Mapped Drives and Services
Mapped drives are established on a per-user basis and are only restored when a user logs in (also called an interactive login). Cerberus FTP Server runs as a Windows Service and persists outside of a logged in session. This allows Cerberus to run even when no users are logged into the system.
The default configuration for a Windows Service logs it in as the Local System account. While this account has broad access to the local machine, it does not have permission to access resources on a network unless that resource requires no authentication. In addition, a Windows Service running under the Local System account cannot access the mapped drives you establish when you log in using your own account.
There are two solutions to this problem:
Solution #1
The first solution is to use the UNC path to access the network resource and to make sure the Windows Service account that Cerberus is running under has permission to access that share. By default, the Local System account can only access anonymous or null shares (shares that require no permissions). If the Local System account does not have permission to access the network share, the Cerberus log file will likely show an access denied error, or simply be unable to find the network path.
If you see an access denied error, you will probably need to change the Cerberus FTP Server Windows Service to use an account that has permission to access that share. You can change the service account that Cerberus runs under using the following instructions:
Changing the Cerberus Windows Service Account
You can manually change your service's account by viewing its properties in the Services system component.
To open Services, click Start, click Control Panel, click Administrative Tools, and then double-click Services.
- Open Services.
- Right-click the service to which you want to assign a user or group account, and then click Properties.
- Click the Log On tab, and then do one of the following:
  - To specify that the service use the LocalSystem account, click Local System account.
  - To specify that the service use the LocalService account, click This account, and then type NT AUTHORITY\LocalService.
  - To specify that the service use the NetworkService account, click This account, and then type NT AUTHORITY\NetworkService.
  - To specify another account, click This account, click Browse, and then specify a user account in the Select User dialog box. When you are finished, click OK.
    This solution is useful if the Cerberus server and target server are not domain joined. Create an account on the shared resource and note the username and password. Create a matching account on your Cerberus server with the same password and use this account to run Cerberus. Please carefully note the caveats of doing this below!
- Type the password for the user account in the Password box and in the Confirm password box, and then click OK.
There are two caveats to changing the underlying service account.
One is that the existing Cerberus settings files were created under the Local System account, so switching the Cerberus Windows Service to another account will probably mean that the service cannot overwrite the existing settings files created by the Local System account. This will lead to errors when the service tries to save any settings or user changes. The problem is relatively easy to fix: adjust the ownership of the Cerberus settings directory, and all of its subdirectories and files, to the new account running the service.
The settings files are all in C:\ProgramData\Cerberus LLC\Cerberus FTP Server on Windows Vista, Windows 2008 and above.
The second issue is that you will need to ensure the new service account has full read/write privileges for any local folders that users access to upload and download files.
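The account change and both caveats can also be scripted. The following PowerShell is an added example, not taken from Cerberus documentation. The display-name pattern, the account name and the upload folder are assumptions or placeholders to replace with your own values, and the script must run from an elevated prompt.

```powershell
# Added example. Placeholders/assumptions are marked; run from an elevated prompt.
$displayName = 'Cerberus FTP Server*'   # assumption: service display name pattern
$account     = 'EXAMPLE\svc-cerberus'   # placeholder: dedicated, non-admin account
$settingsDir = 'C:\ProgramData\Cerberus LLC\Cerberus FTP Server'  # path from the article
$dataDirs    = @('D:\FtpRoot')          # placeholder: local folders users upload to

# Resolve exactly one service and show which account it logs on as today.
$svc = @(Get-CimInstance Win32_Service | Where-Object DisplayName -like $displayName)
if ($svc.Count -ne 1) { throw "Expected one matching service, found $($svc.Count)." }
$svc = $svc[0]
Write-Host "Service '$($svc.Name)' currently logs on as $($svc.StartName)"

# Prompt for the password so it never appears in the script or shell history.
$cred = Get-Credential -UserName $account -Message 'Service account password'

# Small wrapper so a failed icacls call stops the script instead of being ignored.
function Invoke-Icacls {
    icacls.exe @args
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $args" }
}

# Caveat 1: the settings files were created by Local System. Hand ownership of the
# settings directory tree to the new account and give it Modify (inherited).
Invoke-Icacls $settingsDir /setowner $account /T /C
Invoke-Icacls $settingsDir /grant "${account}:(OI)(CI)M"

# Caveat 2: read/write access on the local folders users upload to and download from.
# Modify is granted rather than Full control so the account cannot rewrite the ACLs.
foreach ($dir in $dataDirs) {
    Invoke-Icacls $dir /grant "${account}:(OI)(CI)M"
}

# Switch the service logon account. The account must hold the
# "Log on as a service" right, or the restart below fails.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change returned $($result.ReturnValue)"
}

# The new account only takes effect when the service starts again.
Restart-Service -Name $svc.Name
Write-Host "Now logs on as $((Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName)"
```

After the restart, check the Cerberus log for access denied errors against the UNC path to confirm the account also has permission on the share itself.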
UNC Paths and Services
Make sure that the user that the Cerberus FTP Server Windows Service is running as is able to access the path. This is particularly important when running Cerberus FTP Server as a service under the Local System account, since that account will usually not have the necessary permissions to access a remote share.
Solution #2
We've mentioned before that the Local System account has very limited capabilities to access network resources. However, Cerberus also has the ability to impersonate an actual logged in user and access network resources as if they were that user for the duration of a connection. This feature is accomplished using Active Directory authentication.
When a user logs into the server (through FTP/S, SSH SFTP, or HTTP/S) using an Active Directory account, Cerberus uses the provided username and password to authenticate the user account with the configured Windows domain and can then carry out all file operations for that user as if they were the actual user. This ensures that Windows enforces the correct file permissions for that user and also allows the user to access any network resources that they would normally have access to.
You can learn more about configuring Active Directory Authentication in our online help.