AuthLite Interactive Documentation
Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens
How AuthLite uses YubiKeys
Installation and Upgrading
What platforms are supported? Prerequisites and Installation Linux systems MacOS machines
Configuration
Licensing AuthLite Set up User Groups
Configuring AuthLite to use your Group Pairs
Setting up the "Group for New Users"
Enforce 2-factor Logons
Use Group Policy to enforce 2-factor on Windows servers/workstations Secure Administrative Accounts with 2-factor Authentication Enforce 2-factor on File Shares using Access Control Lists (ACLs) Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes" Enforce non-Windows machines with "Forced 2-factor Computers" Enforce 2-factor logon to Office 365 with AuthLite LDAP logon support/enforcement
Windows Workstation (Endpoint) Protection
Offline Workstation logon with YubiKeys Offline Workstation logon with OATH tokens Zero-client two-factor workstation logons Workstation Safe mode operations
Remote Desktop
2FA over Remote Desktop Protocol 2FA with Remote Desktop Gateway / RemoteApp / RDWeb / RD Web Client
Replay Windows to support RDP and other re-authenticating protocols Replay Behavior setting VPN and RADIUS Configuration
Using IAS/NPS for RADIUS with AuthLite Microsoft VPN Client settings Wireless 802.1x Authentication DirectAccess and NetMotion Mobility XE Configure Watchguard SSL VPN with AuthLite
Active Directory Deployment Notes
Token Management
First: Configure Token Settings Provisioning Tokens Administratively
YubiKeys (Soft) OATH Tokens (Hardware) OATH Tokens OnlyKeys
User Self-Service
"Enroll in AuthLite" Windows program SET UP the Self-Service Web Portal USING the Self-Service Web Portal
View/Edit Existing Tokens Delegate Token Management Recovery Tokens Multiple OTP Tokens for the Same User Multiple users with the same OTP Token Password Operations
How to Log In
CLOSE

Why does AuthLite want the OTP in the username field?

Entering 2-factor credentials into Remote Desktop Connection client (RDP)
Entering 2-factor credentials into Remote Desktop Connection client (RDP)

All authentication dialogs have a username and a password field, and AuthLite's design goal is to support all of them without replacing the client or server software.

Problems with using the password field

AuthLite authenticates at your Domain Controllers, so we need to get the OTP from your client to the DC.  But (by security design) many authentication protocols don't actually send the contents of your password field to the server.  Rather, they convert your password into a "password hash" and send that to the server, or otherwise use it with a challenge/response to authenticate you.

So for these protocols, putting anything in the password field except  for your password will simply result in a bad password hash.  The OTP won't get sent to the server, it will just get destroyed on the client, and the DC will see it as if you had entered the wrong password.

Username field to the rescue!

Pretty much all protocols send the username up to the server exactly as the user types it.  This means we can put the OTP in that field and it will reach the DC.  As long as AuthLite's running there and we have enough information to tell who you are, we can make this one-factor software send two-factor authentication!  We can tell who you are because either:

  • You use a YubiKey OTP, so AuthLite can see its static ID and map it to your user account. Or,
  • You enter your username, followed by a dash (minus), followed an OATH code.  So AuthLite can parse your username out of that and then validate the OTP.

Can I use the password field?

AuthLite supports password and OTP together in the same field, so long as the protocol being used doesn't hash the password before reaching the server!

Does the username field always work?

As long as the client software sends the username field (by RDP, LDAP, Windows authentication, etc.) and trusts the authenticated result from the DC, then it will work!  But this isn't always true:

  • Some systems use the text you enter in the username field to look up the user in a separate database of their own.  In this case, it won't match. Try OTP+password together.

  • Some systems log the text of the username field, so you'll see YubiKey OTPs in your logs (you can look these up by pasting into the Find field of the Token Manager app)
  • Linux-like SSSD systems will reject the OTP in the username because they have extra logic that verifies the user record returned from the domain equals the username originally entered.  So there is more work for Linux.

Let us know if you need help figuring out how to pass 2-factor credentials through a certain application, or how to enforce 2-factor.

Further Information: