OTP with L2TP VPN and Kerberos

Hi!
I have set up PrivacyIDEA to authenticate users on the Windows native L2TP VPN client, using OTP (TOTP) and their Active Directory credentials (adusername / adpassword1234).
This works fine.

However, once authenticated, users cannot access resources that involve Kerberos (e.g. GPO-mounted drives). They are prompted to provide a password to access the resource.

My guess is this is because the real AD password and the provided OTP password differ.

I have tried to set up a Windows NPS server that forwards authentication requests to privacyIDEA, following the concept described here: https://staging.netknights.it/en/nps-2012-for-two-factor-authentication-with-privacyidea
…Authentication still succeeds, but still no luck with Kerberos…

Any idea how to get Kerberos working over an L2TP VPN using PrivacyIDEA OTP?


Finally found a workaround.

Edit the file %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk

Then replace UseRasCredentials=1 with UseRasCredentials=0

This way, the OTP is only used to establish the VPN connection.
Then the Windows session credentials are used to access resources.

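The rasphone.pbk edit above, scripted so that only the named VPN entry is changed and a backup is written first. This is an added example, not code from the original post or from privacyIDEA; the connection name 'Corporate L2TP VPN' is an assumed placeholder.

```powershell
# Added example (not from the original post): set UseRasCredentials=0 for one
# named VPN entry in the current user's rasphone.pbk. The file is INI-like, one
# [EntryName] section per connection, so other entries are left untouched.
param(
    [string]$EntryName = 'Corporate L2TP VPN',   # assumed name of the VPN connection
    [string]$PbkPath   = (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)

if (-not (Test-Path $PbkPath)) { throw "Phonebook not found: $PbkPath" }

# Back up first; the Network Connections UI rewrites this file and a bad edit
# breaks every entry in it.
Copy-Item -Path $PbkPath -Destination "$PbkPath.bak" -Force

$section = $null
$changed = $false
$out = foreach ($line in (Get-Content -Path $PbkPath)) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1] }   # section header
    if ($section -eq $EntryName -and $line -match '^UseRasCredentials=1\s*$') {
        $changed = $true
        'UseRasCredentials=0'   # OTP is used for the tunnel only; the logon
                                # session's credentials (Kerberos) are used for resources
    } else {
        $line
    }
}

if ($changed) {
    # No -Encoding given on purpose: Windows PowerShell keeps the ANSI encoding
    # the dialler writes, and the file contains no BOM that must be preserved.
    Set-Content -Path $PbkPath -Value $out
    Write-Host "Updated [$EntryName] in $PbkPath (backup: $PbkPath.bak)"
} else {
    Write-Warning "No 'UseRasCredentials=1' line found in entry [$EntryName]; file not modified."
}
```

Disconnect and reconnect the VPN afterwards; `klist` in the user's session should then show tickets obtained with the session's own AD credentials rather than a prompt for the OTP-based password.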