Server!: more on Active Directory authentication

This article covers the interaction between the client and Server! in the case of Active Directory authentication, and explains how the auth-data sent by the client is interpreted by the server.

For the sake of our example we have set up a Windows Server 2012 R2 virtual machine and created the “syncplify.local” domain (totally made up; you can use your own domain name, of course). We have then created an AD group called “SFTP Users” (again, you can create your own groups) and a couple of users: “testuser” and “groupuser”. The testuser profile is only a member of the “Domain Users” group, while the groupuser profile is a member of “Domain Users” as well as of “SFTP Users”.

Important: if you’re using Server! v4.0 or greater, please make sure you also carefully read this article before you continue.

Then we have created the two virtual profiles in Server! with the usernames exactly as you see them in the picture here below:


Note: the @domain_name part is mandatory when configuring single user accounts, and it is always mandatory (both for user and group auth) on the client side.

Now let’s see how to log in using any FTP client. First, let’s try the testuser profile:


As you can see, on the client side you have to specify the full username, including the domain part. In the screenshot above you can see (highlighted by the red box) that our user is authenticating with the exact username as configured in Server!.

But what happens when we want to authenticate an AD user belonging to a certain authorized group? Let’s see:


As you can see, the user groupuser@syncplify.local has to log in with the full username (including the domain part) as well. And even though there is no specific profile corresponding to that username in Server!, the user can still authenticate and log in because the account belongs to the “SFTP Users” group, and therefore it falls into the cases covered by the *[SFTP Users] virtual user profile.

Same goes if you’re using a graphical FTP/SFTP client; the image below shows how to specify the username for an Active Directory user in FileZilla, but the concept is valid regardless of the client you choose.


Bottom line is that – on the client side – AD users always have to authenticate with their full username, including the domain part. Doing so ensures that Server! knows which authentication path to take (internally, this logic is quite complex).
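To make the resolution order described above concrete, here is an added illustrative model, not Server!'s own code (the article only says its internals are complex), of how a client-supplied login name can be matched against the two kinds of virtual profile discussed here: an exact `user@domain` profile and a `*[Group]` group profile. The directory contents and profile names are constructed from this article's example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the article's example: AD group membership per user.
# A real server would obtain this from an LDAP/AD lookup; it is embedded inline here.
AD_GROUPS: Dict[str, Dict[str, Set[str]]] = {
    "syncplify.local": {
        "testuser": {"Domain Users"},
        "groupuser": {"Domain Users", "SFTP Users"},
    }
}

# Virtual profiles as configured in the example: one single-user profile
# (the @domain part is mandatory) and one group profile.
VIRTUAL_PROFILES: List[str] = ["testuser@syncplify.local", "*[SFTP Users]"]

GROUP_PROFILE = re.compile(r"^\*\[(?P<group>.+)\]$")


def split_login(login: str) -> Optional[Tuple[str, str]]:
    """Return (user, domain) for 'user@domain', lower-cased; None if the domain is missing."""
    user, sep, domain = login.partition("@")
    if not sep or not user or not domain:
        return None
    return user.lower(), domain.lower()


def resolve_profile(login: str,
                    profiles: List[str] = VIRTUAL_PROFILES,
                    directory: Dict[str, Dict[str, Set[str]]] = AD_GROUPS) -> Optional[str]:
    """Map a login name to the virtual profile that authorizes it, or None.

    Order: reject names without a domain part, then try an exact single-user
    profile, then any *[Group] profile whose group the AD account belongs to.
    """
    parts = split_login(login)
    if parts is None:
        return None  # the domain part is mandatory on the client side
    user, domain = parts
    normalized = f"{user}@{domain}"

    # 1. Exact single-user profile, compared case-insensitively (AD names are).
    for profile in profiles:
        if profile.lower() == normalized:
            return profile

    # 2. Group profiles: the account must exist in that domain and be a member.
    groups = directory.get(domain, {}).get(user, set())
    for profile in profiles:
        match = GROUP_PROFILE.match(profile)
        if match and match.group("group") in groups:
            return profile
    return None
```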

