2FA over Remote Desktop Protocol
This section assumes a direct RDP connection or publishing point. For Remote Desktop Gateway scenarios see the next section.
The instructions below assume you already have a working RDP configuration. Before you begin, verify the following:
Using a non-AuthLite user who has permission to log on remotely, verify that you can connect and that your credentials log you in to the Terminal Server / Remote Desktop system without prompts or errors.
If this does not work, adding AuthLite will only make things harder to troubleshoot. If you contact us for support, the first thing we will do is attempt a logon with a non-AuthLite user to confirm that your end-to-end setup is configured properly.
Install AuthLite on the domain controllers.
Install AuthLite on the Terminal Servers / Remote Desktop systems. These systems must be domain members. AuthLite is not needed on them for the authentication itself (the domain controllers perform that), but installing it makes the unlock and password-change dialogs work properly.
Make sure all AuthLite users are represented in an AuthLite User Group and have tokens.
Use one of the methods described under Requiring Two-factor Authentication. The best way is to assign Group Policy Allow/Deny permissions based on the AuthLite User Group Pairs feature. Alternatively, add the Terminal Servers / Remote Desktop systems (or groups containing them) to the Forced 2-Factor Computers list, or select "Remote Desktop Authentications" in the terminal server's Forced 2-Factor Processes section. Any of these ensures that AuthLite users can connect only by entering a valid OTP together with their password.
NOTE: Non-AuthLite users are not blocked by these settings. To prevent particular non-AuthLite users from connecting, use Group Policy or local security policy on the terminal servers to restrict who holds the "Allow log on through Remote Desktop Services" user right (or add them to "Deny log on through Remote Desktop Services").
An RDP connection using Network Level Authentication (NLA) performs two authentications in sequence to establish a session: one at the network level before the session is created, and a second when the delegated credentials are used for the logon on the server. Set a Replay window so that the one OTP the user entered is accepted for both. Keep the window only as long as the two authentications need to complete: while it is open the same OTP is accepted again, so a longer window widens the opportunity to replay a captured OTP.
Using RDP with AuthLite
To log in to the remote desktop server:
Launch the mstsc.exe client and specify the terminal server you are connecting to
If AuthLite is not installed on your RDP client machine (workstation), enter your username followed by a dash "-" followed by the OTP from your token (for example, jsmith-123456 for user jsmith and OTP 123456). [1]
If AuthLite is installed on your RDP client machine (workstation), enter your username as normal and enter the OTP in the one-time passcode field shown in the dialog.
Enter your password into the password field.
[1] The OTP goes in the username field because that is the only credential field the server can read: NTLM never transmits the password itself, only a challenge-response derived from its hash, so an OTP typed into the password field could not be recovered and checked.
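The replay window described for NLA above, and the username-dash-OTP convention in step two, can be seen together in a small model of the server-side check. This is an added example, not AuthLite's code (AuthLite's validation logic is not on this page); it assumes a standard RFC 6238 TOTP token (SHA-1, 30 s step, 6 digits), a hypothetical parsing rule that takes the OTP as the trailing 6-digit group after the last dash (so usernames containing dashes still work), and a replay window of 10 seconds, which is an assumption you would tune to how long the two NLA authentications take in your environment. The secret and timestamps are constructed sample data.

```python
"""Model of username-OTP validation with a replay window for NLA's two logons.

Added example, not AuthLite's code. Assumptions: RFC 6238 TOTP token;
hypothetical "trailing 6 digits after the last dash" parsing rule;
REPLAY_WINDOW of 10 s; constructed secret and clock values.
"""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30        # RFC 6238 time step (seconds)
OTP_DIGITS = 6
REPLAY_WINDOW = 10    # seconds a once-accepted OTP may be presented again (assumption)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing timestamp `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // TIME_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def split_username(composite: str):
    """'jsmith-123456' -> ('jsmith', '123456'); 'jsmith' -> ('jsmith', None).

    Hypothetical parsing rule (the page only says "username, dash, OTP"):
    split on the LAST dash so a username like 'svc-backup' still works.
    """
    user, sep, otp = composite.rpartition("-")
    if not sep or len(otp) != OTP_DIGITS or not otp.isdigit():
        return composite, None
    return user, otp


class OtpValidator:
    """Validates username-OTP logons, letting one OTP be reused only briefly."""

    def __init__(self, secrets: dict, replay_window: int = REPLAY_WINDOW, skew_steps: int = 1):
        self.secrets = secrets              # user -> base32 TOTP secret (constructed data)
        self.replay_window = replay_window
        self.skew_steps = skew_steps        # tolerate +/- this many steps of clock drift
        self._accepted = {}                 # (user, otp) -> time it was first accepted

    def check(self, composite: str, now: int):
        """Return (accepted, reason) for a logon attempt at time `now`."""
        # Drop records older than any code they could still match, so the
        # table stays bounded; a code string recurring later is a new code.
        horizon = (self.skew_steps + 1) * TIME_STEP
        self._accepted = {k: t for k, t in self._accepted.items() if now - t < horizon}

        user, otp = split_username(composite)
        if otp is None:
            return False, "no OTP supplied"
        secret = self.secrets.get(user)
        if secret is None:
            return False, "unknown user"

        first = self._accepted.get((user, otp))
        if first is not None:
            # Seen before: only the second NLA leg inside the window passes.
            if now - first <= self.replay_window:
                return True, "replay accepted within window"
            return False, "replay outside window"

        for k in range(-self.skew_steps, self.skew_steps + 1):
            if hmac.compare_digest(totp(secret, now + k * TIME_STEP), otp):
                self._accepted[(user, otp)] = now
                return True, "fresh OTP accepted"
        return False, "bad OTP"


def nla_logon(validator: OtpValidator, composite: str, start: int, gap: int):
    """Simulate NLA: two sequential authentications `gap` seconds apart, one OTP."""
    first = validator.check(composite, start)
    second = validator.check(composite, start + gap)
    return first[0], second[0]


if __name__ == "__main__":
    # Constructed sample data: one user, one token secret, a fixed clock.
    secrets = {"jsmith": "JBSWY3DPEHPK3PXP"}
    now = 1_700_000_000
    code = totp(secrets["jsmith"], now)
    v = OtpValidator(secrets)
    print("NLA logon, 3 s between legs:", nla_logon(v, f"jsmith-{code}", now, 3))
    print("Same OTP 20 s later:", v.check(f"jsmith-{code}", now + 20))
```

With no replay window the second NLA leg would fail with "bad OTP" and the user could never get a session; with the window set, the second leg passes and a later reuse of the same OTP (even one the token would still consider current) is refused. The window, not the TOTP step, is what bounds reuse, which is why it should be no longer than the handshake needs.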