FAST OTP Windows?

Christian M. Watts cmwatts at
Sat Jul 19 02:51:26 EDT 2014

For those interested, we were able to make this work at a level that is 
'good enough' for our purposes. Essentially, kinit can be used to obtain 
tickets from the command-line via OTP preauth from a Windows client, 
which is all we were looking to accomplish.

The Windows GUI components don't appear to support anonymous pkinit + 
FAST + OTP, but rather need a password until such time as they're 
updated ...

Essentially, the steps were:

1. Already have a working KRB5 realm with anonymous pkinit + FAST + OTP 
Radius. Not trivial, but better documented elsewhere than by me here.

2. Compile the windows sources (including the MSI) according to the 
directions supplied in the KRB5 1.12.1 source code under 
src/windows/README. The only thing we encountered was a problem with WiX 
looking for .pdb debug stuff after passing NODEBUG=1 on the nmakes. 
Doing a 'set NODEBUG=1' at the beginning of the documented build process 
(right after 'set CPU=i386') solves that issue.

3. Install the MSI.

4. Anonymous pkinit for FAST works, but have to pull the anonymous cert 
to an armor file to get the ccache going, it seems. This may be a 
configuration issue (as far as us not understanding how to do anon_fast 
the way the pam module does or maybe kinit just doesn't do that). In any 
case, though, it is possible to obtain tickets using anonymous FAST with:
kinit -n -c <armorfile>
kinit -T <armorfile> <principal>
Enter OTP Token Value:

Alternately, it is possible to use a local keytab if needed (say, if not 
using fully anonymous pkinit), like this:

kinit -k -t <local keytab file> -n -c <armorfile>
kinit -T <armorfile> <principal>
Enter OTP Token Value:

Hope that helps someone out!


On 7/17/2014 7:25 PM, Christian M. Watts wrote:
> Hi,
> We've deployed KRB5 1.12.1 here on the KDC side and gotten FAST OTP (via
> anonymous pkinit + Radius OTP) working for our UNIX clients. Looking for
> some information regarding getting FAST OTP working from a Windows
> client. I see that the current kfw (4.0.1) is based on 1.10, so it
> wouldn't have support for FAST OTP, is my understanding.
> My thoughts are:
> 1. Is there a client for windows out there that can 'do' this already?
> 2. If not, is the windows source that comes with the 1.12.1 tarball
> updated for FAST OTP support? If it is, we can work on building it, but
> would like to know if the support is there before we go down that road.
> Thanks in advance!
> Christian
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list