AuthLite Upgrade Advisory #2
On January 2. 2014, Collective Software identified a VPN configuration that could lead to 2-factor logons not being properly enforced. VPNs with a vulnerable configuration could allow users to log in even when the one-time passcode (OTP) supplied is incorrect.
To eliminate any potential for users authenticating without proper credentials, please check whether your configuration is affected, and deploy the new build or a configuration workaround (details below).
Affected AuthLite Versions
- AuthLite version 1.x: not affected. You don't need to do anything, apart from make sure you have already updated for the older Advisory #1.
- AuthLite version 2.0.18-2.0.38: potentially affected, see below for configuration details.
If your configuration matches all of the following points, then your VPN is potentially vulnerable, and AuthLite should be updated or its configuration changed.
- IAS/NPS plug-in is active
- IAS/NPS plug-in is set for 2-factor authentication
- "Replay Behavior" configuration is set to "Retry as 1-factor"
- Your IAS/NPS servers are not listed in the Forced 2-factor Computers list
What Should I Do?
If your configuration matches all the above points, you can eliminate the vulnerability by performing any one of the following options.
Option 1: Install an updated AuthLite version
- On your DCs and IAS/NPS servers, install v2.0.39 or later from AuthLite.com
- You must reboot the servers for the modification to become active. Prior to rebooting, the systems will still be running the old version of the software in memory.
-- or --
Option 2: Add VPN servers to Forced 2-factor Computers
If you cannot install a new AuthLite version at this time, you can work around the issue by adding all IAS/NPS servers into AuthLite's "Forced 2-Factor Computers" list.
- This will cause all AuthLite user accounts to require 2-factor credentials when they attempt to access the IAS/NPS servers over any protocol (console, RDP, etc.)
- Configuration updates take up to 20 minutes to apply, in addition to any inter-site replication delays.
-- or --
If you cannot install a new AuthLite version at this time, you can work around the issue by changing the "Replay Behavior" setting from "Retry" to "Fail".
- This may break the functionality of benign 1-factor software that is currently able to use stale/expired 2-factor credentials seamlessly. These credentials will be rejected instead of succeeding as if they were entered as 1-factor logons.
- For example: Outlook 2013 sends the same credentials used during desktop logon over to the Exchange server. You may be authenticating with 2-factor credentials at the desktop, but Exchange server sees the OTP as stale. Setting the Replay Behavior to "Fail" will cause Outlook single sign-on to fail, and a credential prompt to pop up. The same behavior will be observed for all software that attempts to use the NTLM "Windows Integrated" logons.
- Configuration changes take up to 20 minutes to apply, in addition to any inter-site replication delays.
Common Questions and Answers
Should I upgrade from v1.x to version 2?
No, you do not need to do this. Version 2 is a much more complex product and a proper upgrade requires a substantial amount of planning, configuration, and testing. We even offer professional support just to help with this. In short, it's not something to be undertaken lightly.
Where do I have to install the update?
Install the updated software on all Domain Controllers and IAS/NPS servers that currently have AuthLite installed.
If I change my configuration with Option 2 or 3, do I have to install the upgrade?
No, you can continue using your existing build 2.0.18-2.0.38 if you deploy a configuration change (option 2 or 3) to bypass the issue.
I need help with this, what should I do?
If you require further details, or assistance with installing the update or making configuration changes, please open a Support Request from our Support page and reference Upgrade Advisory #2