Mastering IIS FTP

The Doorway Folder Trick

In the previous two parts we learned how to leverage virtual directories and physical folders to get a lot of control out of IIS FTP. Now, what if we want one site administrator to have access to more than one, but not all, of the directories in a site? How is this accomplished from within IIS FTP?

Objective: To create a customized login with access to some of the folders in a site.

Note: For the purpose of Part 3 and Part 4, I've decided to standardize on the word “Folder” when referring to something at the disk level, and “Directory” when referring to something within IIS.

Let's view this visually so that it's easier to see where we are heading. Below is a picture of a fresh server build on Windows Server 2003 with the Default FTP Site.

I've changed the FTP root path to d:\domains which points to 7 sites that we'll pretend that I manage. You can see the site names below.

Now, in this illustration we have two different site administrators, Scott and Matt. Scott needs access to all 7 sites but Matt should only have access to microsoft.com and msn.com.

So, with that in mind, let's create an FTP account for Matt. We want one that only displays microsoft.com and msn.com in his FTP program.

It's actually quite simple really. The trick is to create what I'll call a doorway folder.

A doorway folder is simply a folder that will serve as the first step or the doorway for a particular user. The trick is to create a set of “physical” folders and “virtual” directories that will work together to display to Matt what we want him to see.

First: Create the users

Depending on your situation, you may have existing Windows users set up for Scott and Matt already. But, in case this is a new account for a new user, be sure to create a user called Matt and another called Scott. These can be Local users from within Local Users and Groups or Active Directory users, depending on your environment.

Second: Create the “physical” folders

Next we'll create a folder that holds “physical”, but empty, subfolders matching the real ones we want the user to have access to. This is simply so that the FTP client program displays the two folders. Let's call the root folder FTProot and the subfolder Matt (d:\ftproot\matt), although either of these folders could be named anything. Now create two empty folders inside it named microsoft.com and msn.com. (See Part 2 if you're not sure why.) The security permissions on these folders need to give Matt at least List permissions.

Don't forget that Matt will need read and write permissions to d:\domains\microsoft.com and d:\domains\msn.com and he will need list permissions to d:\ftproot\dummyfolder and list permissions to d:\ftproot\matt.

Third: Create the “virtual” directories

Now we need to create the virtual directories that handle the redirecting. First, before we forget, if you remember from Part 1, I recommend pointing the root FTP directory to a dummy folder. So, let's create a folder in d:\ftproot called dummyfolder. Point the FTP root folder to this. Next, to handle the Scott user, create a virtual directory called Scott that points to d:\domains. Now, if Matt moves up a folder to the root folder, he won't have access to d:\domains. Instead he will be placed in d:\ftproot\dummyfolder, which is a dead end. See Part 1 for more on this.

Back to the virtual directories . . .

  • In IIS, create a virtual directory called Matt.
  • This should point to d:\ftproot\matt.
  • Off the Matt virtual directory, create 2 more virtual directories:
      • microsoft.com should point to d:\domains\microsoft.com
      • msn.com should point to d:\domains\msn.com
  • Spelling on these virtual directory names needs to be identical to the folders created in the second step above.
  • Don't forget to check read and write when creating the virtual directories if you want Matt to be able to read and write to the FTP account.

That's it!! I told you it was easy. Let's test it now.
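Before logging in, the planned mapping can be checked on paper. This is an added example, not part of the original article: a small Python audit that takes a constructed inventory of the virtual directories and folders from the steps above and reports missing placeholder folders, targets outside what the user is meant to reach, and copy-pasted targets. The function names and the input format are assumptions made for this illustration.

```python
import ntpath

def norm(p):
    # Windows paths are case-insensitive; pure string logic, no disk access.
    return ntpath.normcase(ntpath.normpath(p))

def audit_doorway(user, vdirs, folders, allowed):
    """vdirs: virtual path -> physical path; folders: folders present on disk;
    allowed: physical folders the user is meant to reach. Returns findings."""
    door = "/" + user
    if door not in vdirs:
        return [f"{door}: doorway virtual directory is missing"]
    door_path = norm(vdirs[door])
    on_disk = {norm(f) for f in folders}
    ok = {norm(a) for a in allowed}
    findings, seen = [], {}
    for vpath, target in sorted(vdirs.items()):
        if not vpath.startswith(door + "/"):
            continue
        name, tgt = vpath[len(door) + 1:], norm(target)
        # The client only lists the name if a same-named folder sits in the doorway.
        if ntpath.join(door_path, norm(name)) not in on_disk:
            findings.append(f"{vpath}: no placeholder folder under {vdirs[door]}")
        # Least privilege: the target must be an approved folder or inside one.
        if not any(tgt == a or tgt.startswith(a + "\\") for a in ok):
            findings.append(f"{vpath}: target {target} is outside the allowed set")
        if tgt in seen:
            findings.append(f"{vpath}: same target as {seen[tgt]}")
        seen.setdefault(tgt, vpath)
    for a in sorted(ok - set(seen)):
        findings.append(f"{a}: allowed folder has no virtual directory")
    return findings

# Constructed inventory matching the article's layout.
FOLDERS = [r"d:\ftproot\dummyfolder", r"d:\ftproot\matt",
           r"d:\ftproot\matt\microsoft.com", r"d:\ftproot\matt\msn.com"]
ALLOWED = [r"d:\domains\microsoft.com", r"d:\domains\msn.com"]
GOOD = {"/Scott": r"d:\domains", "/Matt": r"d:\ftproot\matt",
        "/Matt/microsoft.com": r"d:\domains\microsoft.com",
        "/Matt/msn.com": r"d:\domains\msn.com"}
# Constructed mistakes: a copy-pasted target and a link to the whole domains folder.
BAD = {**GOOD, "/Matt/msn.com": r"d:\domains\microsoft.com",
       "/Matt/sites": r"D:\Domains"}

if __name__ == "__main__":
    for line in audit_doorway("Matt", BAD, FOLDERS, ALLOWED):
        print(line)
```

The audit only reasons about names and paths; the NTFS permissions described in the second step still have to be checked on the folders themselves.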

I'll use WS_FTP to log in as the Matt user. Here is what I see in the left column:

Likewise, when logging in as Scott, we see what he is supposed to see:

In this part we didn't bring anything new to the table but we've shown that yet again MS FTP has the ability to do more than what first meets the eye.

In Part 4 we'll cover User Isolation, a new feature of IIS6.0. (Coming soon!)

Comments

  1. 03 Aug 2009 at 14:58

    Great article. Look forward to user isolation. I actually pointed to your article from my own blog. Thanks again.

  2. 07 Mar 2009 at 14:50
    Thanks Orcs!!! Excellent tutorial, just a pity that you have to create a dummy Master FTP location because users need list contents privileges. This means that I will have to now create individual user accounts for all the virtual sites I have running!!! Will look at user isolation if this can be resolved better and hoping that IIS 7 makes this job easier or may consider going down the LAMP route and getting into Apache, seems these days all the best jobs are now based around open source tech, ruby, php etc!!! Anyways, thanks again for a great tutorial!!!
  3. 05 Aug 2007 at 04:16

    Excellent how-to, thanks!

     

    Regards

    Matt

  4. 23 Dec 2006 at 10:42
    This was just what I was looking for. I'm running multiple websites on my w2k3 server but was in need of a good solution to access them via FTP. The simplicity is amazing. Thanx for the readthru, keep up the good work!

  5. 08 Jun 2006 at 18:40
    This is great!  Easy to understand article, and works perfectly (at least for me!)

  6. 31 May 2005 at 10:03
     Wow! That easy. Thanx this one really solved a lot of problems for me!

    One question though, (Please note that I am a complete newbie at this), Why does my server's performance drop (significantly!) every time a user uploads / downloads any item? On larger downloads this actually causes some of my sites to drop completely.

    Obviously this must have something to do with the priorities on the server, but how do I adjust these priorities if indeed that is where the problem lies?
  7. 26 Apr 2005 at 15:29

    Nice! Cheers for those extra tips, Eric

  8. 26 Apr 2005 at 00:13

    I've been using these techniques since NT 4.0's Option Pack.  People just don't know how powerful the built-in stuff is.  And now with quota management and AD, it can be very powerful in an ISP hosted environment (it's what I use).


    Another tip:  You can create sub-Virtual directories, but they must be from within the FTP's VDs.  I often create Unix-like links for users to get into certain directories of my domains.  For example, say we have a domain called "domain.com".  On my server, that would be:


    E:\Users\eric.duncan\domain.com\www\default.aspx


    Say I want to give Jim Bob access to this domain, but not to all of the domains under my username.  But there's a problem, the user already has access to their own directory:


    E:\Users\jim.bob\


    This user accesses their account via the IIS FTP service's virtual directory called "jim.bob":


    FTP Sites
    -- Public FTP
    ------ jim.bob (which points to the user's Home directory above)


    What I do is create an empty directory (described in this article) named the domain + lnk, but this directory is in the user's normal Home directory:


    E:\Users\jim.bob\domain.com.lnk


    And then create a sub-virtual directory, named the same under the user:


    FTP Sites
    -- Public FTP
    ------ jim.bob
    ---------- domain.com.lnk


    Now when the user logs in, they will see their home directory, with a new directory named domain.com.lnk.  Changing directories to this location forces the FTP's virtual directory to change its location to my directory:


    E:\Users\eric.duncan\domain.com\www\


    Just remember to give jim.bob access to that directory, else he will get an Access Denied.


    Oh, that was another tip: To set permissions, do it at the physical-directory level (as I've done above).  Mix it all with quotas, and there isn't a reason for me to use anything else.  

  9. 15 Feb 2005 at 09:05
    Thank you for the article.  It explains why I have used Microsoft FTP on my 2003 server for a year and never managed to land in the right directory!  Now I can take a good look at the structure and re-organise it!
  10. 01 Jan 1999 at 00:00

    This thread is for discussions of Mastering IIS FTP.
