Tessando asked:
Question about Authentication for SFTP on Windows Server 2016
This week I've got some great advice about setting up SFTP on Windows Server 2016.
I was able to get this setup using a decent set of directions I found online [2].
The challenge I'm having now has to do with Authentication. I am able to create a local user and login using SFTP on Port 22 (for a Private IP Address inside a VPN), however I cannot get SFTP to login using my Domain\User or even an AD Group.
Part of the reason I chose this recipe is because I wanted users to be able to authenticate against Active Directory.
Am I missing something, or did I set something up wrong?
I'm using the SimpleAD Service from AWS (which is SAMBA) for Active Directory. Could that be a limitation in this regard?
[1] https://www.experts-exchange.com/questions/29170604/Why-Are-There-Random-Ports-When-Attempting-to-Connect-via-FTP-after-I-Bound-IIS-to-Port-21.html?anchorAnswerId=43019573#a43019573
[2] https://tech.xenit.se/installing-and-configuring-sftp-server-on-windows-server-2016/
ASKER
I am setting up a way for users to be able to securely move files from their local computers to a networked system. Really, FTP would suffice and did for a long time, however after posting here on EE I was instructed that SFTP was much more secure.
That said, this is an EC2 Instance running Windows Server 2016.
Thanks for your help with these authentication suggestions.
When dealing with internal users and internal shares, what is the purpose for which a user has to access files?
From this, FTP is unnecessary; why not use file shares?
Secure from whose point of view?
ASKER
Use case one is that users are moving files to their local machines, adjusting data and then uploading.
Use case two is that Developers are pushing code.
I understand your suggestion of using File Shares, but I don't think that will work in this case.
Can anyone verify that the lightweight AD (e.g. SAMBA) will not be able to authenticate AD Users for SFTP?
Thanks!
https://www.attachmate.com/documentation/reflection-desktop-v16-1/rdesktop-guide/data/t_6349.htm?view=print
You need to use Kerberos for authentication.
ASKER
Thank you for the directions and Kerberos suggestions. I found a forum post [1] that states that "WinSCP does not support Kerberos for FTP (for TLS/SSL in general)."
WinSCP is the client my users are using.
What is the name of the Client that your suggested directions are for?
Thanks!
[1] https://winscp.net/forum/viewtopic.php?t=27555
Have you tried to enable "Attempt GSSAPI authentication"?
https://winscp.net/eng/docs/ui_login_authentication
ASKER
Thank you, Jackie Man.
That setting in WinSCP was already enabled. However, you did inspire me to attempt a different approach. In the config file I used the directive:
AllowUsers domain\*
and now I'm getting a different error in the logs.
Hopefully someone can see this and it will trigger a way to use Windows Authentication for my SFTP:
. 2020-01-31 06:50:15.535 Sent password
. 2020-01-31 06:50:15.777 Password authentication failed
! 2020-01-31 06:50:15.777 Access denied
. 2020-01-31 06:50:15.817 Server offered these authentication methods: password
. 2020-01-31 06:50:15.817 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2020-01-31 06:50:19.181 Sent password
. 2020-01-31 06:50:19.375 Password authentication failed
! 2020-01-31 06:50:19.375 Access denied
. 2020-01-31 06:50:19.426 Server offered these authentication methods: password
. 2020-01-31 06:50:19.426 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2020-01-31 06:50:28.278 Sent password
. 2020-01-31 06:50:28.482 Password authentication failed
! 2020-01-31 06:50:28.482 Access denied
. 2020-01-31 06:50:28.547 Server offered these authentication methods: password
. 2020-01-31 06:50:28.547 Prompt (password, "SSH password", <no instructions>, "&Password: ")
Any idea why it won't accept this User's AD password?
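One thing worth reading off the log excerpt above before touching the server config: every time the server lists its methods it advertises only `password`, never a `gssapi-with-mic` method, so the client-side "Attempt GSSAPI authentication" option has nothing to negotiate against, and three failed password attempts in about thirteen seconds is the pattern that trips an AD account-lockout threshold. The following parser and summary is an added example (editor's code, not from the thread or from WinSCP) that pulls those two facts out of a WinSCP session log; the embedded log is a constructed copy of the excerpt quoted above, and the `max_failures`/`window` thresholds are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the WinSCP session log quoted in the thread.
SAMPLE_LOG = """\
. 2020-01-31 06:50:15.535 Sent password
. 2020-01-31 06:50:15.777 Password authentication failed
! 2020-01-31 06:50:15.777 Access denied
. 2020-01-31 06:50:15.817 Server offered these authentication methods: password
. 2020-01-31 06:50:15.817 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2020-01-31 06:50:19.181 Sent password
. 2020-01-31 06:50:19.375 Password authentication failed
! 2020-01-31 06:50:19.375 Access denied
. 2020-01-31 06:50:19.426 Server offered these authentication methods: password
. 2020-01-31 06:50:19.426 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2020-01-31 06:50:28.278 Sent password
. 2020-01-31 06:50:28.482 Password authentication failed
! 2020-01-31 06:50:28.482 Access denied
. 2020-01-31 06:50:28.547 Server offered these authentication methods: password
. 2020-01-31 06:50:28.547 Prompt (password, "SSH password", <no instructions>, "&Password: ")
"""

# WinSCP prefixes each log line with a one-character kind marker ('.' info, '!' error,
# '<' / '>' protocol traffic, '*' fatal) followed by a millisecond timestamp.
LINE_RE = re.compile(
    r'^(?P<kind>[.!<>*])\s+'
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+'
    r'(?P<msg>.*)$'
)
OFFERED_RE = re.compile(r'^Server offered these authentication methods: (?P<methods>.+)$')


def parse_winscp_log(text):
    """Return a list of (timestamp, kind, message) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S.%f')
        events.append((ts, m['kind'], m['msg']))
    return events


def summarize_auth(events, max_failures=3, window=timedelta(minutes=1)):
    """Summarize the authentication phase of one WinSCP session.

    Reports which methods the server advertised (so a client option such as
    'Attempt GSSAPI authentication' can be checked against what the server actually
    offers), how many password attempts failed, and whether the failures are dense
    enough to risk tripping an account-lockout policy. The thresholds are assumed
    values for illustration, not a WinSCP or Windows default.
    """
    offered = set()
    failures = []
    for ts, _kind, msg in events:
        m = OFFERED_RE.match(msg)
        if m:
            offered.update(p.strip() for p in m['methods'].split(','))
        elif msg == 'Password authentication failed':
            failures.append(ts)
    burst = len(failures) >= max_failures and failures[-1] - failures[0] <= window
    return {
        'offered_methods': offered,
        'gssapi_offered': any(m.startswith('gssapi') for m in offered),
        'password_failures': len(failures),
        'lockout_risk': burst,
    }


if __name__ == '__main__':
    summary = summarize_auth(parse_winscp_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f'{key}: {value}')
```

Run against the excerpt it reports `gssapi_offered: False` and `lockout_risk: True`: the server never offered a Kerberos/GSSAPI method, so the client setting cannot help until the server side advertises one, and repeated retries against a domain account should be paced to stay under the lockout threshold while the configuration is debugged.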
ASKER CERTIFIED SOLUTION
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
Do you use Hyper-V for virtualization? Using a Linux system with AD integration might achieve, or get you closer to, where you want to be.
AD integrated, minimize exposure of the SFTP/SSH to the Linux virtual system...
What are you trying to get across? What are you trying to do?
I.e. what is the task before you where initially you considered using ftp and now looking to use SFTP?