I’m trying to set up a simple authentication chain with Kerberos authentication (Windows Desktop SSO) + ForgeRock Authenticator HOTP (OATH), but I’m unable to do so.
Datastore (or AD) + ForgeRock Authenticator works fine (the first time, the user is prompted to register the device, and once this is done the user can use the ForgeRock app to provide the OTP and log in), but using Kerberos instead of a simple login/password seems to break something.
I’m wondering if the problem isn’t with the way AM retrieves the profile of the user, to store or retrieve the HOTP secret. Maybe the Kerberos module doesn’t return something that AM can use to fetch the profile and read the HOTP secret, while the datastore module does…
I’m also thinking maybe the “Alias Search Attribute Name” parameter may be at fault here. I had to add “samAccountName” to the list for the Kerberos authentication to work (and I also had to add an attribute user mapping in my AD identity store, “sAMAccountName=sAMAccountName”).
Does anybody have any indication of what configuration I could have a look at?
I’m using AD 2016 and AM 6.5 on a Windows Server 2016 machine.