Re: [Freeipa-users] Windows client authentication with OTP not supported
On Fri, 12 May 2017, Felix Chu wrote:
>Thanks for your info. So it means we cannot use FreeIPA server if we require MFA under Windows 2012?
>
>Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has new requirement forcing MFA on non-console access to servers. That's why we look for FreeIPA.

We do not even support the mode you are operating in -- we do not support using Windows machines as clients to FreeIPA, as clearly stated on the wiki page you have used to configure.

OTP in Kerberos supportability in Windows is not related to FreeIPA.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Windows client authentication with OTP not supported
Thanks for your info. So it means we cannot use FreeIPA server if we require MFA under Windows 2012?

Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has new requirement forcing MFA on non-console access to servers. That's why we look for FreeIPA.

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Thursday, May 11, 2017 3:43 PM
To: Felix Chu
Cc: 'freeipa-users@redhat.com'
Subject: Re: [Freeipa-users] Windows client authentication with OTP not supported

On Thu, 11 May 2017, Felix Chu wrote:
>Hi, I would like to implement SSO for my Linux+Windows2012 machines
>with MFA.
>
>I have installed FreeIPA, it works well for my Linux client
>authentication with OTP enabled. However, for Windows client, I can
>only make it work with FreeIPA without OTP.
>
>The Windows machines are 2012 R2 without AD (workgroup only). When I
>login Windows using FreeIPA user accounts enabled with OTP, it shows
>"An unsupported preauthentication mechanism was presented to the
>Kerberos package", is that not supported? Or something I configured
>wrong?

Windows does not support OTP in Kerberos the same way how MIT Kerberos does implement it.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Windows client authentication with OTP not supported
On Thu, 11 May 2017, Felix Chu wrote:
>Hi, I would like to implement SSO for my Linux+Windows2012 machines with MFA.
>
>I have installed FreeIPA, it works well for my Linux client authentication with OTP enabled. However, for Windows client, I can only make it work with FreeIPA without OTP.
>
>The Windows machines are 2012 R2 without AD (workgroup only). When I login Windows using FreeIPA user accounts enabled with OTP, it shows "An unsupported preauthentication mechanism was presented to the Kerberos package", is that not supported? Or something I configured wrong?

Windows does not support OTP in Kerberos the same way how MIT Kerberos does implement it.

--
/ Alexander Bokovoy