AuthLite Interactive Documentation
Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens
How AuthLite uses YubiKeys
Installation and Upgrading
What platforms are supported? Prerequisites and Installation Linux systems MacOS machines
Configuration
Licensing AuthLite Set up User Groups
Configuring AuthLite to use your Group Pairs
Setting up the "Group for New Users"
Enforce 2-factor Logons
Use Group Policy to enforce 2-factor on Windows servers/workstations Secure Administrative Accounts with 2-factor Authentication Enforce 2-factor on File Shares using Access Control Lists (ACLs) Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes" Enforce non-Windows machines with "Forced 2-factor Computers" Enforce 2-factor logon to Office 365 with AuthLite LDAP logon support/enforcement
Windows Workstation (Endpoint) Protection
Offline Workstation logon with YubiKeys Offline Workstation logon with OATH tokens Zero-client two-factor workstation logons Workstation Safe mode operations
Remote Desktop
2FA over Remote Desktop Protocol 2FA with Remote Desktop Gateway / RemoteApp / RDWeb / RD Web Client
Replay Windows to support RDP and other re-authenticating protocols Replay Behavior setting VPN and RADIUS Configuration
Using IAS/NPS for RADIUS with AuthLite Microsoft VPN Client settings Wireless 802.1x Authentication DirectAccess and NetMotion Mobility XE Configure Watchguard SSL VPN with AuthLite
Active Directory Deployment Notes
Token Management
First: Configure Token Settings Provisioning Tokens Administratively
YubiKeys (Soft) OATH Tokens (Hardware) OATH Tokens OnlyKeys
User Self-Service
"Enroll in AuthLite" Windows program SET UP the Self-Service Web Portal USING the Self-Service Web Portal
View/Edit Existing Tokens Delegate Token Management Recovery Tokens Multiple OTP Tokens for the Same User Multiple users with the same OTP Token Password Operations
How to Log In
CLOSE

Active Directory Deployment Notes

Licensing

Enter the license code on one Domain controller where AuthLite is installed, and it will propagate to other DC's via replication. Member servers and workstations will read the license value from the directory as well.

Due to replication delays, some servers may temporarily still believe they are unlicensed.

Software Installation

In order to authenticate AuthLite users, a Domain Controller must have the AuthLite infrastructure software installed. If a workstation (or member server) connects to a DC where AuthLite is not  installed, all the AuthLite operations will fail on that machine, and AuthLite users will not be required to use two-factor authentication, since this enforcement is done at the domain controller.

Domain Controllers with AuthLite software installed will still function normally for all their normal roles, including authentication of non-AuthLite users. AuthLite does not replace or remove built-in Microsoft components or behaviors.

Application Partition (database)

AuthLite takes advantage of the robust, multi-master replication offered by Active Directory by using an Application Partition to store all its user data and domain-wide settings. This is the same method that Microsoft's own DNS server uses to manage its data.

The first installation of AuthLite on a Domain Controller in your enterprise will automatically create this partition, and the schema additions necessary to support it. Thus, the first DC you install AuthLite on will be a replication host for the partition, by default.

AuthLite does not add or change any schema properties on the "user" or other built-in objects in Active Directory. All AuthLite data is stored separately in the AuthLite Application Partition. Adding the AuthLite schema elements will have no performance impact on user object replication since we don't touch those objects at all.

Replication hosts

By design, AD Application Partitions do not automatically replicate to every DC in your enterprise, because it is assumed that the data they contain may only be needed by a subset of the enterprise. If a DC receives a directory query for a partition that's not stored locally, it will refer the request to a remote DC that stores the partition.

This referred connection can be slow if the remote DC is in another site. Since AuthLite requires access to its partition in order to operate, any AD site where AuthLite is used should have at least one DC that hosts a replica of the AuthLite data partition.

Also, to support redundancy if the first partition host goes offline, you may wish to host the partition on more than one Domain Controller in the same site. (Without access to the AuthLite partition, all AuthLite operations will not function.)

You can easily specify whether a DC should host a replica the AuthLite partition at install time, by enabling or disabling the installer feature “Create a Data Store Replica on this DC”. This feature is selected by default when installing AuthLite onto a DC. Thus if you do not change the selection, every Domain Controller where AuthLite is installed will also have a replica of its data partition, which is a reasonable default.

This option in the AuthLite installer doesn't perform any proprietary operations when making a replica, it is just a convenience. You can also use the Microsoft command ntdsutil to control the replication hosts for Application Partitions. The partition's distinguished name will be

DC=AuthLite,[your-domain's-dn]

Content

Although not necessary for normal operation, you can browse and change the partition content with the Microsoft MMC plugin adsiedit.

To browse the AuthLite key data, you can use the AuthLite Token Manager application installed on the domain controllers.

Deletion

Uninstalling AuthLite does not remove the data partition or affect which DC's host its replicas. This way, if AuthLite is reinstalled, all the existing data can be used again, and users can continue to authenticate. If removal of the partition is desired, this can be accomplished with the Microsoft ntdsutil command.