Authentication Integration for Windows

From zFTPServer Wiki

This extension allows zFTPServer to authenticate users against a Windows SAM, domain, server or Active Directory, making user management a breeze. Apart from the few selected examples below, this feature has a great deal of power waiting to be harnessed...

Overview

The following authentication methods are included:

  • Using an Active Directory / Domain
  • Using a Windows Server (Local or Remote)

Additions to the account management: with this extension, accounts in zFTPServer can be connected to Windows accounts. Applied to a user, the connection specifies that account's settings, such as login limits, bandwidth management and special home directory contents. Applied to a group, it specifies defaults for all users belonging to that Windows group, making the management of thousands of accounts a breeze.

Seamless authentication at login

Accounts and settings in zFTPServer always take precedence, so zFTPServer checks, in this order, whether the user...

  1. ...exists as a regular account in zFTPServer?
  2. ...exists as a Windows-connected account in zFTPServer?
  3. ...passes Windows authentication?

After acquiring the relevant user data, a regular login attempt to the FTP server is performed. This means that restrictions and security settings can be specified in zFTPServer on accounts (users and groups) that are connected to Windows accounts, effectively enforcing all these powerful features of zFTPServer on the Windows accounts trying to log in to the FTP server.

Group management works transparently with Windows Integration

Group management with hierarchical structures and multiple group memberships still applies to both user and group accounts in zFTPServer while using Windows Integration. Just as a zFTPServer account can be a member of multiple groups, the integration with Windows has the same power: if a Windows user is a member of several Windows groups, that user receives resources and security settings from all the Windows-integrated groups in zFTPServer, so that the home directory of a user logging in to the FTP server can be a composite of, for instance, "Management", "Economy" and personal data.

Actually, the power of this extension goes way beyond anything currently on the market for FTP servers. Despite all this power, it is still a very elegant and easy to use solution.

Enable all users to login through FTP

Once the general settings of zFTPServer are set up and the Windows server has been configured, there is basically just one thing to do: create a group account that is integrated with Windows. The Windows group "Users" is generally pre-installed, and all new Windows accounts are members of this group.

Step-by-step guide in zFTPServer

  1. Create a group called "Users".
  2. Integrate this account with Windows by checking the "Integrate with Windows group" option.
  3. Specify "Home Directory", "Restrictions", and "Security" as usual.

You might want to use the %USERNAME% token when defining the "Home Directory" to allow users to have their Windows directories as home directory in zFTPServer:

Aiw-users1.png

Or you can use the special tokens %AD_HOMEDIR%, %AD_COMMENT%, and %AD_SCRIPT% to access the corresponding settings from your Active Directory for the currently logged-on user.
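As an added illustration (not zFTPServer's own code) of the three-step lookup above, of the composite of settings a user receives from several integrated groups, and of the %USERNAME% and %AD_*% tokens, here is a small Python model; it also parses the pipe-separated domain list used in the multi-domain section further down. All account, group and directory data is constructed, and the AD attributes assumed behind the %AD_*% tokens (homeDirectory, comment, scriptPath) are an assumption.

```python
# Added model of the login resolution described on this page; not zFTPServer's
# own code. All accounts, groups and directory data below are constructed.

# 1. Regular zFTPServer accounts: checked first and always take precedence.
LOCAL_ACCOUNTS = {"ftpadmin": {"tls_required": False, "homes": ["C:\\ftp\\admin"]}}
# 2. zFTPServer user accounts connected to Windows ("Use Windows permissions").
WINDOWS_USERS = {"Alan": {"tls_required": True}}
# Group accounts integrated with Windows ("Integrate with Windows group").
WINDOWS_GROUPS = {
    "Users": {"homes": ["C:\\Users\\%USERNAME%"]},
    "Economy": {"homes": ["D:\\shares\\economy"]},
    "Management": {"homes": ["D:\\shares\\management"]},
}
# Constructed stand-in for the answers Windows / Active Directory would give.
AD_DIRECTORY = {
    "Alan": {"password": "correct horse", "groups": ["Users", "Management"],
             "homeDirectory": "\\\\fs01\\home\\Alan", "comment": "Finance lead",
             "scriptPath": "logon.bat"},
    "Bea": {"password": "pw", "groups": ["Users", "Economy"],
            "homeDirectory": "\\\\fs01\\home\\Bea", "comment": "", "scriptPath": ""},
}

def parse_domain_list(setting):
    """Split the pipe-separated domain list of the Authentication Integration settings."""
    return [d.strip().upper() for d in setting.split("|") if d.strip()]

def expand_tokens(template, username, ad_user):
    """Expand %USERNAME% and the %AD_*% tokens allowed in a Home Directory setting."""
    return (template.replace("%USERNAME%", username)
                    .replace("%AD_HOMEDIR%", ad_user["homeDirectory"])
                    .replace("%AD_COMMENT%", ad_user["comment"])
                    .replace("%AD_SCRIPT%", ad_user["scriptPath"]))

def resolve_login(domain, username, password, domain_setting):
    """Return the effective account settings for a login attempt, or None if refused."""
    if username in LOCAL_ACCOUNTS:                        # 1. regular account wins outright
        return dict(LOCAL_ACCOUNTS[username])
    if domain.upper() not in parse_domain_list(domain_setting):
        return None                                       # domain not configured: no Windows auth
    ad_user = AD_DIRECTORY.get(username)
    if ad_user is None or ad_user["password"] != password:
        return None                                       # 3. Windows authentication failed
    settings = {"tls_required": False, "homes": []}
    for group in ad_user["groups"]:                       # composite of every integrated group
        if group in WINDOWS_GROUPS:
            settings["homes"] += [expand_tokens(h, username, ad_user)
                                  for h in WINDOWS_GROUPS[group]["homes"]]
    settings.update(WINDOWS_USERS.get(username, {}))      # 2. user account overrides group defaults
    return settings
```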

Enforce special restrictions on a user

The Windows user "Alan" has access to very business-critical documents. If "Alan" is going to use FTP, we must require him to use secure connections so that the documents are not intercepted during transmission.

  1. The user "Alan" already exists in Windows.
  2. Create a user called "Alan" in zFTPServer and set this account to "Use Windows permissions".
  3. Specify which service(s) should be allowed on the "Security" tab.

Aiw-enforce1.png

Apply general FTP settings to a complete Windows-group

The existing Active Directory has been thoroughly set up with groups assigned to users as applicable. Among these groups is a group "Economy" that has to have access to certain documents.

  1. Create a group called "Economy" in zFTPServer.
  2. Integrate this group with Windows by checking the "Integrate with Windows group" option.
  3. Add resources as necessary, effectively giving the Windows users who log in access to all these files.

Aiw-groups1.png

Implementation of multiple domains with trusts

To make zFTPServer work with multiple domains, a trust between the domains has to be established, and all domain names need to be entered into the Authentication Integration settings, separated by pipes.

Multiple-domains.PNG

A trust is a relationship between domains, which makes it possible for users in one domain to be authenticated in the other domain. You can read more about trusts at Technet.

Example with two domains

In this example we have two domains, and zFTPServer is installed on a server in the domain Extranet. Extranet trusts Intranet, which means users from Intranet are able to access the FTP server with their AD accounts.

The zFTPServer service, which is installed on a server in the Extranet domain, has to run as an admin account from the domain Intranet (make sure that this admin account has sufficient permissions on the zFTPServer folder).

When the service is running as an admin from Intranet and both domains are added to the domain list (separated by pipes, "|"), users from both domains are able to access the server seamlessly!

One way trust.png