MIT Kerberos OTP with Windows

Charles Hedrick hedrick at
Wed Nov 1 14:06:23 EDT 2017

You could issue a machine-specific key table, and then use a script that does kinit from the key table, then kinit -T pointing to the resulting credentials cache. I have verified the KfW kinit -T works.

We use OTP on Linux. I can’t get FAST/PKINIT to work there either. I have a kerberized service (using the machine’s key table) that will generate a credentials cache on a server and return it. That’s used to bootstrap kinit -T.

Surely there was a better approach than getting X509 involved in kerberos. I look forward to any alternatives.

My problem with KfW is more serious: I can’t get putty to see the tickets. That makes it of no real use to me. I’m going to try installing Ubuntu on Windows.

> On Oct 30, 2017, at 5:25 AM, Oleksandr Yermolenko <aae at> wrote:
> Hi all,
> I'm trying to configure a Windows 7 workstation to do OTP preauth.
> I've installed MIT Kerberos for Windows 4.1, put krb5.ini as for linux
> and ... of course obtain the error "Generic preauthentication
> failure". FAST/PKINIT anonymous unsupported ...
> any ideas how to implement OTP for Windows with MIT kerberos client?
> possible?
> thanks a lot for your help
> Oleksandr Yermolenko
> I can use without any problem on the systems Debian/CentOS based
> according to [1] and [2]
> [1]
> [2]
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list