Special Considerations on Microsoft Windows Server 2003

When GSSAPI authentication is used on SSH Tectia Server running on Windows 2003, you need to make additional configurations for users who do not have administrator privileges. For instructions on enabling the command prompt for GSSAPI users, see Enable Shell Access for Non-privileged GSSAPI Users; and on enabling SFTP service, see Enable SFTP Service for Non-privileged GSSAPI Users

Enable Shell Access for Non-privileged GSSAPI Users

Windows Server 2003 has more restrictive permission settings. Because of that, non-privileged domain users, who are authenticated using GSSAPI, do not by default have permissions to the command prompt executable (cmd.exe) that provides the users with shell access.

In this environment, additional steps need to be taken to allow shell access for non-privileged users:

Go to the %WINDIR%\system32 folder (typically C:\WINDOWS\system32).
Right-click the cmd.exe program, and select Properties from the shortcut menu. The cmd.exe Properties dialog box opens.
On the Security tab, click Add to add Read & Execute rights to those domain users you want to allow to authenticate using GSSAPI.
You can do one of the following:
- Add each user separately (for example, add Domainname\username).
- Add the NETWORK group. This will allow all users with valid domain accounts to authenticate using GSSAPI.
- Add your own group that is a member of NETWORK and contains all users that you want to allow to authenticate using GSSAPI.
Click OK when finished.

See also the general considerations on username handling in Special Considerations on Windows.

Enable SFTP Service for Non-privileged GSSAPI Users

Non-privileged domain users, who use the GSSAPI authentication on Windows Server 2003, cannot use the SFTP service automatically. In this environment, the SFTP application is not allowed to write into the event log before the relevant user group, or the users individually, have been added to the Windows access control list (ACL). To edit the ACL, follow the instructions below:

	Caution
This means modifying the registry! Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, refer to the Microsoft Knowledge Base (for example article 256986). Serious problems might occur if you modify the registry incorrectly. Such problems might require that you reinstall the operating system! You modify the registry at your own risk.

Caution

This means modifying the registry! Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, refer to the Microsoft Knowledge Base (for example article 256986).

Serious problems might occur if you modify the registry incorrectly. Such problems might require that you reinstall the operating system!

You modify the registry at your own risk.

On Windows, open the registry editor by clicking Start, and Run. Then type regedit, and click OK.

Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\CustomSD

Add a new entry for the relevant users. In the entry, replace custom_SID with the user ID or group ID of an existing user group:
```
(A;;0x2;;;custom_SID)
```
To cover all users using groups you can use for example (A;;0x2;;;AU) where AU means all authenticated users, or (A;;0x2;;;NU) where NU means network users.
Exit Registry Editor, and restart the computer.