SSH Host Keys unavailable with NT Authentication

When using the Windows NT/SAM or Windows ADSI Authentication connectors in Titan FTP Server 2019 or Cornerstone MFT Server 2019, you may notice that the Public Host Key feature of SFTP/SSH is not available for use.

[Figure: User Authentication Settings]

[Figure: SSH/SFTP Settings]

This scenario will occur when the "Impersonate NT User After Login" option on the NT/SAM Authentication connector is enabled.

To impersonate the Windows NT/AD user context after login, Titan/Cornerstone must log in to the Windows NT/AD server and acquire an impersonation token, which allows it to operate under the context of that user. Windows NT/AD logins require both a username and a password, so the server has to obtain both from the SFTP client user during login. The SFTP client must therefore use Password authentication, so that the server receives the credentials to pass along to the NT server for login. Because Password authentication is required, Host Key authentication cannot be enabled: Windows NT will not accept an SSH Host Key in lieu of the Windows password.
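
To make the password dependency concrete, the following PowerShell sketch is an added illustration, not Titan/Cornerstone code and not part of the original article. It assumes the impersonation token is obtained through the Win32 `LogonUser` API, which the article does not name; `Get-WindowsTokenIdentity` and its parameters are hypothetical.

```powershell
# Added illustration, not Titan/Cornerstone code. Assumption: the token comes
# from the Win32 LogonUser API, which the article does not name.
Add-Type -Namespace Demo -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_LOGON_NETWORK    = 3   # network logon; yields an impersonation token
$LOGON32_PROVIDER_DEFAULT = 0

function Get-WindowsTokenIdentity {
    # Hypothetical helper: returns the Windows account name bound to the token
    # obtained for an SFTP login, given what the client presented.
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $UserName,
        [ValidateSet('password', 'publickey')] [string] $SshAuthMethod = 'password',
        [System.Security.SecureString] $Password
    )

    if ($SshAuthMethod -eq 'publickey' -or -not $Password) {
        # Public key auth proves possession of a private key by signature; the
        # server never sees a Windows password, so there is nothing to pass on.
        throw "No password available for $Domain\$UserName; Windows logon cannot be performed."
    }

    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $token = [IntPtr]::Zero
    $ok = [Demo.Advapi]::LogonUser($UserName, $Domain, $plain,
        $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref] $token)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LogonUser failed for $Domain\$UserName (Win32 error $err)."
    }
    try {
        # The identity wraps a duplicate of the token, so the original handle
        # can be closed afterwards.
        ([System.Security.Principal.WindowsIdentity]::new($token)).Name
    } finally {
        [void][Demo.Advapi]::CloseHandle($token)
    }
}
```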

Administrators will want to keep this in mind when designing their authentication strategy. If Public Host Key access from SFTP clients will be a requirement, even if it's just for one user, then the Impersonate NT User After Login option cannot be used.






