Forced 2-Factor Processes list
Forced 2-Factor Processes list

Sometimes Group Policy isn't granular enough to enforce what you need on a server.  Consider an Exchange server which must support OWA and ActiveSync. You will (ideally) be using client certificates on each ActiveSync device for strong authentication, and in any event it would be impractical to supply an OTP each time ActiveSync runs on the user's phone.

So we need a way to enforce only some processes on a machine.  This is accomplished by configuring the “Forced 2-Factor Processes” list on the server. Each string you enter will be matched against the command-line of the calling process. If there is a match, then two-factor authentication will be enforced for AuthLite users for that process.

Note: This feature is configured on each member server independently.

Exchange Settings

At the time of writing, the following process list causes all non-ActiveSync Exchange processes to require 2-factor for AuthLite users:

  • MSExchangeOWAAppPool

  • RPCClientAccess

  • MSExchangeRPCProxy

  • MSExchangeOABAppPool

  • MSExchangeServicesAppPool

Note: IIS/Exchange caches logons for a period of time. Also, AuthLite only updates its knowledge of groups and settings every 20 minutes. So after you enable two-factor enforcement on OWA, you may still be able to log on with one-factor until these caches expire. 

RDP Forcing

Note: You should use Group Policy instead of this feature, in most cases.

To enforce two-factor authentication for the server when Remote Desktop is used, select that checkbox.

System Forcing

Certain services may perform authentication inside the Windows kernel, thus there is a checkbox to force these processes to require 2-factor for AuthLite users.