Is it possible to 2FA in a mixed environment of Windows (AD) and Linux?

Active Directory does not support 2FA authentication over Kerberos. Using other tools like FreeIPA we couldn't do 2FA for Windows users (coming from AD) on our Linux systems.
Is there any solution provided by privacyID3A?

Interesting question.

Did you actually try anything?

Note that Kerberos - as a protocol - does not support or define authentication with OTP. Only with certificates, aka PKINIT.
FreeIPA uses MIT Kerberos, and MIT Kerberos has the possibility to use an external RADIUS server if the client does a pre-authentication.
RFC6560 imho sucks, since it is RSA specific and no one has implemented it.

Bottom line: In my opinion it is not the responsibility of privacyIDEA to provide a solution for this but the resp. of the KDC.

But wait - what was actually your question?

OK, so currently you have Windows Domain users logging into linux machines (Servers?) using their Windows Domain accounts and passwords and you want to add a 2nd factor?

Exactly. We could let users log in to Linux servers with an account controlled by AD in the Windows domain, but as I discussed with the FreeIPA community on their IRC channel, it cannot handle 2FA since it is not supported on the AD side over Kerberos.

If you want to change this, you need to ask Microsoft for a Feature Request!

However, you can of course use the PAM stack to run one auth against Kerberos/AD and a further auth against RADIUS/privacyIDEA.

1 Like
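As an added illustration of the PAM approach described in the last reply (this is an example configuration, not something posted in the thread or shipped by the privacyIDEA project): one possible `/etc/pam.d/sshd` auth stack that first checks the AD password via SSSD and then asks for an OTP over RADIUS. It assumes `pam_sss.so` (SSSD joined to the AD domain) for the first factor and `pam_radius_auth.so` pointed at a RADIUS front end for privacyIDEA for the second; the server address, shared secret and the `prompt=`/`force_prompt` options are placeholders and assumptions you must check against the pam_radius version you install.

```text
# /etc/pam.d/sshd  (example stack, not the distribution default)
#
# First factor: the AD domain password, validated via SSSD/Kerberos.
# "required" (rather than "requisite") keeps evaluating the stack even when
# the password is wrong, so a remote party cannot tell from the prompt
# sequence which of the two factors failed.
auth    required    pam_sss.so

# Second factor: OTP sent to a RADIUS server that forwards to privacyIDEA.
# force_prompt: ask for a new value instead of reusing the password already
#               entered for pam_sss (otherwise the AD password would be sent
#               as the OTP).
# prompt=OTP:   the text shown to the user for the second prompt.
# Both options are assumed to be supported by the installed pam_radius build.
auth    required    pam_radius_auth.so force_prompt prompt=OTP

# Rest of the stack unchanged: account/session handling stays with SSSD.
account required    pam_sss.so
session required    pam_sss.so

# /etc/pam_radius_auth.conf  (format: server[:port]  shared_secret  timeout)
# Placeholder values; restrict the file to root (chmod 600) since it holds
# the shared secret.
# radius.example.internal:1812   CHANGE-ME-shared-secret   3

# /etc/ssh/sshd_config must allow PAM to drive the interactive prompts:
# UsePAM yes
# KbdInteractiveAuthentication yes   (ChallengeResponseAuthentication yes on older OpenSSH)
# PasswordAuthentication no          (otherwise the single-password path bypasses the OTP prompt)
```

When testing, keep an existing root session open and verify with a second SSH connection that a correct AD password with a wrong OTP is rejected, and that `/var/log/auth.log` (or the journal) shows both modules being consulted, before rolling the stack out to other services.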