
Question about Authentication for SFTP on Windows Server 2016

This week I've got some great advice about setting up SFTP on Windows Server 2016.

I was able to get this set up using a decent set of directions I found online [2].

The challenge I'm having now has to do with Authentication. I am able to create a local user and log in using SFTP on Port 22 (for a Private IP Address inside a VPN); however, I cannot get SFTP to log in using my Domain\User or even an AD Group.

Part of the reason I chose this recipe is because I wanted users to be able to authenticate against Active Directory.

Am I missing something, or did I set something up wrong?

I'm using the SimpleAD Service from AWS (which is SAMBA) for Active Directory. Could that be a limitation in this regard?
      
[1] https://www.experts-exchange.com/questions/29170604/Why-Are-There-Random-Ports-When-Attempting-to-Connect-via-FTP-after-I-Bound-IIS-to-Port-21.html#a43019573
[2] https://tech.xenit.se/installing-and-configuring-sftp-server-on-windows-server-2016/

SILVER EXPERT
Distinguished Expert 2019

Commented:
It seems you are a version behind.
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse


Do you use Hyper-V for virtualization? Using a Linux system with AD integration might achieve or get you closer to where you want to be.
AD integrated, minimize exposure of the SFTP/SSH to the Linux virtual system.



What are you trying to get across? What are you trying to do?

I.e., what is the task before you, where initially you considered using FTP and are now looking to use SFTP?
Tessando IT Administrator

Author

Commented:
I am setting up a way for users to be able to securely move files from their local computers to a networked system. Really, FTP would suffice and did for a long time, however after posting here on EE I was instructed that SFTP was much more secure.

That said, this is an EC2 Instance running Windows Server 2016.

Thanks for your help with these authentication suggestions.
SILVER EXPERT
Distinguished Expert 2019

Commented:
When dealing with internal users and internal shares, what is the purpose a user has to access files?

From this, FTP is unnecessary; why not use file shares?

Secure from whose point of view?
Tessando IT Administrator

Author

Commented:
Use case one is that users are moving files to their local machines, adjusting data and then uploading.

Use case two is that Developers are pushing code.

I understand your suggestion of using File Shares, but I don't think that will work in this case.

Can anyone verify that the lightweight AD (e.g. SAMBA) will not be able to authenticate AD Users for SFTP?

Thanks!
Jackie Man IT Manager
SILVER EXPERT
Distinguished Expert 2019

Commented:
Tessando IT Administrator

Author

Commented:
Thank you for the directions and Kerberos suggestions. I found a forum post [1] that states that "WinSCP does not support Kerberos for FTP (for TLS/SSL in general)."

WinSCP is the client my users are using.

What is the name of the Client that your suggested directions are for?

Thanks!


[1] https://winscp.net/forum/viewtopic.php?t=27555
Jackie Man IT Manager
SILVER EXPERT
Distinguished Expert 2019

Commented:
Have you tried to enable "Attempt GSSAPI authentication"?

https://winscp.net/eng/docs/ui_login_authentication
Tessando IT Administrator

Author

Commented:
Thank you, Jackie Man.

That selection in WinSCP was already enabled. However, you did inspire me to attempt a different approach. In the config file I used the directive:

AllowUsers domain\*


and now I'm getting a different error in the logs.

Hopefully someone can see this and it will trigger a way to use Windows Authentication for my SFTP:

. 2020-01-31 06:50:15.535 Sent password
. 2020-01-31 06:50:15.777 Password authentication failed
! 2020-01-31 06:50:15.777 Access denied
. 2020-01-31 06:50:15.817 Server offered these authentication methods: password
. 2020-01-31 06:50:15.817 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2020-01-31 06:50:19.181 Sent password
. 2020-01-31 06:50:19.375 Password authentication failed
! 2020-01-31 06:50:19.375 Access denied
. 2020-01-31 06:50:19.426 Server offered these authentication methods: password
. 2020-01-31 06:50:19.426 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2020-01-31 06:50:28.278 Sent password
. 2020-01-31 06:50:28.482 Password authentication failed
! 2020-01-31 06:50:28.482 Access denied
. 2020-01-31 06:50:28.547 Server offered these authentication methods: password
. 2020-01-31 06:50:28.547 Prompt (password, "SSH password", <no instructions>, "&Password: ")


Any idea why it won't accept this User's AD password?
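
Added example, not part of any post in this thread: a small Python parser that summarizes a WinSCP session log like the one quoted above, reporting which authentication methods the server offered and how many password attempts failed. The function name `summarize_auth` and the line-layout regex are assumptions made for this example; the sample lines are taken from the log in the post. An SSH client can only use methods the server lists, so the report shows directly whether a GSSAPI method was ever on offer.

```python
import re
from collections import Counter

# Constructed sample: the first lines of the WinSCP session log quoted in the post above.
SAMPLE_LOG = r'''. 2020-01-31 06:50:15.535 Sent password
. 2020-01-31 06:50:15.777 Password authentication failed
! 2020-01-31 06:50:15.777 Access denied
. 2020-01-31 06:50:15.817 Server offered these authentication methods: password
. 2020-01-31 06:50:15.817 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2020-01-31 06:50:19.181 Sent password
. 2020-01-31 06:50:19.375 Password authentication failed
! 2020-01-31 06:50:19.375 Access denied
. 2020-01-31 06:50:19.426 Server offered these authentication methods: password
'''

# Assumed layout: one-character level marker, timestamp with milliseconds, message.
LINE_RE = re.compile(
    r'^(?P<level>[.!<>*]) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<msg>.*)$')
OFFERED_PREFIX = "Server offered these authentication methods: "
COUNTED = {
    "Sent password": "password_sent",
    "Password authentication failed": "password_failed",
    "Access denied": "access_denied",
}

def summarize_auth(log_text):
    """Return offered auth methods and password-failure counts from a session log."""
    offered, events = set(), Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected layout
        msg = m.group("msg")
        if msg.startswith(OFFERED_PREFIX):
            methods = msg[len(OFFERED_PREFIX):].split(",")
            offered.update(x.strip() for x in methods if x.strip())
        elif msg in COUNTED:
            events[COUNTED[msg]] += 1
    summary = {name: events[name] for name in COUNTED.values()}
    summary["offered_methods"] = sorted(offered)
    # True only if the server listed a gssapi-* method (e.g. gssapi-with-mic).
    summary["gssapi_offered"] = any(x.startswith("gssapi") for x in offered)
    return summary

if __name__ == "__main__":
    print(summarize_auth(SAMPLE_LOG))
```

For the log in the post, the summary lists only `password` as an offered method, so the client never had a Kerberos/GSSAPI path to try in that session.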
IT Administrator
Commented:
I was unable to resolve this and this posting has gone stale. I was able to get SFTP itself working with local logins, but not using Authentication. I'm going to create a new post. Thanks!
