Domain user authentication fails with Connection Reset by Peer

[oulman]

Please answer the following

"OpenSSH for Windows" version
7.7.2.1

Server OperatingSystem
Windows Server 2019 Datacenter

Client OperatingSystem
Windows Server 2019 Datacenter, Ubuntu 18.04

What is failing

When trying to authenticate using a domain account the remote server drops the connection with a 'Connection reset by peer' error.

When using a local account I am able to login successfully.

I've changed the user and hostnames in the log but have other details attached to a Premier support case: 119030426002038​.

Expected output

Successful authentication for domain accounts.

Actual output

The server returns a 'Connection reset by peer' error.

When I look in Event Viewer > Applications and Services logs > OpenSSH > Admin I see two events.

1. Level = Critical, Source = OpenSSH, EventId = 1, Text = "sshd: fatal: ga_init, unable to resolve user contoso\domainuser"
2. Level = Error, Source = OpenSSH, EventId = 2, Text = "sshd: error: get_user_token - unable to generate token on 2nd attempt for user contoso\domainuser"

I'm attaching the output of ssh -v from a client.
ssh-dash-v.txt

Thank you.

[oulman]

I found the issue. Due to regulatory requirements, we restrict general domain access to view group membership. I tracked down the event IDs to the following ga_init() which returns this error when it can't enumerate group membership. Adding the permissions to the computer object in our AD resolved the problem.

It would be great if the error message was more descriptive that its having trouble resolving groups, not just some generate 'user' error.

https://github.com/PowerShell/openssh-portable/blob/afe4880c3781dfe12ad3a51a57eecfbee8161c8a/contrib/win32/win32compat/win32_groupaccess.c#L214

[stefanisti]

I found the issue. Due to regulatory requirements, we restrict general domain access to view group membership. I tracked down the event IDs to the following ga_init() which returns this error when it can't enumerate group membership. Adding the permissions to the computer object in our AD resolved the problem.

It would be great if the error message was more descriptive that its having trouble resolving groups, not just some generate 'user' error.

https://github.com/PowerShell/openssh-portable/blob/afe4880c3781dfe12ad3a51a57eecfbee8161c8a/contrib/win32/win32compat/win32_groupaccess.c#L214

Thanks for this reply! It helped me solve the same issue (sshd: fatal: ga_init, unable to resolve user org\username where my client said "Connection reset by port 22"). After allowing a non-starting Windows 10 system to reinstall Windows and lose all my settings my user still had domain credential permission cached so I could log in as my domain user to Windows. I had put standard DNS servers (8.8.8.8, 4.2.2.4) in when I set my static IP instead of putting in my organization's domain controller IPs. Because of that even though my Windows domain login worked, the ssh login wouldn't. All I had to do was set my network settings so that the 2 DNS servers were correct for my organization's domain controllers and bingo, ssh login works. I wouldn't have figured that out without this post.

[adotka]

@oulman

Adding the permissions to the computer object in our AD resolved the problem.

Hi James,
I am stuck with the same problem (ssh connections being reset, "ga_init, unable to resolve user" in event log) and do not quite understand your solution.

Can you suggest how exactly do I add said permissions?

Many thanks in advance!

[oulman]

@oulman

Adding the permissions to the computer object in our AD resolved the problem.

Hi James,
I am stuck with the same problem (ssh connections being reset, "ga_init, unable to resolve user" in event log) and do not quite understand your solution.

Can you suggest how exactly do I add said permissions?

Many thanks in advance!

We have a group that grants 'read all properties' on objects in OUs with our users/groups. For systems that need SSHd we put the computer objects in this group (dont forget to reboot to pick up the new group membership).

If you don't have any restrictive permissions in your domain, verify that you're able to talk to AD and authenticate (nltest, klist, etc.) - you could have a problem like @stefanisti found.

[adotka]

Thank you, James! You helped me a lot to move further, although my case seem to be different. Checking effective access shows that the computer account has right to "Read all properties" on OU, where all users and groups reside, and AD indeed can be contacted from the computer. It seems that the problem is caused by Samba4 that run my domain. It is built with default Heimdal Kerberos implementation, which does not support S4U and I am seeing "sshd: debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'simpsons\anton' Status: 0xC000009A SubStatus 0." errors in Debug log.

We have a group that grants 'read all properties' on objects in OUs with our users/groups. For systems that need SSHd we put the computer objects in this group (dont forget to reboot to pick up the new group membership).

If you don't have any restrictive permissions in your domain, verify that you're able to talk to AD and authenticate (nltest, klist, etc.) - you could have a problem like @stefanisti found.

[xf6jx5fq]

@oulman
I have the same issue as you had. But the difference is I don't have access to AD to add the required permission : is there a way to just connect to my laptop using ssh and my AD login without having to modify and add that permission ?

[shawnz]

Same here, I am not able to change the problematic settings in AD. Is there any other workaround?

[I1eoThe0ne]

@oulman Thanks for providing a solution hint.
It seems we have the same issue (same messages in the log)

What is your solution - it seems you changed part of the OpenSSH-Server - since this pice of code is within the project.
On the other hand in the code I see searching for AD-Groups.

Can you clarify a bit more - for people who don't have a strong Active-Directory-Administration background?
Would be appreciated a lot ;)

[oulman]

@I1eoThe0ne check my response above. In our environment we effectively granted the computer object 'read all properties' on the users logging in with ssh. Others in the thread have indicated other issues talking to AD will generate similar errors.

@oulman

Adding the permissions to the computer object in our AD resolved the problem.

Hi James,
I am stuck with the same problem (ssh connections being reset, "ga_init, unable to resolve user" in event log) and do not quite understand your solution.
Can you suggest how exactly do I add said permissions?
Many thanks in advance!

We have a group that grants 'read all properties' on objects in OUs with our users/groups. For systems that need SSHd we put the computer objects in this group (dont forget to reboot to pick up the new group membership).

If you don't have any restrictive permissions in your domain, verify that you're able to talk to AD and authenticate (nltest, klist, etc.) - you could have a problem like @stefanisti found.

#1363 (comment)

[I1eoThe0ne]

@oulman thank you for pointing again how to solve the issue.

**For all who like / need a detailed step-by-step how-to here is what you do :

Open ActiveDirectory > User > Properties > Add > (OpenSSH)Server > Read (is already checked after adding)**

In case a picture helps you also visit https://serverfault.com/questions/1067665/unable-to-ssh-into-windows-domain-server-using-domain-user/

[nedy13]

If you are not a company admin which can administer the AD, then you have lost?!

In my case I want to login to my company's personal computer with SSH with my domain user. You need the rights to read my user account in the AD? Who has the rights....me. So I used my user as service account for the "OpenSSH Server" service, but then I had the issue that the service is not starting.

Solution: #1824 (comment)

After adding my domain user to these two security policies, you can start the OpenSSH Server service.

login from other machine with: ssh -l user@domain 123.456.789.123
works...

Short hint for all, which have the same issue.