Using Bitvise SSH Server in a domain

Bitvise SSH Server fully supports environments with domain, domain forest, and Unix realm authentication. Since version 5.50, no changes to Active Directory settings are necessary to authenticate against the SSH server, except when using:

  • domain accounts with public key authentication and without a password cache;
  • virtual accounts with backing Windows domain accounts and without a password cache.

In these cases, Active Directory permissions may still need to be modified, as described below.

Active Directory Permissions for Password-less Logon

If you want to use Windows domain accounts with public key authentication, or as backing accounts for virtual accounts, and you do not want to store passwords for those domain accounts in the SSH server's password cache, then the SSH server must instead have read permission to user data in Active Directory. The read permission lets the server look up the domain account without holding the account's password on the SSH server host.

A default Active Directory installation may grant the necessary read permissions through the Active Directory group named "Pre-Windows 2000 Compatible Access". If these default settings have been changed, a permissions issue might arise when trying to use domain accounts with password-less logon.

If the SSH server's log files indicate permission-related issues when trying to use domain accounts with password-less logon, grant the necessary read permissions as follows:

  1. On the Domain Controller, open 'Active Directory Users and Computers' under Administrative Tools.
  2. In the View menu, enable 'Advanced Features'.
  3. Right click on the Users container in the tree view, and click Properties.
  4. In the Security tab of the new dialog, click Advanced.
  5. In the Permissions tab of the new dialog, add the computer account of the machine running Bitvise SSH Server (in the object picker, enable 'Computers' under Object Types so the computer account can be found), with ApplyTo=ThisObjectAndAllChildObjects and ReadAllProperties=Allow.
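The same permission grant, scripted on the domain controller so it can be reviewed and repeated. This is an added example and not part of the Bitvise documentation or product; it assumes the ActiveDirectory PowerShell module is installed on the domain controller, that the SSH server host's computer account is named SSHHOST (a placeholder; substitute your own), and that the domain accounts in question live under the Users container, matching the procedure above.

```powershell
# Added example (not Bitvise's own code): grant the SSH server's computer account
# "Read all properties" on the Users container and all descendant objects, which
# is what steps 1-5 above do in the GUI.
Import-Module ActiveDirectory

$sshHost  = 'SSHHOST'   # assumption: NetBIOS name of the machine running Bitvise SSH Server
$domainDn = (Get-ADDomain).DistinguishedName
$usersDn  = "CN=Users,$domainDn"

# Resolve the computer account to a SID. Computer accounts are the principal that
# the SSH server service runs as when it queries the directory.
$computer = Get-ADComputer -Identity $sshHost
$sid      = [System.Security.Principal.SecurityIdentifier] $computer.SID

# Read the current ACL via the AD: PSDrive provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$usersDn"

# ReadProperty = "Read all properties"; inheritance All = "This object and all
# descendant objects". Deliberately not GenericRead: read-property is enough for
# the lookup, so grant only that.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$usersDn" -AclObject $acl

# Verify: show the ACEs on the container that apply to the computer account.
(Get-Acl -Path "AD:\$usersDn").Access |
    Where-Object { $_.IdentityReference -like "*\$sshHost`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Two practical notes. First, the GUI procedure and this script both target the Users container only; if the domain accounts that will log in via the SSH server are kept in other organizational units, the same grant is needed on those containers (or on a common parent). Second, before changing ACLs it is worth confirming the default path is really the problem: if the "Pre-Windows 2000 Compatible Access" group still has its default membership, the read access may already be in place and the entries in the SSH server's log should be checked for a different cause before widening directory permissions.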

Windows domain order

Since version 5.50, Bitvise SSH Server no longer requires the Domain Order setting to enable login with non-fully-qualified usernames. Domain users are now able to log in, without providing a domain name as part of their username, using default SSH server settings.

The Windows domain order feature is still supported for administrators who wish to explicitly configure the order in which non-fully-qualified usernames should be looked up, to ensure predictable results.

Loading Windows Profiles

When Bitvise SSH Server provides SFTP and SCP access for domain users, a user's Windows profile may be loaded before the file transfer session can start, and a very large profile delays session startup. If you want to prevent the SSH server from loading Windows profiles, note that any of the following conditions will cause it to load a user's profile:

  • "Map remote home directory" is enabled for the user in Advanced settings.
  • "Map remembered shares" is enabled for the user in Advanced settings.
  • There is an on-logon or on-logoff command configured to run in the user's context, and the "Do not load profile" option in the settings for the command is disabled.
  • A terminal shell is opened by the client.
  • An exec request is executed by the client.
  • The client starts an SCP or SFTP session, and the "Load profile for SCP and SFTP" setting is enabled for the user in Advanced settings.

If you wish to prevent the SSH server from loading Windows profiles, you will need to make sure that none of the above conditions apply.