On 02.12.22 at 13:17, Kees van Vloten via samba wrote:
> On 02-12-2022 13:12, Stefan Kania via samba wrote:
>> Hello everybody,
>> I'm looking for a solution to use 2FA on a user login on a Windows
>> client.
>> What I want:
>> Every time an AD user logs in on a Windows system he must not only
>> give his password but also a second factor. The second factor should
>> be time-based. The way to generate the second factor can be
>> Google Authenticator via a smartphone app or any USB device that can
>> create a second factor.
>> I found an article in samba-wiki but it's with win7. Is there any
>> solution?
>> There are some third-party tools for a Windows AD to realize 2FA for
>> AD users. Is there maybe a way to use these tools together with a
>> Samba AD? I know those tools are not open source and I have to pay for
>> them, but this doesn't matter.
>> So any solution is welcome :-)
>>
>
> Have a look at Privacyidea.
> I use it for MFA web- and openvpn-login against Samba but it has a
> plugin for MFA windows login as well.
>
> - Kees
>
Thanks Kees,
I looked at it, but I think you can generate a 2FA for users located in
an AD to authenticate against a web application, but I can't find any hint
on how to set up the Windows authentication. I don't need a new
login screen for Windows (which some commercial tools have); I could do
the 2FA like it's possible with OpenLDAP: give the username and then the
password2fs combination. Protecting a web application is no problem; the
problem is always the user login to the workstation :-(. But that's what
I'm looking for.