
I am trying to set up Windows Server for FAST encrypted channel support, to test OTP pre-authentication in Kerberos.

I have already tested this on a Linux machine by deploying a KDC built from the krb5-1.12.1 source code and a FreeRADIUS server, and using the keytab of a service principal to receive an armor ccache, which is then used to establish the FAST encrypted channel between the client and the KDC.

I have set up Windows Server 2012 for Kerberos and enabled the "KDC support for claims, compound authentication and Kerberos armoring" policy on it. I can receive a TGT for the service principal. But when I execute the command "kinit -T ", the KDC does not reply with any padata and no FAST encrypted channel is established (observed through Wireshark and the Kerberos logs).

Is it possible to establish a FAST encrypted channel between a Linux client and Windows AD? Have I missed any setting?

  • Are you referring to RFC 6560? To my latest knowledge, a Windows DC does not support any OTP. The way Microsoft requests authenticating with OTP is to write your own Credential Provider and use the OTP to have a server impersonate your user, enroll a short-lived logon certificate and do a PKINIT with the certificate. – cornelinux Feb 22 '15 at 12:06
  • Yes, I am referring to RFC 6560. I am planning to use OTP pre-authentication inside Kerberos authentication. By this, "use the OTP to have a server impersonate your user and enroll a short-lived logon certificate", is the expectation to use the OTP token as a key for the certificate for PKINIT? – Faisal Ali Mar 02 '15 at 09:51
  • No. See this: https://technet.microsoft.com/de-de/library/gg637807%28v=ws.10%29.aspx Moreover, Microsoft does not support RFC 6560. You could use an additional credential provider that protects the logon process with OTP, but where the OTP is not used to get the TGT, like the privacyIDEA Credential Provider. – cornelinux Mar 02 '15 at 13:52
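The question's observation was made in Wireshark: the KDC answered without any padata. What a FAST-capable KDC normally does (RFC 6113) is include a PA-FX-FAST element with empty contents in the METHOD-DATA carried as e-data of its KDC_ERR_PREAUTH_REQUIRED error; the OTP challenge of RFC 6560 (PA-OTP-CHALLENGE) is only ever sent inside the FAST tunnel, so it cannot show up before that advertisement does. The script below is an added example, not code from the original post or from MIT krb5: a small hand-written DER encoder/decoder for METHOD-DATA (SEQUENCE OF PA-DATA) plus an `assess()` check that reports which padata types a KDC offered, whether FAST was advertised and whether an OTP challenge is present. The sample messages it contains are constructed, not captured; in practice the bytes would be copied from the e-data field of the KRB-ERROR in Wireshark. Microsoft's documentation for the KDC armoring policy the question enables also ties Kerberos armoring to the Windows Server 2012 domain functional level, which is worth checking alongside the policy itself.

```python
"""Decode the METHOD-DATA (SEQUENCE OF PA-DATA, RFC 4120) a KDC returns and
report whether it advertised FAST (PA-FX-FAST, RFC 6113) or an OTP challenge
(PA-OTP-CHALLENGE, RFC 6560).  Added example, not code from the original post;
the DER helpers are hand-written for this check, not MIT krb5 code, and the
sample messages are constructed rather than captured."""

# padata-type numbers from RFC 4120, RFC 6113 and RFC 6560
PA_TYPES = {
    2: "PA-ENC-TIMESTAMP", 19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE",
    136: "PA-FX-FAST", 137: "PA-FX-ERROR", 138: "PA-ENCRYPTED-CHALLENGE",
    141: "PA-OTP-CHALLENGE", 142: "PA-OTP-REQUEST",
}
PA_FX_FAST, PA_OTP_CHALLENGE = 136, 141


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """Minimal-length DER INTEGER (non-negative values only, as padata-type is)."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def encode_method_data(items):
    """[(padata-type, padata-value bytes), ...] -> DER METHOD-DATA."""
    pa = [_tlv(0x30, _tlv(0xA1, _der_int(t)) + _tlv(0xA2, _tlv(0x04, v)))
          for t, v in items]
    return _tlv(0x30, b"".join(pa))


def _read_tlv(buf, pos):
    """Return (tag, contents, index just past this element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_method_data(der):
    """Parse METHOD-DATA into [(padata-type, padata-value), ...]; no e-data -> []."""
    if not der:
        return []
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("METHOD-DATA must be a single SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, pa, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("PA-DATA must be a SEQUENCE")
        t_tag, t_body, p = _read_tlv(pa, 0)   # [1] padata-type
        v_tag, v_body, p = _read_tlv(pa, p)   # [2] padata-value
        i_tag, i_val, _ = _read_tlv(t_body, 0)
        s_tag, s_val, _ = _read_tlv(v_body, 0)
        if (t_tag, v_tag, i_tag, s_tag) != (0xA1, 0xA2, 0x02, 0x04) or p != len(pa):
            raise ValueError("malformed PA-DATA")
        out.append((int.from_bytes(i_val, "big", signed=True), s_val))
    return out


def assess(der):
    """Summarise what the KDC offered: type names, FAST advertised, OTP challenge."""
    types = [t for t, _ in decode_method_data(der)]
    return {
        "types": [PA_TYPES.get(t, "PA-TYPE-%d" % t) for t in types],
        "fast_advertised": PA_FX_FAST in types,
        "otp_challenge": PA_OTP_CHALLENGE in types,
    }


# Constructed samples; padata-value contents are placeholders, not real data.
# e-data of a KDC_ERR_PREAUTH_REQUIRED error from a KDC that advertises FAST:
SAMPLE_FAST_OFFERED = encode_method_data(
    [(19, b"\x30\x00"), (2, b""), (133, b"cookie"), (136, b"")])
# the same error from a KDC that does not advertise FAST:
SAMPLE_NO_FAST = encode_method_data([(19, b"\x30\x00"), (2, b"")])
# inner METHOD-DATA carried inside the FAST reply when OTP preauth is configured:
SAMPLE_OTP_INNER = encode_method_data([(141, b"\x30\x00")])

if __name__ == "__main__":
    for label, sample in (("fast offered", SAMPLE_FAST_OFFERED),
                          ("no fast", SAMPLE_NO_FAST),
                          ("otp inner", SAMPLE_OTP_INNER),
                          ("no e-data", b"")):
        print("%-12s %s" % (label, assess(sample)))
```

To use it on a real capture, select the KRB-ERROR's e-data field in Wireshark, copy its bytes as a hex stream and call `assess(bytes.fromhex(...))`. Only the outer, unencrypted METHOD-DATA of the error is visible on the wire; the inner METHOD-DATA that would carry PA-OTP-CHALLENGE is protected by the FAST armor key, so the same decoder applies to it only after that reply has been decrypted.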

0 Answers