How to enable Windows authentication in Rebex Buru SFTP Server
In this blog post we'll guide you through the process of enabling Windows authentication in Rebex Buru SFTP Server ('Buru').
Windows authentication is supported by Buru, Professional Edition since version 2.0 and can be enabled by assigning a Windows account to new or existing Buru accounts. This can be done using either the console or Web administration. We will focus on the console, which is better suited for automation.
Assigning Windows account to new users
In this scenario you have a list of users that need SSH access to your server and will authenticate using their Windows password. Use the burusftp user add command:
burusftp user add <user> --win-account <windows_account> --root-dir <rootdir> ...
# Example: user 'elaine' will use password associated with Windows user 'DOMAIN\elaine' with root directory mapped to 'C:\Users\elaine'
burusftp user add elaine --win-account DOMAIN\elaine --root-dir C:\Users\elaine
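Because the console route is meant for automation, the following PowerShell script (an added example, not part of the original post or Rebex's own tooling) adds a whole list of users, skipping any entry whose Windows account does not resolve or whose root directory is missing. It assumes burusftp is on PATH and returns a non-zero exit code on failure; the domain name, user list and directory layout are constructed sample values.

```powershell
# Added example: bulk-assign Windows accounts to new Buru users.
# Assumptions: burusftp is on PATH; the domain, user list and root
# directories below are constructed sample values.
param(
    [string]$Domain = 'DOMAIN',
    [switch]$Apply              # without -Apply the script only prints the commands
)

# Constructed sample input; in practice use Import-Csv on your own list.
$users = @'
Name,RootDir
elaine,C:\Users\elaine
george,C:\Users\george
'@ | ConvertFrom-Csv

foreach ($u in $users) {
    $account = "$Domain\$($u.Name)"

    # Refuse to map a Buru user to a Windows account that does not resolve to a SID.
    try {
        $null = ([System.Security.Principal.NTAccount]$account).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Skipping $($u.Name): Windows account '$account' not found"
        continue
    }

    # Impersonated access is governed by NTFS permissions, so the directory must exist.
    if (-not (Test-Path -LiteralPath $u.RootDir -PathType Container)) {
        Write-Warning "Skipping $($u.Name): root directory '$($u.RootDir)' missing"
        continue
    }

    # Only options shown in this post are passed to burusftp.
    $cmdArgs = @('user', 'add', $u.Name, '--win-account', $account, '--root-dir', $u.RootDir)
    if ($Apply) {
        & burusftp @cmdArgs
        # Assumption: burusftp signals failure with a non-zero exit code.
        if ($LASTEXITCODE -ne 0) { Write-Warning "burusftp failed for $($u.Name) (exit $LASTEXITCODE)" }
    } else {
        "burusftp $($cmdArgs -join ' ')"
    }
}
```

Run it without -Apply first to review the generated commands, then again with -Apply to execute them.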
Assigning Windows account to existing users
This scenario assumes existing users who authenticate using either local passwords or public keys. Use the burusftp user update command:
burusftp user update <user> --win-account <windows_account> --password-auth required
# Example: user 'elaine' will switch from local password to Windows authentication
burusftp user update elaine --win-account DOMAIN\elaine --password-auth required
Impersonation
By default, file system access for users using Windows authentication is impersonated, that is, performed as if they were actually logged in to the computer. It is therefore possible to fine-tune access with Windows' directory security settings tailored for each user, making use of user groups, etc.
Impersonation can be explicitly turned off using the --impersonate off option (available for both the user add and user update commands). Note that impersonation requires password authentication to be set as required. This is the default for the user add command when a Windows account is set. For user update, enforce the requirement by adding --password-auth required (as in the example above).
Troubleshooting
There are several ways to authenticate Windows users, the most common of which are "network" and "interactive" (see documentation for more details). By default, windowsNetwork is used. If you encounter issues (e.g. when network authentication is disabled on the server), try switching to windowsInteractive, such as:
burusftp user update elaine --win-account DOMAIN\elaine --password-auth required --password-auth-mode windowsInteractive