When GSSAPI authentication is used on Tectia Server running on Windows 2003, you need to make additional configurations for users who do not have administrator privileges. For instructions on enabling the command prompt for GSSAPI users, see Enable Shell Access for Non-privileged GSSAPI Users.
Windows Server 2003 has more restrictive permission settings. Because of that, non-privileged domain users, who are authenticated using GSSAPI, do not by default have permissions to the command prompt executable (cmd.exe) that provides the users with shell access.
In this environment, additional steps need to be taken to allow shell access for non-privileged users:
Go to the
%WINDIR%\system32 folder (typically
cmd.exe program, and select
Properties from the shortcut menu. The cmd.exe
Properties dialog box opens.
On the Security tab, click Add to add Read & Execute rights to those domain users you want to allow to authenticate using GSSAPI.
You can do one of the following actions:
Add each user separately (for example, add
NETWORK group. This will allow all
users with valid domain accounts to authenticate using GSSAPI.
Add your own group that is a member of
NETWORK and contains all users that you want to allow to
authenticate using GSSAPI.
Click OK when finished.
See also the general considerations on user name handling in User Logon Rights on Windows.