Getting started with Folderfay

The following technical guide explains how to configure access-denied assistance on your Windows file server, implement Folderfay and verify that everything is working properly.

The entire system can be set up in about 30 minutes.

Before following this guide, make sure a Folderfay account is created and your email address is validated.

Don't let the wall of text scare you. The setup is quite easy.

Step 1: Configure FSRM e-mail notifications
Step 2: Configure access-denied assistance
Step 3: Install and configure the Folderfay agent
Step 4: Define folder owners and protected folders
Step 5: Verify the setup

Step 1: Configure FSRM e-mail notifications

This part of the guide is based on the original access-denied knowledge base article by Microsoft.
You can configure access-denied assistance within a domain by using Group Policy, or you can configure the assistance individually on each file server by using the File Server Resource Manager console. Our guide will follow the easy road using FSRM.

If FSRM isn't installed yet on your server, please do so by opening PowerShell as admin and entering the following cmdlet:

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

Configure e-mail notifications using FSRM

  1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager.

  2. Right-click File Server Resource Manager (Local), and then click Configure Options.

  3. Click the Email Notifications tab.

  4. Configure the following settings:

    1. In the SMTP server name or IP address box, type the name or IP address of the SMTP server in your organization.
    2. Enter an e-mail address you have access to as a default administrator recipient.
    3. The default 'from' e-mail address should be in line with your SMTP server config.

  5. Click Send test e-mail to make sure the SMTP configuration is working fine.

  6. Click OK.

FSRM does not support any form of e-mail authentication, so configure your SMTP server accordingly.

The SMTP server role can be added to your file server if no SMTP server is currently available.
This Microsoft knowledge base article can help you set things up. Don't forget to open up TCP port 25 so the server can send mail to our systems.

We're currently working on providing our own SMTP service to simplify this part of the setup.
Customers with an active subscription can contact us for more info.

Step 2: Configure access-denied assistance

  1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager.

  2. Right-click File Server Resource Manager (Local), and then click Configure Options.

  3. Click the Access-Denied Assistance tab.

  4. Select the Enable access-denied assistance check box.

  5. In the Display the following message to users who are denied access to a folder or file box, type a message that users will see when they are denied access to a folder. For example:

    Access to this folder is restricted. To request access, click the 'request assistance' button below and explain why you need access to this resource. The owner(s) of the folder will be notified and are then able to grant access.

  6. Click Configure email requests and configure the following settings:

    1. Select the Enable users to request assistance check box.
    2. Select the User information (including claims) check box.
    3. Select the Device state information check box.
    4. Copy/paste your unique Folderfay mailbox email address in the Recipient list.
      The address can be found under Configuration > Mail in our back-end.
    5. Deselect the Folder owner checkbox.
    6. Deselect the Administrator checkbox.
    7. Click OK.

  7. Click Preview if you want to see how the error message will look to the user.

  8. Click OK.

You can also specify a separate access-denied message for each shared folder on a file server using PowerShell:

Set-FSRMMgmtProperty -Namespace "folder path" -Name "AccessDeniedMessage_MS" -Value "Text the user will see in the error message dialog box."
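
The console settings from Steps 1 and 2 can also be applied and read back with the FileServerResourceManager PowerShell module, which makes it easy to confirm that requests go only to the Folderfay mailbox. This is an added example, not a script supplied by Folderfay; the SMTP host and all e-mail addresses are placeholders, and the mapping of check boxes to cmdlet parameters is an assumption based on the cmdlet documentation.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules FileServerResourceManager

# Placeholders (assumptions, not values from this guide): replace before running.
$SmtpServer       = 'smtp.example.internal'
$AdminAddress     = 'fileserver-admin@example.com'
$FromAddress      = 'fsrm@example.com'
$FolderfayMailbox = '<your-unique-folderfay-mailbox-address>'

# Step 1: FSRM e-mail notification settings, followed by a test message.
Set-FsrmSetting -SmtpServer $SmtpServer -AdminEmailAddress $AdminAddress -FromEmailAddress $FromAddress
Send-FsrmTestEmail -ToEmailAddress $AdminAddress

# Step 2: access-denied assistance. Assumed mapping of the dialog's check boxes:
#   Enable users to request assistance    -> AllowRequests
#   User information (including claims)   -> IncludeUserClaims
#   Device state information              -> IncludeDeviceClaims
#   Recipient list                        -> MailTo
#   Folder owner / Administrator          -> MailToOwner / MailCCAdmin
$adr = @{
    Enabled             = $true
    AllowRequests       = $true
    IncludeUserClaims   = $true
    IncludeDeviceClaims = $true
    MailTo              = $FolderfayMailbox
    MailToOwner         = $false
    MailCCAdmin         = $false
}
$message = "Access to this folder is restricted. To request access, click the 'request assistance' button below and explain why you need access to this resource."
Set-FsrmAdrSetting -Event AccessDenied -DisplayMessage $message @adr

# Read the live configuration back and list every value that differs from the guide.
$current = Get-FsrmAdrSetting -Event AccessDenied
$drift = foreach ($name in $adr.Keys) {
    if ($current.$name -ne $adr[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $adr[$name]; Actual = $current.$name }
    }
}
if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning 'Access-denied assistance does not match the settings in this guide.'
}
else {
    'Access-denied assistance matches the settings in this guide.'
}
```
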

Step 3: Install and configure the Folderfay agent

  1. Log in to your Folderfay account, click Servers and then click the Add new server button.

  2. Name your server in the dialog window and click Add server at the bottom. The dialog should still be displayed after saving. If it closed, open it again by selecting Edit from the Actions menu (•••).

  3. Click the download link in the dialog window to download the latest version of the Folderfay service installation.

  4. Make sure you have Microsoft .NET Core 2.1 Hosting Bundle installed on your file server.
    This is a lightweight stand-alone version of the .NET framework and has no effect on existing .NET installations. The installation does not require a server restart.

  5. Run the installer on the file server. During the installation you will be asked for a ServerId and ServerKey.
    Copy/paste these values from the dialog window and finish the installation. No need to restart the server.

  6. The service needs to run as a user (or service account) that has full control of the directory structure.
    By default it runs as LocalSystem and can then also look up additional user information in Active Directory as the machine AD account. This is used, for example, to display the person's full name instead of the logon name in the request emails.

    The service needs to run under a domain user that can also create security groups if you want to automatically create security groups per protected folder instead of adding users directly. (This is a setting per folder.)
    If this functionality is needed, create a specific account and do not use a domain admin account:

    1. Change the service account by running services.msc, then search for and right-click Folderfay in the services list and select Properties.
    2. On the Log On tab select This account and enter or browse for the specific account and password.
    3. Click OK to close the dialog.
    4. Right-click Folderfay again, select Restart and make sure the service is able to run under the new account.
    5. In the Folderfay back-end the status of your server should change to online after about five minutes.

The Folderfay agent uses a secure TLS connection over TCP port 443 to connect to our servers.
Please allow the connection to hostname folderfay-prod.servicebus.windows.net at firewall level if it is blocked.
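
A quick check of the service account and the outbound connection described in Step 3, as an added example that is not part of the Folderfay installer. It assumes the service's display name contains "Folderfay" and that the ActiveDirectory RSAT module is installed; checking Enterprise Admins and Administrators in addition to Domain Admins goes beyond what the guide asks for.

```powershell
#Requires -Modules ActiveDirectory

# Assumption: the display name shown in services.msc contains "Folderfay".
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Folderfay%'" |
    Select-Object -First 1
if (-not $svc) { throw 'No service with "Folderfay" in its display name was found.' }

'{0}: state={1}, runs as {2}' -f $svc.Name, $svc.State, $svc.StartName
if ($svc.State -ne 'Running') { Write-Warning 'The Folderfay service is not running.' }

if ($svc.StartName -eq 'LocalSystem') {
    # Installer default: fine unless per-folder security groups must be created automatically.
    'Running as LocalSystem; per-folder security-group creation needs a domain user instead.'
}
else {
    # StartName is DOMAIN\user or user@domain; reduce it to the sAMAccountName.
    $sam = if ($svc.StartName -like '*\*') { ($svc.StartName -split '\\')[-1] }
           else { ($svc.StartName -split '@')[0] }

    # The guide says not to use a domain admin account; flag membership in privileged groups.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators'
    $hits = foreach ($group in $privileged) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        if ($members.SamAccountName -contains $sam) { $group }
    }
    if ($hits) {
        Write-Warning "$sam is a member of: $($hits -join ', '). Use a dedicated, less privileged account."
    }
    else {
        "$sam is not a member of the checked privileged groups."
    }
}

# Outbound TLS endpoint named in this guide.
$endpoint = 'folderfay-prod.servicebus.windows.net'
$tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) { "TCP 443 to $endpoint is reachable." }
else { Write-Warning "TCP 443 to $endpoint is blocked or unreachable." }
```
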

Step 4: Define folder owners and protected folders

  1. Define a root folder in the Folderfay back-end under Configuration > Servers then select Root folders from the Actions menu (•••) of your new server.
    The Shared path is the root network path your users can see e.g. \\FileServer\Projects
    The corresponding Local server path is the absolute local path on the file server itself e.g. E:\Data\Projects

  2. Under Configuration > Folders click the Add new folder button, configure the settings as needed and add the folder you want to secure to the system. Make sure to check Initialize folder on file server if the folder is currently open to everyone. If the folder already has limited access, you need to make sure the Folderfay service account has full control rights. It needs to be able to add/remove users and groups.

  3. Select Authorizer(s) from the Actions menu (•••) of your new folder and add at least one authorizer who will then receive access requests.

Step 5: Verify the setup

  1. Browse to your file share in Windows Explorer as a regular user and try to open the protected folder.

  2. You should now be prompted to request assistance and, after clicking the assistance button, be able to enter a reason for access.

  3. The authorizer(s) should now receive your request and be able to use the buttons in the Folderfay request email.