AuthLite Interactive Documentation
Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens
How AuthLite uses YubiKeys
Installation and Upgrading
What platforms are supported? Prerequisites and Installation Linux systems MacOS machines
Configuration
Licensing AuthLite Set up User Groups
Configuring AuthLite to use your Group Pairs
Setting up the "Group for New Users"
Enforce 2-factor Logons
Use Group Policy to enforce 2-factor on Windows servers/workstations Secure Administrative Accounts with 2-factor Authentication Enforce 2-factor on File Shares using Access Control Lists (ACLs) Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes" Enforce non-Windows machines with "Forced 2-factor Computers" Enforce 2-factor logon to Office 365 with AuthLite LDAP logon support/enforcement
Windows Workstation (Endpoint) Protection
Offline Workstation logon with YubiKeys Offline Workstation logon with OATH tokens Zero-client two-factor workstation logons Workstation Safe mode operations
Remote Desktop
2FA over Remote Desktop Protocol 2FA with Remote Desktop Gateway / RemoteApp / RDWeb / RD Web Client
Replay Windows to support RDP and other re-authenticating protocols Replay Behavior setting VPN and RADIUS Configuration
Using IAS/NPS for RADIUS with AuthLite Microsoft VPN Client settings Wireless 802.1x Authentication DirectAccess and NetMotion Mobility XE Configure Watchguard SSL VPN with AuthLite
Active Directory Deployment Notes
Token Management
First: Configure Token Settings Provisioning Tokens Administratively
YubiKeys (Soft) OATH Tokens (Hardware) OATH Tokens OnlyKeys
User Self-Service
"Enroll in AuthLite" Windows program SET UP the Self-Service Web Portal USING the Self-Service Web Portal
View/Edit Existing Tokens Delegate Token Management Recovery Tokens Multiple OTP Tokens for the Same User Multiple users with the same OTP Token Password Operations
How to Log In
CLOSE

LDAP logon support/enforcement

Test 2-factor support

In order to check whether your LDAP service can accept AuthLite 2-factor credentials, attempt the following tests.  We are not enforcing anything yet, just seeing whether the LDAP service can tolerate a 2-factor credential without erroring.

  1. First, attempt a logon by putting the OTP in the username field:
    • With a YubiKey, tap the OTP into the username field.  
    • Or with an OATH token user, type in the username followed by a dash “-” followed by the OTP from your OATH token app.
    • Enter the normal AD password in the password field.
  2. Next, attempt a logon by putting the OTP in the password field:
    • Enter the AD username as normal in the username field.
    • Type the AD password into the password field.
    • With a YubiKey, tap the OTP into the password field next, after the password characters.
    • Or with an OATH token user, enter a dash “-” after the password, followed by the OTP from your OATH token app.
    If either of these tests gives you a successful logon, then it is highly likely your LDAP service can be integrated as-is with AuthLite to enforce 2-factor logons.

Identify logon method

Find the DC which is being used for your LDAP authentication, and open the “AuthLite Security” Event Log.  You can search (using ctrl-F) for your LDAP user's username in the log right at the time you did the above logon tests.  There should be an Event ID 20 or 21 (the LDAP service on the DC initiating the authentication).  There should also be a nearby Event ID 1, 10 or 11 (the DC's authentication core processing the logon).  And there should be a nearby Event ID 0 with the same username and the details “OTP looked up successfully”.

The exact combination of these events will tell important details about how the LDAP service is authenticating.  Be sure to match the time of the events to the time of your testing.  Otherwise you might be looking at log items that refer to some other login somewhere else.

Turn on 2-factor enforcement and compatibility

  • If you see event 10 for your LDAP user, then the OTP is being passed to the logon.  To enforce 2-factor for AuthLite users, just add the LDAP server to the “Forced 2-factor Computers” list.
  • If you also see event 1 for your LDAP user, then the OTP is being passed multiple times (potentially, several logins in fast sequence).  Begin with putting the LDAP server in the “Forced 2-factor Computers” list to enforce 2-factor for AuthLite users.  Then, add a short Replay Window for the LDAP server so the same OTP can be used several times in a row to let the multiple logins work.
  • If you see events 1 and 11 for your LDAP user, then the OTP might be getting looked up and then thrown away before the logon.  Begin with putting the LDAP server in the “Forced 2-factor Computers” list to enforce 2-factor for AuthLite users.  Then add it to the “LDAP Permissions” list as well so the OTP lookup is allowed to be used during the next authentication from that machine for your username.  Then, if your authentications are failing, then add the LDAP server to “Sticky 2-Factor Computers” as well.  This lets subsequent authentications use the same OTP presented by the earlier one, even though the subsequent logons aren't passing the OTP.
  • If you see just an event ID 20 with “Status 0xc000006d 0xc0000064” or “Status 0xc000006d 0xc000006A”, then the LDAP server may be truncating the OTP or otherwise parsing the credentials strangely.  Please contact customer support for assistance.
  • Also if you see no events for your LDAP user matching the time you tried the 2-factor logons, then your service might be totally failing to pass the credentials containing the OTP.  Please contact customer support for assistance.