Impersonation settings are used to specify Windows user accounts that WS_FTP Server uses in requesting access to folders and files on a specific computer.
The following information may be useful in determining what impersonation settings are in effect and have priority. For instance, you might ask, “I’ve entered these impersonation settings. Why aren’t they being used?”
Also, as part of your security planning and management, this information might be helpful in keeping track of the Windows users present on WS_FTP Server.
There are three kinds of impersonation settings that WS_FTP Server may use. In general, WS_FTP Server prefers them in the following order: Windows database users > Host Impersonation Settings > Web Client Impersonation Settings. But there are exceptions, which are described below.
The host impersonation specifies the Windows user account and credential at the WS_FTP Server host level.
When do I need to create or modify host impersonation settings?
In many cases, you will not need to. By default, when you install WS_FTP Server or create a new host, the system uses the local machine user to carry out tasks.
In cases where you do not want to use the local machine user, for security purposes, you may want to create a different account and an impersonation setting.
When you choose to enter new host impersonation settings, these settings apply to the WS_FTP Server Web Transfer Module as well (see below).
How do I find host impersonation settings in the WS_FTP Server Web Administration application?
On the “Host Detail Settings” page. You can find this page at: Host > Host Detail Settings.
Are there cases where host impersonation settings will not be used by the system?
Yes. If you use an external Windows database (see below), then the user for the database takes precedence over the both the host impersonation settings and the local machine user. Also, if you specified an executable to run in the “Rules and Notifications” feature, if an executable is triggered by WS_FTP Server Server, it will still run using the local machine user, regardless of what you entered in the Host Impersonation settings.
The WS_FTP Server Web Transfer Module impersonation account specifies a user for all WS_FTP Server hosts using the WS_FTP Server Web Transfer Module.
When do I need to modify WS_FTP Server Web Transfer Module impersonation settings?
You create WS_FTP Server Web Transfer Module impersonation settings during the WS_FTP Server Web Transfer Module install. Generally, these do not need to change, unless you want to create a different user for security purposes.
If for some reason you delete these impersonation settings, the system will use the Network Service account to access files and folders. The Network Service account has, by design, very limited privileges, and attempts to read or write files using this account will most likely fail.
How do I find WS_FTP Server Web Transfer Module impersonation settings?
In the “Web Access Settings” page. You can find this page by navigating to: Module > Web Access Settings.
Are there cases where WS_FTP Server Web Transfer Module impersonation settings are not used by the system?
Yes. If there are impersonation settings that you have configured for the host, or if you use an external Windows database, these take precedence over the WS_FTP Server Web Transfer Module impersonation settings.
The exception is if you have specified an executable to run in the “Rules and Notifications” feature. If the event was triggered by the WS_FTP Server Web Transfer Module, it will run using the WS_FTP Server Web Transfer Module impersonation settings, even if you have an external Windows database, or a host impersonation setting.
When you connect a host to a Microsoft Windows database, Microsoft Active Directory database, or LDAP database, the system employs the Windows user for the external database to access your file system. This user takes precedence over other impersonation settings in almost all cases. (See below.)
When do I need to modify external Windows database user settings?
In the Windows database software, you should be sure that the user accessing the host directory has adequate permissions to do so.
Are there cases where external Windows database user impersonation settings are not used by the system?
Yes. If you specified an executable to run in the “Rules and Notifications” feature, and if the executable was triggered by the WS_FTP Server Web Transfer Module, it will still run using the WS_FTP Server Web Transfer Module impersonation settings. If it was triggered by WS_FTP Server, it will run as the local machine user. The system handles executables this way regardless of whether or not you are using an external Windows database.