the UNIX directory listing format.
  • Configure the logging options.
  • Specify a customized welcome message and enable local detailed error messages.
  • Specify that users will start in a home directory that is based on their login name, but only if that directory exists.
<site name="ftp.example.com" id="5">
  <application path="/">
    <virtualDirectory path="/" physicalPath="c:\inetpub\www.example.com" />
  </application>
  <bindings>
    <binding protocol="ftp" bindingInformation="*:21:" />
  </bindings>
  <ftpServer>
    <security>
      <ssl controlChannelPolicy="SslAllow"
         dataChannelPolicy="SslAllow"
         serverCertHash="57686f6120447564652c2049495320526f636b73" />
      <authentication>
        <basicAuthentication enabled="true" />
        <anonymousAuthentication enabled="false" />
      </authentication>
      <commandFiltering maxCommandLine="4096" allowUnlisted="true">
        <add command="SYST" allowed="false" />
      </commandFiltering>
    </security>
    <directoryBrowse showFlags="StyleUnix" />
    <logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, FtpStatus, Win32Status, ServerPort, FtpSubStatus, Session, FullPath, Info" />
    <messages expandVariables="true"
       greetingMessage="Welcome %UserName%!"
       allowLocalDetailedErrors="true" />
    <userIsolation mode="StartInUsersDirectory" />
  </ftpServer>
</site>

Sample Code

The following examples enable Anonymous authentication for an FTP site with the password attribute set to "PW", and the userName attribute set to "AUSR".

AppCmd.exe

appcmd.exe set config -section:system.applicationHost/sites /[name='ftp.example.com'].ftpServer.security.authentication.anonymousAuthentication.enabled:"TRUE" /commit:apphost

appcmd.exe set config -section:system.applicationHost/sites /[name='ftp.example.com'].ftpServer.security.authentication.anonymousAuthentication.password:"PW" /commit:apphost

appcmd.exe set config -section:system.applicationHost/sites /[name='ftp.example.com'].ftpServer.security.authentication.anonymousAuthentication.userName:"AUSR" /commit:apphost

Note

You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.

C#

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
    private static void Main()
    {
        using (ServerManager serverManager = new ServerManager())
        {
            Configuration config = serverManager.GetApplicationHostConfiguration();
            ConfigurationSection sitesSection = config.GetSection("system.applicationHost/sites");
            ConfigurationElementCollection sitesCollection = sitesSection.GetCollection();

            ConfigurationElement siteElement = FindElement(sitesCollection, "site", "name", @"ftp.example.com");
            if (siteElement == null) throw new InvalidOperationException("Element not found!");

            ConfigurationElement ftpServerElement = siteElement.GetChildElement("ftpServer");
            ConfigurationElement securityElement = ftpServerElement.GetChildElement("security");
            ConfigurationElement authenticationElement = securityElement.GetChildElement("authentication");
            ConfigurationElement anonymousAuthenticationElement = authenticationElement.GetChildElement("anonymousAuthentication");
            anonymousAuthenticationElement["enabled"] = true;
            anonymousAuthenticationElement["password"] = "PW";
            anonymousAuthenticationElement["userName"] = "AUSR";

            serverManager.CommitChanges();
        }
    }

   private static ConfigurationElement FindElement(ConfigurationElementCollection collection, string elementTagName, params string[] keyValues)
   {
      foreach (ConfigurationElement element in collection)
      {
         if (String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase))
         {
            bool matches = true;
            for (int i = 0; i < keyValues.Length; i += 2)
            {
               object o = element.GetAttributeValue(keyValues[i]);
               string value = null;
               if (o != null)
               {
                  value = o.ToString();
               }
               if (!String.Equals(value, keyValues[i + 1], StringComparison.OrdinalIgnoreCase))
               {
                  matches = false;
                  break;
               }
            }
            if (matches)
            {
               return element;
            }
         }
      }
      return null;
   }
}

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample
    Sub Main()
        Dim serverManager As ServerManager = New ServerManager
        Dim config As Configuration = serverManager.GetApplicationHostConfiguration
        Dim sitesSection As ConfigurationSection = config.GetSection("system.applicationHost/sites")
        Dim sitesCollection As ConfigurationElementCollection = sitesSection.GetCollection

        Dim siteElement As ConfigurationElement = FindElement(sitesCollection, "site", "name", "ftp.example.com")
        If (siteElement Is Nothing) Then
            Throw New InvalidOperationException("Element not found!")
        End If

