Running SSH Tectia Server 220.127.116.11 on Windows 2008 R2. I can login using password authentication using a local account, but when I try to login using a Windows domain account, the following gets logged in the Application log on the Windows server:
Any ideas what I am missing in the setup?
asked Jul 07 '11 at 22:49
Are the user and the SSH server in the same domain, or different domains? (If different, is there a two-way trust between the domains?)
Do you have access to the domain controller logs? The security logs might show attempts to access user info, coming from the server host. If there are such log messages, then the connection from the server to the domain controller should be working and the issue would seem to be permissions related. If there are no access errors in the domain controller logs, originating from the server, then it could be that the server is having problems connecting to the domain controller. (This should also be visible in Tectia server's debug output. If you have support with Tectia, you could open a ticket and have the debug output analyzed.)
One thing to check is that the server machine is in the "Pre-Windows 2000 Compatible Access" domain group. If it is not part of the group, you can either add the individual host, or for instance the "Domain Computers" group, into the "Pre-Windows 2000 Compatible Access".
answered Aug 01 '11 at 23:15
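The checks the answer above suggests can be scripted. The following is an added example, not code from the thread or from SSH Tectia; it assumes an admin host with the RSAT ActiveDirectory module, PowerShell 3.0 or later, and that `$ServerName`, `$UserDomain` and `$DomainController` are replaced with real values (the ones below are placeholders). It reports whether the SSH server's computer account is covered by "Pre-Windows 2000 Compatible Access" (directly, through a group such as Domain Computers, or through the Authenticated Users well-known SID), whether the user's domain is the server's own domain or reachable over a trust, and which recent credential-validation and failed-logon events on a domain controller name the server.

```powershell
# Added example (not from the original thread). Requires the RSAT ActiveDirectory
# module and PowerShell 3.0+. All three values below are placeholders.
Import-Module ActiveDirectory

$ServerName       = 'SSHSRV01'          # placeholder: Tectia server host name
$UserDomain       = 'users.example'     # placeholder: DNS name of the user's domain
$DomainController = 'DC01.corp.example' # placeholder: a DC the server talks to

function Test-PreWin2000Access {
    param([string]$ComputerName)
    $group    = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    $computer = Get-ADComputer -Identity $ComputerName
    # Direct group memberships of the computer account (includes its primary group, Domain Computers).
    $computerGroups = Get-ADPrincipalGroupMembership -Identity $computer |
                      Select-Object -ExpandProperty DistinguishedName

    $direct   = $group.member -contains $computer.DistinguishedName
    $viaGroup = @($group.member | Where-Object { $computerGroups -contains $_ })
    # Well-known SIDs are stored as foreign security principals; S-1-5-11 is Authenticated Users.
    $viaAuthUsers = @($group.member | Where-Object { $_ -like 'CN=S-1-5-11,*' }).Count -gt 0

    [pscustomobject]@{
        Computer              = $computer.DistinguishedName
        DirectMember          = $direct
        MemberViaGroups       = $viaGroup
        ViaAuthenticatedUsers = $viaAuthUsers
        Covered               = ($direct -or ($viaGroup.Count -gt 0) -or $viaAuthUsers)
    }
}

function Test-UserDomainReachable {
    param([string]$UserDomainDns)
    $serverDomain = (Get-ADDomain).DNSRoot
    if ($UserDomainDns -ieq $serverDomain) {
        return [pscustomobject]@{ SameDomain = $true; Trust = 'n/a' }
    }
    # Get-ADTrust ships with the Windows Server 2012+ version of the AD module.
    # Direction is BiDirectional, Inbound or Outbound; a one-way trust in the wrong
    # direction is a common reason cross-domain logons fail.
    $trust = Get-ADTrust -Filter "Name -eq '$UserDomainDns'"
    [pscustomobject]@{
        SameDomain = $false
        Trust      = if ($trust) { $trust.Direction } else { 'none found' }
    }
}

function Get-DcEventsForServer {
    param([string]$Dc, [string]$ComputerName, [int]$Hours = 24)
    # 4776: NTLM credential validation performed by the DC; 4625: failed logon.
    # Both message bodies carry the name of the workstation the request came from.
    Get-WinEvent -ComputerName $Dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4776, 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ComputerName) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Test-PreWin2000Access    -ComputerName $ServerName  | Format-List
Test-UserDomainReachable -UserDomainDns $UserDomain | Format-List
Get-DcEventsForServer    -Dc $DomainController -ComputerName $ServerName | Format-Table -AutoSize
```

If `Covered` is false, adding the host (or Domain Computers) to the group is the fix the answer describes. If the DC query returns nothing at all for the server over the last day while logons are being attempted, that points at the server never reaching that DC, which is the second case the answer distinguishes; check the DC the server actually uses (`nltest /dsgetdc:<domain>` on the server reports it) rather than an arbitrary one.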
As noted above, I still get a very long delay while logging in with a domain account. I worked with my domain administrator to capture the communications between the server and the domain controllers. The queries for domain account information appear to use a very old unsupported method, accessing the IPC$ share (no client access allowed in our domain) and the SAMR interface. Our domain admin says "I believe this method was replaced using a TCP endpoint. The samr process is controlled by lsass.exe, and I can see where this process rejects the request." We also see what appears to be a request for LM or NTLMv1, and these are disabled in our domain, so the domain controller simply ignores the requests.
It is all truly disheartening to find that a deprecated protocol has been added to a new version of the product. My old 4.x version does not behave in this manner.
We are currently evaluating other SSH Server products.
answered Oct 26 '11 at 21:27
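The follow-up above reports LM/NTLMv1 requests that the domain controllers silently drop. A defender can confirm from the server side what the host is willing to offer and whether any weak NTLM logons are being recorded. The following is an added example, not code from the thread or from SSH Tectia; run it on the SSH server host as an administrator, and it assumes PowerShell 3.0 or later. It reads the host's `LmCompatibilityLevel` (levels 0-2 can still send LM/NTLMv1; 3 and above send NTLMv2 only) and scans the local Security log for 4624/4625 events whose NTLM package name is `LM` or `NTLM V1`. The hours and event cap are placeholders.

```powershell
# Added example (not from the original thread). Run elevated on the SSH server host.

function Get-LmCompatibilityLevel {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # A missing value means the OS default; on Windows Server 2008 R2 that is 3.
    $level = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }
    $meaning = switch ($level) {
        0 { 'Send LM & NTLM responses' }
        1 { 'Send LM & NTLM, use NTLMv2 session security if negotiated' }
        2 { 'Send NTLM response only' }
        3 { 'Send NTLMv2 response only' }
        4 { 'Send NTLMv2 only, refuse LM' }
        5 { 'Send NTLMv2 only, refuse LM & NTLM' }
    }
    [pscustomobject]@{
        LmCompatibilityLevel = $level
        Meaning              = $meaning
        CanSendLmOrNtlmV1    = ($level -le 2)
    }
}

function Get-WeakNtlmLogons {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)   # placeholders
    # 4624 = successful logon, 4625 = failed logon; both carry the
    # "Package Name (NTLM only)" field, stored as LmPackageName in the event XML.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (@('LM', 'NTLM V1') -contains $data['LmPackageName']) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                Package     = $data['LmPackageName']
            }
        }
    }
}

Get-LmCompatibilityLevel | Format-List
Get-WeakNtlmLogons | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because the domain controllers in the follow-up ignore the LM/NTLMv1 requests outright, those attempts may never produce a 4624 or 4625 on the server; a network capture between the server and the DC, as the poster did, remains the authoritative check. The registry value tells you whether the operating system itself would fall back to LM/NTLMv1; an application that builds its own NTLM messages, as the follow-up suggests the server does, is not governed by it, which is why both checks are worth running.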