I'm designing a Windows client application that will retrieve files from an SFTP server. I would like to avoid forcing users to supply credentials on the client application - rather, their Windows credentials would be supplied to the server, which would then authenticate and provide access to the appropriate resources.
It seems that the SFTP servers on the market will allow either certificate authentication or password authentication. If a certificate is supplied, no password is necessary. Otherwise the user will need to enter a password.
The issue with using certificate authentication, as far as I can tell, is that we would need to manage users (create, delete, etc.) within the application itself, rather than relying on Active Directory. This adds additional administration complexity to our already complex environment.
Does anyone know of either:
A) An SFTP server solution that will meet my requirements
or
B) Another approach that I could use to centralize user management in AD while still allowing SSO on an SFTP server?
You can integrate OpenSSH with Kerberos if you want to run OpenSSH on a Linux box: http://port25.technet.com/archive/2008/06/06/technical-analysis-openssh-on-linux-using-windows-kerberos-for-authentication.aspx
I'm not finding good docs about Kerberos integration with OpenSSH on Windows (via Cygwin). I'd love to hear from somebody who might've done this.
While I am loath to recommend it, Ipswitch's WS-FTP Server does exactly what you are asking for (on a Windows machine). It has gotten much better, but the user interface is still pretty poor.
You could also go the Linux box route, but I would probably use Likewise Open combined with rssh for ease of management.
VShell, by VanDyke Software, does this.
Answer to your question A: you may want to try Syncplify.me Server!, an SFTP server for Windows that supports both PKI and Active Directory (depending on your needs); therefore, you can easily integrate the auth process in your client software without requiring the user to type in a password.
Answer to your question B: as Syncplify.me Server! supports Active Directory groups and users, as well as a "catch-all" virtual user, you can greatly simplify your user management by leveraging such functions (without the need to create/edit user profiles in the SFTP server every time).
Link: http://www.syncplify.me/syncplifyme-server.html
Old question but... We have used CrushFTP running on Windows servers. It works on other platforms as well, and no client is needed.
Many features for secure access, and it integrates with AD. Many other great features, low cost and great support. Have not tried the latest, but earlier versions have been great. Support has been exceptional, even during trial. Worth a look.
Allowing your client application to authenticate to the SFTP server using their existing logged-in credentials in a Windows domain environment ultimately means you're using Kerberos. Your SFTP server must have Kerberos support and be running on a machine that is a member of the same domain (or a trusted domain) as your client. Your SFTP client must also have Kerberos support. I'm not sure how you're accomplishing the client connection in your app, but you might want to check that.
There is an old closed question, "What is a good SSH server to use on Windows?". Since SFTP is just a function of SSH, most of the answers in that question would be a good place to start. My personal preference is the top-voted answer, Bitvise SSH Server. It's a Windows-native SSH server as opposed to some variant of OpenSSH that has been hacked up to work on Windows. And it's relatively cheap compared to most of the other paid options.
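For the OpenSSH-on-Linux route suggested earlier and the Kerberos requirements described in the answer above, here is an added example configuration (not from any answer or vendor on this page) showing what "the server has Kerberos support and the client presents its domain ticket" looks like in practice. It assumes a host joined to the AD realm EXAMPLE.COM with a host/ keytab at /etc/krb5.keytab, an AD group named sftpusers visible to the OS via SSSD or Winbind, and a client whose ssh/sftp binary supports GSSAPI; all of those names are placeholders.

```text
# /etc/ssh/sshd_config on the Linux SFTP host
# Assumed: host is domain-joined to EXAMPLE.COM, and the principal
# host/sftp.example.com@EXAMPLE.COM exists in /etc/krb5.keytab.

# Accept the user's Kerberos ticket via GSSAPI. This is what gives the
# client single sign-on: no password prompt, no password stored in the app.
GSSAPIAuthentication yes

# Ticket-based SSO does not need sshd to verify passwords against the KDC;
# leave KerberosAuthentication off so a password typed over SSH is never
# forwarded to the domain controller by sshd.
KerberosAuthentication no

# Disable the password fallback once GSSAPI works, so a failed ticket cannot
# quietly degrade into a password prompt in the client application.
PasswordAuthentication no

# If a client does delegate credentials, drop the cache when the session ends.
GSSAPICleanupCredentials yes

# Domain users get SFTP only: no shell, no forwarding, chrooted per user.
# ChrootDirectory must be owned by root and not group/world writable,
# or sshd refuses the login.
Match Group sftpusers
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no

# ---------------------------------------------------------------------------
# Client side: ~/.ssh/config (or the system ssh_config) on the workstation.
# The client presents its existing TGT-derived service ticket; it does not
# hand the TGT itself to the file server, which limits what a compromised
# SFTP host could do with the user's identity.
Host sftp.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

On the server, `sshd -T | grep -i gssapi` prints the effective settings; on the client, `klist` should show a ticket for host/sftp.example.com@EXAMPLE.COM after the first connection, and `sftp -v sftp.example.com` should report the gssapi-with-mic method succeeding before any password method is tried.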