Getting Started With SFTP Server


SFTP Server is an easy-to-use solution for managing the server-side of secure file transfer. This guide will focus on the simple configuration steps needed to boot the server and the authentication mechanisms supported by the server.


  1. Setting up SFTP Server
  2. Authentication Details
  3. Additional Information

Setting up SFTP Server

Server Settings

The first time SFTP Server is run, first switch to the Server Settings tab to select the X.509 Digital Certificate to be used by the server to protect the SSH connections. By default, the setup will install and configure the application to use the included test certificate, testcert.pfx. Alternatively, a previously generated certificate can be selected or a new one generated.

From this tab the root directory can be configured for the server. By default the "windir" environmental variable will be used to determine the root directory.


The Authentication tab can be used to configure the client credentials required to connect to the server. For User/Password authentication, the Security Group should be set to the pre-configured group of Windows User accounts whose credentials will be accepted by the server. To use Public Key authentication, click to Enable Public Key Authentication and select the public key either from a Windows store or a file on disk.

Running as a Windows Service

If the Run as a Windows Service option in the Service tab is NOT selected, the SSH listener will be run in-process inside the SFTP Server application. This means that to be able to connect to the server, a user must be logged in and the SFTP Server application must be running (and the listener started). This mode of operation can be very convenient for desktop use.

However, for servers, it is better to enable the Run as a Windows Service option. In this mode of operation, the SSH listener (and any connected SFTP sessions) are not run on the desktop. Instead, a Windows Service is configured, which can run all the time, even if no users are logged on. When this option is enabled, the Start/Restart/Stop buttons in the SFTP user interface actually control the Windows Service.

The Windows Service can also be controlled from the command line by specifying the servicestart or servicestop command line parameters. For example, to start the service:

SFTPServer.exe /servicestart

And to stop the service:

SFTPServer.exe /servicestop

Starting the Server

Once the desired options have been configured, press the Save Changes button in the toolbar to save the changes. At this point, the server is ready to start and begin listening for SSH connections. The Start, Restart and Stop buttons can be used to control whether the server is listening or not.


SFTP Server supports three authentication mechanisms: Username/Password, GSSAPI, and Public Key Authentication.

Password Authentication

Clients connecting to the server need to provide a username and password combination. The credentials are then verified using Windows Authentication mechanisms to make sure they match a valid local account on the server or on a domain trusted by it.

Connecting clients are authorized by checking membership of the specified user in a Security Group. The local/domain Security Group used for authorization can be selected under the Connection tab.

GSSAPI Authentication (NTLM/Kerberos)

NTLM or Kerberos authentication can be enabled by checking Enable GSSAPI Authentication under the Authentication tab and choosing the desired Supported Mechanisms.

Note that when using Kerberos as an authentication mechanism, it is recommended that SFTP Server be run as a service. When not running as a service and instead running under a user account, the default SPN (Service Principal Name) format of host/machine@domain used may result in errors. In that case, a new SPN should be registered (for instance ssh/machine) with the domain controller, and the KerberosSPN registry setting for SFTP Server must be set. Additionally any connecting SSH client will need to be configured to use the newly defined SPN.

Public Key Authentication

If Public Key Authentication is enabled in the server user interface, connections to the server can also authenticate using the standard public key authentication mechanism supported by the SSH protocol instead of presenting a password.

SFTP Server supports file based public key authentication similar to OpenSSH. That is, a public key file can be specified that was generated using a tool such as PuTTYgen. This can be setup as follows:

  1. Check the Enable Public Key Authentication checkbox on the Security tab and select the File Based Public Key Authentication option.
  2. Select a key file that contains a list of SSH public keys. The file must contain one key per line, and should be formatted as follows:
    ssh-rsa AAAAB3NzaC1yc2EA...rPFBe7Pnc= rsa-key-20110822
  3. Connect using a private key that corresponds to one of the public keys in the specified file.

Windows Store based public key authentication is also supported by selecting the Windows Store Based Public Key Authentication option and choosing the desired store type and name.

With Public Key Authentication, connecting clients only need to present a username and demonstrate that they have a private key matching a public key known by the server.

Additional Information

Once the server is configured and clients can authenticate, files can be transferred freely. Additional configuration information is available in the SFTP Server Reference file, which can be accessed through the Contents option under the Help dropdown in the top right corner of the UI.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at

We appreciate your feedback.  If you have any questions, comments, or suggestions about this article please contact our support team at