AuthLite Interactive Documentation
Fig. 1) User Enrollment on a (possibly remote) workstation


  • AuthLite v2.4 or later on the DCs and the user's workstation
  • On the workstation, select the "Enroll in AuthLite" shortcut to be available (or run SelfProvisionUI.exe from the AuthLite install folder)
  • To enroll a user, their workstation must currently be able to see the DCs on the LAN (being connected to a VPN is fine)
  • The workstation should be receiving a Group Policy that enforces 2F logon for AuthLite users

The "Enroll in AuthLite" tool allows the currently logged-in domain user to:

  • Bootstrap themselves into AuthLite, if they are not already in the group
  • Provision new YubiKey tokens (either un-programmed, or else already programmed and imported but not assigned yet)
  • Provision OATH soft tokens

It also automatically caches the user's offline data for YubiKeys (and Offline OATH tokens, if any) so that the next time the user logs in, they will be required to use their token.

Having all these features in one workstation tool ensures that all necessary steps are accomplished in the right order so that the user's offline cache is set up correctly no matter how they logged on, even if they are on a VPN and might be disconnected soon after.

Although not initially designed to be used this way, you can "Run as" this tool as a different domain user by shift-right-clicking its icon and choosing "Run as a different user". Authentication is required to launch the app, and the user then has to authenticate again inside the app itself.

This may be useful if the user logged in at the desktop is not the one you wish to provision. However, if you are merely trying to provision users administratively, see this section instead.