SSH Tectia

User Name Handling on Windows

On Windows, the user name is generally handled similarly irrespective of which user authentication method you use: password, public keys, certificates, keyboard-interactive, or GSSAPI.

The user can define a prefix together with the user name. The prefix indicates whether it is a local or a domain user name. If the user provides the prefix, SSH Tectia Server always handles the user name according to that.

If no prefix is provided with the user name, SSH Tectia Server by default treats logon user names as user accounts of the default domain when the computer belongs to a domain; if no matching domain account is found, the user is treated as a local user. This default policy can be overridden by defining a domain policy in the SSH Tectia Server configuration. A prefix given by the user in the user name overrides both the default policy and the domain policy.

The domain policy can be defined in the SSH Tectia Server configuration on the Domain Policy page using the GUI configuration tool (see Domain Policy) or with the domain policy setting in the XML configuration file (see description of domain-policy).

Table 5.1. Principles of user name handling on Windows hosts in a domain

Situation                                                  How SSH Tectia Server treats user names
Prefix defined                                             According to the prefix
No prefix defined, domain policy defined in the            According to the domain policy
SSH Tectia Server configuration
No prefix defined, no domain policy defined                1. Domain user name tried first
                                                           2. Local user name tried only if no matching domain user name is found

Normally when logging on to a server, you specify the target computer and optionally your user name, for example:

$ sshg3 win-server

OR

$ sshg3 user@win-server

If the user specifies neither the user name nor a prefix indicating whether it is a local or a domain user name, and the Windows server belongs to a domain for which no domain policy has been defined, the user name is assumed to be a domain user name: the name of the server's default domain is added as the prefix when checking whether the user account exists:

DOMAIN\user@win-server

If no prefix is specified by the user, and if no matching domain user name is found, the user will be treated as a local user and the local computer name is automatically added as the prefix when checking the existence of a user account:

win-server\user@win-server

If you want to make sure that the local user name is used to log on to a Windows domain machine, you have to explicitly indicate that you are using a local account. You can either specify the local machine name as the domain part of the user name: win-server\user@win-server; or you can use shorthand notation / or \ as follows: /user@win-server.

The shorthand notation with / or \ is useful when the user does not know the host name and connects using the IP address. It is also a quick way to avoid repeating long host names.
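The following is an added example, not SSH Tectia code: a small Python model of the resolution rules summarized in Table 5.1 and walked through above, run against a constructed account directory. It assumes a server named win-server that belongs to a constructed domain CORP, treats account names case-insensitively as Windows does, and models a configured domain policy simply as the domain name that unprefixed user names are mapped to (a simplification of the real domain-policy setting). The case of user carol, who exists both in the domain and locally, shows why an explicit prefix matters: without one, the domain account is chosen and the local account is never tried.

```python
# Added example (not SSH Tectia code): a model of the Windows user-name
# resolution rules described on this page, run against constructed data.

LOCAL_HOST = "win-server"      # the server's own computer name (from the page)
DEFAULT_DOMAIN = "CORP"        # constructed: the domain the server belongs to

# Constructed sample accounts as (prefix, user) pairs. The prefix is either the
# domain name or the local computer name, matching the page's DOMAIN\user and
# win-server\user forms.
ACCOUNTS = {
    ("CORP", "alice"),                              # domain account only
    ("win-server", "bob"),                          # local account only
    ("CORP", "carol"), ("win-server", "carol"),     # same name in both places
}


def parse_login(login):
    """Split 'prefix\\user@host' into (prefix, user).

    prefix is None when no prefix was given, '' for the shorthand local
    forms '/user' and '\\user', and otherwise the domain or computer name.
    A trailing '@host' is dropped (assumption: '@' does not occur inside
    the user name itself).
    """
    user_part = login.rsplit("@", 1)[0]
    for sep in ("\\", "/"):
        if sep in user_part:
            prefix, user = user_part.split(sep, 1)
            return prefix, user
    return None, user_part


def account_exists(prefix, user, accounts):
    """Case-insensitive lookup, since Windows account names are not case-sensitive."""
    return any(p.lower() == prefix.lower() and u.lower() == user.lower()
               for p, u in accounts)


def resolve_user(login, accounts=ACCOUNTS, local_host=LOCAL_HOST,
                 default_domain=DEFAULT_DOMAIN, domain_policy=None):
    """Return the fully qualified 'PREFIX\\user' the server would check,
    or None when no matching account exists.

    domain_policy is modelled (assumption) as the domain name that
    unprefixed user names are mapped to when a policy is configured.
    """
    prefix, user = parse_login(login)
    if prefix is not None:
        # 1. An explicit prefix always wins; '' is the local shorthand (/user, \user).
        target = local_host if prefix == "" else prefix
        candidates = [target]
    elif domain_policy is not None:
        # 2. No prefix, but a domain policy is configured: follow the policy.
        candidates = [domain_policy]
    else:
        # 3. No prefix and no policy: domain account first, local only as fallback.
        candidates = [default_domain, local_host]
    for target in candidates:
        if account_exists(target, user, accounts):
            return f"{target}\\{user}"
    return None


if __name__ == "__main__":
    for login in ("alice@win-server", "bob", "carol", "/carol@win-server",
                  "\\carol", "win-server\\carol", "CORP\\bob", "dave"):
        print(f"{login:22} -> {resolve_user(login)}")
```

Running the block prints one line per constructed login. Note that with an explicit prefix (CORP\bob) there is no fallback to the local account, exactly as the table states, and that carol without a prefix resolves to the domain account even though a local carol exists.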