
How to run Xlight FTP System Service using a non-admin account

Normally you should run the Xlight FTP Server System Service using an account from the "Local Administrators" group. If you want to run it using a non-admin account instead, you need to set up the following:

For example, suppose you have a "test" user who belongs to the "Standard User" group, and you want the "test" user to run the Xlight FTP Server System Service.

1. The "test" account must be able to read and write the Xlight FTP configuration files. There are 5 files: "ftpd.hosts", "ftpd.option", "ftpd.password", "ftpd.rules", "ftpd.users". You must give the "test" user Full Control to those files.

For security reasons, from, Xlight FTP configuration files created can only be accessed by Administrators and the owner (the user who modified those files).

If you configured Xlight FTP before, but open the Xlight GUI and cannot see any of the old settings, it could be that the current user is not the owner of those files. You need to change the owner of those files.

When Xlight is running as a System Service, the configuration files are modified only by the Xlight FTP Service. The account running the Xlight FTP service will be the owner of those files. The Xlight FTP GUI (Admin Console) needs Administrator rights to run, but will not modify them.

You must also give the "test" user Full Control to the folder where the Xlight FTP Server program resides; otherwise the Xlight GUI (Admin Console) will get errors when talking to the Xlight service program.

2. You need to modify the Service Permissions to allow the "test" user to start and stop the service. You can use Sysinternals Process Explorer to modify Service Permissions.

3. If you use the SSL function, you need to give the "test" user Read access to the private key of the certificate. Launch MMC, choose add/remove snap-in and select Certificates. Find the correct certificate in the "Local Computer" group. Select it, right-click and choose "Properties > Manage Private Keys…". Add Read permission for the "test" user.

If you are still using an old Windows Server OS and cannot see the above menu, you may need to use "WinHttpCertCfg.exe" to allow the user to access the private key of the certificate. You can check the Microsoft link for how to download and use it.

4. If you use the SFTP function, you need to give the "test" user Read access to the SSH host key. Go to the folder "C:\ProgramData\Microsoft\Crypto" or "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto" or, depending on the OS, the other place where the Microsoft Crypto machine key is stored.

For an RSA SSH host key, go to the sub-folder "RSA\MachineKeys"; for a DSS SSH host key, go to the sub-folder "DSS\MachineKeys". There may be several files under it, each file corresponding to one machine key. You cannot tell from a file's name which one is the SSH host key used by Xlight FTP.

You need to find the file used by Xlight FTP Server and give the "test" user Read permission to it. If you know the time the Xlight SSH host key was created or imported, you can use it as a hint to find the correct file. If you don't know the time the SSH host key was created, you can try giving the "test" user Read permission to one file at a time, then make an SFTP connection to Xlight FTP Server and check whether there is any error. If you can make an SFTP connection without any error, you have found the correct file.
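
The file-permission parts of steps 1 and 4 can be scripted from an elevated PowerShell prompt. This is an added example, not part of the Xlight documentation; the install folder `C:\Program Files\Xlight`, the assumption that the configuration files are stored in it, and the helper names `Get-MachineKeyCandidate` and `Set-KeyRead` are assumptions.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Assumptions: install folder, config files stored in it, local account "test".
$XlightDir = 'C:\Program Files\Xlight'
$Account   = "$env:COMPUTERNAME\test"

# Step 1: Full Control on the five configuration files and the program folder.
foreach ($name in 'ftpd.hosts','ftpd.option','ftpd.password','ftpd.rules','ftpd.users') {
    $path = Join-Path $XlightDir $name
    if (Test-Path -LiteralPath $path) {
        icacls $path /grant "${Account}:(F)" | Out-Null
    } else {
        Write-Warning "Not found (may not exist yet): $path"
    }
}
icacls $XlightDir /grant "${Account}:(OI)(CI)F" | Out-Null

# Step 4: list machine key files newest first, with whether $Account already
# has an explicit ACL entry, to narrow down the SSH host key by creation time.
# Uses the C:\ProgramData location; adjust $dir on older Windows versions.
function Get-MachineKeyCandidate {          # hypothetical helper name
    param([ValidateSet('RSA','DSS')][string]$Type = 'RSA')
    $dir = Join-Path $env:ProgramData "Microsoft\Crypto\$Type\MachineKeys"
    Get-ChildItem -LiteralPath $dir -File -Force |
        Sort-Object CreationTime -Descending |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                FullName     = $_.FullName
                CreationTime = $_.CreationTime
                HasEntry     = [bool]($acl.Access |
                    Where-Object { $_.IdentityReference.Value -eq $Account })
            }
        }
}

# Grant Read to one candidate, or take it back after a failed SFTP test so the
# account does not keep access to machine keys that are not the host key.
function Set-KeyRead {                      # hypothetical helper name
    param([string]$Path, [switch]$Revoke)
    if ($Revoke) { icacls $Path /remove:g $Account | Out-Null }
    else         { icacls $Path /grant "${Account}:(R)" | Out-Null }
}

Get-MachineKeyCandidate -Type RSA | Format-Table -AutoSize
# Set-KeyRead -Path '<full path of one candidate>'          # then test SFTP
# Set-KeyRead -Path '<full path of one candidate>' -Revoke  # if it was wrong
```

Revoking the grant on each file that turns out not to be the host key keeps the trial-and-error search from leaving the "test" account with Read access to unrelated machine keys.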