Kerberos + Forgerock Authenticator

This topic has 0 replies, 1 voice, and was last updated 3 years, 1 month ago by robin.olivier.

Post #25654


    I’m trying to set up a simple authentication chain with Kerberos authentication (Windows Desktop SSO) + Forgerock Authenticator HOTP (OATH), but I’m unable to do so.
    Datastore (or AD) + Forgerock Authenticator works fine (first time the user is prompted to register the device, and once this is done the user can use the Forgerock app to provide the OTP and login), but using Kerberos instead of a simple login/password seems to break something.

    I’m wondering if the problem isn’t with the way AM retrieves the profile of the user, to store or retrieve the HOTP secret. Maybe the Kerberos module doesn’t return something that AM can use to fetch the profile and read the HOTP secret, while the datastore module does…
    I’m also thinking maybe the “Alias Search Attribute Name” parameter may be at fault here. I had to add “samAccountName” in the list for the Kerberos authentication to work (and I also had to add an attribute user mapping in my AD identity store, “sAMAccountName=sAMAccountName”).

    Does anybody have any indication of what configuration I could have a look at?

    I’m using AD 2016 and AM 6.5 on a Windows Server 2016 machine.
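The post's hypothesis is that the OATH step only works when the name handed over by the preceding module can be resolved to the user profile that holds the HOTP secret and counter. The following is an added example, not code from the post or from ForgeRock AM, that makes this dependency concrete: an RFC 4226 HOTP implementation, a constructed profile store keyed by sAMAccountName (hypothetical schema), and a look-up step that strips a Kerberos-style realm suffix before matching (an assumption about naming, not AM's actual behaviour). When the look-up fails there is no secret, so verification cannot succeed regardless of the code entered.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Reference secret from RFC 4226 (ASCII "12345678901234567890"); the RFC's
# published test vectors are computed from it, which makes the output checkable.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer reduced modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[19] & 0x0F
    code = ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


# Constructed stand-in for the user profiles an authentication module must reach.
# Keyed by sAMAccountName; each record holds the shared HOTP secret and the next
# counter value expected from the device. Hypothetical schema, not AM's.
PROFILES = {
    "jdoe": {"secret": RFC4226_SECRET, "counter": 0},
}


def lookup_profile(identifier: str) -> Optional[dict]:
    """Resolve the name produced by an earlier module to a profile record.
    A Kerberos module commonly yields a principal such as jdoe@EXAMPLE.COM;
    here the realm suffix is stripped so it can match the sAMAccountName key
    (an assumption made for illustration). Returns None when nothing matches."""
    account = identifier.split("@", 1)[0]
    return PROFILES.get(account)


def verify_hotp(identifier: str, code: str, window: int = 10) -> bool:
    """Verify a submitted HOTP value against the profile's secret.

    Counters from the stored value up to window-1 steps ahead are accepted, to
    tolerate codes generated but never submitted. On success the stored counter
    moves past the accepted value so the same code cannot be replayed."""
    profile = lookup_profile(identifier)
    if profile is None:
        # No profile means no secret to verify against; this is the failure
        # mode the post suspects when the chain starts with Kerberos.
        return False
    for step in range(window):
        candidate = profile["counter"] + step
        if hmac.compare_digest(hotp(profile["secret"], candidate), code):
            profile["counter"] = candidate + 1
            return True
    return False


if __name__ == "__main__":
    print(hotp(RFC4226_SECRET, 0))                       # RFC 4226 vector for counter 0
    print(verify_hotp("jdoe@EXAMPLE.COM", "755224"))     # resolves via realm stripping
    print(verify_hotp("unknown@EXAMPLE.COM", "755224"))  # no profile, cannot verify
```

The realm-stripping step is the point of comparison with the post: in this toy store the match succeeds only because the look-up key is normalised to the same attribute the profiles are keyed by, which is the role the "Alias Search Attribute Name" and identity store attribute mapping play in the poster's configuration.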
