AuthLite Interactive Documentation
Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens
How AuthLite uses YubiKeys
Installation
What platforms are supported? Prerequisites and Installation Linux systems MacOS machines
Configuration
Licensing AuthLite Set up User Groups
Configuring AuthLite to use your Group Pairs
Setting up the "Group for New Users"
ENFORCE 2-factor Logons
Use Group Policy to enforce 2-factor on Windows servers/workstations Secure Administrative Accounts with 2-factor Authentication Enforce 2-factor on File Shares using Access Control Lists (ACLs) Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes" Enforce non-Windows machines with "Forced 2-factor Computers" Enforce 2-factor logon to Office 365 with AuthLite
Windows Workstation (Endpoint) Protection
Offline Workstation logon with YubiKeys Offline Workstation logon with OATH tokens Zero-client two-factor workstation logons Workstation Safe mode operations
Remote Desktop
2FA over Remote Desktop Protocol 2FA with Remote Desktop Gateway / RemoteApp / RDWeb / RD Web Client
Replay Windows to support RDP and other re-authenticating protocols Replay Behavior setting VPN and RADIUS Configuration
Using IAS/NPS for RADIUS with AuthLite Microsoft VPN Client settings Wireless 802.1x Authentication DirectAccess and NetMotion Mobility XE Configure Watchguard SSL VPN with AuthLite
Active Directory Deployment Notes
Administer tokens
CONFIGURE Token Settings dialog SET UP New Tokens
Provisioning Tokens Administratively
YUBIKEYS: Provisioning Administratively (Soft) OATH Tokens: Set up Administratively (Hardware) OATH Token Provisioning
Self-Service Provisioning
SET UP the Self-Service Web Portal USING the Self-Service Web Portal
MANAGE Existing Tokens DELEGATE Rights to Manage Tokens RECOVERY Tokens Multiple OTP Tokens for the Same User Multiple users with the same OTP Token Password Operations
How to Log In Event Logging
CLOSE

2FA over Remote Desktop Protocol

This section assumes a direct RDP connection or publishing point. For Remote Desktop Gateway scenarios see the next section.

Prerequisites

The instructions below assume you have a working RDP configuration already. Please verify the following points:

  • Using a non-AuthLite user who has permissions to do this, verify you can connect and that your credentials log you in to the Terminal server / remote desktop system seamlessly.

  • If you don't have this working as above, then adding AuthLite will only make things harder to troubleshoot. If you contact us for support the first thing we will do is try a logon with a non-AuthLite user to confirm your end-to-end setup is configured properly.

AuthLite setup for RDP usage

  • Install AuthLite on the domain controllers.

  • Install AuthLite on the Terminal Servers / Remote desktop systems. These systems must be domain members. AuthLite is not needed here for authentication, but will make the password-change dialog work better in cases where the password is expired at logon.

  • Make sure all AuthLite users are represented in an AuthLite User Group and have tokens.

  • Use one of the methods of Requiring Two-factor Authentication. The best way is to assign Group Policy Allow/Deny permissions based on the AuthLite User Group Pairs feature. Or, add the Terminal Servers / Remote desktop systems (or groups containing them) into the Forced 2-Factor Computers list. Or, select “Remote Desktop Authentications” in the terminal server's Forced 2-Factor Processes section. This will make sure that AuthLite users can only connect if they enter a valid OTP and password.
    NOTE: Non-AuthLite users will not be blocked by this setting. To prevent certain non-AuthLite users from connecting, simply use group or local policy to restrict the users and groups allowed to log on.

  • An RDP connection using Network Layer Authentication requires two sequential authentication events to establish your session. You need to set a Replay window so one entered OTP can be used for both of the authentications needed to establish your session.

Using RDP with AuthLite

To log in to the remote desktop server:

  • Launch the mstsc.exe client and specify the terminal server you are connecting to

  • Tap your AuthLite key into the Username field. OATH token users should enter their username followed by a dash “-” followed by the OTP from their token.1

  • Enter your password into the password field

  • Connect

1   The password field is hashed by the NTLM protocol, so it cannot be used to enter OTPs.

Next Steps: