Our Domain users always need to authenticate first with password and only then with another authentication method. Is there a problem?
asked Dec 14 '10 at 20:56
SSH KB ♦
Due to the Windows domain controller architecture, password authentication is always required for domain users - even if some other authentication method, for example public-key authentication, is used.
The SSH Tectia Client will also need to perform these authentication methods in an exceptional order for a domain user - first password and only then public-key.
In SSH Tectia Server (Windows), public-key-only authentication is supported for local users.
When domain user accounts are used, it is recommended to use the GSSAPI authentication method for non-interactive authentication.
However, if it is not possible to use the GSSAPI authentication method, it is possible to use sub-configurations to have different server configurations depending on the username or host. For example, using these sub-configuration files, local users can be permitted to log in using public-key-only authentication, but domain users can be required to use both public-key and password.
This makes it possible for the administrator of the server to allow only specific users to authenticate to local accounts using public-key-only authentication - for example, users who need to run batch or scripted tasks - while other users are required to authenticate to the Windows domain.
Upgrade to 4.3.4 or higher in the 4.x version series. Domain users using this version can get local access tokens using public-key-only authentication. This means domain users can authenticate, but then only have access to local resources on the server. GSSAPI or password authentication is still required to obtain the domain access tokens that are needed to access domain resources.
answered Dec 14 '10 at 20:58
Dave Rivard ♦
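As an added illustration of the sub-configuration approach described in the answer above (this is not configuration from the answer or from the SSH Tectia documentation): the main server configuration keeps public key plus password as the default for everyone, including domain users, and a user-specific sub-configuration relaxes that to public key only for one local batch account. The directive names (`AllowedAuthentications`, `RequiredAuthentications`, `UserSpecificConfig`) are assumed to follow the sshd2_config syntax of the 4.x series, and the account name `svc_backup` and the file paths are placeholders.

```conf
## --- sshd2_config (main server configuration, assumed 4.x syntax) ---

## Default for every account, domain users included: the public key is
## checked first, and a password is still required afterwards because
## the domain controller only issues domain access tokens for a
## password (or GSSAPI) logon.
AllowedAuthentications   publickey,password
RequiredAuthentications  publickey,password

## Give one LOCAL (non-domain) account its own sub-configuration file.
## "svc_backup" is a placeholder for the account that runs scripted jobs.
UserSpecificConfig       svc_backup   subconfig/svc_backup.ssh2


## --- subconfig/svc_backup.ssh2 (user-specific sub-configuration) ---

## Only the keywords listed here are overridden; everything else is
## inherited from the main file. Because the account is local, no
## domain token is needed, so a key alone is sufficient to log in.
AllowedAuthentications   publickey
RequiredAuthentications  publickey
```

A domain user who logs in under the default block still gets the "password, then public key" ordering the question describes, while `svc_backup` can be driven non-interactively with a key and, as the answer notes, ends up with local access tokens only.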