Thanks your info. So it means we cannot use FreeIPA server if we require MFA 
under Windows 2012?

Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has new requirement 
forcing MFA on non-console access to servers. That's why we look for FreeIPA.

-----Original Message-----
From: Alexander Bokovoy []
Sent: Thursday, May 11, 2017 3:43 PM
To: Felix Chu
Cc: ''
Subject: Re: [Freeipa-users] Windows client authentication with OTP not 

On to, 11 touko 2017, Felix Chu wrote:
>Hi , I would like to implement SSO for my Linux+Windows2012 machines
>with MFA.
>I have installed FreeIPA, it works well  for my Linux client
>authentication with OTP enabled.  However, for Windows client, I can
>only make it works with FreeIPA without OTP.
>The Windows machines are 2012 R2 without AD(workgroup only). When I
>login Windows using FreeIPA user accounts enabled with OTP, it shows
>"An unsupported preauthentication mechanism was presented to the
>Kerberos package", is that not supported ? or something I configured
Windows does not support OTP in Kerberos the same way how MIT Kerberos does 
implement it.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to