AuthLite Interactive Documentation
FEATURES: What can AuthLite Do? TOKEN TYPES: What "Factors" are supported? INSTALL: How and where to install AuthLite? CONFIGURE AuthLite for your needs CHOOSE USERS: Choose 2-factor Users ENFORCE 2-factor Logons ADMINISTER AuthLite Tokens LDAP logon support/enforcement VPN and RADIUS Configuration How to Log In Event Logging
Figure 1: AuthLite Groups
Figure 1: AuthLite Groups

Creating AuthLite Groups

AuthLite uses specially chosen Active Directory Global Groups to tell what users it should care about.  It also uses these groups to track whether sessions were authenticated with 1-factor or 2-factor.

To make things easy for administrators to understand, we found the best practice is to make three groups for each type of AuthLite user (see Figure 1).  You place users into the "AuthLite Users" group, and this is nested into the AuthLite 1F Tag group.  The AuthLite 2F Tag group has no members.

The Tag groups are special and their membership should not be changed  after this initial setup.  Notice that the AuthLite Users group is a member of the 1F Tag group but not the 2F Tag group.  This is intentional.

You can name these groups whatever you want, and place them wherever you want in your directory OU structure.  They must be Global Groups, and in general they should not be nested into any other AD group, apart from "Domain Local" and "Builtin" groups.  We have a quick powershell script that makes these groups and sets permissions on them.

Next, we'll tell AuthLite about these groups and see how they work.