This document describes how to configure Advanced Authentication for workstations that are not domain-joined (e.g. meeting room laptops).
The solution allows (domain) users to log in using 2-factor authentication instead of logging in with the local account.
To set this up, perform the following configuration tasks:
discovery.host: AAFSERVERDNS or IP
Instead of specifying discovery.host, you may configure your DNS to discover the AAF server using the steps mentioned in the documentation:
In a non-DNS mode, it is recommended to disable the local accounts. For more information, see the documentation:
Log in with a domain user, e.g. mydomain\bob
After the authentication, you need to map the domain user account to the local account. This is done by logging in with the local account.
This step needs to be done once for every domain user. After that, the users can log in with their LDAP credentials and second factor (in this case, Smartphone).
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.