  #1  
Old 02-27-2013, 09:50 AM
ariffel ariffel is offline
Registered User
 
Join Date: Feb 2013
Posts: 6
AD group auth not working

I am trying to set up VShell to allow auth via an AD group. This group is a member of the allow to logon locally policy and I can log on locally with this account to the server without any issues. If I add this account by itself outside the group to access control I can log on just fine. Can you please help me figure out what the secret is to get AD group auth working for my users?
Thanks.

Failure log when added to AD group:

2013-02-27 09:27:43 VShellSSH2 auth 4 - - HOME\ariffel_a - - 0 0 0 0 - - "00004: Client specified user name ariffel_a, resolved as HOME\ariffel_a"
2013-02-27 09:27:43 VShellSSH2 auth 4 10.132.2.20 55939 HOME\ariffel_a - - 0 0 0 0 - - "00004: none for user HOME\ariffel_a rejected because it is unavailable"
2013-02-27 09:27:43 VShellSSH2 auth 4 - - HOME\ariffel_a - - 0 0 0 0 - - "00004: Login access denied for user HOME\ariffel_a"
2013-02-27 09:27:43 VShellSSH2 conn 4 - - - - - 0 0 0 0 - - "00004: The transport was aborted with a disconnect packet: User authentication failed because all available authentication methods failed. No supported authentication methods available"


Success log when AD account is added to access control:

2013-02-27 09:47:33 VShellSSH2 auth 9 10.132.2.20 56076 HOME\ariffel_a - - 0 0 0 0 - - "00009: password for user HOME\ariffel_a accepted"
2013-02-27 09:47:33 VShellSSH2 conn 9 10.132.2.20 56076 HOME\ariffel_a - - 0 0 0 0 - - "00009: Session channel open request accepted"
2013-02-27 09:47:33 VShellSSH2 conn 9 10.132.2.20 56076 HOME\ariffel_a - - 0 0 0 0 - - "00009: Session channel failing unsupported simple@putty.projects.tartarus.org request"
2013-02-27 09:47:33 VShellSSH2 conn 9 10.132.2.20 56076 HOME\ariffel_a - - 0 0 0 0 - - "00009: Received request to start subsystem sftp (Built-in Subsystem)"
2013-02-27 09:47:33 VShellSSH2 sftp 9 10.132.2.20 56076 ariffel_a - - 0 0 0 0 129.237.25.167 22 "00009: SFTP subsystem initialized; remote version is 3"
2013-02-27 09:47:33 VShellSSH2 sftp 9 10.132.2.20 56076 ariffel_a - - 0 0 0 0 129.237.25.167 22 "00009: Sending VERSION packet to remote (3)"
2013-02-27 09:47:33 VShellSSH2 auth 9 - - HOME\ariffel_a - - 0 0 0 0 - - "00009: Using home directory 'XXXXXXXXXX

Last edited by ariffel; 02-27-2013 at 10:53 AM.
  #2  
Old 02-27-2013, 10:22 AM
ariffel ariffel is offline
Registered User
 
Join Date: Feb 2013
Posts: 6
FYI, I also just tried to enable the KPT registry option in VShell with no help, as suggested in another post I found on the forum.
  #3  
Old 02-27-2013, 10:22 AM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi ariffel,
Quote:
2013-02-27 09:27:43 VShellSSH2 auth 4 - - HOME\ariffel_a - - 0 0 0 0 - - "00004: Login access denied for user HOME\ariffel_a"
The line above typically means that there is an explicit Deny defined for a user or group in the Common / Access Control category for the Logon option. It could also mean that there is an implicit deny resulting from removing the check-mark for Logon in the Allow column.

Does this help resolve the issue?
__________________
--Todd

VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
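
A way to triage the two log excerpts in this thread by the distinction rtb describes, as an added example that is not part of the original posts or VanDyke's own code: it groups `auth` lines by session id and separates a Logon denial from Access Control from an accepted authentication. The field layout, the function name `triage` and the verdict labels are assumptions inferred from the log lines shown here.

```python
import re
from collections import defaultdict

# Lines copied from the thread's failure (session 4) and success (session 9) logs.
SAMPLE = r'''
2013-02-27 09:27:43 VShellSSH2 auth 4 - - HOME\ariffel_a - - 0 0 0 0 - - "00004: Client specified user name ariffel_a, resolved as HOME\ariffel_a"
2013-02-27 09:27:43 VShellSSH2 auth 4 10.132.2.20 55939 HOME\ariffel_a - - 0 0 0 0 - - "00004: none for user HOME\ariffel_a rejected because it is unavailable"
2013-02-27 09:27:43 VShellSSH2 auth 4 - - HOME\ariffel_a - - 0 0 0 0 - - "00004: Login access denied for user HOME\ariffel_a"
2013-02-27 09:47:33 VShellSSH2 auth 9 10.132.2.20 56076 HOME\ariffel_a - - 0 0 0 0 - - "00009: password for user HOME\ariffel_a accepted"
'''

# Assumption: field order (timestamp, service, category, session id, client IP,
# client port, user, ..., quoted message) is inferred from the lines above.
LINE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<svc>\S+) (?P<cat>\S+) (?P<conn>\d+) '
    r'(?P<ip>\S+) (?P<port>\S+) (?P<user>\S+) .*"\d+: (?P<msg>.*)"$')
METHOD = re.compile(r'^(?P<method>\S+) for user \S+ (?P<result>accepted|rejected)')
DENIED = "Login access denied for user"

def triage(text):
    """Group auth lines by session id and label each session's outcome."""
    sessions = defaultdict(lambda: {"user": None, "ip": None, "accepted": [],
                                    "rejected": [], "acl_denied": False})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["cat"] != "auth":
            continue
        s = sessions[m["conn"]]
        if m["ip"] != "-":
            s["ip"] = m["ip"]          # only some lines carry the client address
        if m["user"] != "-":
            s["user"] = m["user"]
        method = METHOD.match(m["msg"])
        if method:
            s[method["result"]].append(method["method"])
        elif m["msg"].startswith(DENIED):
            s["acl_denied"] = True
    for s in sessions.values():
        if s["acl_denied"]:
            # The line support points to: Logon not allowed in Access Control.
            s["verdict"] = "logon-denied-by-access-control"
        elif s["accepted"]:
            s["verdict"] = "authenticated"
        else:
            s["verdict"] = "undetermined"
    return dict(sessions)

if __name__ == "__main__":
    for conn, s in triage(SAMPLE).items():
        print(conn, s["user"], s["ip"], s["verdict"], s["rejected"], s["accepted"])
```

Session 4 is labelled from the "Login access denied" line alone; the address from its one line that carries a client IP is kept so the denial can be tied back to a source.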
  #4  
Old 02-27-2013, 10:26 AM
ariffel ariffel is offline
Registered User
 
Join Date: Feb 2013
Posts: 6
No explicit deny is enabled. I have Logon, Shell, SCP, and SFTP set to allow in the access control setting. I have not removed the logon right for this group. I have also rebooted the server several times as well.
  #5  
Old 02-27-2013, 10:40 AM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi ariffel,

Thanks for the confirmation. What is the version of VShell that you are using?

What operating system are you using and is the machine where VShell is installed a DC?

Is the machine where VShell is installed in the same domain as the user account/group?
__________________
--Todd

  #6  
Old 02-27-2013, 10:51 AM
ariffel ariffel is offline
Registered User
 
Join Date: Feb 2013
Posts: 6
We are using version 3.9.1 (x64 build 494). No, this server is not a DC. It is in the same domain as the group I am trying to grant access to. It is running on a virtual Windows 2008 R2 64-bit server.
  #7  
Old 02-27-2013, 11:05 AM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi ariffel,

What other users and groups do you have listed in the top portion of the Access Control category of the VShell control panel?

Is Logon denied for any of those users/groups?

If so, what is the relationship between the user/group that is denied and the account that you're trying to log on with?
__________________
--Todd

  #8  
Old 02-27-2013, 11:10 AM
ariffel ariffel is offline
Registered User
 
Join Date: Feb 2013
Posts: 6
Quote:
Originally Posted by rtb
Hi ariffel,

What other users and groups do you have listed in the top portion of the Access Control category of the VShell control panel?
This is the only group in the access control list.

Quote:
Originally Posted by rtb
Is Logon denied for any of those users/groups?
No

Quote:
Originally Posted by rtb
If so, what is the relationship between the user/group that is denied and the account that you're trying to log on with?
As said above, if I add only my account to the access control list I can attach to the server. Once I remove my account and add it to the group that is allowed and try to access again, I get the error no available logon servers.
  #9  
Old 02-27-2013, 11:17 AM
ariffel ariffel is offline
Registered User
 
Join Date: Feb 2013
Posts: 6
Well, I seem to have fixed it. I removed all groups from the access control list, restarted services, then re-added them back. It appears to be working now.
  #10  
Old 02-27-2013, 12:09 PM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi ariffel,

Thanks for the update. I am glad to hear that this issue is resolved.
__________________
--Todd
