FTP Custom Authorization <customAuthorization>


The <customAuthorization> element specifies the settings for custom authorization of an FTP site. This form of authorization uses custom authorization providers to validate user access.

If you enable a custom authorization provider, the built-in authorization provider will not be used, and you will not be able to manually add an allow rule or a deny rule to the configuration.

For information about how to create a custom provider, see How to Use Managed Code (C#) to Create a Simple FTP Home Directory Provider.


Version Notes
IIS 10.0 The <customAuthorization> element was not modified in IIS 10.0.
IIS 8.5 The <customAuthorization> element was not modified in IIS 8.5.
IIS 8.0 The <customAuthorization> element was introduced in IIS 8.0.
IIS 7.5 N/A
IIS 7.0 N/A
IIS 6.0 N/A


To support FTP authorization using a custom provider on your FTP site, you must install the FTP Service with FTP Extensibity.

Windows Server 2012

  1. Press the Windows logo key, and then click Server Manager.
  2. In Server Manager, click Manage and then click Add Roles and Features.
  3. In the Add Roles and Features wizard:

    • On the Before You Begin page, click Next.
    • On the Installation Type page, select the installation type, and then click Next.
    • On the Server Selection page, select the appropriate server, and then click Next.
    • On the Server Roles page, ensure that Web Server (IIS) is selected, and then expand it.
    • Expand FTP Server, then select both FTP Service and FTP Extensibility, and then click Next.
    • On the Features page, click Next.
    • On the Confirm Installation Selections page, click Install.
    • On the Results page, click Close.

Windows 8

  1. Open the Windows Control Panel.
  2. In the Windows Control Panel, open Programs and Features.
  3. In Programs and Features, click Turn Windows features on or off.
  4. In the Windows Features dialog box, expand Internet Information Services, and then expand FTP Server.
  5. Under FTP Server, select FTP Service and FTP Extensibility, and then click OK.

How To

How to configure FTP authorization based upon a custom provider

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or later:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or later:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, select the server name, expand Sites, and then select an FTP site.
  3. In the Home pane, double-click the FTP Authorization Rules feature.
  4. In the Actions pane, click Edit Feature settings.
  5. In the Authorization Feature Settings dialog box, select Choose a custom authorization provider to enable FTP authorization by a custom provider. In the associated drop-down list, select a custom provider from the list.


    When a custom FTP authorization provider has been enabled, the FTP Authorization Rules feature is disabled.

  6. Click OK.




Child Elements

Element Description
provider Optional element.

Specifies the custom authorization provider.

Configuration Sample

The following sample displays a <customAuthorization> element:

         <provider name="MyProvider" enabled="true" />

The following sample displays a <providerDefinitions> element for the custom authorization provider in the preceding example:

      <add name="MyProvider" type="MyProvider, MyProvider, version=, Culture=neutral, PublicKeyToken=426f62526f636b73" />

Sample Code

The following code samples configure a custom authorization provider.


appcmd.exe set config -section:system.applicationHost/sites /[name='MyFTPSite'].ftpServer.security.customAuthorization.provider.name:"MyProvider" /commit:apphost

appcmd.exe set config -section:system.applicationHost/sites /[name='MyFTPSite'].ftpServer.security.customAuthorization.provider.enabled:"True" /commit:apphost


You must be sure to set the commit parameter to apphost when using AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.


using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample {

    private static void Main() {
        using(ServerManager serverManager = new ServerManager()) { 
            Configuration config = serverManager.GetApplicationHostConfiguration();
            ConfigurationSection sitesSection = config.GetSection("system.applicationHost/sites");
            ConfigurationElementCollection sitesCollection = sitesSection.GetCollection();
            ConfigurationElement siteElement = FindElement(sitesCollection, "site", "name", @"MyFTPSite");
            if (siteElement == null) throw new InvalidOperationException("Element not found!");
            ConfigurationElement ftpServerElement = siteElement.GetChildElement("ftpServer");
            ConfigurationElement securityElement = ftpServerElement.GetChildElement("security");
            ConfigurationElement customAuthorizationElement = securityElement.GetChildElement("customAuthorization");
            ConfigurationElement providerElement = customAuthorizationElement.GetChildElement("provider");
            providerElement["name"] = @"MyProvider";
            providerElement["enabled"] = true;
    private static ConfigurationElement FindElement(ConfigurationElementCollection collection, string elementTagName, params string[] keyValues) {
        foreach (ConfigurationElement element in collection) {
            if (String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase)) {
                bool matches = true;
                for (int i = 0; i < keyValues.Length; i += 2) {
                    object o = element.GetAttributeValue(keyValues[i]);
                    string value = null;
                    if (o != null) {
                        value = o.ToString();
                    if (!String.Equals(value, keyValues[i + 1], StringComparison.OrdinalIgnoreCase)) {
                        matches = false;
                if (matches) {
                    return element;
        return null;


Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample
     Sub Main()
         Dim serverManager As ServerManager = New ServerManager
         Dim config As Configuration = serverManager.GetApplicationHostConfiguration
         Dim sitesSection As ConfigurationSection = config.GetSection("system.applicationHost/sites")
         Dim sitesCollection As ConfigurationElementCollection = sitesSection.GetCollection
         Dim siteElement As ConfigurationElement = FindElement(sitesCollection, "site", "name", "MyFTPSite")
         If (siteElement Is Nothing) Then
             Throw New InvalidOperationException("Element not found!")
         End If
         Dim ftpServerElement As ConfigurationElement = siteElement.GetChildElement("ftpServer")
         Dim securityElement As ConfigurationElement = ftpServerElement.GetChildElement("security")
         Dim customAuthorizationElement As ConfigurationElement = securityElement.GetChildElement("customAuthorization")
         Dim providerElement As ConfigurationElement = customAuthorizationElement.GetChildElement("provider")
         providerElement("name") = "MyProvider"
         providerElement("enabled") = true
     End Sub
     Private Shared Function FindElement(ByVal collection As ConfigurationElementCollection, ByVal elementTagName As String, ParamArray ByVal keyValues() As String) As ConfigurationElement
         For Each element As ConfigurationElement In collection
             If String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase) Then
                 Dim matches As Boolean = true
                 Dim i As Integer = 0
                 Do While (i < keyValues.Length)
                     Dim o As Object = element.GetAttributeValue(keyValues(i))
                     Dim value As String = Nothing
                     If (Not (o) Is Nothing) Then
                         value = o.ToString
                     End If
                     If Not String.Equals(value, keyValues((i + 1)), StringComparison.OrdinalIgnoreCase) Then
                         matches = false
                         Exit For
                     End If
                     i = (i + 2)
                 If matches Then
                     Return element
                 End If
             End If
         Return Nothing
     End Function
 End Module


var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";

var sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST");

var sitesCollection = sitesSection.Collection;

var siteElementPos = FindElement(sitesCollection, "site", ["name", "MyFTPSite"]);
if (siteElementPos == -1) throw "Element not found!";
var siteElement = sitesCollection.Item(siteElementPos);

var ftpServerElement = siteElement.ChildElements.Item("ftpServer");
var securityElement = ftpServerElement.ChildElements.Item("security");
var customAuthorizationElement = securityElement.ChildElements.Item("customAuthorization");
var providerElement = customAuthorizationElement.ChildElements.Item("provider");
providerElement.Properties.Item("name").Value = "MyProvider";
providerElement.Properties.Item("enabled").Value = true;


function FindElement(collection, elementTagName, valuesToMatch) {
    for (var i = 0; i < collection.Count; i++) {
        var element = collection.Item(i);
        if (element.Name == elementTagName) {
            var matches = true;
            for (var iVal = 0; iVal < valuesToMatch.length; iVal += 2) {
                var property = element.GetPropertyByName(valuesToMatch[iVal]);
                var value = property.Value;
                if (value != null) {
                    value = value.toString();
                if (value != valuesToMatch[iVal + 1]) {
                    matches = false;
            if (matches) {
                return i;
    return -1;


Set adminManager = CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"

Set sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST")

Set sitesCollection = sitesSection.Collection
siteElementPos = FindElement(sitesCollection, "site", Array ("name", "MyFTP"))
if (siteElementPos = -1) THEN throw "Element not found!"
Set siteElement = sitesCollection.Item(siteElementPos)

Set ftpServerElement = siteElement.ChildElements.Item("ftpServer")
Set securityElement = ftpServerElement.ChildElements.Item("security")
Set customAuthorizationElement = securityElement.ChildElements.Item("customAuthorization")
Set providerElement = customAuthorizationElement.ChildElements.Item("provider")
providerElement.Properties.Item("name").Value = "MyProvider1"
providerElement.Properties.Item("enabled").Value = true


Function FindElement(collection, elementTagName, valuesToMatch)
   For i = 0 To CInt(collection.Count) - 1
      Set element = collection.Item(i)
      If element.Name = elementTagName Then
         matches = True
         For iVal = 0 To UBound(valuesToMatch) Step 2
            Set property = element.GetPropertyByName(valuesToMatch(iVal))
            value = property.Value
            If Not IsNull(value) Then
               value = CStr(value)
            End If
            If Not value = CStr(valuesToMatch(iVal + 1)) Then
               matches = False
               Exit For
            End If
         If matches Then
            Exit For
         End If
      End If
   If matches Then
      FindElement = i
      FindElement = -1
   End If
End Function


Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.applicationHost/sites/site[@name='MyFTPSite']/ftpServer/security/customAuthorization/provider" -name "name" -value "MyProvider"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.applicationHost/sites/site[@name='MyFTPSite']/ftpServer/security/customAuthorization/provider" -name "enabled" -value "True"