System FTP Authentication <authentication>


The <authentication> element enabes you to configure the user accounts that can access the sites on a server. Use authentication in combination with authorization to secure access to content on your server. Authentication confirms the identity of a user, while authorization determines which resources users can or cannot access.

IIS defines one type of authentication rule, Deny rules. Deny rules let you define the user accounts or user groups that cannot access the sites on a server.


Version Notes
IIS 10.0 The <authentication> element was not modified in IIS 10.0.
IIS 8.5 The <authentication> element was not modified in IIS 8.5.
IIS 8.0 The <authentication> element was introduced in IIS 8.0.
IIS 7.5 N/A
IIS 7.0 N/A
IIS 6.0 N/A


To support denying access through authentication on your FTP server, you must install the FTP Service role service.

Windows Server 2012

  1. Press the Windows logo key, and then click Server Manager.
  2. In Server Manager, click Manage and then click Add Roles and Features.
  3. In the Add Roles and Features wizard:

    • On the Before You Begin page, click Next.
    • On the Installation Type page, select the installation type, and then click Next.
    • On the Server Selection page, select the appropriate server, and then click Next.
    • On the Server Roles page, ensure that Web Server (IIS) is selected, and then expand it.
    • Expand FTP Server, then select both FTP Service and FTP Extensibility, and then click Next.
    • On the Features page, click Next.
    • On the Confirm Installation Selections page, click Install.
    • On the Results page, click Close.

Windows 8

  1. Open the Windows Control Panel.
  2. In the Windows Control Panel, open Programs and Features.
  3. In Programs and Features, click Turn Windows features on or off.
  4. In the Windows Features dialog box, expand Internet Information Services, and then expand FTP Server.
  5. Under FTP Server, select FTP Service and FTP Extensibility, and then click OK.

How To

How to deny access to the FTP server based upon the logon failure rate

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or later:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or later:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, select the server.
  3. In the Home pane, double-click the FTP Logon Attempt Restrictions feature.

  4. In the FTP Logon Attempt Restrictions dialog box, click Enable to enable the restrictions, and then enter the maximum number of failures and the time frame in which those failures will prompt access to the FTP service to be denied.
  5. Click Write to the log only to log that the condition has been met, but not to block logon attempts.
  6. Click Apply in the Actions pane.


The <authentication> element is configured at the server level.



Child Elements

Element Description
denyByFailure Optional element.

Configures the FTP service to deny access based upon the failure rate.

Configuration Sample

The following sample configures a <denyByFailure> element.

         <denyByFailure enabled="true" maxFailure="5" entryExpiration="00:00:45" loggingOnlyMode="false" />

Sample Code

The following code samples configure denying access to the FTP server based upon the logon failure rate.


appcmd.exe set config  -section:system.ftpServer/security/authentication /denyByFailure.enabled:"True" /denyByFailure.maxFailure:"10" /denyByFailure.entryExpiration:"00:00:35" /denyByFailure.loggingOnlyMode:"False"  /commit:apphost


You must be sure to set the commit parameter to apphost when using AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.


using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample {

    private static void Main() {
        using(ServerManager serverManager = new ServerManager()) { 
            Configuration config = serverManager.GetApplicationHostConfiguration();
            ConfigurationSection authenticationSection = config.GetSection("system.ftpServer/security/authentication");
            ConfigurationElement denyByFailureElement = authenticationSection.GetChildElement("denyByFailure");
            denyByFailureElement["enabled"] = true;
            denyByFailureElement["maxFailure"] = 10;
            denyByFailureElement["entryExpiration"] = TimeSpan.Parse("00:00:35");
            denyByFailureElement["loggingOnlyMode"] = false;


Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample

   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration
      Dim authenticationSection As ConfigurationSection = config.GetSection ("system.ftpServer/security/authentication")
      Dim denyByFailureElement As ConfigurationElement = authenticationSection.GetChildElement("denyByFailure")
      denyByFailureElement("enabled") = true
      denyByFailureElement("maxFailure") = 10
      denyByFailureElement("entryExpiration") = TimeSpan.Parse("00:00:35")
      denyByFailureElement("loggingOnlyMode") = false
   End Sub
End Module


var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";

var authenticationSection = adminManager.GetAdminSection("system.ftpServer/security/authentication", "MACHINE/WEBROOT/APPHOST");
var denyByFailureElement = authenticationSection.ChildElements.Item("denyByFailure");
denyByFailureElement.Properties.Item("enabled").Value = true;
denyByFailureElement.Properties.Item("maxFailure").Value = 10;
denyByFailureElement.Properties.Item("entryExpiration").Value = "00:00:35";
denyByFailureElement.Properties.Item("loggingOnlyMode").Value = false;



Set adminManager = CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"

Set authenticationSection = adminManager.GetAdminSection("system.ftpServer/security/authentication", "MACHINE/WEBROOT/APPHOST")
Set denyByFailureElement = authenticationSection.ChildElements.Item("denyByFailure")
denyByFailureElement.Properties.Item("enabled").Value = true
denyByFailureElement.Properties.Item("maxFailure").Value = 10
denyByFailureElement.Properties.Item("entryExpiration").Value = "00:00:35"
denyByFailureElement.Properties.Item("loggingOnlyMode").Value = false



Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.ftpServer/security/authentication/denyByFailure" -name "enabled" -value "True"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.ftpServer/security/authentication/denyByFailure" -name "maxFailure" -value 10
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.ftpServer/security/authentication/denyByFailure" -name "entryExpiration" -value "00:00:35"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.ftpServer/security/authentication/denyByFailure" -name "loggingOnlyMode" -value "False"