Tessando


Question about Authentication for SFTP on Windows Server 2016

This week I've got some great advice about setting up SFTP on Windows Server 2016.

I was able to get this set up using a decent set of directions I found online [2].

The challenge I'm having now has to do with authentication. I am able to create a local user and log in using SFTP on port 22 (for a private IP address inside a VPN); however, I cannot get SFTP to log in using my Domain\User or even an AD group.

Part of the reason I chose this recipe is because I wanted users to be able to authenticate against Active Directory.

Am I missing something, or did I set something up wrong?

I'm using the SimpleAD Service from AWS (which is SAMBA) for Active Directory. Could that be a limitation in this regard?
      
[1] https://www.experts-exchange.com/questions/29170604/Why-Are-There-Random-Ports-When-Attempting-to-Connect-via-FTP-after-I-Bound-IIS-to-Port-21.html?anchorAnswerId=43019573#a43019573
[2] https://tech.xenit.se/installing-and-configuring-sftp-server-on-windows-server-2016/
arnold

It seems you are a version behind.
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

Do you use Hyper-V for virtualization? Using a Linux system with AD integration might achieve, or get you closer to, where you want to be.
AD integrated, minimize exposure of the SFTP/SSH to the Linux virtual system.

What are you trying to get across? What are you trying to do?

I.e., what is the task before you, where initially you considered using FTP and are now looking to use SFTP?
Tessando (ASKER)

I am setting up a way for users to be able to securely move files from their local computers to a networked system. Really, FTP would suffice and did for a long time, however after posting here on EE I was instructed that SFTP was much more secure.

That said, this is an EC2 Instance running Windows Server 2016.

Thanks for your help with these authentication suggestions.

When dealing with internal users and internal shares, what is the purpose a user has to access files?

From this, FTP is unnecessary; why not use file shares?

Secure from whose point of view?

Use case one is that users are moving files to their local machines, adjusting data and then uploading.

Use case two is that Developers are pushing code.

I understand your suggestion of using File Shares, but I don't think that will work in this case.

Can anyone verify that the lightweight AD (e.g. SAMBA) will not be able to authenticate AD Users for SFTP?

Thanks!

Thank you for the directions and Kerberos suggestions. I found a forum post [1] that states that "WinSCP does not support Kerberos for FTP (for TLS/SSL in general)."

WinSCP is the client my users are using.

What is the name of the Client that your suggested directions are for?

Thanks!


[1] https://winscp.net/forum/viewtopic.php?t=27555

Have you tried to enable "Attempt GSSAPI authentication"?

https://winscp.net/eng/docs/ui_login_authentication

Thank you, Jackie Man.

That selection in WinSCP was already enabled. However, you did inspire me to attempt a different approach. In the config file I used the directive:

AllowUsers domain\*

and now I'm getting a different error in the logs.

Hopefully someone can see this and it will trigger a way to use Windows Authentication for my SFTP:

. 2020-01-31 06:50:15.535 Sent password
. 2020-01-31 06:50:15.777 Password authentication failed
! 2020-01-31 06:50:15.777 Access denied
. 2020-01-31 06:50:15.817 Server offered these authentication methods: password
. 2020-01-31 06:50:15.817 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2020-01-31 06:50:19.181 Sent password
. 2020-01-31 06:50:19.375 Password authentication failed
! 2020-01-31 06:50:19.375 Access denied
. 2020-01-31 06:50:19.426 Server offered these authentication methods: password
. 2020-01-31 06:50:19.426 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2020-01-31 06:50:28.278 Sent password
. 2020-01-31 06:50:28.482 Password authentication failed
! 2020-01-31 06:50:28.482 Access denied
. 2020-01-31 06:50:28.547 Server offered these authentication methods: password
. 2020-01-31 06:50:28.547 Prompt (password, "SSH password", <no instructions>, "&Password: ")

Any idea why it won't accept this User's AD password?
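
Added example, not part of the thread: a small Python triage of the WinSCP session log posted above. It counts password attempts and lists the authentication methods the server advertised, which shows whether the client's "Attempt GSSAPI authentication" setting could have taken effect; the function name `summarize_auth` and the finding strings are illustrative assumptions.

```python
import re

# First two attempts from the WinSCP session log quoted in the post above.
SAMPLE_LOG = """\
. 2020-01-31 06:50:15.535 Sent password
. 2020-01-31 06:50:15.777 Password authentication failed
! 2020-01-31 06:50:15.777 Access denied
. 2020-01-31 06:50:15.817 Server offered these authentication methods: password
. 2020-01-31 06:50:15.817 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2020-01-31 06:50:19.181 Sent password
. 2020-01-31 06:50:19.375 Password authentication failed
! 2020-01-31 06:50:19.375 Access denied
. 2020-01-31 06:50:19.426 Server offered these authentication methods: password
"""

# "<marker> <date> <time.ms> <message>", the layout of the lines above.
LINE_RE = re.compile(r"^\S \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} (?P<msg>.*)$")
OFFERED = "Server offered these authentication methods: "

def summarize_auth(log_text):
    """Count password attempts and collect the methods the server advertised."""
    sent = failed = 0
    offered = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped log line
        msg = m.group("msg")
        if msg == "Sent password":
            sent += 1
        elif msg == "Password authentication failed":
            failed += 1
        elif msg.startswith(OFFERED):
            offered.update(x.strip() for x in msg[len(OFFERED):].split(","))
    findings = []
    if sent and failed == sent:
        findings.append("server rejected every password sent")
    # gssapi-with-mic is the SSH method name for GSSAPI/Kerberos (RFC 4462).
    if offered and "gssapi-with-mic" not in offered:
        findings.append("gssapi-with-mic not offered: client GSSAPI setting is unused")
    return {"sent": sent, "failed": failed,
            "offered": sorted(offered), "findings": findings}

if __name__ == "__main__":
    print(summarize_auth(SAMPLE_LOG))
```

On the posted log this reports that the server advertised only `password`, so the failure lies in how the server validates the domain account's password, not in the client's GSSAPI option.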
ASKER CERTIFIED SOLUTION
Tessando