Enabling Windows User NT-SAM / Active Directory Support in Serv-U - KB Article #1412
Serv-U MFT Server includes the ability to integrate directly with Windows User NT-SAM/Active Directory to allow users to access Serv-U directly without being configured manually in Serv-U. If you're supporting FTP transfers in an Active Directory environment (or using the local Windows SAM) you can use Serv-U to support your users with little or no configuration changes. Simply install Serv-U, enable Windows Authentication, and Serv-U will instantly integrate with your Windows users.
Windows Authentication Prerequisites
Before proceeding with Active Directory configuration in Serv-U, ensure the following requirements have been fulfilled:
- Serv-U must be installed on a member server of the target Active Directory Domain
- Serv-U must not be firewalled from the Domain Controller, or located in a DMZ
- If user Home Directories are located on a network location like a Distributed File Service (DFS) share, a NAS, or other network device, the Serv-U File Server service in the Windows Services menu should run under a network administrative account
Enabling Windows Authentication
To enable Windows Authentication in Serv-U, follow the steps below:
- Open the Serv-U Management Console
- Click on the Users | Windows Authentication Settings menu
- Enable Windows Authentication by placing a check mark next to "Enable Windows authentication"
- Enter the name of your Windows domain (the Fully Qualified Domain Name) and select "Save"
- Click "Configure Windows User Group" to configure your Windows users
By default, when users log in to Serv-U, they are logged into their Home Folder as defined in Active Directory and have all applicable NTFS permissions applied to their FTP account. This way, no permissions or settings are required in Serv-U. However, for increased control, these home directories, permissions, and more can be manually configured and overridden in the Windows User Group configuration page.
Manually Managing Home Directories
Serv-U allows AD users to be automatically assigned individual Home Directories based on the %USER% variable, which generates home directories from the User Principal Name of the user (such as firstname.lastname@example.org). To dynamically assign the Home Directory, open the "Windows User Group Configuration" menu and set the Home Directory to a path such as:
In this way, all user Home Directories are located under one parent folder, which keeps them together and makes them easier to manage.
Troubleshooting Windows Active Directory Setup
As a general guideline, it is best to troubleshoot Active Directory login problems using the FTP or FTPS protocol, because these protocols provide more troubleshooting information. Common problems that can occur include:
- "Home Directory Not Found" - A "Home Directory Not Found" error indicates that the user account in Active Directory does not have a "Home Folder" set for their user account. This value is set in Active Directory, not in Serv-U, and must be set before the user account will function. The folder is set in "Active Directory Users & Computers" in user properties, under the "Profile" tab, in the "Connect" option.
- "Permission Denied" - Permission denied errors can occur for Windows users who have their Home Folders located on a network drive. This must be resolved by configuring the "Serv-U File Server" service to run under a Domain Admin account, and by making sure the permissions on the network path are correct. In addition, the Serv-U service must have at a minimum the "List Folder / Read Data" and "Read Attributes" permissions on the parent folder of any folder used by an Active Directory user. These permissions are typically granted by default.
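Both troubleshooting cases above can be checked from the Serv-U host before changing anything. The PowerShell below is an added example, not part of this article or of Serv-U itself; it assumes the ActiveDirectory RSAT module is installed, uses the service display name "Serv-U File Server" from the article, and matches the service account against ACEs by name only (group membership is not expanded).

```powershell
# Added example: pre-flight checks for "Home Directory Not Found" and "Permission Denied".
# Assumes the ActiveDirectory module (RSAT) and that the service display name is
# "Serv-U File Server", as named in the article.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [string]$ServiceDisplayName = 'Serv-U File Server'
)
Import-Module ActiveDirectory

# Prerequisite: the host must be a member of the target domain.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning 'Host is not domain-joined; Windows authentication will not work.'
}

# "Home Directory Not Found": the AD account needs a Home Folder (Profile tab, "Connect").
$user = Get-ADUser -Identity $SamAccountName -Properties HomeDirectory, UserPrincipalName
if ([string]::IsNullOrWhiteSpace($user.HomeDirectory)) {
    Write-Warning "$SamAccountName has no Home Folder in AD; expect 'Home Directory Not Found'."
    return
}
Write-Host "UPN: $($user.UserPrincipalName)  Home Folder: $($user.HomeDirectory)"

# "Permission Denied": find which account runs the Serv-U service.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) { Write-Warning "Service '$ServiceDisplayName' not found."; return }
$svcAccount = $svc.StartName
Write-Host "Service '$ServiceDisplayName' runs as: $svcAccount"

$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
if ($user.HomeDirectory -like '\\*' -and $svcAccount -in $builtIn) {
    Write-Warning 'Home Folder is a network path but the service runs as a built-in account; use a domain account.'
}

# The service account needs at least "List Folder / Read Data" and "Read Attributes"
# on the PARENT of the user's home folder. ReadData is the same bit as ListDirectory.
$parent = Split-Path -Path $user.HomeDirectory -Parent
$needed = [System.Security.AccessControl.FileSystemRights]'ReadData, ReadAttributes'
$acl = Get-Acl -Path $parent
$granted = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $needed) -eq $needed)
}
$granted | ForEach-Object { Write-Host "  Allow $($_.FileSystemRights) -> $($_.IdentityReference)" }

# Name-only match on the account part of the service identity (DOMAIN\name -> name).
$acctName = $svcAccount.Split('\')[-1]
if (-not ($granted | Where-Object { $_.IdentityReference -like "*$acctName*" })) {
    Write-Warning "No Allow ACE grants ReadData+ReadAttributes to '$svcAccount' on $parent (group grants not resolved here)."
}
```

Run it as an account allowed to read the parent folder's ACL; a warning from the last check means either the ACE is missing or the right is granted only through a group, which this script does not expand.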
Allowing Logon From Multiple Active Directory Domains
If users from multiple domains within the same Active Directory forest must be able to authenticate to the same Serv-U server, the following must be true:
- The "Windows Domain Name (Optional)" field in the Users | Windows Authentication menu must be left blank
- There must be trust between the domain of which the Serv-U server is a member and all other domains which Serv-U must be able to authenticate to
- Users must log in using their User Principal Name (e.g., email@example.com) instead of just their SAM account name (in the previous case, just "user")
NOTE 1: Windows User NT-SAM / Active Directory support is available in Serv-U MFT Server only.