
Domain login doesn't work on Windows 11

Open a-gn opened this issue 2 years ago • 5 comments

Prerequisites

  • [X] Write a descriptive title.
  • [X] Make sure you are able to repro it on the latest version
  • [X] Search the existing issues.

Steps to reproduce

  • Enable OpenSSH server on a Windows 11 machine ($COMPUTER) joined to an Active Directory domain ($DOMAIN).
  • Give $COMPUTER all permissions on the $DOMAIN\$USER user.
  • On a client, ssh $DOMAIN\$USER@$COMPUTER. This happens with both $DOMAIN\$USER and $USER@$DOMAIN.COM.
  • Type $USER's password.

Expected behavior

I get a shell on `$COMPUTER` as `$USER` because the password was correct.

Actual behavior

The client shows `Permission denied (publickey,password,keyboard-interactive).`

Error details

The client shows: `$USER@$DOMAIN@$COMPUTER: Permission denied (publickey,password,keyboard-interactive).`

`$COMPUTER`'s event viewer shows the following event:

```text
An account failed to log on.

Subject:
	Security ID:		SYSTEM
	Account Name:		$COMPUTER$
	Account Domain:		$DOMAIN
	Logon ID:		0x3E7

Logon Type:			8

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		NOUSER
	Account Domain:		$COMPUTER

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC0000064

Process Information:
	Caller Process ID:	0x6f70
	Caller Process Name:	C:\Windows\System32\OpenSSH\sshd.exe

Network Information:
	Workstation Name:	$COMPUTER
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Advapi
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0
```

Environment data

```PowerShell
Name                           Value
----                           -----
PSVersion                      7.3.8
PSEdition                      Core
GitCommitId                    7.3.8
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```

Version

OpenSSH_for_Windows_8.6p1

Visuals

No response

a-gn avatar Oct 24 '23 16:10 a-gn

I have the same issue, but instead of getting Permission denied, I am getting Connection reset by x.x.x.x port 22, and the sshd log shows the following:

```text
0580 2023-10-27 14:58:10.263 error: lookup_principal_name: User principal name lookup failed for user 'test\\ad_user' (explicit: 5, implicit: 5)
10580 2023-10-27 14:58:10.263 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'test\\ad_user' Status: 0xC0000062 SubStatus 0.
10580 2023-10-27 14:58:10.263 error: get_user_token - unable to generate token on 2nd attempt for user test\\ad_user
```

Massukio avatar Oct 27 '23 07:10 Massukio

Can you try this on the latest release? @a-gn, can you provide the SSHD logs as well?

maertendMSFT avatar Oct 30 '23 16:10 maertendMSFT

I'm also experiencing the same bug, but only when authenticating through pubkey. My log looks exactly like @Massukio's.

When logging in through pubkey:

```text
10888 2024-04-07 15:58:18.845 Accepted publickey for domain/user from 192.168.1.227 port 35944 ssh2: ED25519 
...
10888 2024-04-07 15:58:27.966 error: lookup_principal_name: User principal name lookup failed for user 'domain\\user' (explicit: 1355, implicit: 1355)
10888 2024-04-07 15:58:27.966 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'domain\\user' Status: 0xC0000062 SubStatus 0.
10888 2024-04-07 15:58:27.966 debug3: get_user_token - unable to generate token for user domain\\user
10888 2024-04-07 15:58:37.057 error: lookup_principal_name: User principal name lookup failed for user 'domain\\user' (explicit: 1355, implicit: 1355)
10888 2024-04-07 15:58:37.057 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'domain\\user' Status: 0xC0000062 SubStatus 0.
10888 2024-04-07 15:58:37.057 error: get_user_token - unable to generate token on 2nd attempt for user domain\\user
10888 2024-04-07 15:58:37.057 error: unable to get security token for user domain\\user
```

When doing it through password, same error, but it works:

```text
13796 2024-04-07 16:03:06.319 error: lookup_principal_name: User principal name lookup failed for user 'domain\\user' (explicit: 1355, implicit: 1355)
13796 2024-04-07 16:03:06.319 debug3: mm_answer_authpassword: sending result 1
13796 2024-04-07 16:03:06.319 debug3: mm_request_send entering: type 13
13796 2024-04-07 16:03:06.319 Accepted password for domain/user from 192.168.XXX.XXX port 48914 ssh2
```

Mamiglia avatar Apr 07 '24 14:04 Mamiglia

I'm guessing more folks would be complaining about this if it were systemic, but error 1355 is basically "I can't find the domain". Does that make any sense in the circumstances where you are seeing the error?

NoMoreFood avatar Apr 07 '24 16:04 NoMoreFood
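A small triage helper for the sshd log lines quoted in this thread, added here as an example and not part of the thread or of the Win32-OpenSSH project. It groups lines by sshd process id, maps the Win32 and NTSTATUS codes that appear (1355, 5, 0xC0000062, and the 4625 status/sub-status values) to their symbolic names, and separates a pubkey session that ended in a token failure from a password session that was accepted. The sample log is constructed from the lines posted above.

```python
import re

# Constructed sample: one pubkey session that fails at token creation, one password session that succeeds.
SAMPLE_LOG = r"""
10888 2024-04-07 15:58:18.845 Accepted publickey for domain/user from 192.168.1.227 port 35944 ssh2: ED25519
10888 2024-04-07 15:58:27.966 error: lookup_principal_name: User principal name lookup failed for user 'domain\\user' (explicit: 1355, implicit: 1355)
10888 2024-04-07 15:58:27.966 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'domain\\user' Status: 0xC0000062 SubStatus 0.
10888 2024-04-07 15:58:37.057 error: unable to get security token for user domain\\user
13796 2024-04-07 16:03:06.319 error: lookup_principal_name: User principal name lookup failed for user 'domain\\user' (explicit: 1355, implicit: 1355)
13796 2024-04-07 16:03:06.319 Accepted password for domain/user from 192.168.0.10 port 48914 ssh2
"""

# Symbolic names from winerror.h / ntstatus.h for the codes seen in this thread.
WIN32 = {5: "ERROR_ACCESS_DENIED", 1355: "ERROR_NO_SUCH_DOMAIN"}
NTSTATUS = {0xC0000062: "STATUS_NO_SUCH_PACKAGE", 0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006D: "STATUS_LOGON_FAILURE"}

LINE_RE = re.compile(r"^(?P<pid>\d+) (?P<ts>\S+ \S+) (?P<msg>.*)$")
UPN_RE = re.compile(r"lookup_principal_name: .* for user '(?P<user>[^']+)' "
                    r"\(explicit: (?P<exp>\d+), implicit: (?P<imp>\d+)\)")
LSA_RE = re.compile(r"LsaLogonUser\(\) failed\. User '(?P<user>[^']+)' "
                    r"Status: (?P<status>0x[0-9A-Fa-f]+) SubStatus (?P<sub>\w+)")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
TOKEN_FAIL_RE = re.compile(r"unable to get security token for user (?P<user>\S+)")


def triage(log_text):
    """Return {pid: summary} where summary names the auth method, the UPN lookup
    errors, the LsaLogonUser NTSTATUS, and whether the session ultimately failed."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and the "..." elision marker
        s = sessions.setdefault(m["pid"], {"methods": [], "upn_errors": [],
                                           "lsa_status": None, "token_failed": False})
        msg = m["msg"]
        if (u := UPN_RE.search(msg)):
            for code in (int(u["exp"]), int(u["imp"])):
                name = WIN32.get(code, f"WIN32_{code}")
                if name not in s["upn_errors"]:
                    s["upn_errors"].append(name)
        elif (l := LSA_RE.search(msg)):
            s["lsa_status"] = NTSTATUS.get(int(l["status"], 16), l["status"])
        elif (a := ACCEPT_RE.search(msg)):
            s["methods"].append(a["method"])  # auth succeeded; token creation may still fail
        elif TOKEN_FAIL_RE.search(msg):
            s["token_failed"] = True
    for s in sessions.values():
        s["outcome"] = "token_failure" if s["token_failed"] else ("ok" if s["methods"] else "unknown")
    return sessions
```

A UPN lookup error of ERROR_NO_SUCH_DOMAIN on a password session that still ends "ok" is the pattern Mamiglia reports; the same error followed by STATUS_NO_SUCH_PACKAGE and a token failure is the pubkey case.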

> I'm guessing more folks would be complaining about this if it were systemic, but error 1355 is basically "I can't find the domain". Does that make any sense in the circumstances where you are seeing the error?

The domain controller is probably available through the domain name since I can't log into my machine when it's shut down for policy reasons.

(I didn't have time to look for SSHD logs since VSCode Tunnels are enough for my use.)

a-gn avatar Apr 07 '24 16:04 a-gn