
Running SSH Tectia Server 6.1.4.83 on Windows 2008 R2. I can log in using password authentication with a local account, but when I try to log in using a Windows domain account, the following gets logged in the Application log on the Windows server:
"Cannot initialize user context: user `domainusername' doesn't exist or getting user info failed", "User does not exist, faking authentication."

Any ideas what I am missing in the setup?

Thanks, TomP

asked Jul 07 '11 at 22:49


TomP

Hi TomP,

Can you confirm if your domain is listed under "Domain Policy" - is your domain there?

Please review: http://www.tectia.com/manuals/server-admin/61/server-domainpolicy.html

Thanks, James Wright

(Jul 08 '11 at 16:40) jamesw ♦♦

James, Yes, the domain is listed in the Domain Policy.

Sorry for the delayed response. My SSH project got trumped by another project but I am back on course now.

TomP

(Jul 28 '11 at 21:32) TomP

Hi,

Are the user and the SSH server in the same domain, or different domains? (If different, is there a two-way trust between the domains?)

Do you have access to the domain controller logs? The security logs might show attempts to access user info, coming from the server host. If there are such log messages, then the connection from the server to the domain controller should be working and the issue would seem to be permissions related. If there are no access errors in the domain controller logs, originating from the server, then it could be that the server is having problems connecting to the domain controller. (This should also be visible in Tectia server's debug output. If you have support with Tectia, you could open a ticket and have the debug output analyzed.)

One thing to check is that the server machine is in the "Pre-Windows 2000 Compatible Access" domain group. If it is not part of the group, you can either add the individual host, or for instance the "Domain Computers" group, into the "Pre-Windows 2000 Compatible Access".


answered Aug 01 '11 at 23:15


Jan ♦

Yes, the user and server accounts are in the same domain.

I've emailed our domain admins and am waiting for a response. The "netstat" command indicates the member server where SSH is running is connecting to the DCs, although I do see a connection to a high-end port (49156) that stays in a TIME_WAIT status during the authentication process.
FWIW - The account in question is able to login at the server console.

The "Pre-Windows 2000 Compatible Access" group contains "Authenticated Users" but that matches what is stated in Section 9.3.3 (page 215) of the SSHTectiaServer_AdminManual.pdf document.

(Aug 03 '11 at 21:18) TomP

Could you check, just to be sure, that the server computer is in the "Authenticated Users" group, possibly through some other subgroup?

Also, Windows 2008 R2 support was officially introduced in SSH Tectia Server version 6.1.7, so I would recommend upgrading to a newer version.

(Aug 04 '11 at 00:39) Jan ♦

To eliminate any compatibility issues I've recreated this on Windows 2008 SP2. The rights of the Authenticated Users group are something picked up after an account is authenticated. It's not a regular domain group that you can add accounts to. Our domain does restrict access to account info (for instance, "net user accountname /domain" fails with access denied for any accountname other than the currently authenticated account). That and the debug log make me think the login is failing because of that. Can anyone confirm that a failed account query will result in a failed login for SSH? Tom

(Aug 22 '11 at 18:46) TomP

Tom, that is correct, a failed account query will result in a failed login. I think the need for the "Pre-Windows 2000 Compatible Access" comes from the need to do the query. Note that the server is running as system, so the entity doing the account query is the server machine. Adding "Domain Computers" (or the individual server machine) to the "Pre-Windows 2000 Compatible Access" domain group might do the trick. (If not, I would suggest inspecting the log messages on the domain controller to see if there are some other permissions that need to be added.)

(Aug 29 '11 at 18:54) Jan ♦

I can log in with a domain account after having my server account added to the Windows Authentication Access group in Active Directory, BUT the call to NetGetUserInfo still fails. The problem with that is it makes four attempts at increasing intervals before giving up and that causes about a 15 second delay in the login.
I believe the server is picking up the rights of the "Pre-Windows 2000 Compatible Access" group and I will confirm that today. Since the call to NetGetUserInfo is not necessary for authentication, is there a way to disable it from the login process?

(Aug 30 '11 at 18:32) TomP

Adding the member machine to the Pre-Windows 2000 Compatible Access group made no difference. From a network capture it appears the SSH Server tries to access:
- the IPC$ share, which member machines cannot do.
- the SAMR interface (samr named pipe), which is rejected by the DC (we think current practices have replaced this method by using a TCP endpoint).
It sends a "Negotiate Protocol Request" which appears to be for an LM or NTLMv1 connection, which is ignored by the DC. (The domain is restricted to using NTLMv2 only.)

So, I am evaluating other SSH products :-(.

(Sep 14 '11 at 18:59) TomP
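The checks Jan suggests (is the computer account in "Pre-Windows 2000 Compatible Access", possibly via "Domain Computers"; the query runs as SYSTEM, i.e. as the machine account) and the NTLMv2-only observation above can be gathered from the server host in one place. This is an added diagnostic script, not part of the thread and not Tectia's own tooling; it assumes an elevated PowerShell on the Tectia host with the RSAT ActiveDirectory module installed, and the group and registry names are the standard Windows ones.

```powershell
# Added diagnostic (not from the thread or from Tectia). Run elevated on the
# Tectia server host; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$computer          = Get-ADComputer -Identity $env:COMPUTERNAME
$domainComputersDn = (Get-ADGroup -Identity 'Domain Computers').DistinguishedName

# 1. Group membership of the computer account. The SSH server runs as SYSTEM,
#    so the user-info query reaches the DC as the machine account, not as the
#    user who is logging in.
$report = foreach ($name in 'Pre-Windows 2000 Compatible Access',
                            'Windows Authorization Access Group') {
    $grp = Get-ADGroup -Identity $name -Properties member
    [pscustomobject]@{
        Group              = $name
        HostIsDirectMember = $grp.member -contains $computer.DistinguishedName
        ViaDomainComputers = $grp.member -contains $domainComputersDn
        # "Authenticated Users" is stored as the foreign security principal
        # S-1-5-11; it applies to accounts after logon and is not a group a
        # computer object can be added to, which is why it alone may not help.
        ContainsAuthUsers  = [bool]($grp.member -match '^CN=S-1-5-11,CN=ForeignSecurityPrincipals,')
    }
}
$report | Format-Table -AutoSize

# 2. NTLM policy on this host. Levels 0-2 still offer LM/NTLMv1 responses,
#    which a DC restricted to NTLMv2 (level 5) drops; levels 3-5 send NTLMv2 only.
$lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$level = if ($lsa) { $lsa.LmCompatibilityLevel } else { 'not set (2008 R2 default is 3)' }
"LmCompatibilityLevel on $($env:COMPUTERNAME): $level"

# 3. Recent occurrences of the exact failure the thread is about.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-1) } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Cannot initialize user context*' } |
    Select-Object TimeCreated, ProviderName, Message |
    Format-Table -Wrap
```

If the membership columns are all false while the event keeps appearing, the DC security log (Jan's other suggestion) is the next place to look, since the query is being made by the machine account.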

As noted above, I still get a very long delay while logging in with a domain account. I worked with my domain administrator to capture the communications between the server and the domain controllers. The queries for domain account information appear to use a very old unsupported method, accessing the IPC$ share (no client access allowed in our domain) and the SAMR interface. Our domain admin says "I believe this method was replaced using a TCP endpoint. The samr process is controlled by lsass.exe, and I can see where this process rejects the request." We also see what appears to be a request for LM or NTLMv1 and these are disabled in our domain so the domain controller simply ignores the requests.

It is all truly disheartening to find that a deprecated protocol has been added to a new version of the product. My old 4.x version does not behave in this manner.

We are currently evaluating other SSH Server products.


answered Oct 26 '11 at 21:27


TomP


Seen: 13,796 times

Last updated: Oct 26 '11 at 21:27

All user contributed content licensed under the cc-by-sa license.