Enabling MFA Posture Check

Hi all, I’m new to OpenZiti so be kind :wink:

I have successfully set up and tested connectivity to an MS RDS Host.

I used the ZAC to create the service and policies. There are 4 policies that were created:

RDP-Server-bind-policy

RDP-Server-dial-policy

RDP-bind-policy

RDP-dial-policy

I have enabled MFA on the Ziti Desktop Edge Client and that works when I enable the service: I get prompted for MFA and am able to enter the MFA code.

I’m now trying to set up and test MFA using Posture Check but cannot get it to work.

I create a Posture check using MFA under Identities.

If I assign my MFA posture check to RDP-bind-policy I never get the RDP Host login prompt nor do I get the MFA prompt.

If I assign my MFA posture check to the other 3 policies above I can connect to the RDP Host without MFA.

Any thoughts? Thanks in advance.

Could this be related to another post I found that described a potential bug with MFA?

Hi @czopper, welcome to the community and to OpenZiti! Sorry for a slight delay in responding... We're always kind here! :slight_smile:

Oh, I wonder if we have ever tested this for bind. That's an interesting use and one I've never tested myself. I almost exclusively use posture checks and MFA on dial policies. Never bind...

I assume that is intentional right? I'll have to test this myself...

Hi thanks for the reply. I have tried Dial but nothing happens and my RDP connection works. When I enabled Posture Check on Bind that is when nothing happens and my RDP connection eventually times out.

FYI I'll get to this but it might take me a bit. If I (or someone) don't reply before say next Tuesday, please bump this thread? :slight_smile: cheers

Thanks. No rush, when you can, thanks.

Saturday bump, thanks

We were able to find and fix the problem in development branches and it's working its way through a deployment. Should be getting fixed "pretty soon". :slight_smile: I'll post back here when I push out the latest zssh code and works for zssh and any changes that are necessary (which I don't think any would be but I don't exactly remember at the moment)

Awesome and thanks for the find!

Oh no... My bad, I see now I posted my reply here but that was the wrong thread :confused: I'll have to have a look at this again. Sorry to get your hopes up.

No worries. Hope to hear back soon.

FYI I've filed this bug to track: "MFA on Bind services never prompt" · Issue #886 · openziti/desktop-edge-win · GitHub

Hi any progress on this issue?

Hello and thanks for the bump. Unfortunately we haven’t gotten started on this issue yet!