SSH Host Keys unavailable with NT Authentication

When using the Windows NT/SAM or Windows ADSI Authentication connectors in Titan FTP Server 2019 or Cornerstone MFT Server 2019, you may notice that the Public Host Key feature of SFTP/SSH is not available for use.

User Authentication Settings


SSH/SFTP Settings


This scenario will occur when the "Impersonate NT User After Login" option on the NT/SAM Authentication connector is enabled.

The reason is that, to impersonate the Windows NT/AD user context after login, Titan/Cornerstone must itself log in to the Windows NT/AD server and acquire an impersonation token, which allows it to operate under the context of the user. Windows NT/AD logins require both a username and a password, so the server must obtain both from the SFTP client user during login. The SFTP client must therefore use Password authentication, so that the server receives credentials it can pass along to the NT server for login. Because Password authentication is required, Host Key authentication cannot be enabled: Windows NT will not accept an SSH Host Key in lieu of the Windows password.
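The password dependency described above can be seen in the standard Win32 logon call. The following PowerShell sketch is an added illustration, not Titan/Cornerstone code; it assumes the server obtains its token through `LogonUser`, and the helper name `Get-ImpersonationIdentity` and the `Demo.NativeLogon` type are hypothetical.

```powershell
# Added illustration, not vendor code. Assumption: the server obtains its
# impersonation token through the standard Win32 LogonUser call.
Add-Type -Namespace Demo -Name NativeLogon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-ImpersonationIdentity {   # hypothetical helper name
    param([Parameter(Mandatory)] [pscredential] $Credential)

    $LOGON32_LOGON_NETWORK    = 3   # network logon: returns an impersonation token
    $LOGON32_PROVIDER_DEFAULT = 0
    $net   = $Credential.GetNetworkCredential()   # enter the account as DOMAIN\user
    $token = [IntPtr]::Zero

    # User, domain and password are the only credential inputs to the logon;
    # no parameter can carry an SSH public key or a signature made with one.
    $ok = [Demo.NativeLogon]::LogonUser($net.UserName, $net.Domain, $net.Password,
            $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref] $token)
    if (-not $ok) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw [System.ComponentModel.Win32Exception]::new($code)
    }
    try {
        # WindowsIdentity duplicates the token, so the raw handle can be closed after use.
        $id = [System.Security.Principal.WindowsIdentity]::new($token)
        [pscustomobject]@{
            Name     = $id.Name
            Level    = $id.ImpersonationLevel
            AuthType = $id.AuthenticationType
        }
        $id.Dispose()
    }
    finally {
        [void][Demo.NativeLogon]::CloseHandle($token)
    }
}

# Usage: Get-ImpersonationIdentity -Credential (Get-Credential)
```

A wrong or missing password makes the call fail with a Win32 logon error, which is the situation a key-only SFTP login would leave the server in.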

Administrators will want to keep this in mind when designing their authentication strategy. If Public Host Key access from SFTP clients will be a requirement, even if it's just for one user, then the Impersonate NT User After Login option cannot be used.






