The Tectia Server troubleshooting log shows the following LSA Logon User error message when Tectia Server is run in debug mode:

LsaLogonUser() failed while authenticating using SSHDAP package

(WinError: 1385:“Logon failure: the user has not been granted the requested logon type at this computer. “) ; sub_status=0 (WinError: 0:“The operation completed successfully. “)

and the Windows Event Log message shows a Tectia Server authentication error, for example:

708 Publickey_auth_error, Username: testuser, Algorithm: publickey, “Could not find the received public key in user’s public key authorization file or directory: Access token has not (yet) been created for user ‘testuser’. This usually means that either creating the access token failed or the SSHDAP authentication package was not installed correctly. The computer may require a restart. / Could not initialize userfile module”, Session-Id: 1

asked Jan 23 at 15:18

SSH KB ♦

Ensure that Tectia Server is running the latest LTS version. For example, the LSA protection mode on Windows requires Tectia Server version 6.4.16 or later.

When public key authentication (or an authentication method other than password or keyboard-interactive password) is used to log in to Windows via Tectia Server, the Windows logon type "Network" is used. If this access right has been denied in the Windows security policy, the login fails because an access token cannot be obtained. The solution is either to grant the user network logon rights in Windows or to use the password cache feature of Tectia Server.

The same user might be able to obtain an access token when password authentication is used. If password (or the password cache feature with public-key authentication) is used, then by default Tectia Server will attempt the "Interactive" Windows Logon Type, and the user needs to have the Logon Locally access right or the login fails.

In the Tectia Server configuration, the default behaviour for password/password-cache logins can be changed with Windows Logon Type, for example so that "Network" logon is also attempted for password authentication and the user does not need to have the Logon Locally access right. However, with the Network logon type the user does not have access to domain resources, for instance network drives.

answered Jan 23 at 15:38

SSH KB ♦
edited Jan 23 at 15:43
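
The rights check implied by the answer above, as an added example that is not part of the original post and not Tectia's own tooling: it reads a Windows user-rights export and reports whether the "Network" and "Interactive" logon types are granted or denied for a set of principals. The function name `Get-LogonRightStatus` is hypothetical, and the sample export and SIDs are constructed (the SID ending in 1001 stands in for testuser).

```powershell
# Input is the text of a security policy export, produced on the server with:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
function Get-LogonRightStatus {
    param(
        [Parameter(Mandatory)] [string]   $InfText,    # contents of the export
        [Parameter(Mandatory)] [string[]] $Principals  # user's SID/name plus its group SIDs/names
    )
    # Parse "SeXxxRight = *S-1-5-..,Name" lines into right -> list of entries.
    $rights = @{}
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    # Allow/deny user rights that gate each logon type.
    $map = [ordered]@{
        Network     = 'SeNetworkLogonRight',     'SeDenyNetworkLogonRight'
        Interactive = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'
    }
    foreach ($type in $map.Keys) {
        $allow, $deny = $map[$type]
        $granted = @($rights[$allow] | Where-Object { $Principals -contains $_ })
        $denied  = @($rights[$deny]  | Where-Object { $Principals -contains $_ })
        [pscustomobject]@{
            LogonType = $type
            GrantedBy = $granted -join ','
            DeniedBy  = $denied -join ','
            # A deny entry overrides any grant; no grant at all also fails (WinError 1385).
            Allowed   = ($granted.Count -gt 0) -and ($denied.Count -eq 0)
        }
    }
}

# Constructed sample: Users (S-1-5-32-545) may log on both ways, but the
# stand-in user SID is explicitly denied the Network logon type.
$sample = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-21-1111-2222-3333-1001
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
'@
Get-LogonRightStatus -InfText $sample `
    -Principals 'S-1-5-21-1111-2222-3333-1001', 'S-1-5-32-545' | Format-Table -AutoSize
```

For a real export, pass the file contents with `Get-Content -Raw` and include the SIDs of every group the account belongs to, since rights are usually assigned to groups rather than to individual users.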

All user contributed content licensed under the cc-by-sa license.