Using privacyIDEA for Windows logins


We are testing privacyIDEA as a 2FA solution for Windows computer logins. It is connected and talking to our domain. How do we get it inserted into the login process?

Thank you for the assistance.

There are several restrictions with the “Windows login”. So basically when you are logging in to the Windows domain you are doing a Kerberos authentication against the KDC/Domain Controller.
If you logged in to a computer, the Windows client caches the whatever and you can unplug your laptop and log in in the absence of the domain controller - for a certain time.
This is normal Windows behaviour.

If you want to add 2FA, it gets a bit more difficult if you do not use smartcards, which are directly supported in Windows:

  1. The Microsoft KDC a.k.a. domain controller does not support any additional protocol. So adding 2FA with OTP on the Kerberos level is simply not possible with the Microsoft implementation! Thus you have to choose another approach, which we have done with the privacyIDEA Credential Provider as a component to be installed on the client machine (not on the domain controller). The 2nd factor authentication is done on the client side, the Kerberos ticket is still retrieved with the domain password from the domain controller.

  2. Having said this, you will also see that offline authentication is a bit of a problem. You can do it, but it will always be a technical crutch - even if it might seem smooth to the user. While privacyIDEA Server does support offline authentication, this component is currently not implemented in the privacyIDEA Credential Provider.

You can get a ready compiled and signed MSI here
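To make the two-stage flow in the answer above concrete, here is an added Python model of the client-side decision (example code written for this thread, not the privacyIDEA Credential Provider's own code): the second factor is checked against the privacyIDEA server first, and only on success is the domain password handed to Kerberos. The `/validate/check` endpoint and its `result.status` / `result.value` response fields are the documented privacyIDEA REST API; the host name, the `post_json` transport, the `kerberos_logon` callback and the fake server/KDC used to run it offline are constructed stand-ins.

```python
"""
Model of a credential-provider login decision against privacyIDEA.
Added illustration for the forum thread; not project code. Stage 1 verifies the
OTP with the privacyIDEA server, stage 2 uses the domain password for Kerberos.
"""
import json
from typing import Callable, Dict

# Assumed deployment: privacyIDEA reachable over HTTPS at a placeholder host.
# POST /validate/check with form fields 'user' and 'pass' is the real API shape.
VALIDATE_URL = "https://privacyidea.example.invalid/validate/check"


class SecondFactorUnavailable(Exception):
    """The privacyIDEA server could not be reached or returned no usable verdict."""


def otp_is_valid(response_body: str) -> bool:
    """Interpret a /validate/check JSON body.

    result.status says whether the request itself was processed;
    result.value says whether the OTP matched. Only status and value both true
    is a pass. status false is a server-side problem, not a wrong OTP, so it is
    raised rather than silently counted as a failed login attempt.
    """
    try:
        result = json.loads(response_body)["result"]
        status = bool(result["status"])
        value = bool(result.get("value", False))
    except (ValueError, KeyError, TypeError) as exc:
        raise SecondFactorUnavailable(f"malformed response: {exc}") from exc
    if not status:
        msg = (result.get("error") or {}).get("message", "unknown server error")
        raise SecondFactorUnavailable(msg)
    return value


def client_login(user: str, domain_password: str, otp: str,
                 post_json: Callable[[str, Dict[str, str]], str],
                 kerberos_logon: Callable[[str, str], bool]) -> str:
    """Return 'ok', 'otp-rejected', 'password-rejected' or 'second-factor-unavailable'.

    Fail-closed by design: if the privacyIDEA server is unreachable the login does
    not degrade to password-only, matching the thread's note that offline OTP is
    not implemented in the Credential Provider.
    """
    try:
        raw = post_json(VALIDATE_URL, {"user": user, "pass": otp})
        if not otp_is_valid(raw):
            return "otp-rejected"
    except (SecondFactorUnavailable, OSError):
        # OSError covers the connection errors a real HTTPS transport would raise.
        return "second-factor-unavailable"
    # Second factor accepted: only now is the domain password used for the
    # Kerberos AS exchange with the domain controller.
    return "ok" if kerberos_logon(user, domain_password) else "password-rejected"


# --- constructed fakes so the module runs offline ---------------------------
FAKE_OTPS = {"alice": "123456"}                         # constructed sample data
FAKE_PASSWORDS = {"alice": "correct horse battery staple"}


def fake_privacyidea(url: str, form: Dict[str, str]) -> str:
    """Stand-in for the privacyIDEA server, mimicking the documented response shape."""
    ok = FAKE_OTPS.get(form["user"]) == form["pass"]
    return json.dumps({"result": {"status": True, "value": ok}})


def fake_privacyidea_down(url: str, form: Dict[str, str]) -> str:
    """Stand-in for an unreachable privacyIDEA server."""
    raise OSError("connection refused")


def fake_kerberos(user: str, password: str) -> bool:
    """Stand-in for the AS-REQ/AS-REP against the domain controller."""
    return FAKE_PASSWORDS.get(user) == password


if __name__ == "__main__":
    print(client_login("alice", FAKE_PASSWORDS["alice"], "123456",
                       fake_privacyidea, fake_kerberos))
```

The point the model makes visible is the ordering and the failure handling: the OTP verdict gates the password step, a wrong OTP never reaches the KDC, and a server outage is distinguished from a rejected OTP so that monitoring can tell "users are mistyping codes" apart from "the second factor is down".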

@cornelinux Is this option only a paid option? Because the page you are referring to says:

Ask us for an evaluation copy of the privacyIDEA Credential Provider.

And it only talks about subscriptions.

It depends on the number of users.

Check the section “subscription”

You can get a demo subscription from github:

@cornelinux Thank you very much for the information. Now solving the user issue with LDAP lookup - perhaps I can take the next steps.