How to enable Windows authentication in Rebex Buru SFTP Server
In this blog post we'll guide you through the process of enabling Windows authentication in Rebex Buru SFTP Server ('Buru').
Windows authentication is supported by Buru, Professional Edition since version 2.0 and can be enabled by assigning Windows account to new or existing Buru accounts. This can be done either using the console or using Web administration - we will focus on the console way which is better suited for automation.
Assigning Windows account to new users
In this scenario you have a list of users that need SSH access to your server and will authenticate using their Windows password. Use
burusftp user add command:
burusftp user add <user> --win-account <windows_account> --root-dir <rootdir> ... # Example: user 'elaine' will use password associated with Windows user 'DOMAIN\elaine' with root directory mapped to 'C:\Users\elaine' burusftp user add elaine --win-account DOMAIN\elaine --root-dir C:\Users\elaine
Assigning Windows account to existing users
The scenario assumes already existing users who use either local passwords or public keys to authenticate. Use
burusftp user update command:
burusftp user update <user> --win-account <windows_account> --password-auth required # Example: user 'elaine' will switch from local password to Windows authentication burusftp user update elaine --win-account DOMAIN\elaine --password-auth required
By default, file system access for users using Windows authentication is impersonated, that is, performed as if they were actually logged in to the computer. It is therefore possible to fine-tune the access using Windows' directory security settings tailored for each user, taking use of user groups, etc.
Impersonation can be explicitly turned off using
--impersonate off option (both available for
user add and
user update commands). Note that impersonation requires password authentication to be set as
required - this is default for
user add command when Windows account is set. For
user update, enforce the requirement by adding
password-auth required (as in the example above).
There are several ways to authenticate Windows users, most common of which are "network" and "interactive" (see documentation for more details). By default,
windowsNetwork is used. If you encounter issues (e.g. when network authentication is disabled on the server), try switching to
windowsInteractive, such as:
burusftp user update elaine --win-account DOMAIN\elaine --password-auth required --password-auth-mode windowsInteractive