Configure Client Authentication using Windows Credentials
If the server host computer and client users are members of the same Windows domain, you can use GSSAPI to authenticate client users. With this configuration, the user authenticates using his or her Windows domain credentials, and therefore doesn't need to enter a password to connect to the server. If the domain accounts are configured to be trusted for delegation, the user can access other domain resources as well, such as printers and file servers.
Note: This procedure describes how to configure just client authentication using Windows credentials — server authentication still requires the server host key. To use GSSAPI and Windows credentials for mutual authentication, see Configure GSSAPI Server and Client Authentication.
To configure Windows domain accounts
- Add the server computer and client computers to the Windows domain.
- Launch the Active Directory Users and Computers console and add the client users to the domain.
- (Optional) If you want to use delegation of authentication, configure user account to be trusted for delegation (Account > Account options > User is Trusted for delegation).
- (Optional) If you want to use delegation of authentication, configure the server computer properties to trust this computer for delegation (General > Trust computer for delegation).
To configure the Reflection for Secure IT server
- Start the server console, and then click Configuration.
- Go to Authentication > GSSAPI / Kerberos V5, and then select Allow or Require.
Click File > Save.
To configure the Reflection for Secure IT client
- Open Reflection for Secure IT Windows Client.
- Open the Reflection Secure Shell Settings dialog box (Connection > Connection Setup > Security).
- From the General tab, under Authentication, select GSSAPI/Kerberos.
- From the GSSAPI tab:
- Select SSPI (the default).
- (Optional) If you don't want the client to forward the Kerberos ticket to the server, clear Delegate credentials.
- Click OK.
The Reflection Secure Shell Settings dialog box closes.
- When you configure the user for your client connection, you may need to include both the domain and user name using the format domain\user. This is required if the server computer has a local account name that matches your domain account. For example, if the local computer has a "joe" account and you log on using a domain account for "joe", you need to connect from the client as:
Note: Depending on your operating system, you may need to modify your system security settings to allow access to a terminal shell to users who authenticate using domain credentials. For more information, see Command Shell Access in Windows.