AuthLite Interactive Documentation
Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens
How AuthLite uses YubiKeys
Installation and Upgrading
What platforms are supported? Prerequisites and Installation Linux systems MacOS machines
Configuration
Licensing AuthLite Set up User Groups
Configuring AuthLite to use your Group Pairs
Setting up the "Group for New Users"
Enforce 2-factor Logons
Use Group Policy to enforce 2-factor on Windows servers/workstations Secure Administrative Accounts with 2-factor Authentication Enforce 2-factor on File Shares using Access Control Lists (ACLs) Permit 1-factor Network Access to a Server Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes" Enforce non-Windows machines with "Forced 2-factor Computers" Enforce 2-factor logon to Office 365 with AuthLite LDAP logon support/enforcement
Windows Workstation (Endpoint) Protection
Cached (Offline) Workstation logon with YubiKeys Cached (Offline) Workstation logon with OATH tokens Zero-client two-factor workstation logons Workstation Safe mode operations
Remote Desktop
2FA over Remote Desktop Protocol 2FA with Remote Desktop Gateway / RemoteApp / RDWeb / RD Web Client
Replay Windows to support RDP and other re-authenticating protocols Replay Behavior setting VPN and RADIUS Configuration
Using IAS/NPS for RADIUS with AuthLite Microsoft VPN Client settings Wireless 802.1x Authentication DirectAccess and NetMotion Mobility XE Configure Watchguard SSL VPN with AuthLite
2FA for File Shares Active Directory Deployment Notes
Token Management
First: Configure Token Settings Provisioning Tokens Administratively
YubiKeys (Soft) OATH Tokens (Hardware) OATH Tokens OnlyKeys
User Self-Service
"Enroll in AuthLite" Windows program SET UP the Self-Service Web Portal USING the Self-Service Web Portal
View/Edit Existing Tokens Delegate Token Management Recovery Tokens Multiple OTP Tokens for the Same User Multiple users with the same OTP Token Password Operations
How to Log In Troubleshooting
CLOSE

Upgrading

Domain controllers' AuthLite MSI version must be newer or equal to the member machines. Upgrade DCs FIRST.  It is OK to continue to run older builds on the member machines, or you can update them to the same version as the DCs.

You can always install a new MSI over the existing one.  There is no need to remove the existing one first, unless the installer directs you to do so.

The same installation software is used for both workstations and servers:

  • AuthLite_installer_x64.msi for 64-bit platforms
  • AuthLite_installer_x86.msi for 32-bit platforms

You can get them from the Downloads page.

Adding new Domain Controllers

There is a specific order of operations you should use for bringing up a new DC for optimal carry-over of AuthLite functionality.

  1. Bring up new server OS
  2. Copy the AuthLite installer .exe or .msi to the new DC. In this example we assume it is copied to C:\TEMP
  3. Promote new server to Domain Controller. Note that you won't be able to log onto the new DC with a 2FA user after it restarts, because DCs authenticate to themselves, and this new DC doesn't understand AuthLite 2FA users yet.
  4. Install AuthLite on the new DC.  You can do this in two ways:
    • Install from an existing DC by using a remote powershell command. Don't forget to replace TheNewDC with the actual computer name of the new DC, and adjust the path from C:\TEMP to where you copied the AuthLite installer:

      invoke-command -computername TheNewDC {C:\TEMP\AuthLite_installer_x64.exe /qn }


      This action should automatically restart the DC after installation succeeds.
    • Or, create a 1-factor Domain Admin account on an existing DC.  Make it a member of the natural Domain Admins group, and not any AuthLite groups. Then log into the new DC directly using that account in order to run the installer. Don't forget to reboot the new DC after install completes.

      Delete the temporary account afterwards, or if you used your emergency break-glass account consider rotating its password afterwards.

    Decommissioning Domain Controllers

    Before retiring an old DC, do a trial shutdown of it, to make sure everything (including 2FA) runs fine with it off. This is a cheap way to prove there's nothing pointing to it exclusively.