Using Active Directory domain accounts with CopSSH


If you’re like me, you have clients behind firewalls and special development environments configured to mirror the client’s environment for local testing. In my case a lot of my development environments have Microsoft CRM installed on them as a self-contained development environment replete with Active Directory. This means that the virtual machine does not have any local accounts, only domain accounts. When I log in, I’m logging into a domain.

This works out pretty well most of the time. However, recently I wanted to use my SSH backhaul trick to grab some data from a client’s site back through their firewall. In order to get this to work, I had to do some extra experimentation with CopSSH user accounts and my VirtualBox settings.

First off, let me recap exactly what we are trying to do. It might be worthwhile to look at my SSH backhaul article first, but what we are doing is running a secure shell server locally on the virtual machine and connecting to it from the remote server using PuTTY. This lets us access things like Microsoft CRM services on the remote machine for tasks such as data dumps and schema upgrades.

I’m using VirtualBox as my virtualization environment. I happen to be using NAT (network address translation) instead of bridged network connection. This means that there is one extra step that I didn’t cover in my previous article, which I will outline here. The complete end-to-end scenario becomes:

PuTTY on remote server -> firewall on my local network -> VirtualBox NAT on my laptop -> VirtualBox VM -> CopSSH daemon

So I covered everything in the previous article except for setting up VirtualBox NAT. Fortunately it is very simple. We need to set up port forwarding across the NAT. To do this go into the network settings of the running virtual machine and look for the button that says “port forwarding”. This lets you set up the host and guest port. I had to set the IP addresses rather than leave them blank, but what I did was set both to, which means “all addresses”. Here is a screenshot:

I’m mapping the SSH port 22 to port 2222 to avoid conflicts with the native sshd daemon that is running on my Ubuntu laptop.

Once we have this set up, we can test the connection locally by using PuTTY to connect to localhost on port 2222. We should get a login prompt from CopSSH.
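The same local test can be scripted. The sketch below is an added example, not part of the original post: it reads the SSH identification line on the forwarded port so you can confirm that the daemon answering on 2222 is the guest's CopSSH and not the host's own sshd on 22. The function names are hypothetical; 2222 is the forwarded port used above.

```python
import socket


def parse_ssh_ident(line: bytes) -> dict:
    """Split an RFC 4253 (section 4.2) identification line into its fields."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    ident, _, comment = text.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH" or not parts[2]:
        raise ValueError("not an SSH identification string: %r" % text)
    return {"proto": parts[1], "software": parts[2], "comment": comment}


def read_ssh_ident(host="127.0.0.1", port=2222, timeout=5.0) -> dict:
    """Connect, read the server's identification line, and parse it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        # A server may send other text lines before the "SSH-" line.
        for _ in range(20):
            line = stream.readline(256)
            if not line:
                break
            if line.startswith(b"SSH-"):
                return parse_ssh_ident(line)
    raise ConnectionError("no SSH identification string from %s:%d" % (host, port))


if __name__ == "__main__":
    # 2222 is the forwarded port from the post; 22 is the host's own sshd.
    for label, port in (("forwarded guest", 2222), ("host sshd", 22)):
        try:
            print(label, port, read_ssh_ident(port=port))
        except (OSError, ValueError) as exc:
            print(label, port, "unreachable or not SSH:", exc)
```

If both ports report the same software and comment fields, the forward is probably not reaching the virtual machine.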

Once we know that CopSSH is working and reachable via the port forwarded over the VirtualBox NAT, we need to authorize the user accounts that can log in via SSH. This is where we have to pay close attention. The thing that caused me a lot of pain was that the domain and account names are case sensitive. When adding the user account, put the domain name in all capitals and pay attention to the case. Check out the screenshots:

One last thing: the user accounts will need the right to log on locally. Double check using the Local Security Policy tool (look in Administrative Tools):

Test logging in with the domain account using domain\user:

If login works, set up the tunnel the same way as in my previous article and rock on!

