Using WinSSHD in a domain

WinSSHD fully supports domain environments. However, WinSSHD does implement its own authentication layer on top of Windows authentication. In order to properly implement authentication, WinSSHD needs to be able to query information about domain groups and users.

If the WinSSHD log file reports errors which indicate that authentication is failing because WinSSHD is unable to obtain information from the domain, perform the following steps to make sure that WinSSHD can read domain user and group information:

  • On the Domain Controller, open 'Active Directory Users and Groups' under Administrative Tools.
  • In the View menu, enable 'Advanced Features'.
  • Right click on the Users container in the tree view, and click Properties.
  • In the Security tab of the new dialog, click Advanced.
  • In the Permissions tab of the new dialog, add the computer running WinSSHD with ApplyTo=ThisObjectAndAllChildObjects and ReadAllProperties=Allow.

Domain Order

Unless configured differently, WinSSHD will require all SSH clients to fully qualify a username when logging into a domain account. This means that a username of 'John' will work only for a local account named 'John'; if you wish to log into a domain account named 'Domain\John', the domain needs to be specified in full.

To avoid the need to fully qualify domain usernames, add your domains to the Domain Order list in WinSSHD Settings. When an SSH client attempts to log in with a username that is not fully qualified, WinSSHD will then automatically search for the username in the configured domains, in the configured order. This ensures that non-qualified usernames will be resolved deterministically, which would not be guaranteed without this setting.
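The resolution rules above, as an added example that is not WinSSHD's own code: a small Python model of how an unqualified login name maps to an account with and without a Domain Order list, plus a check for names that exist in more than one domain, since those are the ones whose resolution the list decides. The directory contents and the LOCAL pseudo-domain are constructed; the model assumes exact-case matching and that, once a Domain Order is configured, only the listed domains are searched (list the local machine explicitly if it should be included).

```python
from dataclasses import dataclass, field

# Constructed sample directory: domain name -> set of account names.
# "LOCAL" stands for the accounts on the machine running WinSSHD.
DIRECTORY = {
    "LOCAL": {"John", "svc_backup"},
    "CORP":  {"John", "Alice"},
    "LAB":   {"John", "Bob"},
}


@dataclass
class Resolver:
    directory: dict
    domain_order: list = field(default_factory=list)  # the "Domain Order" list

    def resolve(self, username):
        """Return 'DOMAIN\\user' for the account a login maps to, or None."""
        if "\\" in username:
            # Fully qualified: only the named domain is consulted; the
            # Domain Order list plays no part.
            domain, user = username.split("\\", 1)
            domain = domain.upper()
            if user in self.directory.get(domain, ()):
                return f"{domain}\\{user}"
            return None
        # Not qualified and no Domain Order configured: only a local
        # account can match (the page's 'John' example).
        if not self.domain_order:
            if username in self.directory["LOCAL"]:
                return f"LOCAL\\{username}"
            return None
        # Domain Order configured: the first listed domain that holds the
        # name wins, so the outcome depends only on the list, not on
        # whatever order the domains happen to be enumerated in.
        for domain in self.domain_order:
            domain = domain.upper()
            if username in self.directory.get(domain, ()):
                return f"{domain}\\{username}"
        return None

    def ambiguous_names(self):
        """Names present in more than one domain, with the domains holding
        them (in directory order). Worth reviewing before relying on
        unqualified logins: these are exactly the names whose resolution
        the Domain Order list determines."""
        seen = {}
        for domain, users in self.directory.items():
            for user in users:
                seen.setdefault(user, []).append(domain)
        return {u: d for u, d in seen.items() if len(d) > 1}
```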

Loading Windows Profiles

When configuring WinSSHD to provide SFTP and SCP access for domain users, be aware that domain users may have large Windows profiles, and a profile is loaded before the user's file transfer session can start. Very large profiles may therefore delay session startup noticeably. If you wish to prevent WinSSHD from loading Windows profiles, please note that any of the following conditions will cause WinSSHD to load a user's Windows profile:

  • "Map remote home directory" is enabled for the user in WinSSHD Settings.
  • "Map remembered shares" is enabled for the user in WinSSHD Settings.
  • There is an on-logon or on-logoff command configured to run in the user's context, and the "Do not load profile" option in the settings for the command is disabled.
  • A terminal shell is opened by the client.
  • An exec request is executed by the client.
  • The client starts an SCP or SFTP session, and the "Load profile for SCP and SFTP" setting is enabled for the user in WinSSHD Settings. (WinSSHD 5.16 or higher)

If you wish to prevent WinSSHD from loading Windows profiles, you will need to make sure that none of the above conditions is true.