On Windows, the user name is generally handled similarly irrespective of which user authentication method you use: password, public keys, certificates, keyboard-interactive, or GSSAPI.
The user can define a prefix together with the user name. The prefix indicates whether it is a local or a domain user name. If the user provides the prefix, SSH Tectia Server always handles the user name according to that.
If no prefix is provided with the user name, SSH Tectia Server by default treats logon user names as user accounts of the default domain if the computer belongs to a domain; if no match is found there, the user is treated as a local user. This default policy can be overridden by defining a domain policy in the SSH Tectia Server configuration. If the user defines a prefix in the user name, that prefix overrides both the default policy and the domain policy.
The domain policy can be defined in the SSH Tectia Server configuration on the Domain Policy page using the GUI configuration tool (see Domain Policy) or with the domain policy setting in the XML configuration file (see the description of domain-policy).
Table 5.1. Principles of user name handling on Windows hosts in a domain

Situation | How the SSH Tectia Server treats user names |
---|---|
Prefix defined | According to the prefix |
No prefix defined, domain policy defined in SSH Tectia Server configuration | According to the domain policy |
No prefix defined, no domain policy defined | 1. Domain user name tried first; 2. Local user name tried only if the domain user name is not found |
Normally when logging on to a server, you specify the target computer and optionally your user name, for example:
$ sshg3 win-server
OR
$ sshg3 user@win-server
If the user specifies neither the user name nor a prefix indicating whether it is a local or a domain user name, and the Windows server belongs to a domain for which no domain policy has been defined, the user name is assumed to be a domain user name: the name of the server's default domain is added as the prefix when checking whether the user account exists:
DOMAIN\user@win-server
If no prefix is specified by the user, and if no matching domain user name is found, the user will be treated as a local user and the local computer name is automatically added as the prefix when checking the existence of a user account:
win-server\user@win-server
If you want to make sure that the local user name is used to log on to a Windows domain machine, you have to explicitly indicate that you are using a local account. You can either specify the local machine name as the domain part of the user name: win-server\user@win-server; or you can use the shorthand notation / or \ as follows: /user@win-server.

The shorthand notation with / or \ is useful when the user does not know the host name but connects using the IP address. The shorthand notation is also a quick way of avoiding repeating long host names.
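To make the lookup order of Table 5.1 concrete, here is an added Python model of the resolution rules described on this page; it is example code, not SSH Tectia Server code. The default domain, host name, account sets and the shape of the domain-policy value (None, "local", or a domain name) are assumptions constructed for the example.

```python
# Constructed model of Windows user name resolution as described in Table 5.1.
# Not SSH Tectia Server code; names and account sets below are made up.

DEFAULT_DOMAIN = "DOMAIN"    # assumption: the server's default domain
LOCAL_HOST = "win-server"    # assumption: the local computer name

# Constructed stand-ins for the domain and local (SAM) account directories.
# "bob" exists in both, which is the case where the lookup order matters.
DOMAIN_ACCOUNTS = {"alice", "bob"}
LOCAL_ACCOUNTS = {"bob", "svc-backup"}


def account_exists(domain, user):
    """Return True if DOMAIN\\user names an existing account in the model."""
    if domain.lower() == LOCAL_HOST.lower():
        return user in LOCAL_ACCOUNTS
    return domain == DEFAULT_DOMAIN and user in DOMAIN_ACCOUNTS


def resolve_logon_name(login, in_domain=True, domain_policy=None):
    """Return the DOMAIN\\user form that is checked, or None if nothing matches.

    login is the user part only (the client strips "@win-server").
    domain_policy: None = no policy configured, "local" = force local
    accounts, any other string = domain assigned to un-prefixed names.
    """
    # 1. An explicit prefix always wins. "/user" and "\user" mean local.
    if login.startswith(("/", "\\")):
        user = login[1:]
        return f"{LOCAL_HOST}\\{user}" if account_exists(LOCAL_HOST, user) else None
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return f"{domain}\\{user}" if account_exists(domain, user) else None
    # 2. No prefix: a configured domain policy decides.
    if in_domain and domain_policy is not None:
        domain = LOCAL_HOST if domain_policy == "local" else domain_policy
        return f"{domain}\\{login}" if account_exists(domain, login) else None
    # 3. No prefix, no policy: domain account first, local only as fallback.
    if in_domain and account_exists(DEFAULT_DOMAIN, login):
        return f"{DEFAULT_DOMAIN}\\{login}"
    if account_exists(LOCAL_HOST, login):
        return f"{LOCAL_HOST}\\{login}"
    return None
```

Note that "bob" without a prefix resolves to the domain account even though a local "bob" exists; only "/bob" or a local domain policy selects the local one, which is the ambiguity the explicit prefix is meant to remove.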