By default only Domain Admins are allowed to program split-mode AuthLite keys for other users. You can change a setting to allow other groups this access.

In AuthLite version 1.2 there is no user interface to set this permission, so it needs to be set manually via ADSI Edit.

  • Create or select a group you wish to use for key provisioning
  • Add a user account to that group
  • Log in with that user. If you are already logged in with the user, then LOG OUT and log in again to update your token.

  • Use the command "whoami /groups" to discover the SID of the group. You need this to construct the permission setting. To find the SID, locate the name of the group in the left hand column of the "whoami" print out, then scan to the right until you find the long string that has the form:

    S-1-n-nn-nnnnnnnnn-nnnnnnnnnn-nnnnnnnnnn-nnn

  • On a DC, open ADSI Edit and connect to the distinguished name of the AuthLite partition on your domain. This will be similar to:

    DC=AuthLite,DC=sandbox,DC=collectivesoftware,DC=com

    but everything after "DC=AuthLite," will be based on the FQDN of your domain instead:

    DC=AuthLite,DC=your,DC=actual,DC=domain,DC=com
  • Expand the main DC=AuthLite item and select the sub-item "CN=AuthLiteSettings"
  • Right-click in the right pane, and select New->Object
  • Select the item "collectiveAuthLiteSetting"

  • The value should be set to exactly:

    ProvisionSplitKeys

  • Click "More attributes"

  • Select the property "collectiveAuthLiteSettingValue

  • In the Edit attribute box, enter a value similar to:

    D:AI(A;;FR;;;DA)(A;;FR;;;S-1-n-nn-nnnnnnnnn-nnnnnnnnnn-nnnnnnnnnn-nnn)

    but replace the SID placeholder with the SID you found for your key provisioning group. If you want to add other groups you can append more (A;;FR;;;S-1-...) portions to the end.

  • Click Set, OK, and Finish
  • This setting will not be refreshed on client for up to 20 minutes.