Binding a host name in IIS 8.5 causes "Authentication Required" prompt

Question

In Windows Server 2012 R2 with IIS 8.5, I have an FTP site working fine with anonymous access, as long as no host name is specified in the site's bindings. As soon as I enter a value for the host name, the client browser (tested in Chrome) displays the "Authentication Required" prompt, asking for a user name and password.

I need to bind a host name because this server will host multiple FTP sites, but this issue is effectively preventing the use of a host name binding. I can't think of how the host name would affect authentication. Not using SSL.

To test for permissions problems I granted "Everyone" access to the physical path, with no change in behavior.

One setting I have that might be relevant is under the site's FTP Authentication > Anonymous Authentication > Edit > Anonymous user identity, I have a domain account specified. Using "View Effective Access" in Windows shows that this account has sufficient permissions in the physical path, and of course like I said it works fine without the host name specified.

How can I have anonymous access to an FTP site in IIS while also binding a host name for that site?

Answer 1

Referring the following blog here.

IIS FTP hosts provides two methods in which a client can tell the intended host.

1. By using a virtual FTP Host and passing user credentials in the following manner: host|username
2. By having a client that supports and is able to send the HOST command to let the FTP service know the host it intends to connect to.

For anonymous access with FTP host binding, I'd believe only option 2 is available to you. Otherwise, you can try binding to different ports or IP Addresses.

By using different ports, there would be no need for hosts and by using different IP addresses, you can make DNS entries map to each IP address.

Answer 2

I've discovered this same issue so started experimenting...

The problem with host bindings in FTP is that while it's been available in IIS since 7.5 it depends on the client having that functionality. So for instance using FTP Voyager I've found it works fine and lets me log straight into an FTP account setup in IIS 8.5 with a specific host binding.

Using cmd.exe to FTP or using Filezilla (v3.5.3) I get a 530 authentication error, which I imagine is the same error you're seeing.

Where you get that error you'll find there are no log entries in the log file for that specific FTP site (assuming you've configured per site logging) since IIS doesn't know which FTP site to route the connection to. If you have one FTP site which doesn't use a hostname binding you'll find there's a log entry there, but of course that FTP site probably won't have the user login you're trying to use configured on it, so you'll get an authentication failure there as well.

So if you have control over the people who will be connecting to those FTP sites, and the FTP software they'll be using, then you can ensure they're using software which is compatible.

If these are new connections, eg the users will be setting up these details from scratch based on what you send them, then you can use the methods described in the blog milope posted to force the hostname to be submitted as part of the login process.

If these are existing connections, for instance you're trying to consolidate multiple FTP servers with their existing login credentials into one server, then I don't think there's much you can do unfortunately in terms of rolling that out as a seamless replacement.