        Dim ftpServerElement As ConfigurationElement = siteElement.GetChildElement("ftpServer")
        Dim securityElement As ConfigurationElement = ftpServerElement.GetChildElement("security")
        Dim authenticationElement As ConfigurationElement = securityElement.GetChildElement("authentication")
        Dim anonymousAuthenticationElement As ConfigurationElement = authenticationElement.GetChildElement("anonymousAuthentication")
        anonymousAuthenticationElement("enabled") = True
        anonymousAuthenticationElement("password") = "PW"
        anonymousAuthenticationElement("userName") = "AUSR"

        serverManager.CommitChanges()
    End Sub

   Private Function FindElement(ByVal collection As ConfigurationElementCollection, ByVal elementTagName As String, ByVal ParamArray keyValues() As String) As ConfigurationElement
      For Each element As ConfigurationElement In collection
         If String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase) Then
            Dim matches As Boolean = True
            Dim i As Integer
            For i = 0 To keyValues.Length - 1 Step 2
               Dim o As Object = element.GetAttributeValue(keyValues(i))
               Dim value As String = Nothing
               If (Not (o) Is Nothing) Then
                  value = o.ToString
               End If
               If Not String.Equals(value, keyValues((i + 1)), StringComparison.OrdinalIgnoreCase) Then
                  matches = False
                  Exit For
               End If
            Next
            If matches Then
               Return element
            End If
         End If
      Next
      Return Nothing
   End Function


End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST");
var sitesCollection = sitesSection.Collection;

var siteElementPos = FindElement(sitesCollection, "site", ["name", "ftp.example.com"]);
if (siteElementPos == -1) throw "Element not found!";
var siteElement = sitesCollection.Item(siteElementPos);

var ftpServerElement = siteElement.ChildElements.Item("ftpServer");
var securityElement = ftpServerElement.ChildElements.Item("security");
var authenticationElement = securityElement.ChildElements.Item("authentication");
var anonymousAuthenticationElement = authenticationElement.ChildElements.Item("anonymousAuthentication");
anonymousAuthenticationElement.Properties.Item("enabled").Value = true;
anonymousAuthenticationElement.Properties.Item("password").Value = "PW";
anonymousAuthenticationElement.Properties.Item("userName").Value = "AUSR";

adminManager.CommitChanges();

function FindElement(collection, elementTagName, valuesToMatch) {
   for (var i = 0; i < collection.Count; i++) {
      var element = collection.Item(i);
      if (element.Name == elementTagName) {
         var matches = true;
         for (var iVal = 0; iVal < valuesToMatch.length; iVal += 2) {
            var property = element.GetPropertyByName(valuesToMatch[iVal]);
            var value = property.Value;
            if (value != null) {
               value = value.toString();
            }
            if (value != valuesToMatch[iVal + 1]) {
               matches = false;
               break;
            }
         }
         if (matches) {
            return i;
         }
      }
   }
   return -1;
}

VBScript

Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST")
Set sitesCollection = sitesSection.Collection

siteElementPos = FindElement(sitesCollection, "site", Array("name", "ftp.example.com"))
If siteElementPos = -1 Then
WScript.Echo "Element not found!"
WScript.Quit
End If
Set siteElement = sitesCollection.Item(siteElementPos)

Set ftpServerElement = siteElement.ChildElements.Item("ftpServer")
Set securityElement = ftpServerElement.ChildElements.Item("security")
Set authenticationElement = securityElement.ChildElements.Item("authentication")
Set anonymousAuthenticationElement = authenticationElement.ChildElements.Item("anonymousAuthentication")
anonymousAuthenticationElement.Properties.Item("enabled").Value = True
anonymousAuthenticationElement.Properties.Item("password").Value = "PW"
anonymousAuthenticationElement.Properties.Item("userName").Value = "AUSR"

adminManager.CommitChanges()

Function FindElement(collection, elementTagName, valuesToMatch)
   For i = 0 To CInt(collection.Count) - 1
      Set element = collection.Item(i)
      If element.Name = elementTagName Then
         matches = True
         For iVal = 0 To UBound(valuesToMatch) Step 2
            Set property = element.GetPropertyByName(valuesToMatch(iVal))
            value = property.Value
            If Not IsNull(value) Then
               value = CStr(value)
            End If
            If Not value = CStr(valuesToMatch(iVal + 1)) Then
               matches = False
               Exit For
            End If
         Next
         If matches Then
            Exit For
         End If
      End If
   Next
   If matches Then
      FindElement = i
   Else
      FindElement = -1
   End If
End Function