RhinoSoft.com - Newsletter Archive

10-20-2009 - Serv-U Windows Network Resource Access and Windows Authentication
Hello,
Welcome to another installment of the RhinoSoft.com newsletter. You are getting this newsletter because you signed up on our web site. If you would like to stop receiving these newsletters, please visit: http://www.RhinoSoft.com/newsletter/unsubscribe.asp
The intent of this newsletter is to give you some pointers on our products. This newsletter highlights a few of the great new features we've added in the recently released Serv-U 9.0.
Serv-U Windows Service Network Resource Access
Windows Services requiring access to network shares all share an age-old problem: programs running as a Windows Service run with local system credentials. This means that Windows Services, by default, can only access the local file system, not network resources such as network drives and UNC shares. Serv-U, like all other Windows Service programs, has this problem when trying to access network file systems.
The problem isn't always obvious to Serv-U customers, because it doesn't appear until someone attempts to log in with an account. When this occurs, end-users cannot log in if their home directory is a network share, or they do not see virtual paths pointing to network resources when they list directories.
The simplest solution is to run Serv-U as a regular application. But doing this eliminates the benefits of running Serv-U as a Service. For example, when logging off the computer, Serv-U exits and is unavailable until another user logs back in. This is usually very undesirable for a file server such as Serv-U.
Changing the Service "Log On" Account
The solution that we recommend most is to change the Windows Service "Log On" account to a Windows Domain administrator user. When the Serv-U Service starts, it is running in the context of the specified administrator account, which provides access to the entire server as well as all available network shares.
Our knowledge base article about this solution is one of our most visited articles:
http://RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1156&prod=su
More information about network resource sharing is discussed in this article:
http://RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1048&prod=su
Some network administrators view running the Service under a Windows Domain administrator account as a potential security problem. Instead, they opt to use a specially created account just for network share access.
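The following PowerShell is an added example, not RhinoSoft code: it reports which "Log On" account a service currently uses and switches it to a specially created account of the kind mentioned above. The service name and the account name DOMAIN\svc-fileshare are placeholders supplied by the caller and do not come from this newsletter.

```powershell
# Added example. Service and account names are placeholders chosen by the caller.

function Get-ServiceLogOnAccount {
    param([Parameter(Mandatory)][string]$ServiceName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    # StartName is the "Log On" account shown in the Services console.
    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    [pscustomobject]@{
        Name           = $svc.Name
        LogOnAccount   = $svc.StartName
        IsBuiltInLocal = $builtIn -contains $svc.StartName   # case-insensitive match
        State          = $svc.State
    }
}

function Set-ServiceLogOnAccount {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][pscredential]$Credential   # e.g. from Get-Credential
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    # Win32_Service.Change leaves every property not named here untouched.
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $Credential.UserName
        StartPassword = $Credential.GetNetworkCredential().Password
    }
    if ($result.ReturnValue -ne 0) {
        throw "Change failed with Win32_Service return code $($result.ReturnValue)."
    }
    # Unlike the Services console, this call does not grant the account the
    # "Log on as a service" right; assign it before the next service start.
    # The new account takes effect the next time the service is started.
    Get-ServiceLogOnAccount -ServiceName $ServiceName
}

# Usage (run elevated; names are placeholders):
#   Get-ServiceLogOnAccount -ServiceName '<service name>'
#   Set-ServiceLogOnAccount -ServiceName '<service name>' `
#       -Credential (Get-Credential 'DOMAIN\svc-fileshare')
```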
Using Windows Login
A second, often overlooked solution is to provide access to your Serv-U server using Windows Authentication only. Starting with Serv-U 7.0, user group functionality has been greatly improved. Windows Authenticated users are given a single, shared user group through which Serv-U Administrators may adjust how Windows users are configured.
When a Windows User is authenticated in Serv-U, Serv-U actually "impersonates" that user as if that user were logged into Windows via the keyboard. For every operation that Serv-U performs on a user's behalf, Serv-U switches out of the service account context to the Windows authenticated user context. If a user has permission in Windows to perform an operation, the operation succeeds. If the user doesn't have permission to perform an operation, permission is denied. This method of checking permissions applies not only to accessing the file system or network resources, but also to making changes to the file system through uploads, deletions, or renames.
For more information about configuring Serv-U to use Windows Authentication, visit KB article 1412:
http://RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1412&prod=su
Directory Access Rules Tied To A Windows Account
Serv-U 9.0 introduces one additional solution. All Directory Access rules now have an "Advanced" button that allows Serv-U Administrators to specify a Windows user account when accessing a particular rule. For example, a user whose home directory is "\\Server\User" could have a Windows user ID and password specified for the directory access rule. Simply edit the "%HOME%" directory access rule for the user, press the "Advanced" button, then enter the required Windows login information. Whenever Serv-U accesses "%HOME%" (i.e., the user's home directory), Serv-U impersonates the specified Windows user to ensure access.
The advantage to using this solution over changing the Windows Service Log On information is one of granularity. More than one Windows User account may be used to access different network resources. This feature also allows Serv-U Administrators to access network resources on more than one Windows Domain.
The main disadvantage is that each network resource requires Windows user account information. When the authentication details change (i.e., the user's password changes), these directory access rules must also be changed. To simplify maintenance, we recommend using Groups for user accounts. When Windows user credentials change, simply change the directory access rules within the group and all group members automatically receive the change.
For more information about creating Serv-U User Groups, visit knowledge base article 1697:
http://RhinoSoft.com/Knowledgebase/KBArticle.asp?RefNo=1697&prod=su
Try Serv-U Free for 30 Days
Download Serv-U:
http://www.Serv-U.com/download/
FREE SUPPORT OPTIONS
If you need technical or sales support, please use one of the following URLs. Our support turn-around time is very fast during normal working hours Central Time U.S.:
Technical Support:
http://www.RhinoSoft.com/support
Knowledge Base:
http://www.RhinoSoft.com/kb
Sales Support:
http://www.RhinoSoft.com/sales
ON-LINE CUSTOMER SERVICE
If you need to change any of your customer information, you can make changes on-line. The RhinoSoft.com On-line Customer Service page allows you to resend your registration ID, receipt, invoice, and change your information in our database. To use it, visit:
http://www.RhinoSoft.com/customer
Thank you for taking the time to read.
Mark P. Peterson - President
http://www.RhinoSoft.com
Voice: +1(262) 560-9627
FAX: +1(262) 560-9628

