Enable Windows User NT-SAM/Active Directory Support in Serv-U

Created by Dhalia Turiaga, last modified by MindTouch on Jun 23, 2016


Overview

This article describes how to enable Windows Authentication in Serv-U and how Serv-U can integrate with it with no configuration changes.

Environment

Serv-U version 12.x and later on a supported operating system:

  • Windows Vista/7/8, Server 2008/2012 - C:\ProgramData\RhinoSoft\Serv-U (Folder is Hidden in Windows by default)
  • Windows 2000/XP, Server 2000/2003 - C:\Program Files\RhinoSoft\Serv-U
  • Linux - /usr/local/Serv-U

Steps

Windows Authentication Prerequisites:

  • Serv-U must be installed on a member server of the target Active Directory Domain
  • Serv-U must not be firewalled from the Domain Controller, or located in a DMZ
  • If user Home Directories are located on a network location like a Distributed File Service (DFS) share, a NAS, or other network device, the Serv-U File Server service in the Windows Services menu should run under a network administrative account

 

Enabling Windows Authentication

  1. Open the Serv-U Management Console.
  2. Click Users | Windows Authentication Settings menu.
  3. Enable Windows Authentication by placing a check mark next to Enable Windows authentication.
  4. Enter the name of your Windows domain (the Fully Qualified Domain Name) and click Save.
  5. Click Configure Windows User Group to configure your Windows users.

By default, when users log in to Serv-U, they are placed in their Home Folder as defined in Active Directory, and all applicable NTFS permissions are applied to their FTP account. This way, no permissions or settings are required in Serv-U. However, for increased control, these home directories, permissions, and more can be manually configured and overridden in the Windows User Group configuration page.

 

Manually Managing Home Directories

Serv-U allows AD users to be automatically assigned individual Home Directories based on the %USER% variable, which automatically generates home directories based on the User Principal Name of the user (such as user1@mydomain.com). To dynamically assign the Home Directory, open the "Windows User Group Configuration" menu and set the Home Directory to a path such as:

D:\ftproot\%USER%

or

\\fileshare\userfiles\%USER%

 

In this way, all user Home Directories are located under one parent folder and are easier to maintain and manage.

 

Troubleshooting Windows Active Directory Setup

As a general guideline, it is best to troubleshoot Active Directory login problems using the FTP or FTPS protocol, because these protocols provide more troubleshooting information. Common problems that can occur include:

  • Home Directory Not Found - A Home Directory Not Found error indicates that the user account in Active Directory does not have a "Home Folder" set for their user account. This value is set in Active Directory, not in Serv-U, and must be set before the user account will function. The folder is set in Active Directory Users & Computers in user properties, under the Profile tab, in the Connect option.
  • Permission Denied - Permission denied errors can occur for Windows users who have their Home Folders located on a network drive. This must be resolved by configuring the Serv-U File Server service to run under a Domain Admin account, and by making sure the permissions on the network path are correct. In addition, the Serv-U service must have at a minimum the List Folder / Read Data and Read Attributes permissions on the parent folder of any folder used by an Active Directory user. These permissions are typically granted by default.
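
The two checks above can be scripted before a user reports a failed login. The following PowerShell function is an added example, not part of the original article or of Serv-U: it reads the user's Home Folder from Active Directory, then tests whether the service account holds List Folder / Read Data and Read Attributes on the parent folder. The function name, its parameters and the account names in the usage line are assumptions for illustration.

```powershell
# Added example, not vendor code. Assumes the RSAT ActiveDirectory module, PowerShell 5+,
# and a domain-joined host; the names in the usage line are placeholders.
Import-Module ActiveDirectory

function Test-ServUHomeFolder {
    param(
        [Parameter(Mandatory)][string]$UserSam,     # AD user who cannot log in
        [Parameter(Mandatory)][string]$ServiceUpn   # UPN of the account running the Serv-U File Server service
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]

    # "Home Directory Not Found": the Home Folder attribute is empty in Active Directory.
    $homeDir = (Get-ADUser -Identity $UserSam -Properties HomeDirectory).HomeDirectory
    if ([string]::IsNullOrWhiteSpace($homeDir)) {
        return [pscustomobject]@{ User = $UserSam; Check = 'Home Folder'; Result = 'Not set in Active Directory' }
    }

    # "Permission Denied": the service account needs at least List Folder / Read Data
    # and Read Attributes on the parent of the user's folder.
    $parent = Split-Path -Path $homeDir -Parent
    $needed = [int]($fsr::ListDirectory) -bor [int]($fsr::ReadAttributes)

    # SIDs carried by the service account (user plus groups), resolved from its UPN.
    $id   = [System.Security.Principal.WindowsIdentity]::new($ServiceUpn)
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $allow = 0; $deny = 0
    $acl   = Get-Acl -Path $parent
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        # Inherit-only entries do not apply to the folder itself; skip them and other principals.
        if ($rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if ($rule.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$rule.FileSystemRights }
        else                                     { $deny  = $deny  -bor [int]$rule.FileSystemRights }
    }

    # Effective rights = allowed and not denied; report whatever part of $needed is absent.
    $missing = $needed -band (-bnot ($allow -band (-bnot $deny)))
    $result  = if ($missing) { "Missing on parent: $($missing -as $fsr)" } else { 'OK' }
    [pscustomobject]@{ User = $UserSam; Check = "ACL on $parent"; Result = $result }
}

# Usage (placeholder names):
# Test-ServUHomeFolder -UserSam 'user1' -ServiceUpn 'svc-servu@mydomain.com'
```

The function evaluates NTFS access rules only; share-level permissions on a UNC path are not checked.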

 

Allowing Logon From Multiple Active Directory Domains

If users from multiple domains within the same Active Directory forest must be able to authenticate to the same Serv-U server, the following must be true:

  • The Windows Domain Name (Optional) field in the Users | Windows Authentication menu must be left blank
  • There must be trust between the domain of which the Serv-U server is a member and all other domains which Serv-U must be able to authenticate to
  • Users must log in using their User Principal Name (e.g., user@domain.com) instead of just their SAM account name (in the previous case, just "user")

Note: Windows User NT-SAM / Active Directory support is available in Serv-U MFT Server only.

 

Last modified
02:35, 23 Jun 2016
