Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes"
Sometimes Group Policy isn't granular enough to enforce what you need on a server. Consider an Exchange server which must support OWA and ActiveSync. You will (ideally) be using client certificates on each ActiveSync device for strong authentication, and in any event it would be impractical to supply an OTP each time ActiveSync runs on the user's phone.
So we need a way to enforce only some processes on a machine. This is accomplished by configuring the “Forced 2-Factor Processes” list on the server. Each string you enter will be matched against the command-line of the calling process. If there is a match, then two-factor authentication will be enforced for AuthLite users for that process.
Note: This feature is configured on each member server independently.
At the time of writing, the following process list causes all non-ActiveSync Exchange processes to require 2-factor for AuthLite users:
Note: IIS/Exchange caches logons for a period of time. Also, AuthLite only updates its knowledge of groups and settings every 20 minutes. So after you enable two-factor enforcement on OWA, you may still be able to log on with one-factor until these caches expire.
Note: You should use Group Policy instead of this feature, in most cases.
To enforce two-factor authentication for the server when Remote Desktop is used, select that checkbox.
Certain services may perform authentication inside the Windows kernel, thus there is a checkbox to force these processes to require 2-factor for AuthLite users.