How do I use OTPs with AD-integrated accounts in vSphere
Some issues with vSphere we need to address for AuthLite 2-factor enforcement:
- vSphere is not affected by logon group policies applied to its server, because it uses its own LDAP connection to authenticate to the DCs.
- It also does a static lookup of group membership over LDAP, so we cannot ask it to check for the AuthLite 2-factor Tag groups to do enforcement.
- Lastly, its LDAP authentication method requires some additional configuration in order for the DC to process it properly as a 2-factor logon.
Configuration for vSphere 2-factor logon enforcement:
- Set up AuthLite users, placing them into the AuthLite users group, and assigning one or more tokens
- Enforce blocking 1-factor logon of AuthLite users to your vSphere servers, by adding the vSphere servers by name or IP to the Forced 2-factor Computers list in AuthLite. This is the least favored way to enforce, but we have no other option because group policy is not relevant to vSphere.
- Make sure "Treat LDAP client IP as the authentication source" is selected.
- Add the vSphere servers to the "LDAP Permissions" list in AuthLite Configuration. The default timeout of 5 seconds should be sufficient.
- Wait 20 minutes for all DCs to synchronize with the new AuthLite settings
To authenticate to the vSphere client as a 2-factor user, you must do the following:
- Uncheck the "Use Windows session credentials" checkbox
- In the username field, enter the NETBIOS domain name and a backslash,
- If you are using a YubiKey, now press the button to fill in the OTP after the backslash.
- If you are using an OATH token, enter your username, followed by a dash, and then the current OATH OTP digits
- Enter your AD password as normal
- Click "Login"