How to enable Windows authentication in Rebex Buru SFTP Server

Lukas Paluzga

In this blog post we'll guide you through the process of enabling Windows authentication in Rebex Buru SFTP Server ('Buru').

Windows authentication is supported by Buru Professional Edition since version 2.0 and can be enabled by assigning a Windows account to new or existing Buru accounts. This can be done either from the console or through Web administration. We will focus on the console, which is better suited for automation.

Assigning Windows account to new users

In this scenario, you have a list of users who need SSH access to your server and will authenticate using their Windows passwords. Use the burusftp user add command:

burusftp user add <user> --win-account <windows_account> --root-dir <rootdir> ...

# Example: user 'elaine' will use password associated with Windows user 'DOMAIN\elaine' with root directory mapped to 'C:\Users\elaine'
burusftp user add elaine --win-account DOMAIN\elaine --root-dir C:\Users\elaine
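
Since the console is the route suited to automation, here is one way to provision a whole list of users. This is an added example, not part of the original post or of Rebex's own tooling. It assumes burusftp is on PATH and that a non-zero exit code means failure; the user rows are constructed sample data, and the Test-WindowsAccount helper and -Apply switch are hypothetical names. Each Windows account and root directory is checked before the Buru account is created, and nothing is changed unless -Apply is given.

```powershell
# Added example: bulk-create Buru accounts bound to Windows accounts.
# Assumptions: burusftp is on PATH; a non-zero exit code means failure.
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

# Constructed sample input; replace with Import-Csv on your own list.
$users = @'
User,WinAccount,RootDir
elaine,DOMAIN\elaine,C:\Users\elaine
george,DOMAIN\george,C:\Users\george
'@ | ConvertFrom-Csv

function Test-WindowsAccount {
    param([string]$Account)
    # Resolve the account name to a SID; an unknown account throws.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])
        return $true
    } catch {
        return $false
    }
}

$results = foreach ($row in $users) {
    if (-not (Test-WindowsAccount $row.WinAccount)) {
        # A typo here would otherwise surface only at the user's first login.
        $status = 'skipped: Windows account does not resolve'
    } elseif (-not (Test-Path -LiteralPath $row.RootDir -PathType Container)) {
        $status = 'skipped: root directory missing'
    } elseif (-not $Apply) {
        $status = 'dry run: would add'
    } else {
        # Only options shown in this post are used.
        & burusftp user add $row.User --win-account $row.WinAccount --root-dir $row.RootDir
        $status = if ($LASTEXITCODE -eq 0) { 'added' } else { "failed: exit code $LASTEXITCODE" }
    }
    [pscustomobject]@{
        User       = $row.User
        WinAccount = $row.WinAccount
        Status     = $status
    }
}

$results | Format-Table -AutoSize
```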

Assigning Windows account to existing users

This scenario assumes existing users who authenticate using either local passwords or public keys. Use the burusftp user update command:

burusftp user update <user> --win-account <windows_account> --password-auth required

# Example: user 'elaine' will switch from local password to Windows authentication
burusftp user update elaine --win-account DOMAIN\elaine --password-auth required

Impersonation

By default, file system access for users using Windows authentication is impersonated, that is, performed as if they were actually logged in to the computer. It is therefore possible to fine-tune access using Windows directory security settings tailored to each user, making use of user groups, etc.

Impersonation can be explicitly turned off using the --impersonate off option (available for both the user add and user update commands). Note that impersonation requires password authentication to be set as required. This is the default for the user add command when a Windows account is set. For user update, enforce the requirement by adding --password-auth required (as in the example above).

Troubleshooting

There are several ways to authenticate Windows users, the most common of which are "network" and "interactive" (see the documentation for more details). By default, windowsNetwork is used. If you encounter issues (e.g. when network authentication is disabled on the server), try switching to windowsInteractive, for example:

burusftp user update elaine --win-account DOMAIN\elaine --password-auth required --password-auth-mode windowsInteractive