Re: [Freeipa-users] Windows client authentication with OTP not supported

2017-05-11 Thread Alexander Bokovoy
On pe, 12 touko 2017, Felix Chu wrote: Thanks for your info. So it means we cannot use FreeIPA server if we require MFA under Windows 2012? Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has new requirement forcing MFA on non-console access to servers. That's why we look for FreeIPA.

Re: [Freeipa-users] Windows client authentication with OTP not supported

2017-05-11 Thread Felix Chu
Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Thursday, May 11, 2017 3:43 PM To: Felix Chu Cc: 'freeipa-users@redhat.com' Subject: Re: [Freeipa-users] Windows client authentication with OTP not supported On to, 11 touko 2017, Felix Chu wrote: >Hi , I would like to implement SSO for my Li

Re: [Freeipa-users] Windows client authentication with OTP not supported

2017-05-11 Thread Alexander Bokovoy
On to, 11 touko 2017, Felix Chu wrote: Hi, I would like to implement SSO for my Linux+Windows2012 machines with MFA. I have installed FreeIPA, it works well for my Linux client authentication with OTP enabled. However, for Windows client, I can only make it work with FreeIPA without OTP.

Re: [Freeipa-users] Windows client

2014-02-19 Thread Alexander Bokovoy
On Wed, 19 Feb 2014, Mauricio Tavares wrote: When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties-Computer Name/Domain Changes-DNS Suffix and netbios computer name) even though ipconfig would report it properly.

Re: [Freeipa-users] Windows client

2014-02-19 Thread Simo Sorce
On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote: On Wed, 19 Feb 2014, Mauricio Tavares wrote: When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties-Computer Name/Domain Changes-DNS Suffix and

Re: [Freeipa-users] Windows client

2014-02-19 Thread Petr Spacek
On 19.2.2014 19:44, Simo Sorce wrote: On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote: On Wed, 19 Feb 2014, Mauricio Tavares wrote: When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties-Computer

Re: [Freeipa-users] Windows client

2014-02-19 Thread Mauricio Tavares
On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek pspa...@redhat.com wrote: On 19.2.2014 19:44, Simo Sorce wrote: On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote: On Wed, 19 Feb 2014, Mauricio Tavares wrote: When I added a windows 7 client (let's call it

Re: [Freeipa-users] Windows client

2014-02-19 Thread Petr Spacek
On 19.2.2014 20:10, Mauricio Tavares wrote: On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek pspa...@redhat.com wrote: On 19.2.2014 19:44, Simo Sorce wrote: On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote: On Wed, 19 Feb 2014, Mauricio Tavares wrote: When I added a windows 7

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 10:10 -0400, Jimmy wrote: I have verified that the password set for the workstation in the kerberos host principal(using ipa-getkeytab) and the password on the host (using ksetup) are the same. I'm still getting the Decrypt integrity check failed errors. I have also

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote: I think you're on to something here. I just reset the user's password on IPA and get the password expired message but I get that regardless of what I enter for the user's password. I'm confused as to why I can make the user auth work with a

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket. Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
I wonder if changing the defaults to exclude the use of AES would help in your case. Not ideal, but apparently something funny is going on there. Simo. On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
What error exactly do you get on the client side ? Simo. On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
Ah stupid me, When using Windows XP you must generate a keytab that does not use the AES enctype. If you include the AES enctype when generating keys for the host, you are telling the KDC that the host knows how to use AES. You should probably just use arcfour only for WinXP as that client only

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab: Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info):

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote: According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab:

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
You are correct. As soon as I set the WinXP machine to arcfour-hmac it's working to authenticate all users against the FreeIPA realm. I just went into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and maybe that will fix it, too.

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
That fixed Win7. Now I'm going to enable AES on Win7 to see if it breaks again. On Mon, Sep 19, 2011 at 4:44 PM, Jimmy g17ji...@gmail.com wrote: You are correct. As soon as I set the WinXP machine to arcfour-hmac it's working to authenticate all users against the FreeIPA realm. I just went

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I can't find the technet article right now, but here's what I did that makes Win7 work. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called "Network Security: Configure encryption types allowed for Kerberos" unselect

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Jimmy
I tried that but still cannot successfully log in as an IPA user. The same system can be configured as a Kerberos client (non-IPA) defined in MIT Kerberos, and authenticate against MIT Kerberos. The system uses AES when authenticating to MIT Kerberos so those are the only encryption types I

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Simo Sorce
On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote: ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab] ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Jimmy
When I do not specify the encryption type it does put them all in in a single go. I just was attempting to eliminate the other types in case that was creating a problem. The system defaults to type x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this. [root@csp-idm etc]# klist -kte

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Jimmy
This was installed using yum. I need to be able to authenticate users against Kerberos from a Windows client machine and it fails at login saying the username/password is incorrect. The krb5kdc.log shows: Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Simo Sorce
On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote: This was installed using yum. I need to be able to authenticate users against Kerberos from a Windows client machine and it fails at login saying the username/password is incorrect. The krb5kdc.log shows: Sep 16 20:53:32 csp-idm.pdh.csp

Re: [Freeipa-users] Windows client logon

2011-09-15 Thread Jimmy
I'm still working on this... I was reading this post in the archives: http://www.mail-archive.com/freeipa-users@redhat.com/msg02049.html Dmitri's statement There might be some MIT documentation about how to join a Windows machine to MIT KDC. If this can be done I am sure the same can be done with

Re: [Freeipa-users] Windows client logon

2011-09-15 Thread Simo Sorce
On Thu, 2011-09-15 at 17:51 -0400, Jimmy wrote: I'm still working on this... I was reading this post in the archives: http://www.mail-archive.com/freeipa-users@redhat.com/msg02049.html Dmitri's statement There might be some MIT documentation about how to join a Windows machine to MIT KDC. If

Re: [Freeipa-users] Windows client logon

2011-09-14 Thread Jimmy
Just curious about this, the guide that we both refer to provides instructions for Windows client authentication but this page indicates that FreeIPA doesn't support Windows clients: http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html Which is correct? On Tue, Sep 13, 2011

Re: [Freeipa-users] Windows client logon

2011-09-14 Thread Rob Crittenden
Jimmy wrote: Just curious about this, the guide that we both refer to provides instructions for a windows client authentication but this page indicates that FreeIPA doesn't support windows clients: http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html Which is correct? The

Re: [Freeipa-users] Windows client logon

2011-09-14 Thread Jimmy
One thing that doesn't quite make sense about the windows config instructions, we make a keytab, but there is no indication as to where the keytab goes. I wouldn't think the IPA server would need the keytab as the password is stored in the IPA server already. On Wed, Sep 14, 2011 at 10:07 AM, Rob

Re: [Freeipa-users] Windows client logon

2011-09-13 Thread Rob Crittenden
Jimmy wrote: I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here: http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step I created the host account in FreeIPA, and the user, and I do get prompted to