With URA, the OTP function is based on the NCA (or DCA 2.0 with Windows 7 clients). When the user starts his or her computer and connects to the Internet, the computer establishes the first URA tunnel, and the NCA then prompts the user to enter his or her PIN. Assuming the PIN is entered correctly, the computer establishes the second tunnel, and everything is ready to go. Technically, the first tunnel serves as a communication channel that provides access to a designated Certificate Authority server; that CA issues a special certificate, which is then used to establish the second tunnel. These certificates are short-lived, so they expire quickly (normally in one hour). If the user suspends or restarts the computer, the OTP login process has to be repeated to obtain a new certificate, because the old one will have expired.
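As an added client-side diagnostic (not part of the original text, and not a Microsoft tool), the following PowerShell checks the DirectAccess connection state and looks for the short-lived OTP certificate in the user's personal store, reporting whether it is still valid or whether the PIN prompt should be expected again. It assumes the OTP certificate lands in `Cert:\CurrentUser\My` and uses a two-hour lifetime threshold to tell it apart from ordinary user certificates; the template name is not known from the text, so the script does not filter on it.

```powershell
# Added diagnostic: locate the short-lived URA/DirectAccess OTP certificate
# and report how much of its (roughly one-hour) lifetime remains.
function Get-DAOtpCertificateStatus {
    param(
        # Assumption: OTP certificates live in the current user's personal store.
        [string] $StorePath = 'Cert:\CurrentUser\My',
        # Assumption: anything issued for 2 hours or less is treated as the OTP cert.
        [int]    $MaxLifetimeHours = 2
    )

    $now = Get-Date

    # Overall DirectAccess status, if the NetworkConnectivityStatus module is present
    # (Windows 8 and later clients; Windows 7 with DCA 2.0 lacks this cmdlet).
    $daStatus = $null
    if (Get-Command Get-DAConnectionStatus -ErrorAction SilentlyContinue) {
        $daStatus = Get-DAConnectionStatus
    }

    # Short-lived certificates only: these are the ones the OTP flow issues.
    $otpCerts = Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and
                       (($_.NotAfter - $_.NotBefore).TotalHours -le $MaxLifetimeHours) } |
        Sort-Object NotAfter -Descending

    $current = $otpCerts | Select-Object -First 1

    [pscustomobject]@{
        DAStatus          = if ($daStatus) { $daStatus.Status } else { 'unknown (cmdlet unavailable)' }
        DASubstatus       = if ($daStatus) { $daStatus.Substatus } else { $null }
        OtpCertThumbprint = if ($current) { $current.Thumbprint } else { $null }
        OtpCertNotAfter   = if ($current) { $current.NotAfter } else { $null }
        MinutesRemaining  = if ($current) { [math]::Round(($current.NotAfter - $now).TotalMinutes, 1) } else { $null }
        # After a suspend/restart the old certificate has expired, so a new PIN entry is needed.
        NeedsOtpLogin     = (-not $current) -or ($current.NotAfter -le $now)
    }
}

Get-DAOtpCertificateStatus | Format-List
```

Run it as the interactive user (not elevated) so the user's own certificate store is inspected.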
As you can imagine, the use of certificates in this scenario also means that the simplified Kerberos Proxy mechanism cannot be used and you have to deploy...