If you haven’t use Filezilla Server before it is a pretty decent and easy to manage FTP/FTPS solution. While I don’t care for the Filezilla client (for several reasons, one of them being that it stores saved passwords in plaintext on your machine), the server software is okay… it runs nicely on Windows Server 2012 R2 and it is significantly easier to manage vs. Microsoft’s FTP Server in IIS. It’s simplicity however is also its flaw.
By default, Filezilla server only supports user accounts local to the application itself. Which means -NO- Active Directory authentication and no SSO for your Windows users.
However, Filezilla is open-source and some enterprising users have a version of it released on source-forge which makes use of OpenLDAP to support Active Directory authentication. Before I jump into that though, a word of security caution…
You should ONLY enable Active Directory authentication if you are running FTPS and you should NEVER enabled Active Directory authentication if you are running FTP.
With FTP, user credentials are sent to the server in plain-text and anyone snooping would quickly see your users’ login credentials. Which means you are potentially sharing domain logins with the world; which is always a bad idea.
FTPS, on the other hand, encrypts all communication if setup correctly, including transmission of username and password during the authentication of a new session. If you are running Filezilla and making use of FTPS, then you are good to go.
Okay, that little warning aside…
Before you go any further, you need to make sure all of the proper ports are open between your Active Directory Domain Controller and your Filezilla server. You can see which ports are needed for AD traffic here: What ports on the firewall should be open between Domain Controllers and Member Servers?
1. Jump to this site and download the executable installer file there:
2. Put that on your FTPS server.
3. Stop all running instances of Filezilla.
4. Optionally, create a new folder called “backup” under c:\Program Files (x86)\FileZilla Server\ and copy your “Filezilla Server Interface.exe” and “Filezilla Server.exe” and “FileZilla Server.xml” and “FileZilla Server Interface.xml” file to it.
5. Run the .exe file you downloaded from Sourceforge to install the LDAP enabled version of Filezilla, replacing your current install.
6. Navigate to your c:\Program Files (x86)\FileZilla Server\ folder and edit the “oldapcheck.ini” file with notepad. It should look something like this (assuming the computer name of our domain controller is domaincontroller1 and our domain is “contoso.local”):
That last bit is important to note. It means “don’t use TLS encryption to encrypt authentication traffic between Filezilla and your Domain Controller.” You can set that to “Y” to enable encryption but it requires additional setup of certificate files that I am not going to get into here. If your are on a secure internal LAN, this might be okay to leave as “N” depending on your security requirements.
7. Save and close the file when you are done. You should be able to start Filezilla server if it isn’t already running. If you installed over another copy of the server, it should have kept your settings.
8. Inside of the Filezilla server config console, click the button to bring up the USER management interface.
9. Setup a new user by clicking “Add”
10. The new username must match the domain login name for the user. For example, we are setting up an account for John Doe, with username “jdoe”, so you would create a new user with username “jdoe”.
11. Leave the “password” tick-box for this user “unchecked” and the password entry should be greyed out and empty.
12. Setup a home folder for them as normal.
13. Try logging in with the account to your FTPS server using their AD username (i.e. “jdoe”) and active directory password.
It should all work and now you can use AD accounts with FileZilla!
PS – If you need to check ldap connectivity with your settings, you can run the oldapcheck.exe file from a CMD prompt window and test with an account.
Try running a security check again this filezilla build. It supports SSLv3+TLSv1 protocol and it does not support TLSv1.1/1.2. Also, it supports RC4 ciphers and it is vulnerable to BEAST, POODLE etc… This build is too old.