On 02.12.22 at 13:17, Kees van Vloten via samba wrote:
> On 02-12-2022 13:12, Stefan Kania via samba wrote:
>> Hello everybody,
>> I'm looking for a solution to use 2FA on a user login on a Windows
>> client.
>> What I want:
>> Every time an AD user logs in on a Windows system he must not only
>> give his password but also a second factor. The second factor should
>> be time-based. The way to generate the second factor can be the
>> Google Authenticator via a smartphone app or any USB device that can
>> create a second factor.
>> I found an article in samba-wiki but it's with win7. Is there any
>> solution?
>> There are some third party tools for a Windows-AD to realize 2FA for
>> AD-users. Is there maybe a way to use these tools together with a
>> Samba-AD. I know those tools are not open source and I have to pay for
>> it, but this doesn't matter.
>> So any solution is welcome :-)
>>
>
> Have a look at Privacyidea.
> I use it for MFA web- and openvpn-login against Samba but it has a
> plugin for MFA windows login as well.
>
> - Kees
>
Thanks Kees,
I looked at it, but I think you can generate a 2FA for users located in an AD to authenticate against a web application, but I can't find any hint on how to set up the Windows authentication. I don't need a new login screen for Windows (what some commercial tools have). I could do the 2FA like it's possible with OpenLDAP: give the username and then the password2fs combination. Protecting a web application is no problem, the problem is always the user login to the workstation :-(. But that's what I'm looking for.

On 02.12.22 at 13:59, Stefan Kania via samba wrote:
>
>
> On 02.12.22 at 13:17, Kees van Vloten via samba wrote:
>> On 02-12-2022 13:12, Stefan Kania via samba wrote:
>>> Hello everybody,
>>> I'm looking for a solution to use 2FA on a user login on a Windows
>>> client.
>>> What I want:
>>> Every time an AD user logs in on a Windows system he must not only
>>> give his password but also a second factor. The second factor should
>>> be time-based. The way to generate the second factor can be the
>>> Google Authenticator via a smartphone app or any USB device that can
>>> create a second factor.
>>> I found an article in samba-wiki but it's with win7. Is there any
>>> solution?
>>> There are some third party tools for a Windows-AD to realize 2FA for
>>> AD-users. Is there maybe a way to use these tools together with a
>>> Samba-AD. I know those tools are not open source and I have to pay for
>>> it, but this doesn't matter.
>>> So any solution is welcome :-)
>>>
>>
>> Have a look at Privacyidea.
>> I use it for MFA web- and openvpn-login against Samba but it has a
>> plugin for MFA windows login as well.
>>
>> - Kees
>>
> Thanks Kees,
> I looked at it, but I think you can generate a 2FA for users located in
> an AD to authenticate against a web application, but I can't find any hint
> on how to set up the Windows authentication. I don't need a new
> login screen for Windows (what some commercial tools have). I could do
> the 2FA like it's possible with OpenLDAP: give the username and then the
> password2fs combination. Protecting a web application is no problem, the
> problem is always the user login to the workstation :-(. But that's what
> I'm looking for.
>
>
>
I found it :-) but up to now it only shows how it works with a Microsoft-AD. I contacted a company which provides solutions for PrivacyIDEA to ask if it would work with Samba-AD. Let's wait and see ;-)