Native Client 2FA / MFA with IDM / FreeIPA Server and OTP code

I have an IDM / FreeIPA server set up for user authentication and am trying to add 2FA with OTP code. I am trying to set up OTP with the IDM server so that it covers all logins to servers and not just ThinLinc. (I have read the app note about adding Google Authenticator, and I can get that to work, but it only covers one server.)
It is working exactly as expected for the web client access, but does not work with the native client. (Version 4.19)

After the password, I get the “Second Factor:” prompt, and then after entering the OTP code, I get “Couldn’t set up secure tunnel to ThinLinc Agent. (Login Failed! Wrong username or password).”

Where could I look to see what is different between the two logins, or determine the issue with the Native Client?

Hi @jkohout,

You could try starting the native client from the command line with the -d5 option, to enable verbose debugging. You can then check the contents of the resulting log file for clues.

Another place to check would be the system/sshd logs on your ThinLinc server. Judging from the error message, the ThinLinc client fails to establish the initial SSH tunnel for some reason, so you might find more info there.