Enabling Active Directory Isolation mode for FTP to work for trusted domain users

Let's consider a scenario wherein we have an FTP site hosted on an IIS Server and we are trying to setup the site to work in Active Directory (AD) Isolation mode. Now things should work just fine if we have the setup done properly. I have talked about general setup and common issues with FTP sites here.

This should work fine for domain users who are in the same domain as the IIS server (let's say Domain 1). Note that AD isolation mode is supported for domain users only, not for local users. Now consider a scenario wherein you want FTP to work for users from a different domain (let's say Domain 2). This is not as simple as just running the iisftp.vbs script on the IIS server to set the FTP Root and FTP directory properties for Domain 2 users.

When you try to set this up you will see something like this:

C:\WINDOWS\system32>cscript iisftp.vbs /setadprop test1 ftproot "C:\inetpub"
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

User test1 was not found in Active Directory.

[Here assuming test1 to be a domain 2 account and we are running this script on the IIS server which is in Domain 1]

This is expected since test1 is not a Domain 1 account, and hence iisftp.vbs won't be able to find it in Active Directory. By default, iisftp.vbs only searches the domain in which it is running, and since we are running it in IIS's domain (i.e. Domain 1) it fails. This is a limitation of the script.

Before you can set the FTP root and FTP directory properties for users of a different domain (one to which the IIS server doesn't belong), make sure that domain has a trust relationship with IIS's domain.

Also, to set the above properties we need to run iisftp.vbs manually on a machine which belongs to Domain 2. You may see this error when you run the script there:

Could not create an instance of the IIsScriptHelper object.
Please register the Microsoft.IIsScriptHelper component.
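As an added example (not part of the original post, and not the iisftp.vbs approach the post describes), the following PowerShell uses the Active Directory module to do from a Domain 1 machine what the post says iisftp.vbs cannot: it checks that the trust with Domain 2 exists, then reads and writes the two AD user attributes that FTP user isolation relies on. The attribute names msIIS-FTPRoot and msIIS-FTPDir are the ones IIS reads for AD isolation; the domain names, the user name and the UNC root are placeholders, and writing the attributes assumes the account running the script has write permission on the user object in Domain 2.

```powershell
# Added example, not from the original post. Verifies the trust and sets the
# FTP isolation attributes on a user in the trusted domain by targeting that
# domain's DC directly, instead of running iisftp.vbs on a Domain 2 machine.
Import-Module ActiveDirectory

$iisDomain     = 'domain1.example'   # placeholder: domain the IIS server belongs to
$trustedDomain = 'domain2.example'   # placeholder: domain the FTP user belongs to
$userName      = 'test1'             # placeholder: sAMAccountName in the trusted domain
$ftpRoot       = '\\fileserver\ftproot'   # placeholder: root share for isolated users

# 1. The post's first requirement: Domain 1 must trust Domain 2.
$trust = Get-ADTrust -Filter "Name -eq '$trustedDomain'" -Server $iisDomain
if (-not $trust) {
    throw "No trust relationship from $iisDomain to $trustedDomain; fix this before configuring isolation."
}
"Trust found: $($trust.Name) direction=$($trust.Direction)"

# 2. iisftp.vbs only searches the domain it runs in, which is why it reports
#    'User test1 was not found in Active Directory'. Querying the trusted
#    domain's DC explicitly with -Server avoids that limitation.
$user = Get-ADUser -Identity $userName -Server $trustedDomain `
            -Properties 'msIIS-FTPRoot', 'msIIS-FTPDir'
"Before: root='$($user.'msIIS-FTPRoot')' dir='$($user.'msIIS-FTPDir')'"

# 3. Write the same two properties iisftp.vbs /setadprop would set
#    (FTPRoot and FTPDir). Each user gets a subdirectory named after them
#    under the shared root, so isolation keeps users out of each other's folders.
Set-ADUser -Identity $user -Server $trustedDomain -Replace @{
    'msIIS-FTPRoot' = $ftpRoot
    'msIIS-FTPDir'  = $userName
}

# 4. Read the values back to confirm the change landed in Domain 2.
Get-ADUser -Identity $userName -Server $trustedDomain `
    -Properties 'msIIS-FTPRoot', 'msIIS-FTPDir' |
    Select-Object SamAccountName, 'msIIS-FTPRoot', 'msIIS-FTPDir'
```

The read-back in step 4 is the check worth keeping even if you set the attributes some other way: if msIIS-FTPRoot or msIIS-FTPDir is empty on the Domain 2 user object, the IIS FTP service has nothing to isolate the user into and the logon will fail regardless of the trust.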

Active Directory, FTP, IIS, Domain, Tips, Tricks, Knowledgebase