
Configuring User Authentication with Certificates on Windows

You can configure user authentication with X.509 certificates on Windows using the Tectia Connections Configuration GUI. Tectia Server must also be configured for user authentication with certificates; see the Tectia Server Administrator Manual.

  1. Launch Tectia Connections Configuration GUI.

    Right-click in the notification area of the Windows taskbar and select Configuration.

  2. Under General, click Default Connection. Select the Authentication tab. Ensure that public-key authentication is enabled and that it is the first or only method in the list. By default, it is enabled.

    Under Public-Key Authentication, you can choose to use public keys, certificates, or both for authentication.

    Figure 4.7. Enabling public-key authentication


  3. If you are using connection profiles, select the profile name under Connection Profiles. Select the Authentication tab and ensure that public-key authentication is enabled.

  4. Tectia suggests installing the certificate into the user's personal store in the Microsoft Certificate store.

  5. Under User Authentication, select Key Providers. Enable Microsoft Crypto API and click Apply.

    Figure 4.8. Enabling Microsoft Crypto API as a certificate provider


    You can also read certificate information from USB tokens or smartcards via Microsoft Crypto API if they are compatible with the API. Alternatively, USB tokens or smartcards can be used by enabling PKCS#11.

  6. The certificate is now loaded into the client automatically. Under User Authentication, select Keys and Certificates. You can see the available certificates under Key and Certificate List.

    Figure 4.9. Viewing available certificates


    Tectia ConnectSecure can also read key and certificate information from the file system. These can be defined under Additional Directories and Files.

    Note

    Ensure that the client certificate is set up for client authentication only. This makes troubleshooting easier when several certificates are present, because, for example, server authentication certificates cannot be used as user certificates.

For more information about the key and certificate settings, see Managing Keys and Certificates.
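
The following PowerShell script is an added example, not part of the Tectia documentation. It audits the current user's personal certificate store (the store recommended in step 4) and reports, for each certificate, whether it is restricted to client authentication as the note above advises. The function names `Get-CertEkuOid` and `Test-ClientAuthCert` are hypothetical helpers defined in the script itself.

```powershell
# Added example: check certificates in Cert:\CurrentUser\My for suitability
# as client-authentication-only user certificates.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CertEkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Return the OIDs listed in the Enhanced Key Usage extension, if present.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

function Test-ClientAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids   = @(Get-CertEkuOid -Cert $Cert)
    $now    = Get-Date
    $issues = @()
    # A certificate without a private key cannot be used to authenticate.
    if (-not $Cert.HasPrivateKey) { $issues += 'no private key' }
    if ($now -lt $Cert.NotBefore) { $issues += 'not yet valid' }
    if ($now -gt $Cert.NotAfter)  { $issues += 'expired' }
    # EKU checks: absent EKU means the usage is not restricted at all.
    if ($oids.Count -eq 0) {
        $issues += 'no EKU extension, usage not restricted'
    } elseif ($oids -notcontains $ClientAuthOid) {
        $issues += 'EKU does not include client authentication'
    } elseif ($oids.Count -gt 1) {
        $issues += 'EKU allows usages other than client authentication'
    }
    $result = if ($issues.Count) { $issues -join '; ' } else { 'OK: client authentication only' }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        EkuOids    = $oids -join ', '
        Result     = $result
    }
}

Get-ChildItem -Path Cert:\CurrentUser\My |
    ForEach-Object { Test-ClientAuthCert -Cert $_ } |
    Format-List
```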

Troubleshooting User Authentication with Certificates

If certificate authentication does not succeed, running Tectia Server in troubleshooting mode and viewing the troubleshooting log can provide a lot of information about the end-user connection. For more information, refer to the section Starting Tectia Server in Debug mode on Windows in the Tectia Server Administrator Manual.


 

 