SPS Usermapping is not working

Hello,

I'm trying to authenticate SPS users through Active Directory and restrict users to using only the root user on the target server via usermapping.

But SSH connections can't be started with this way of authentication.

Kindly check my configuration steps:

1- Added LDAP server

2- Users & Access Control > Settings > Authentication settings > added LDAP

3- Added usermapping

4- Added username on the server > root user on target server

5- Added group > added domain group

6- Added usermapping in SSH connection

7- Enabled "Require gateway authentication" > added domain group in groups

Your help is very much appreciated.

  • Hi Mahmoud,

    Please clarify in more detail where some of the settings were added, because, for example, you stated in step 1 "Added LDAP Server" (does this mean you added it under Policies > LDAP Servers, and did you also select it in the SSH Connection > LDAP Server drop-down?).

    Thanks!

  • Exactly, I added the LDAP server under Policies and then selected it in the SSH connection.

  • Hi Mahmoud,

    Thanks for the update.

    1. Does the SSH connection use port 22 or a different port? Make sure the port does not conflict with the SPS SSH service port.

    2. Make sure the AD group name matches the case exactly as it appears in AD (is it all lower case, or are some letters uppercase?).

    3. Also, when connecting with an SSH client via SPS as a non-transparent connection, point the client at the SPS IP address with the port specified in the SSH connection; then, when prompted for the login:

    Try the format: gu=ADuser@root@targetServerIP

    If the issue persists, check the logs under Basic Settings > Troubleshooting > View log files > Select SSH and click Tail for latest logs.

    Thanks!

  • Thanks Tawfiq for your reply,

    Please find the logs below:

    2021-01-28T22:09:12+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:24/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.6', client_hostname='', client_port='61459', server_ip='', server_hostname='', server_port='', gateway_username='Administrator', remote_username='root', verdict='ZV_REJECT', network_id=''
    2021-01-28T22:09:12+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.session(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:24): Ending proxy instance;
    2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.auth(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Authorization is timed out; session='svc/2sWKkgXpATm19GtHYngTiM/putty:25', authorization='ExternalAuthorization'
    2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Web based gateway authentication timed out
    2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: ssh.error(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Could not resolve hostname or failed to connect to remote host; host='192.168.0.89', port='22'
    2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.6', client_hostname='', client_port='61467', server_ip='', server_hostname='', server_port='', gateway_username='', remote_username='memad', verdict='ZV_REJECT', network_id=''
    2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.session(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:25): Ending proxy instance;
    2021-01-28T22:12:26+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.auth(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:26/ssh): Authorization is timed out; session='svc/2sWKkgXpATm19GtHYngTiM/putty:26', authorization='ExternalAuthorization'
    2021-01-28T22:12:26+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:26/ssh): Web based gateway authentication timed out

  • Hi Mahmoud,

    It looks like the SSH connection is configured to "Require Gateway Authentication on the SPS Web Interface" - Do you have this option enabled in the SSH connection?

    There are two ways to authenticate against SPS as a Gateway for SSH connections:

     1. Out-of-band gateway authentication, enabled with the check box "Require Gateway Authentication on the SPS Web Interface" > adding the AD group.

    - Here, the user has to log in to the SPS web page with the AD user, click on the Gateway authentication pane in the left menu, and assign the connection in order to allow the SSH connection to proceed to the target server.

    2. In-band gateway authentication: this is configured in SSH Control > Authentication Policies > Gateway authentication method. Here you can enable Password, and that way the AD user authenticates against SPS in the SSH client itself instead of having to go to the SPS web page.

    Which of the two gateway options are you looking to accomplish?

  • Hi Tawfiq,

    We will use in-band gateway authentication.

    I have configured it as above, and I see it works!

    But I can't authenticate the gateway username.

    Please find the terminal output below:

    login as: Administrator@root@192.168.0.89
    Keyboard-interactive authentication prompts from server:
    | Gateway authentication and authorization
    | Please specify the requested information
    | Gateway username: Administrator@mm.com
    | Gateway password:
    | Gateway password:
    | Gateway password:

    Logs:

    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(3): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Error during processing LDAP service request; method='get_user', params='['Administrator@mm.com']', error='Error response received; error='{'code': 100, 'message': "get_user failed; filter='(|(samaccountname=Administrator@mm.com)(userprincipalname=Administrator@mm.com))', error='{'desc': 'Operations error', 'msg_id': 2, 'info': '000004DC: LdapErr: DSID-0C0909AF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839'}'"}''
    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(3): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Error looking up user in LDAP; username='Administrator@mm.com'
    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.error(2): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Error occurred during authentication, credential is not accepted;
    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: ssh.policy(2): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Gateway authentication failed;
    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.7', client_hostname='', client_port='62065', server_ip='', server_hostname='', server_port='', gateway_username='', remote_username='', verdict='ZV_REJECT', network_id=''
    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.session(4): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34): Ending proxy instance;
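
The two log excerpts in this thread (the web gateway authentication timeout for sessions putty:24/25 and the LDAP lookup failure for putty:34) are the kind of output you get from Basic Settings > Troubleshooting > View log files > SSH > Tail. The script below is an added example, not part of the thread and not One Identity tooling: it parses those scb_ssh lines, groups them by session, and, for each session closed with verdict='ZV_REJECT', reports the first recognised failure signature plus the gateway and remote usernames from the audit line. For the LDAP case it also surfaces the directory server's own comment embedded in the error (here, that a successful bind must be completed on the connection before the search). The signature strings are copied from the log lines on this page; the labels (web_gateway_auth_timeout, ldap_lookup_error, gateway_auth_failed, target_unreachable) and the line layout assumed by the regular expressions are mine.

```python
import re

# Sample input: log lines copied from the scb_ssh excerpts posted in this thread
# (three sessions: putty:24, putty:25 and putty:34).
SAMPLE_LOG = r"""
2021-01-28T22:09:12+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:24/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.6', client_hostname='', client_port='61459', server_ip='', server_hostname='', server_port='', gateway_username='Administrator', remote_username='root', verdict='ZV_REJECT', network_id=''
2021-01-28T22:09:12+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.session(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:24): Ending proxy instance;
2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.auth(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Authorization is timed out; session='svc/2sWKkgXpATm19GtHYngTiM/putty:25', authorization='ExternalAuthorization'
2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Web based gateway authentication timed out
2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: ssh.error(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Could not resolve hostname or failed to connect to remote host; host='192.168.0.89', port='22'
2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.6', client_hostname='', client_port='61467', server_ip='', server_hostname='', server_port='', gateway_username='', remote_username='memad', verdict='ZV_REJECT', network_id=''
2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(3): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Error during processing LDAP service request; method='get_user', params='['Administrator@mm.com']', error='Error response received; error='{'code': 100, 'message': "get_user failed; filter='(|(samaccountname=Administrator@mm.com)(userprincipalname=Administrator@mm.com))', error='{'desc': 'Operations error', 'msg_id': 2, 'info': '000004DC: LdapErr: DSID-0C0909AF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839'}'"}''
2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: ssh.policy(2): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Gateway authentication failed;
2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.7', client_hostname='', client_port='62065', server_ip='', server_hostname='', server_port='', gateway_username='', remote_username='', verdict='ZV_REJECT', network_id=''
""".strip("\n")

# One scb_ssh line: timestamp, host, process, category(level), (session), message.
# The trailing "/ssh" of the session id is dropped so that proxy-level lines
# (".../putty:24/ssh") and session-level lines (".../putty:24") group together.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): "
    r"(?P<category>[\w.]+)\((?P<level>\d+)\): "
    r"\((?P<session>svc/[^)]+?)(?:/ssh)?\): (?P<message>.*)$"
)
# key='value' pairs as written in the audit "Closing connection" lines.
KV_RE = re.compile(r"(\w+)='([^']*)'")
# The directory server's own diagnostic embedded in an LDAP error message.
LDAP_COMMENT_RE = re.compile(r"comment: (.*?), data \d+")

# Message fragments (taken from the posted logs) that explain a rejected session;
# the labels are this example's own naming. The first signature seen wins.
FAILURE_SIGNATURES = [
    ("Web based gateway authentication timed out", "web_gateway_auth_timeout"),
    ("Error during processing LDAP service request", "ldap_lookup_error"),
    ("Error looking up user in LDAP", "ldap_lookup_error"),
    ("Gateway authentication failed", "gateway_auth_failed"),
    ("Could not resolve hostname or failed to connect", "target_unreachable"),
]


def parse_line(line):
    """Split one scb_ssh log line into its parts, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    rec["fields"] = dict(KV_RE.findall(rec["message"]))
    return rec


def classify(message):
    """Map a log message to a failure label, or None for lines that carry no signature."""
    for needle, label in FAILURE_SIGNATURES:
        if needle in message:
            return label
    return None


def summarize_sessions(text):
    """Group lines by session and record the verdict, the users involved and why it failed."""
    sessions = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["session"], {
            "verdict": None, "client_ip": "", "gateway_username": "",
            "remote_username": "", "reasons": [], "detail": "",
        })
        label = classify(rec["message"])
        if label:
            s["reasons"].append(label)
            comment = LDAP_COMMENT_RE.search(rec["message"])
            if comment and not s["detail"]:
                s["detail"] = comment.group(1)
        if rec["message"].startswith("Closing connection"):
            f = rec["fields"]
            s["verdict"] = f.get("verdict")
            s["client_ip"] = f.get("client_ip", "")
            s["gateway_username"] = f.get("gateway_username", "")
            s["remote_username"] = f.get("remote_username", "")
    for s in sessions.values():
        s["reason"] = s["reasons"][0] if s["reasons"] else None
    return sessions


def rejected_sessions(text):
    """Return (session, reason, gateway_username, remote_username) for every ZV_REJECT session."""
    return [
        (sid, s["reason"], s["gateway_username"], s["remote_username"])
        for sid, s in summarize_sessions(text).items()
        if s["verdict"] == "ZV_REJECT"
    ]


if __name__ == "__main__":
    summary = summarize_sessions(SAMPLE_LOG)
    for sid, reason, gw, remote in rejected_sessions(SAMPLE_LOG):
        print(f"{sid}: rejected, reason={reason}, gateway_user={gw!r}, remote_user={remote!r}")
        if summary[sid]["detail"]:
            print(f"    directory server said: {summary[sid]['detail']}")
```

Run it against a saved Tail output instead of SAMPLE_LOG to get one line per rejected session. A session whose excerpt contains no recognised error line (putty:24 above) is reported with reason None, which is the cue to tail further back rather than guess; the gateway_username and remote_username fields tell you at a glance whether the rejection happened before or after the gateway user was identified.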
