Tectia

Special Considerations on Microsoft Windows Server 2003

When GSSAPI authentication is used on Tectia Server running on Windows 2003, you need to make additional configurations for users who do not have administrator privileges. For instructions on enabling the command prompt for GSSAPI users, see Enable Shell Access for Non-privileged GSSAPI Users.

Enable Shell Access for Non-privileged GSSAPI Users

Windows Server 2003 has more restrictive permission settings. Because of that, non-privileged domain users, who are authenticated using GSSAPI, do not by default have permissions to the command prompt executable (cmd.exe) that provides the users with shell access.

In this environment, additional steps need to be taken to allow shell access for non-privileged users:

  1. Go to the %WINDIR%\system32 folder (typically C:\WINDOWS\system32).

  2. Right-click the cmd.exe program, and select Properties from the shortcut menu. The cmd.exe Properties dialog box opens.

  3. On the Security tab, click Add to add Read & Execute rights to those domain users you want to allow to authenticate using GSSAPI.

    You can do one of the following actions:

    • Add each user separately (for example, add Domainname\username).

    • Add the NETWORK group. This will allow all users with valid domain accounts to authenticate using GSSAPI.

    • Add your own group that is a member of NETWORK and contains all users that you want to allow to authenticate using GSSAPI.

    Click OK when finished.

See also the general considerations on user name handling in User Logon Rights on Windows.