Thanks for your info. So it means we cannot use FreeIPA server if we require MFA under Windows 2012?
Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has a new requirement forcing MFA on non-console access to servers. That's why we look for FreeIPA.

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Thursday, May 11, 2017 3:43 PM
To: Felix Chu
Cc: 'freeipa-users@redhat.com'
Subject: Re: [Freeipa-users] Windows client authentication with OTP not supported

On Thu, 11 May 2017, Felix Chu wrote:
>Hi, I would like to implement SSO for my Linux+Windows2012 machines
>with MFA.
>
>I have installed FreeIPA, it works well for my Linux client
>authentication with OTP enabled. However, for Windows client, I can
>only make it work with FreeIPA without OTP.
>
>The Windows machines are 2012 R2 without AD (workgroup only). When I
>log in to Windows using FreeIPA user accounts enabled with OTP, it shows
>"An unsupported preauthentication mechanism was presented to the
>Kerberos package", is that not supported? Or something I configured
>wrong?

Windows does not support OTP in Kerberos the same way MIT Kerberos implements it.

--
/ Alexander Bokovoy