SPS Usermapping is not working

Hello,

I'm trying to authenticate SPS users through Active Directory and restrict users to using only the root user on the target server via usermapping.

But SSH connections cannot be established with this authentication method.

Kindly check my configuration steps:

1- Added the LDAP server

2- Users & Access Control > Settings > Authentication settings > added LDAP

3- Added usermapping

4- Added the username on the server > root user on the target server

5- Added a group > added the domain group

6- Added usermapping in the SSH connection

7- Enabled required gateway authentication > added the domain group in groups

Your help is very much appreciated.

  • Hi Mahmoud,

    Please clarify in more detail where some of the settings were added. For example, in step 1 you stated "Added LDAP server": does this mean you added it under Policies > LDAP Server, and did you also add it under the SSH Connection > LDAP Server drop-down?

    Thanks!

  • Exactly, I added the LDAP server under Policies and then added it through the SSH connection.

  • Hi Mahmoud,

    Thanks for the update.

    1. Does the SSH connection use port 22 or a different port? Make sure the port does not conflict with the SPS SSH service port.

    2. Make sure the AD group name matches the case exactly as it appears in AD (is it all lower case or some uppercase letters?).

    3. Also, when connecting with an SSH client via SPS as a non-transparent connection, you point the client at the SPS IP address with the port specified in the SSH connection; then, when prompted for login:

    Try the format: gu=ADuser@root@targetServerIP

    If the issue persists, check the logs under Basic Settings > Troubleshooting > View log files > select SSH and click Tail for the latest logs.

    Thanks!

  • Thanks, Tawfiq, for your reply.

    Please find the logs below:

    2021-01-28T22:09:12+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:24/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.6', client_hostname='', client_port='61459', server_ip='', server_hostname='', server_port='', gateway_username='Administrator', remote_username='root', verdict='ZV_REJECT', network_id=''
    2021-01-28T22:09:12+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.session(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:24): Ending proxy instance;
    2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.auth(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Authorization is timed out; session='svc/2sWKkgXpATm19GtHYngTiM/putty:25', authorization='ExternalAuthorization'
    2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Web based gateway authentication timed out
    2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: ssh.error(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Could not resolve hostname or failed to connect to remote host; host='192.168.0.89', port='22'
    2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.6', client_hostname='', client_port='61467', server_ip='', server_hostname='', server_port='', gateway_username='', remote_username='memad', verdict='ZV_REJECT', network_id=''
    2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.session(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:25): Ending proxy instance;
    2021-01-28T22:12:26+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.auth(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:26/ssh): Authorization is timed out; session='svc/2sWKkgXpATm19GtHYngTiM/putty:26', authorization='ExternalAuthorization'
    2021-01-28T22:12:26+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:26/ssh): Web based gateway authentication timed out

  • Hi Mahmoud,

    It looks like the SSH connection is configured to "Require Gateway Authentication on the SPS Web Interface" - Do you have this option enabled in the SSH connection?

    There are two ways to authenticate against SPS as a Gateway for SSH connections:

     1. Out-of-band gateway authentication, which is enabled with the check box option "Require Gateway Authentication on the SPS Web Interface" > adding the AD group.

    - Here, the user has to log in to the SPS web page with the AD user, click on the Gateway authentication pane in the left menu, and assign the connection in order to allow the SSH connection to proceed to the target server.

    2. Inband gateway authentication: this is configured in SSH Control > Authentication policies > Gateway authentication method. Here you can enable password, and that way the AD user authenticates against SPS in the SSH client itself instead of having to go to the SPS web page.

    Which of the two gateway options are you looking to accomplish, please?

  • Hi Tawfiq,

    We will use inband gateway authentication.

    I have configured it as above, and I see it works!

    But I can't authenticate the gateway username.

    Please find the terminal output below:

    login as: Administrator@root@192.168.0.89
    Keyboard-interactive authentication prompts from server:
    | Gateway authentication and authorization
    | Please specify the requested information
    | Gateway username: Administrator@mm.com
    | Gateway password:
    | Gateway password:
    | Gateway password:

    Logs:

    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(3): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Error during processing LDAP service request; method='get_user', params='['Administrator@mm.com']', error='Error response received; error='{'code': 100, 'message': "get_user failed; filter='(|(samaccountname=Administrator@mm.com)(userprincipalname=Administrator@mm.com))', error='{'desc': 'Operations error', 'msg_id': 2, 'info': '000004DC: LdapErr: DSID-0C0909AF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839'}'"}''
    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(3): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Error looking up user in LDAP; username='Administrator@mm.com'
    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.error(2): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Error occurred during authentication, credential is not accepted;
    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: ssh.policy(2): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Gateway authentication failed;
    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.7', client_hostname='', client_port='62065', server_ip='', server_hostname='', server_port='', gateway_username='', remote_username='', verdict='ZV_REJECT', network_id=''
    2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.session(4): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34): Ending proxy instance;

  • Update:

    login as: Administrator
    Keyboard-interactive authentication prompts from server:
    | Gateway authentication and authorization
    | Please specify the requested information
    | Please enter server host name: 192.168.0.89
    | Gateway username: root
    | Gateway password:
    | Gateway password:

  • Hi Mahmoud,

    Try login: gu=Administrator@root@192.168.0.89

    gu stands for gateway user, which will be the AD user (Administrator); then (root) is the remote user on the target server.

    Then you will be prompted for Gateway password: this is the AD user's password.

    Then you should get another prompt for the root password, like "gu=administrator@root@192.168.0.89's password:"; this is for the root password.

    Thanks!

  • Dear Tawfiq,

    Unfortunately, the issue still exists. I believe usermapping through the AD group is not working well.

    How can I investigate this issue?

  • Hi Mahmoud,

    Please check the LDAP Server configuration:

    - Under Policies > LDAP Server > expand the name of your LDAP Server policy > check whether the Bind DN and Bind Password were added correctly.

    Bind DN can be in the format administrator@mm.com, for example.

    Bind Password: click on the Change button and add the password for the account that will communicate with the AD domain.

    Commit, and then test, please.

    Thanks!
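The two log excerpts posted in this thread each point at a specific misconfiguration: the "Web based gateway authentication timed out" lines mean the connection still required out-of-band authorization on the SPS web interface, and the LDAP "a successful bind must be completed" error (AD error 000004DC) means SPS searched AD without a bind, which is what an empty or wrong Bind DN / Bind Password on the LDAP Server policy produces. As an added example that is not part of the original thread and not SPS's own code, the following Python script parses scb_ssh log lines of the shape shown above, groups them per proxy session, and reports the verdict, the gateway/remote usernames and the likely cause in the order the log reveals it. The sample lines are copied from the thread; the diagnosis texts are this example's own reading of the replies, not strings SPS emits.

```python
"""Triage One Identity SPS (zorp/scb_ssh) log lines for gateway-authentication failures.

Added example for this thread; not SPS code. Sample lines below are copied from
the thread (session ids and IPs are the ones posted there).
"""
import re
from collections import OrderedDict

# Every scb_ssh line has the shape:
#   <ts> <host> zorp/scb_ssh[<pid>]: <class>(<level>): (<session>[/ssh]): <message>
_HEADER = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) zorp/scb_ssh\[(?P<pid>\d+)\]: "
    r"(?P<cls>[\w.]+)\((?P<level>\d)\): "
    r"\((?P<session>svc/[^/)]+/[^/)]+)(?:/ssh)?\): (?P<msg>.*)$"
)
# key='value' pairs used by the scb.audit "Closing connection" record
_KV = re.compile(r"(\w+)='([^']*)'")

# (substring of the message, diagnosis). The first entry matching a line wins;
# diagnoses are this example's wording, not SPS messages.
CAUSES = [
    ("Web based gateway authentication timed out",
     "out-of-band gateway auth: 'Require Gateway Authentication on the SPS Web Interface' "
     "is enabled and nobody authorized the session on the web UI before the timeout"),
    ("a successful bind must be completed",
     "LDAP lookup was issued without a bind: check Bind DN / Bind Password "
     "on the LDAP Server policy"),
    ("Could not resolve hostname or failed to connect to remote host",
     "SPS never connected to the target host (usually a follow-on of the earlier failure)"),
    ("Gateway authentication failed",
     "gateway credentials were rejected"),
]


def parse_line(line):
    """Return the fields of one scb_ssh line as a dict, or None for anything else."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # scb.audit records carry key='value' pairs; other classes are free text
    rec["fields"] = dict(_KV.findall(rec["msg"])) if rec["cls"] == "scb.audit" else {}
    return rec


def diagnose(msg):
    """Map a log message to a diagnosis string, or None if it is not a known failure."""
    for needle, diagnosis in CAUSES:
        if needle in msg:
            return diagnosis
    return None


def triage(lines):
    """Group lines by proxy session; record verdict, usernames and likely causes in order."""
    sessions = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["session"], {
            "verdict": None, "gateway_username": None, "remote_username": None, "causes": []})
        cause = diagnose(rec["msg"])
        if cause and cause not in s["causes"]:
            s["causes"].append(cause)
        if rec["cls"] == "scb.audit" and rec["msg"].startswith("Closing connection"):
            f = rec["fields"]
            s["verdict"] = f.get("verdict")
            # SPS logs '' for a username it never learned; normalise that to None
            s["gateway_username"] = f.get("gateway_username") or None
            s["remote_username"] = f.get("remote_username") or None
    return sessions


# Constructed sample: lines copied from the thread, one web-auth timeout session
# (putty:25) and one LDAP bind-failure session (putty:34).
SAMPLE_LOG = """\
2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.auth(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Authorization is timed out; session='svc/2sWKkgXpATm19GtHYngTiM/putty:25', authorization='ExternalAuthorization'
2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Web based gateway authentication timed out
2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: ssh.error(2): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Could not resolve hostname or failed to connect to remote host; host='192.168.0.89', port='22'
2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:25/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.6', client_hostname='', client_port='61467', server_ip='', server_hostname='', server_port='', gateway_username='', remote_username='memad', verdict='ZV_REJECT', network_id=''
2021-01-28T22:10:39+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: core.session(4): (svc/2sWKkgXpATm19GtHYngTiM/putty:25): Ending proxy instance;
2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.error(3): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Error during processing LDAP service request; method='get_user', params='['Administrator@mm.com']', error='Error response received; error='{'code': 100, 'message': "get_user failed; filter='(|(samaccountname=Administrator@mm.com)(userprincipalname=Administrator@mm.com))', error='{'desc': 'Operations error', 'msg_id': 2, 'info': '000004DC: LdapErr: DSID-0C0909AF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839'}'"}''
2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: ssh.policy(2): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Gateway authentication failed;
2021-01-28T23:07:20+02:00 me-sps1.mm.com zorp/scb_ssh[2181]: scb.audit(4): (svc/uQh8uas1MQ5gg7Z9EXfTkj/putty:34/ssh): Closing connection; connection='putty', protocol='ssh', connection_id='1403761182600990fe39e45', client_ip='172.16.0.7', client_hostname='', client_port='62065', server_ip='', server_hostname='', server_port='', gateway_username='', remote_username='', verdict='ZV_REJECT', network_id=''
"""

if __name__ == "__main__":
    for sid, s in triage(SAMPLE_LOG.splitlines()).items():
        print(sid, s["verdict"], "gateway=%s remote=%s" % (s["gateway_username"], s["remote_username"]))
        for c in s["causes"]:
            print("   ->", c)
```

Feed it the output of Basic Settings > Troubleshooting > View log files > SSH (or a copy of /var/log taken with Tail) and read the first cause recorded per session: a session whose first cause is the web-interface timeout still has "Require Gateway Authentication on the SPS Web Interface" ticked, while a session whose first cause is the unbound LDAP lookup has an LDAP Server policy with no working Bind DN / Bind Password; the empty gateway_username in both Closing connection records is consistent with gateway authentication never having succeeded.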